I think in addition to the above policy you need a second one to accept all traffic destined to tun+. Put tun+ in a zone, then add that zone to the egress-zones set. Make sure this new policy has a higher precedence (lower priority value) than the one above.
Thanks for the insights, I'll try that. Nice that you're bringing in the fix to v0.9.5 :)
I'm not familiar with setting the zone for a tun0 device. Currently the tun0 interface has no zone assigned to it (not even the default). I currently run openvpn directly as part of a script so that I can easily change the destination IP address (along with changing the firewall just beforehand to allow only that address). I'm not that familiar with using NetworkManager (either GUI or client) for openvpn connections. Doing some brief digging I've found that I can set the zone using
nmcli connection modify tun0 connection.zone myzone
but this probably isn't the preferred approach since the tun0 device only lasts within the openvpn session.
Should I just delve into using NetworkManager proper for the openvpn client connections, saving the configuration (and zone setting)? Does anyone have any useful links to give an introduction to using it (for use in scripting with changing destination IP addresses)?
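The zone-plus-policy arrangement suggested in the first reply, written out as an added shell example (this is not code from either poster or from the firewalld project). The zone name `vpn`, the policy name `vpn-out` and the priority `-100` are assumptions; the priority only has to be numerically lower than the priority of the existing restrictive policy, which this thread does not state. Because the zone binds the wildcard `tun+` rather than a specific `tun0`, the session-scoped device picks up the zone whenever openvpn creates it, so no per-session `nmcli` zone change is needed.

```shell
#!/bin/sh
# Added example, not from the thread: firewalld zone + policy that accepts
# host-originated traffic leaving through any tun* interface.
# Assumed names: zone "vpn", policy "vpn-out", priority -100.
set -eu

# Emit the firewall-cmd sequence, one command per line, so it can be reviewed
# (DRY_RUN=1) before the permanent configuration is touched.
vpn_policy_cmds() {
    zone="$1"; policy="$2"; priority="$3"
    cat <<EOF
firewall-cmd --permanent --new-zone=$zone
firewall-cmd --permanent --zone=$zone --add-interface=tun+
firewall-cmd --permanent --new-policy=$policy
firewall-cmd --permanent --policy=$policy --add-ingress-zone=HOST
firewall-cmd --permanent --policy=$policy --add-egress-zone=$zone
firewall-cmd --permanent --policy=$policy --set-target=ACCEPT
firewall-cmd --permanent --policy=$policy --set-priority=$priority
firewall-cmd --reload
EOF
}

# firewalld evaluates policies in ascending priority order: the policy with
# the lower number wins. Returns 0 when $1 takes precedence over $2.
priority_outranks() {
    [ "$1" -lt "$2" ]
}

# Run (or, with DRY_RUN=1, only print) the generated commands in order.
apply_vpn_policy() {
    vpn_policy_cmds "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Usage: DRY_RUN=1 sh vpn-policy.sh   (prints the commands without applying them)
#        sh vpn-policy.sh              (applies them; needs root)
if [ "${0##*/}" = "vpn-policy.sh" ]; then
    apply_vpn_policy vpn vpn-out -100
fi
```

The ingress zone is `HOST` because the thread concerns traffic the machine itself sends into the tunnel; if the box also forwards other hosts' traffic into the VPN, a second policy with `--add-ingress-zone=ANY` (or the relevant LAN zone) is needed, since `HOST` does not match forwarded packets. Until the existing restrictive policy's priority is known, run with `DRY_RUN=1` and compare the two numbers with `priority_outranks` before applying.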