Greets,
I am using the "/storage/.config/system.d/openvpn.service.example" as the basis for auto launching OpenVPN at boot.
However, when used in conjunction with LibreELEC's Custom Firewall setting in Kodi, my "/storage/.config/iptables/rules.v4" configuration is preventing OpenVPN from creating its tunX/tapX device (i.e. it's missing from `ifconfig').
My "/storage/.config/iptables/rules.v4" constitutes a VPN kill switch, only allowing traffic in and out of the VPN connection, or across the LAN:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p udp -m udp --sport 1197 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
Oddly, if I flush iptables (`iptables -F'), I can restart OpenVPN (`systemctl restart openvpn.service'), which successfully creates the "tun0" device, and then run the exact same `iptables' commands to create the VPN kill switch. Both OpenVPN and the iptables VPN kill switch work as expected with this execution order.
It seems that the iptables rules must not be implemented before executing OpenVPN?
How can I ensure this at boot?
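One way to enforce the order described above, as an added example that is not part of the original post or of LibreELEC's firewall hook: a script that waits for the tunnel interface, syntax-checks the generated ruleset with `iptables-restore --test`, and only then loads it. It assumes it is started from a unit ordered `After=openvpn.service`; the interface directory is a parameter so the wait logic can be exercised without touching the live system.

```shell
#!/bin/sh
# Added example (not from the post): load the VPN kill switch only after the
# tunnel interface exists, so a boot-time iptables-restore cannot race
# OpenVPN's device creation. Assumed to run from a unit ordered
# After=openvpn.service.

NET_SYS_DIR="${NET_SYS_DIR:-/sys/class/net}"   # overridable for testing

# wait_for_iface IFACE MAX_SECONDS: returns 0 once the interface exists,
# 1 if it has not appeared after MAX_SECONDS.
wait_for_iface() {
    iface="$1"; max="$2"; waited=0
    while [ ! -e "$NET_SYS_DIR/$iface" ]; do
        [ "$waited" -lt "$max" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# kill_switch_rules VPN_IF VPN_PORT LAN_CIDR: print the ruleset. It mirrors the
# post's rules except that inbound VPN packets must belong to a connection we
# opened (conntrack ESTABLISHED,RELATED), not merely carry source port VPN_PORT.
kill_switch_rules() {
    vpn_if="$1"; port="$2"; lan="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $vpn_if -j ACCEPT
-A INPUT -p udp -m udp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $lan -d $lan -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $vpn_if -j ACCEPT
-A OUTPUT -p udp -m udp --dport $port -j ACCEPT
-A OUTPUT -s $lan -d $lan -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
}

# apply_kill_switch VPN_IF VPN_PORT LAN_CIDR: wait, parse-check, then commit.
apply_kill_switch() {
    wait_for_iface "$1" 30 || { echo "$1 never appeared; rules not loaded" >&2; return 1; }
    tmp=$(mktemp) || return 1
    kill_switch_rules "$1" "$2" "$3" > "$tmp"
    iptables-restore --test < "$tmp" || { rm -f "$tmp"; return 1; }  # parse only
    iptables-restore < "$tmp"; rc=$?; rm -f "$tmp"; return $rc
}

if [ "${1:-}" = "apply" ]; then apply_kill_switch "${2:-tun0}" "${3:-1197}" "${4:-192.168.0.0/24}"; fi
```

Loading the rules after OpenVPN leaves the firewall in its permissive boot state until the tunnel is up; note also that the ruleset shown only permits DNS lookups of the VPN server's hostname when the resolver lives inside 192.168.0.0/24, which is worth checking before attributing the failure to ordering alone.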