Centos 7 OpenVPN - FirewallD keeps putting tun0 in the wrong zone on reboot

I have a fresh install of Centos 7 and I have several things running on it. One of them is OpenVPN. Everything works fine, I have tun0 in the trusted zone and my nic (eno1) is public. Server is behind a router/firewall so I do not need to setup anything complicated and all traffic goes over eno1. tun0 has a masquerade to public (eno1). VPN Clients work fine. If I reboot, FirewallD puts the tun0 interface in the public zone instead of the trusted zone although I used the --permanent option. This causes the entire network stack to fail for some reason and the only way I can get back in to make the change is over the local console. How do I get FirewallD to keep the tun0 interface in trusted over a reboot? Thanks!

It sounds like you might be hitting https://bugzilla.redhat.com/show_bug.cgi?id=1112742.

Try adding ZONE=trusted to /etc/sysconfig/network-scripts/ifcfg-tun0.