Currently, all traffic from my local LAN clients goes straight out to the internet via the RSP, using its external IP of 72.209.203.184.
Here's my current setup:
VPS ( RouterStation Pro (RSP) )
openvz<---------{ external ip: 72.209.203.184 (eth0) }<-------local clients
( internal ip: 192.168.1.10 (eth1/br-lan) ) 192.168.1.x
( openvpn ip: 10.9.0.10 (tun0) )
A little more detail:
-The RSP is acting as the DHCP server for the clients, giving out IPs 192.168.1.x
-The VPS is set up as the OpenVPN Server giving out IPs in the 10.9.0.x range
-The RSP is set up as an OpenVPN client
-The RSP is connecting to the VPS without error. I have verified that the server is set up correctly with other clients.
Here's what I would ideally like:
The RSP will continue to act as DHCP and hand out IPs on the 192.168.1.x subnet. All traffic destined for the internet will be routed through the tunnel. It seems to me that all I would need is a rule on the RSP that says that "all traffic destined for the default gateway (192.168.1.10) should be forwarded through the tunnel." This way all of my local clients will still be able to see each other.
Is this possible? I know enough about this to be dangerous, but not enough to actually get things done. Can you help me get my internet traffic into that tunnel?
OpenVPN Server Config File
# OpenVPN server instance on the VPS: listens on TCP/443 and hands the
# connected clients (including the RSP) addresses from 10.9.0.0/24.
local 187.63.22.57
port 443
# TCP or UDP server?
# NOTE(review): the client below must point at this same port; the UCI client
# config shown on this page does not set one (see its "remote" line).
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/serverconfig.crt
key /etc/openvpn/keys/serverconfig.key
# NOTE(review): a 1024-bit DH group is below current recommendations;
# regenerate with at least 2048 bits (or use an ECDH curve) when convenient.
dh /etc/openvpn/keys/dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# With the subnet below the server takes 10.9.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.9.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist serverdefault-ipp.txt
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
client-config-dir ccd
# Kernel route for the RSP's LAN into the tunnel. For OpenVPN to know
# WHICH client owns 192.168.1.0/24, the RSP's ccd file also needs
# "iroute 192.168.1.0 255.255.255.0" — that file is not shown on this page,
# so confirm it exists.
route 192.168.1.0 255.255.255.0
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
# NOTE(review): because the RSP forwards a whole LAN, the VPS-side NAT rule
# must cover 192.168.1.0/24 as well as 10.9.0.0/24 (or the RSP must
# masquerade on tun0 itself) — confirm whichever side does the NAT.
push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
# Key direction 0 here pairs with direction 1 in the client config.
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
# NOTE(review): no "auth" directive is set, so the HMAC falls back to
# OpenVPN's default (SHA1); "auth SHA256" on both ends is preferable.
cipher AES-256-CBC
# NOTE(review): compressing traffic inside an encrypted tunnel is no longer
# recommended; both ends must change together if this is dropped.
comp-lzo
max-clients 10
# Drop root after startup; persist-key/persist-tun below keep the daemon
# working across restarts once privileges are gone.
user nobody
group nogroup
# NOTE(review): stray line — probably a paste artefact; remove it if it is
# really present in the file.
.
persist-key
persist-tun
status /var/log/openvpn/serverdefault-status.log
log-append /var/log/openvpn/serverdefault.log
verb 3
mute 20
OpenVPN client configuration
# OpenVPN client instance on the RSP (OpenWrt UCI syntax); connects to the
# server defined above and creates tun0.
config openvpn sample_client
# Set to 1 to enable this instance:
option enable 1
option client 1
# Layer-3 tunnel: tun0 cannot be a bridge member (see the network config).
option dev tun
option proto tcp
# NOTE(review): no port is given here and no "option port" is set, so the
# client would use OpenVPN's default (1194) while the server listens on 443;
# if the real file differs from this paste, use: list remote "187.63.22.57 443"
list remote "187.63.22.57"
option resolv_retry infinite
option nobind 1
option persist_key 1
option persist_tun 1
option mute_replay_warnings 1
option ca /etc/openvpn/keys/ca.crt
option cert /etc/openvpn/keys/owrt.crt
option key /etc/openvpn/keys/owrt.key
# NOTE(review): ns_cert_type is deprecated; the replacement is
# remote_cert_tls server (requires the server cert to carry the TLS server EKU).
option ns_cert_type server
# Key direction 1 pairs with direction 0 on the server.
option tls_auth "/etc/openvpn/keys/ta.key 1"
option cipher AES-256-CBC
option comp_lzo 1
# NOTE(review): verb 7 is debug-level output; /tmp on OpenWrt is RAM-backed,
# so lower this (e.g. 3) once the tunnel works.
option verb 7
option log /tmp/openvpn.log
option mute 20
OpenWRT network config
config 'interface' 'loopback'
option 'ifname' 'lo'
option 'proto' 'static'
option 'ipaddr' '127.0.0.1'
option 'netmask' '255.0.0.0'
# LAN bridge: the RSP is 192.168.1.10 and serves DHCP for 192.168.1.x.
config 'interface' 'lan'
option 'type' 'bridge'
option 'proto' 'static'
option 'ipaddr' '192.168.1.10'
option 'netmask' '255.255.255.0'
# NOTE(review): nothing on this page describes a host at 192.168.1.1; a
# gateway on the LAN interface is probably unintended (the default route in
# the "route" output goes out eth0 anyway).
option 'gateway' '192.168.1.1'
option '_orig_ifname' 'eth1'
option '_orig_bridge' 'true'
# NOTE(review): tun0 is a layer-3 (tun) interface and cannot be bridged —
# only a tap device can. Adding it here is the likely reason traffic never
# enters the tunnel. Keep 'eth1' only, and define tun0 as its own interface,
# e.g. config interface 'vpn' / option ifname 'tun0' / option proto 'none',
# so it can be placed in its own firewall zone.
option 'ifname' 'eth1 tun0'
# WAN uplink; receives the public address 72.209.203.184 via DHCP.
config 'interface' 'wan'
option 'ifname' 'eth0'
option 'proto' 'dhcp'
# Switch: all ports in VLAN 1, which is the LAN side.
config 'switch'
option 'name' 'eth1'
option 'reset' '1'
option 'enable_vlan' '1'
config 'switch_vlan'
option 'device' 'eth1'
option 'vlan' '1'
option 'ports' '0 1 2 3 4'
option 'vid' '1'
config 'switch_port'
option 'pvid' '1'
option 'port' '0'
config 'switch_port'
option 'pvid' '1'
option 'port' '1'
config 'switch_port'
option 'pvid' '1'
option 'port' '2'
config 'switch_port'
option 'pvid' '1'
option 'port' '3'
config 'switch_port'
option 'pvid' '1'
option 'port' '4'
config 'switch_port'
option 'pvid' '1'
option 'port' '5'
output of route on the RSP:
root@OpenWrt:/etc/config# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
187.63.22.57 ip72-209-200-1. 255.255.255.255 UGH 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
72.209.200.0 * 255.255.252.0 U 0 0 0 eth0
default ip72-209-200-1. 0.0.0.0 UG 0 0 0 eth0
OpenWRT firewall rules
# Global defaults: forwarding is denied unless a zone or forwarding
# section below allows it.
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
option disable_ipv6 1
config zone
option name lan
option network 'lan'
option input ACCEPT
option output ACCEPT
option forward REJECT
# WAN zone: masquerades LAN traffic out eth0, which is exactly the path the
# question wants to move into the tunnel.
config zone
option name wan
option network 'wan'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
# NOTE(review): there is no zone for tun0, so once tun0 is its own interface
# the default 'forward REJECT' drops LAN->tunnel traffic. A matching zone
# (name vpn, network 'vpn', input REJECT, output ACCEPT, forward REJECT,
# masq 1, mtu_fix 1) plus a forwarding with src lan / dest vpn is needed —
# assuming the RSP, not the VPS, does the NAT for 192.168.1.0/24.
config forwarding
option src lan
option dest wan
# Stock OpenWrt input rules for the WAN side (DHCP renewals, ping, IPv6
# housekeeping); nothing here affects tunnel routing.
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
# (not shown on this page — check it for any NAT/route rules that interact
# with the tunnel)
config include
option path /etc/firewall.user
# NOTE(review): this opens TCP/443 inbound from the WAN on the RSP itself.
# The RSP is the OpenVPN *client* (nobind, connecting out to the VPS), so it
# does not need to accept 443; unless some other service on the RSP listens
# on 443, remove this rule to avoid exposing the router unnecessarily.
config rule
option target ACCEPT
option dest_port 443
option src wan
option proto tcp
option family ipv4