How do I route all traffic from clients connected to the DD-WRT to its OpenVPN tunnel tun0?
I am setting up a secondary (DD-WRT) router to act as an OpenVPN client so that all clients would get VPN access simply by connecting to the router. But it seems clients' traffic is always routed via the main gateway instead of the established VPN tunnel.
SETUP
ISP modem+router(gateway) <--LAN cable--> DD-WRT OpenVPN client <--LAN/WIFI--> clients
This secondary DD-WRT OpenVPN client can connect to the remote OpenVPN server ok.
I can ping hosts in the server side subnet by first telnetting into the DD-WRT.
The OpenVPN server also shows that the DD-WRT client is connected properly.
wget -O - http://icanhazip.com returns the remote server's public IP.
So the tunnel is up properly.
PROBLEM
Traffic from clients connected to my DD-WRT is routed through my gateway router, not through the VPN tunnel tun0.
I think I need to forward traffic from the br0 interface to the tun0 interface. I have tried the following iptables rules and checked that IPv4 forwarding is enabled.
cat /proc/sys/net/ipv4/ip_forward ==> 1
cat /proc/sys/net/ipv4/conf/tun0/forwarding ==> 1
cat /proc/sys/net/ipv4/conf/br0/forwarding ==> 1
# These rules are saved by pressing the 'Save firewall' button
# and rebooting the DD-WRT router.
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
And separately
# These rules are saved by pressing the 'Save firewall' button
# and rebooting the DD-WRT router.
iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.66.0/24 -d 192.168.2.0/24 -j ACCEPT
SETTINGS
ISP modem+gateway router
No settings modified. It is as ISP has set it.
DD-WRT OpenVPN client
- Firmware: DD-WRT v24-sp2 (08/12/10) vpn
- SPI firewall: Disabled
- WAN: Disabled
- Operating mode: Router (this disables NAT, right?)
- Gateway: 192.168.2.1
- Local DNS: 8.8.8.8
- NTP client: Enabled
I don't post VPN server/client configs because the client can connect to the server without errors and both ping and wget commands work properly from inside the DD-WRT.
So, my question is:
How do I route all traffic from clients connected to the DD-WRT to its OpenVPN tunnel tun0? Am I using iptables incorrectly? Add a new route perhaps?
If some info is missing please ask. Thank you in advance! :)
P.S. More info below.
ROUTING TABLE (after VPN tunnel is up)
root@DD-WRT:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
87.219.xxx.xxx 192.168.2.1 255.255.255.255 UGH 0 0 0 br0
192.168.66.1 192.168.66.5 255.255.255.255 UGH 0 0 0 tun0
192.168.66.5 * 255.255.255.255 UH 0 0 0 tun0
192.168.5.0 192.168.66.5 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 * 255.255.255.0 U 0 0 0 br0
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.66.5 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 192.168.66.5 128.0.0.0 UG 0 0 0 tun0
default 192.168.2.1 0.0.0.0 UG 0 0 0 br0
IP ROUTE SHOW
root@DD-WRT:~# ip route show
87.219.xxx.xxx via 192.168.2.1 dev br0
192.168.66.1 via 192.168.66.5 dev tun0
192.168.66.5 dev tun0 proto kernel scope link src 192.168.66.6
192.168.5.0/24 via 192.168.66.5 dev tun0
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.160
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
127.0.0.0/8 dev lo scope link
0.0.0.0/1 via 192.168.66.5 dev tun0
128.0.0.0/1 via 192.168.66.5 dev tun0
default via 192.168.2.1 dev br0
IP RULE SHOW
root@DD-WRT:~# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
OpenVPN CLIENT LOG
root@DD-WRT:~# cat /var/log/messages | grep openvpn
May 24 15:47:21 DD-WRT daemon.notice openvpn[699]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 12 2010
May 24 15:47:21 DD-WRT daemon.warn openvpn[699]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
May 24 15:47:21 DD-WRT daemon.notice openvpn[702]: UDPv4 link local: [undef]
May 24 15:47:21 DD-WRT daemon.notice openvpn[702]: UDPv4 link remote: 87.219.xxx.xxx:1194
May 24 15:47:23 DD-WRT daemon.notice openvpn[702]: [server] Peer Connection Initiated with 87.219.xxx.xxx:1194
May 24 15:47:25 DD-WRT daemon.notice openvpn[702]: TUN/TAP device tun0 opened
May 24 15:47:25 DD-WRT daemon.notice openvpn[702]: /sbin/ifconfig tun0 192.168.66.6 pointopoint 192.168.66.5 mtu 1500
May 24 15:47:26 DD-WRT daemon.notice openvpn[702]: Initialization Sequence Completed
IFCONFIG
root@DD-WRT:~# ifconfig
br0
Link encap:Ethernet HWaddr 00:1D:73:55:1C:A4
inet addr:192.168.2.160 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:14119 errors:0 dropped:0 overruns:0 frame:0
TX packets:10639 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2068891 (1.9 MiB) TX bytes:5382302 (5.1 MiB)
br0:0
Link encap:Ethernet HWaddr 00:1D:73:55:1C:A4
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
eth0
Link encap:Ethernet HWaddr 00:1D:73:55:1C:A4
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13136 errors:0 dropped:0 overruns:0 frame:0
TX packets:10847 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2180726 (2.0 MiB) TX bytes:5517739 (5.2 MiB)
Interrupt:4
eth1
Link encap:Ethernet HWaddr 00:1D:73:55:1C:A6
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:210 errors:0 dropped:0 overruns:0 frame:198105
TX packets:3683 errors:14 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:41273 (40.3 KiB) TX bytes:963954 (941.3 KiB)
Interrupt:2 Base address:0x5000
lo
Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:28 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2034 (1.9 KiB) TX bytes:2034 (1.9 KiB)
tun0
Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.66.6 P-t-P:192.168.66.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:56 errors:0 dropped:0 overruns:0 frame:0
TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4734 (4.6 KiB) TX bytes:4428 (4.3 KiB)
vlan0
Link encap:Ethernet HWaddr 00:1D:73:55:1C:A4
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13135 errors:0 dropped:0 overruns:0 frame:0
TX packets:10847 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1944080 (1.8 MiB) TX bytes:5466622 (5.2 MiB)
Here I'm assuming that the LAN and VPN interfaces on the server are br0 and tun0, respectively.
# Enable IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow postrouting to tun0. You may want to use "-s" here to strictly limit forwarding to IPs on your LAN.
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Enable forwarding from the LAN to the VPN (and back via related and established connections).
# Again, you may want to use "-s".
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
It works for me on an OpenWrt router, and comes from @Xyne https://bbs.archlinux.org/viewtopic.php?pid=1208721#p1208721
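The answer's rules restricted to the LAN subnet with -s, plus a check that the two def1 halves (0.0.0.0/1 and 128.0.0.0/1) seen in the question's ip route output actually point at tun0. This is an added example, not code from either poster; it assumes the names from the post (br0, tun0, 192.168.2.0/24) and adds one DROP rule as a hardening assumption so that a dropped tunnel does not let LAN flows fall back to the ISP gateway.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Assumed names from the post:
# LAN bridge br0, OpenVPN device tun0, LAN subnet 192.168.2.0/24.
LAN_IF=br0
VPN_IF=tun0
LAN_NET=192.168.2.0/24

# Emit the firewall rules as text so they can be reviewed before being run.
# Forwarding and NAT are limited to $LAN_NET, as the answer suggests; the last
# rule (an added assumption) drops new LAN flows that would leave by any path
# other than the tunnel, instead of letting them out via the gateway on br0.
vpn_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF ! -o $VPN_IF -m conntrack --ctstate NEW -j DROP
EOF
}

# Read "ip route show" output on stdin; return 0 only when both redirect-gateway
# halves (0.0.0.0/1 and 128.0.0.0/1) go through the tunnel device, 1 otherwise.
tunnel_routes_ok() {
    routes=$(cat)
    printf '%s\n' "$routes" | grep -q "^0\.0\.0\.0/1 via [0-9.]* dev $VPN_IF" || return 1
    printf '%s\n' "$routes" | grep -q "^128\.0\.0\.0/1 via [0-9.]* dev $VPN_IF" || return 1
    return 0
}

# Turn on forwarding (as the answer does) and apply the rules on the router.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    vpn_rules | sh -e
}

# Usage on the router:  ip route show | sh vpn-forward.sh check ; sh vpn-forward.sh apply
case "${1:-}" in
    apply) apply_rules ;;
    check) if tunnel_routes_ok; then echo "tunnel routes OK"; else echo "tunnel routes MISSING"; exit 1; fi ;;
esac
```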