You should get used to the concept of vlans, hence "tagged ports".
Just like you do in LEDE, the interface LAN isn't bound to eth0 but eth0.1, and WAN isn't bound to eth1 but eth0.2.
This means: There's only one network interface connected to the CPU (eth0), and its vlan 1 is LAN and its vlan 2 is WAN.
In regular SoHo router setups, there's a vlan aware switch which makes Port0 expose "vlan 2 untagged" and Port1 through Port4 expose "vlan 1 untagged".
This results in having one WAN port and 4 LAN ports.
If you make a single port not "vlan n untagged" but "vlan 1 tagged as well as vlan 2 tagged", then you have a stream of all TCP packets for both LAN and WAN going through the same port.
And that's it. You create a "tagged" backbone (which means every vlan is transported).
Clearly this means you can't just plug a computer into the BananaPi's network interface and start configuring, since the computer won't understand tagged packets. But if you use a vlan aware switch to pull the vlans apart, you can. And anyway, the first configuration of my BananaPi (as well as of my RPi, back when I tried it) wasn't done through the network but through the TTL serial interface.
The hardware I use is the BPI-M1.
I'd still put the OpenVPN on the one and only main router. If, due to performance reasons, you decide to make an RPi your main router: Go for it, should be fine. Having multiple routes and multiple firewall settings on multiple devices is just painful to maintain.
Use a single device that has them all, VPN connections, ISP uplink, firewall rules and routing table.
All other devices in the network are
- either considered to be clients (computers, NAS, TV, Hifi, whatever) and therefore should not be bothered with any routing or VPN stuff
- or dumb APs and switches that might do vlan, but not a single bit of routing nor any actual "computing".
That's, imho, the best way to set things up and not get a huge headache in a couple of months when you try to change a tiny bit and need several days just to understand what you configured today.
That's the best advice I can give: Single point of configuration for VPN, routing and firewall.
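
Added example, not part of the original post: a simplified Python model of the tagged and untagged port behaviour described above, showing how a vlan aware switch classifies frames and why an untagged computer gets nowhere on a tagged-only port. The port maps, the sample frame and all function names are constructed for illustration.

```python
import struct

TPID = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed port maps: port -> {vlan id: "t" (tagged) or "u" (untagged)}
SOHO = {0: {2: "u"}, 1: {1: "u"}, 2: {1: "u"}, 3: {1: "u"}, 4: {1: "u"},
        "cpu": {1: "t", 2: "t"}}            # eth0.1 = LAN, eth0.2 = WAN
TRUNK = {0: {1: "t", 2: "t"}, "cpu": {1: "t", 2: "t"}}  # single tagged port
# Constructed untagged frame: broadcast dst, local src, EtherType IPv4
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after dst MAC + src MAC (12 bytes)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | vid) + frame[12:]

def strip_tag(frame: bytes):
    """Return (vid, untagged frame); vid is None when there is no tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != TPID:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]

def ingress(ports, port, frame):
    """Classify a frame arriving on `port`; None means the switch drops it."""
    vid, inner = strip_tag(frame)
    members = ports[port]
    if vid is None:  # untagged: goes to the port's untagged vlan, if any
        untagged = [v for v, mode in members.items() if mode == "u"]
        return (untagged[0], inner) if untagged else None
    # tagged: accepted only if the port is a tagged member of that vlan
    return (vid, inner) if members.get(vid) == "t" else None

def egress(ports, port, vid, inner):
    """Frame as it leaves `port`, or None if the port is not in the vlan."""
    mode = ports[port].get(vid)
    if mode is None:
        return None
    return add_tag(inner, vid) if mode == "t" else inner
```

Dropping tagged frames on ports that are not tagged members of that vlan is what keeps a device on a LAN port from placing traffic into the WAN vlan by tagging it itself.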