VPN help, IP is still exposed

I have OpenWrt 18.06.0-rc2 on a WRT32X. My problem is that I can't get openvpn to work. I can browse the web fine from my machine, but my IP is exposed and it's not going through my VPN.

In my /etc/config/openvpn file, I have this section ...

config openvpn 'pia_client'
        option dev 'tun'
        option nobind '1'
        option verb '3'
        option comp_lzo 'yes'
        option keepalive '10 120'
        option persist_tun '1'
        option persist_key '1'
        option client '1'
        option auth_user_pass '/etc/openvpn/userpass.txt'
        list remote 'us-houston.privateinternetaccess.com'
        option remote_random '1'
        option proto 'udp'
        option auth_nocache '1'
        option remote_cert_tls 'server'
        option crl_verify '/etc/openvpn/crl.rsa.2048.pem'
        option tls_client '1'
        option resolv_retry 'infinite'
        option ca '/etc/openvpn/ca.rsa.2048.crt'
        option enabled '1'

I've added the following to /etc/config/firewall

config zone
        option name 'VPN_FW'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'PIA_VPN'

config forwarding
        option dest 'VPN_FW'
        option src 'lan'

And here is the system log ...

Mon Sep  3 13:55:45 2018 daemon.notice openvpn(pia_client)[4109]: Restart pause, 5 second(s)
Mon Sep  3 13:55:50 2018 daemon.notice openvpn(pia_client)[4109]: TCP/UDP: Preserving recently used remote address: [AF_INET]205.251.148.146:1194
Mon Sep  3 13:55:50 2018 daemon.notice openvpn(pia_client)[4109]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Sep  3 13:55:50 2018 daemon.notice openvpn(pia_client)[4109]: UDP link local: (not bound)
Mon Sep  3 13:55:50 2018 daemon.notice openvpn(pia_client)[4109]: UDP link remote: [AF_INET]205.251.148.146:1194
Mon Sep  3 13:55:50 2018 daemon.notice openvpn(pia_client)[4109]: TLS: Initial packet from [AF_INET]205.251.148.146:1194, sid=ddebc8f3 3db33979
Mon Sep  3 13:55:50 2018 daemon.err openvpn(pia_client)[4109]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Mon Sep  3 13:55:50 2018 daemon.err openvpn(pia_client)[4109]: OpenSSL: error:14090086:lib(20):func(144):reason(134)
Mon Sep  3 13:55:50 2018 daemon.err openvpn(pia_client)[4109]: TLS_ERROR: BIO read tls_read_plaintext error
Mon Sep  3 13:55:50 2018 daemon.err openvpn(pia_client)[4109]: TLS Error: TLS object -> incoming plaintext read error
Mon Sep  3 13:55:50 2018 daemon.err openvpn(pia_client)[4109]: TLS Error: TLS handshake failed
Mon Sep  3 13:55:50 2018 daemon.notice openvpn(pia_client)[4109]: SIGUSR1[soft,tls-error] received, process restarting
Mon Sep  3 13:55:50 2018 daemon.notice openvpn(pia_client)[4109]: Restart pause, 5 second(s)

I also have an unmanaged tun interface called PIA_VPN.

Anyone see where I'm going wrong?

Post the results of ip route show

$ ip route show
default via 192.168.10.1 dev eno1 metric 2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.10.0/24 dev eno1 proto kernel scope link src 192.168.10.10

The VPN isn't negotiating TLS because of the above error, so the VPN is never established. Are you using the correct certificate for the target server?

See https://www.privateinternetaccess.com/archive/forum/discussion/23146/verify-error-self-signed-certificate-in-certificate-chain-bad-ca-rsa-2048-crt (first result for a Google search for "private internet access" "self signed certificate")

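As an added example (not code from the thread, from OpenVPN or from PIA), the following POSIX shell script does the triage the reply above does by eye: it classifies OpenVPN client lines from logread into the failure categories that appear in this thread and reports whether the tunnel ever came up after the last failure. The sample lines are constructed from the thread's log with the CA subject shortened; on the router you would feed it the output of `logread | grep openvpn`.

```shell
#!/bin/sh
# Added example: classify OpenVPN client log lines and summarise tunnel state.
# Categories:
#   cert-verify  VERIFY ERROR (in this thread: wrong CA file for the server)
#   tls-fail     TLS handshake / TLS object errors that follow a verify failure
#   restart      OpenVPN gave up and is restarting (SIGUSR1)
#   fw-blocked   "write UDP: Operation not permitted", usually a firewall rule
#                rejecting the outbound packet (seen here during a reload)
#   up           "Initialization Sequence Completed"

# Constructed sample: the second log in the thread, tunnel comes up.
SAMPLE_LOG='Mon Sep  3 15:21:01 2018 daemon.err openvpn(pia_client)[2295]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: O=Example CA
Mon Sep  3 15:21:01 2018 daemon.err openvpn(pia_client)[2295]: write UDP: Operation not permitted (code=1)
Mon Sep  3 15:21:03 2018 daemon.notice openvpn(pia_client)[2295]: [939e298938da0802aae153459a41c1b2] Peer Connection Initiated with [AF_INET]162.216.46.143:1198
Mon Sep  3 15:21:09 2018 daemon.notice openvpn(pia_client)[2295]: Initialization Sequence Completed'

# Constructed sample: the first log in the thread, CA mismatch, never comes up.
SAMPLE_LOG_FAILED='Mon Sep  3 13:55:50 2018 daemon.err openvpn(pia_client)[4109]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: O=Example CA
Mon Sep  3 13:55:50 2018 daemon.err openvpn(pia_client)[4109]: TLS_ERROR: BIO read tls_read_plaintext error
Mon Sep  3 13:55:50 2018 daemon.err openvpn(pia_client)[4109]: TLS Error: TLS handshake failed
Mon Sep  3 13:55:50 2018 daemon.notice openvpn(pia_client)[4109]: SIGUSR1[soft,tls-error] received, process restarting'

# classify_line LINE -> one category name on stdout
classify_line() {
    case "$1" in
        *"VERIFY ERROR"*)                       echo cert-verify ;;
        *"TLS Error"*|*"TLS_ERROR"*)            echo tls-fail ;;
        *"process restarting"*)                 echo restart ;;
        *"write UDP: Operation not permitted"*) echo fw-blocked ;;
        *"Initialization Sequence Completed"*)  echo up ;;
        *)                                      echo other ;;
    esac
}

# tunnel_state LOGTEXT -> the last decisive category seen ("up" means the
# tunnel completed after any earlier failure), or "unknown" if none matched.
tunnel_state() {
    printf '%s\n' "$1" | {
        state=unknown
        while IFS= read -r line; do
            c=$(classify_line "$line")
            [ "$c" != other ] && state=$c
        done
        echo "$state"
    }
}

# count_category LOGTEXT CATEGORY -> number of lines in that category
count_category() {
    printf '%s\n' "$1" | {
        n=0
        while IFS= read -r line; do
            [ "$(classify_line "$line")" = "$2" ] && n=$((n + 1))
        done
        echo "$n"
    }
}

# report LOGTEXT -> one-line summary a human can read at a glance
report() {
    printf 'state=%s cert-verify=%s tls-fail=%s fw-blocked=%s\n' \
        "$(tunnel_state "$1")" \
        "$(count_category "$1" cert-verify)" \
        "$(count_category "$1" tls-fail)" \
        "$(count_category "$1" fw-blocked)"
}

# Stand-alone run over both constructed samples.
report "$SAMPLE_LOG_FAILED"
report "$SAMPLE_LOG"
```

A state of `restart` with a non-zero `cert-verify` count is the situation the original poster was in: the CA file does not match the server's chain, so no tunnel exists and nothing is "exposed" by the VPN yet, it simply is not used.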

So I had a mismatch of certificates, which I believe is fixed now. It appears to be connecting, however, now I can't get out w/ the browser from the host machine that's connected to the wrt32x. I can still browse the luci pages and make changes.

Here's the new system log ...

Mon Sep  3 15:21:00 2018 daemon.err odhcp6c[1903]: Failed to send DHCPV6 message to ff02::1:2 (Address not available)
Mon Sep  3 15:21:01 2018 daemon.notice openvpn(pia_client)[2295]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Sep  3 15:21:01 2018 daemon.notice openvpn(pia_client)[2295]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Mon Sep  3 15:21:01 2018 daemon.notice procd: /etc/rc.d/S96led: setting up led WAN
Mon Sep  3 15:21:01 2018 daemon.notice procd: /etc/rc.d/S96led: setting up led USB 1
Mon Sep  3 15:21:01 2018 daemon.notice procd: /etc/rc.d/S96led: setting up led USB 2
Mon Sep  3 15:21:01 2018 daemon.notice procd: /etc/rc.d/S96led: setting up led USB 2 SS
Mon Sep  3 15:21:01 2018 daemon.notice openvpn(pia_client)[2295]: TCP/UDP: Preserving recently used remote address: [AF_INET]162.216.46.143:1198
Mon Sep  3 15:21:01 2018 daemon.notice openvpn(pia_client)[2295]: UDP link local: (not bound)
Mon Sep  3 15:21:01 2018 daemon.notice openvpn(pia_client)[2295]: UDP link remote: [AF_INET]162.216.46.143:1198
Mon Sep  3 15:21:01 2018 daemon.warn openvpn(pia_client)[2295]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep  3 15:21:01 2018 daemon.info procd: - init complete -
Mon Sep  3 15:21:01 2018 user.notice firewall: Reloading firewall due to ifup of PIA_VPN (eth0)
Mon Sep  3 15:21:01 2018 daemon.err openvpn(pia_client)[2295]: write UDP: Operation not permitted (code=1)
Mon Sep  3 15:21:01 2018 kern.info kernel: [   17.689334] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
Mon Sep  3 15:21:02 2018 user.notice firewall: Reloading firewall due to ifup of wan (eth1.2)
Mon Sep  3 15:21:03 2018 daemon.notice openvpn(pia_client)[2295]: [939e298938da0802aae153459a41c1b2] Peer Connection Initiated with [AF_INET]162.216.46.143:1198
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[1662]: exiting on receipt of SIGTERM
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: started, version 2.80test2 cachesize 150
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: DNS service limited to local subnets
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq-dhcp[2655]: DHCP, IP range 192.168.10.100 -- 192.168.10.249, lease time 12h
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain test
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain onion
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain localhost
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain local
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain invalid
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain bind
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain lan
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: reading /tmp/resolv.conf.auto
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain test
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain onion
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain localhost
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain local
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain invalid
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain bind
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using local addresses only for domain lan
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using nameserver 209.222.18.222#53
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using nameserver 209.222.18.218#53
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using nameserver 75.75.75.75#53
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: using nameserver 75.75.76.76#53
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: read /etc/hosts - 4 addresses
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq[2655]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Mon Sep  3 15:21:04 2018 daemon.info dnsmasq-dhcp[2655]: read /etc/ethers - 0 addresses
Mon Sep  3 15:21:09 2018 daemon.notice openvpn(pia_client)[2295]: TUN/TAP device tun0 opened
Mon Sep  3 15:21:09 2018 daemon.notice openvpn(pia_client)[2295]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Sep  3 15:21:09 2018 daemon.notice openvpn(pia_client)[2295]: /sbin/ifconfig tun0 10.3.10.6 pointopoint 10.3.10.5 mtu 1500
Mon Sep  3 15:21:09 2018 daemon.notice openvpn(pia_client)[2295]: Initialization Sequence Completed
Mon Sep  3 15:22:58 2018 daemon.err uhttpd[1843]: luci: accepted login on /admin for root from 192.168.10.10

If I try to ping ...

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=2 Destination Port Unreachable
From 192.168.10.1 icmp_seq=3 Destination Port Unreachable

In the LAN interface page, I have 'use custom DNS servers' set to my VPN DNS servers. I also have the DNS nameserver entries in my /etc/resolv.conf.

You have to ping 8.8.8.8 -I <IP_OF_VPN_INTERFACE> to ensure you're testing the VPN.

I should have clarified. The pings I was doing were from my host machine, not the router.

From the router, I can ping on the tun0 interface as well as the eth1.2 (WAN). So my VPN connection does indeed seem to be working, but not sure why my linux machine can't go through.

Shouldn't I be able to ping from the br-lan interface on the WRT, which is the gateway for my linux machine? Though I'm confused about the PIA_VPN interface. In "physical settings", the interface shows as "Ethernet switch: eth0 (PIA_VPN)". And I cannot ping 8.8.8.8 via eth0. I can via tun0, though I don't see where I have tun0 set up. I do have an entry for dev tun in Networking of the Overview>>Instance of my "pia_client".

Please post your /etc/config/network file -- that may be the missing link.

Also, you might possibly want to include the following directive to the OpenVPN client config file if you want all traffic to go through the tunnel:
option redirect_gateway 'def1'


Ok, I added the redirect_gateway option, also, here's my network config. If anything doesn't look right, please inform.

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd82:a37a:1fa3::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.10.1'
    option broadcast '192.168.10.255'
    option dns '209.222.18.222 209.222.18.218'

config interface 'wan'
    option ifname 'eth1.2'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth1.2'
    option proto 'dhcpv6'
    option reqaddress 'try'
    option reqprefix 'auto'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 5t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 6t'

config interface 'PIA_VPN'
    option proto 'none'
    option ifname 'eth0'
    option auto '1'

This is very likely your problem. The interface for your VPN is not eth0, it is the tunnel (probably either tun or tun0).
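To make the two findings in this thread checkable rather than eyeballed, here is an added example script (not from the thread, from OpenWrt or from PIA). It parses a /etc/config/network fragment and `ip route show` output and reports whether the PIA_VPN interface binds the OpenVPN tunnel device and whether outbound traffic is actually routed into it. It goes slightly beyond the thread by handling the `redirect_gateway 'def1'` case, where OpenVPN installs 0.0.0.0/1 and 128.0.0.0/1 routes via the tunnel and leaves the original default route in place. The config and route text are constructed (203.0.113.0/24 stands in for the WAN subnet; the tunnel addresses and server IP are the ones in the thread's log); the uci commands in the comments are the fix the thread arrives at.

```shell
#!/bin/sh
# Added example (not from the thread, OpenWrt or PIA): verify that the VPN
# interface binds the tunnel device and that traffic is routed into it.
# On the router, run:
#   check_vpn_routing "$(cat /etc/config/network)" "$(ip route show)"
# The fix the thread arrives at, in uci form:
#   uci set network.PIA_VPN.ifname='tun0'; uci commit network
#   uci set openvpn.pia_client.redirect_gateway='def1'; uci commit openvpn
#   /etc/init.d/network reload; /etc/init.d/openvpn restart

# Constructed /etc/config/network fragments: the poster's (eth0) and the fixed one.
BAD_NETWORK="config interface 'PIA_VPN'
    option proto 'none'
    option ifname 'eth0'
    option auto '1'"

GOOD_NETWORK="config interface 'PIA_VPN'
    option proto 'none'
    option ifname 'tun0'
    option auto '1'"

# Constructed 'ip route show' output before and after redirect_gateway def1.
# 203.0.113.0/24 is a stand-in WAN subnet.
ROUTES_BYPASS="default via 203.0.113.1 dev eth1.2  src 203.0.113.50
10.3.10.5 dev tun0 scope link  src 10.3.10.6
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1
203.0.113.0/24 dev eth1.2 scope link  src 203.0.113.50"

ROUTES_TUNNEL="0.0.0.0/1 via 10.3.10.5 dev tun0
default via 203.0.113.1 dev eth1.2  src 203.0.113.50
10.3.10.5 dev tun0 scope link  src 10.3.10.6
128.0.0.0/1 via 10.3.10.5 dev tun0
162.216.46.143 via 203.0.113.1 dev eth1.2
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1
203.0.113.0/24 dev eth1.2 scope link  src 203.0.113.50"

# uci_ifname SECTION CONFIGTEXT -> the 'option ifname' value of that interface
uci_ifname() {
    printf '%s\n' "$2" | awk -v want="$1" -v q="'" '
        $1 == "config" && $2 == "interface" { sec = $3; gsub(q, "", sec); next }
        $1 == "option" && $2 == "ifname" && sec == want { v = $3; gsub(q, "", v); print v; exit }
    '
}

# effective_default_dev ROUTES -> device that carries traffic to the Internet.
# With def1 the two /1 routes win over "default" by longest prefix match, so
# they take precedence when both are present and agree.
effective_default_dev() {
    printf '%s\n' "$1" | awk '
        function dev_of(   i) { for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1); return "" }
        $1 == "0.0.0.0/1"   { lo = dev_of() }
        $1 == "128.0.0.0/1" { hi = dev_of() }
        $1 == "default"     { def = dev_of() }
        END { if (lo != "" && lo == hi) print lo; else print def }
    '
}

# check_vpn_routing CONFIGTEXT ROUTES -> prints findings; exit 0 only if both
# the interface binding and the effective default route use a tun device.
check_vpn_routing() {
    ifn=$(uci_ifname PIA_VPN "$1")
    dev=$(effective_default_dev "$2")
    rc=0
    case "$ifn" in
        tun*) ;;
        *) echo "PIA_VPN binds '$ifn'; expected the OpenVPN tunnel device (tun0)"; rc=1 ;;
    esac
    case "$dev" in
        tun*) ;;
        *) echo "outbound traffic leaves via '$dev', not the tunnel"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "ok: PIA_VPN binds $ifn and Internet traffic is routed into $dev"
    return "$rc"
}

# Stand-alone run: the poster's setup fails both checks, the fixed one passes.
check_vpn_routing "$BAD_NETWORK" "$ROUTES_BYPASS" || true
check_vpn_routing "$GOOD_NETWORK" "$ROUTES_TUNNEL"
```

The firewall zone VPN_FW in the thread is keyed on the network name PIA_VPN, so once PIA_VPN points at tun0 the existing lan-to-VPN_FW forwarding and masquerading apply to the tunnel without further changes.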

Which VPN are you using?
I'm using CyberGhost VPN, which is working great for me; I have never had any issue with it. CyberGhost is one of the best cheap VPNs that keeps your identity anonymous and also doesn't compromise your internet speed. I would recommend you try it, and the best part is that it also gives a money back guarantee. If you are still confused about VPNs, then here: https://www.reviewsdir.com/best-vpn-services/ you will get a guide to the best VPN services. It would help you choose which VPN to pick.