This is quite different than the original description, and it appears you have now edited that post for more clarity.
Your printer should remain connected to your main network. You'll actually setup your Pi with OpenVPN server (or you could use Wireguard which is easier and more performant). Your Pi will be a client on your main network and will simply allow LAN access (you can limit the extent of that access, of course). You'll need to forward the VPN port from your main router to your OpenWrt Pi in order to allow external clients to connect to your VPN.
With that in mind, it makes sense to completely reset your Pi now and start over.
I'd recommend using Wireguard in the "road warrior" type configuration:
Your Pi should be purely a vpn server. It will allow LAN access as needed/desired. But nothing should be connecting to the Wifi from the Pi. All of your devices should be connected to your main network
I don't see which machine is the OpenVPN server. The OpenVPN server should be configured to push a route to 192.168.30.0/24 gatewayed by the VPN tunnel endpoint that hosts that network (100.96.1.3). Or these routes can be manually installed on each client. This assumes that the Pi remains at 10.96.1.3-- depending on the order that clients connect to the VPN server, they may receive a different IP via OpenVPN's automatic IP assignment. (That would not be an issue if the Pi itself is the OpenVPN server, but that depends on being able to configure its upstream to have a port open for incoming connections from the Internet.)
Or you might be able to bridge the wifi AP for the printer directly with the VPN tunnel, and make the printer a device on the tunnel itself, e.g. 100.96.1.4. Then the other clients could reach it as a single hop without needing an additional route. I have never actually tried that though.
The usual advice to run Wireguard instead of OpenVPN definitely applies here.
Configure the OpenVPN server to push a route 192.168.30.0/24 via 100.96.0.3.
In the OpenWrt firewall on the Pi, make sure that forwarding from the VPN zone to the printer zone is enabled. Or place both of those networks in the same zone and make sure that forwarding is enabled on the zone. NAT (masquerade) must be turned off on these zones since this is a case of symmetric routing.
Configure the Pi to reserve an easy to remember DHCP IP for the printer. You will need to manually enter this IP into the printer driver on the other endpoints. Automatic discovery does not work across networks.
C:\>tracert google.co.in
Tracing route to google.co.in [172.217.167.227]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms OpenWrt.lan [192.168.30.1]
2 7 ms 4 ms 2 ms 192.168.29.1
3 6 ms 5 ms 6 ms 10.15.216.1
4 19 ms 15 ms 15 ms 172.16.89.153
5 17 ms 14 ms 16 ms 192.168.107.114
6 19 ms 15 ms 14 ms 172.26.110.20
7 20 ms 16 ms 15 ms 172.26.110.34
8 17 ms 15 ms 14 ms 192.168.42.46
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 73 ms 57 ms 56 ms 142.251.77.29
16 72 ms 64 ms 63 ms 172.253.67.91
17 63 ms 60 ms 58 ms del11s04-in-f3.1e100.net [172.217.167.227]
Trace complete.
C:\>tracert 100.96.1.2
Tracing route to 100.96.1.2 over a maximum of 30 hops
1 1 ms 1 ms 1 ms OpenWrt.lan [192.168.30.1]
2 63 ms 56 ms 55 ms 103.26.204.252
3 57 ms 63 ms 56 ms 129.227.217.68
4 388 ms 304 ms 304 ms 100.96.1.2
Trace complete.
C:\>