OpenWrt Forum Archive

Topic: OpenVPN on OpenWRT CHAOS CALMER 15.05, r46767 routing

The content of this topic has been archived on 24 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello OpenWRT developer team and the OpenWRT community...

I would like to reach out to all of you for help.

The issue - Setting up packet routing on OpenWRT OS running an OpenVPN instance.

There are multiple guides available on www.openwrt.org; however, most address very generic setup scenarios, mostly applicable to an enterprise(ish) kind of setup where two OpenWRT devices connect two remote sites via a VPN tunnel.

As someone who would like to use consumer-grade hardware at home and be able to use the power of Linux and open source code... the scenarios described in the tech wiki, at the end of the day, did not result in a properly running router with VPN and correctly set up routing.


I would argue that the average consumer would greatly benefit if someone who knows and understands the iptables routing of OpenWRT OS well enough were to write one reasonable guide with clear steps for setting up the routing.

I spent over a week reading the guides, it felt like all of them available on the i-net... the ones by openwrt.org, the off-site guides written by people who set this up on their own... and it never worked quite right, resulting in some frustrating time cursing and getting disappointed at the time wasted?! No, no, it was an experience, but a somewhat frustrating one.

The frustration came from the fact that I have a virtual pfSense instance running on the ESXi host at home doing everything I could possibly want/get out of a router. The downside is the electrical bill, and that's why using OpenWRT OS running on a small energy-efficient device sounded like a good idea.

Here is what I wanted to do:

1. To have a mobile/remote client connect via VPN, coming in from the i-net to the WAN interface of OpenWRT and into the internal LAN, and
    1.1 Communicate with local hosts in the LAN;
    1.2 Be able to reach back out to the i-net so that it appears as if the mobile/remote client's public IP is the one assigned to the cable modem at home.


2. All this using a 'tun' setup and NOT a bridge iface 'tap';
3. All this using the OpenWRT OS: OpenWrt Chaos Calmer 15.05 - r46767 / LuCI (git-15.248.30277-3836b45).


That's what pfSense is able to do with only one port open for incoming packets for the OpenVPN instance.


After spending countless hours reading the guides and setting things up according to the official OpenWRT wiki, all I was able to do... is to come in from WAN and be re-routed back to WAN. This means that the mobile device/client, by utilizing the secure tunnel, connects to the router at home and appears to have the public IP of my home ISP.

That was awesome but did not last long. I also wanted to be able to route the VPN 'tun' iface traffic into the local LAN, and after reading 15+ guides and trying things... the initial routing broke and I have never been able to replicate the setup that worked.

Now, I do anticipate the advice to read again and try it. Trust me, I did not want anyone to waste their time reading this for nothing, and so I attempted all of this before reaching out to the forum...

1. Reset the OS to factory settings (OpenWRT, that is) -> Start from a clean setup. => Did not work.
2. Tried to follow the guides from OpenWRT to a T WITHOUT modding things to fit my LAN, just to see if the original guides actually do work as written. => Never worked!
3. Followed a 3rd party guide... it worked, sort of, but the guy used tap bridging and placed the OpenVPN clients pull-list into the same subnet as the LAN, and that was not something I was looking for.

Following the OpenWRT wiki, I was able to very quickly get the secure VPN tunnel up and running and be able to reach the router from WAN, but once you are in... the internal routing within OpenWRT OS, from the 10.0.8.0/24 subnet into WAN and LAN, is just simply NOT happening. ;(

I tortured the OpenVPN server settings up and down, I reconfigured /etc/conf/firewall about a million times with the zone forwarding approach (tun0 is the iface of the VPN zone) and writing 'config rule' directives to the firewall. => None of it worked. Just none!

And yes! :) The /etc/firewall.user iptables custom directive approach was one of the configurations I've tried... with no success.

Now, I am relatively savvy with Linux in general, at least enough to be able to set up pfSense on a virtual host, and a custom separate DNS server (bind9) on an Ubuntu instance... so on and so forth, but what's happening within the OpenWRT OS with routing between subnets... I can't figure out :(

... and so that's why I am reaching out to the community. Guys, please help, there has got to be someone out there who has done it successfully and is willing to share. And if not, maybe at least clarify whether the setup of pfSense+OpenVPN I'm trying to replicate with OpenWRT+OpenVPN is something that is not realistic by default?!

Thank you in advance for your time.

PS: OpenWRT OS team - your documentation is absolutely horrible!!! But your project and the work that you do in your spare time is awesome. Thank you for all the work you do, and I do realize that you are not getting paid for any of it. You guys are the ones who bring some level of home router security back to the average, less tech advanced consumers. And that's huge and important. Thank you!

Yes, the openVPN GUI is not usable to config a server. You have to use your keyboard. I use the buttons to start and stop the service only.

Last weekend I wrote some bash scripts to set up a VPN server. See https://forum.openwrt.org/viewtopic.php?id=60546. If you like you could try my way and give me feedback.

My destination was to import the openVPN config from OPNsense (a pfSense fork) and I was successful.

I'm not quite sure what exactly the script you wrote is designed to do...
Are you saying to run this script on an existing pfSense instance... and it would parse the pfSense OpenVPN instance and produce an export file to be used to configure the OpenVPN instance running on OpenWRT OS?

Could you please clarify that?

Also, my post is related to the issue that there is no well-written guide explaining how to set up the internal routing of OpenWRT OS when the OpenVPN service is installed and meant to be used to provide a VPN tunnel for external and internal clients connecting, so that VPN traffic is terminated at the OpenWRT router AND forwarded to LAN and to WAN.

The script sets up an OpenVPN server with keys and routing to the local LAN on OpenWRT. It is possible to use the keys from pfSense, but it should be easier to create new ones on OpenWRT. And you could use the same client config for OpenWRT and pfSense.

Yes, the OpenVPN guide doesn't explain the routing through the networks. And my script opens the way from the VPN network to the LAN network.

And yes, I didn't understand your problem very well, sorry.

The discussion might have continued from here.
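
Added example, not part of any post in the thread or of the script linked from it: a constructed `/etc/config/firewall` fragment for the setup the first post asks for (a `vpn` zone on `tun0` forwarding to both `lan` and `wan`), with a small check that reports a missing forwarding. UDP port 1194, the rule name and the function names are assumptions; pushing routes to clients from the OpenVPN server is not covered.

```shell
# Constructed /etc/config/firewall fragment, not from the thread. Assumes OpenVPN
# on UDP 1194 and the stock 'lan'/'wan' zones, with masquerading enabled on 'wan'.
sample_firewall_config() {
cat <<'EOF'
config zone
	option name 'vpn'
	option device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-OpenVPN-Inbound'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'
EOF
}

# Read a firewall config on stdin; print the dest zone of each forwarding from zone $1.
forward_dests() {
	awk -v zone="$1" '
		function emit() { if (sect == "forwarding" && src == zone) print dest }
		$1 == "config" { emit(); sect = $2; src = ""; dest = ""; next }
		$1 == "option" { gsub(/\047/, "", $3)
			if ($2 == "src") src = $3
			if ($2 == "dest") dest = $3 }
		END { emit() }
	' | sort | tr '\n' ' '
}

# Read a firewall config on stdin; print which of vpn->lan and vpn->wan are missing.
missing_vpn_forwards() {
	have=" $(forward_dests vpn)"
	miss=""
	for z in lan wan; do case "$have" in *" $z "*) ;; *) miss="$miss$z " ;; esac; done
	printf '%s' "$miss"
}

sample_firewall_config | missing_vpn_forwards   # prints nothing: both forwardings exist
```

On a router the same check can be fed the live file with `missing_vpn_forwards < /etc/config/firewall`; it only inspects `config forwarding` sections and does not evaluate custom iptables rules in `/etc/firewall.user`.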