First time poster, long time lurker.
I took the plunge and purchased the top of the range router to hopefully serve my openvpn requirements.
I run a DOCSIS cable connection benching around 115Mbps. I run the ERP-8 in the WAN+2LAN wizard configuration. A single HP unmanaged switch connects all clients and APs to eth0.
I would like to benchmark numerous commercial VPN hosts, so I have taken the approach of creating /config/auth/openvpn containing subdirs for each VPN provider with a .ovpn for each server they have. There is a link at /config/auth/openvpn/openvpn.ovpn that points to the config to be tested.
I have tested my connection manually like so:
root@ubnt:/config/auth# openvpn openvpn.ovpn
Wed Dec 28 12:22:52 2016 OpenVPN 2.3.2 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 5 2014
Wed Dec 28 12:22:52 2016 Control Channel Authentication: tls-auth using INLINE static key file
Wed Dec 28 12:22:52 2016 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Dec 28 12:22:52 2016 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Dec 28 12:22:52 2016 Socket Buffers: R=[294912->1048576] S=[294912->589824]
Wed Dec 28 12:22:52 2016 UDPv4 link local: [undef]
Wed Dec 28 12:22:52 2016 UDPv4 link remote: [AF_INET]45.56.158.14:1195
Wed Dec 28 12:22:52 2016 TLS: Initial packet from [AF_INET]45.56.158.14:1195, sid=b9958d25 822df337
Wed Dec 28 12:22:52 2016 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Wed Dec 28 12:22:52 2016 VERIFY OK: nsCertType=SERVER
Wed Dec 28 12:22:52 2016 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-783-1a, emailAddress=support@expressvpn.com
Wed Dec 28 12:22:52 2016 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-783-1a, emailAddress=support@expressvpn.com
Wed Dec 28 12:22:53 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Dec 28 12:22:53 2016 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Dec 28 12:22:53 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Dec 28 12:22:53 2016 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Dec 28 12:22:53 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Dec 28 12:22:53 2016 [Server-783-1a] Peer Connection Initiated with [AF_INET]45.56.158.14:1195
Wed Dec 28 12:22:55 2016 SENT CONTROL [Server-783-1a]: 'PUSH_REQUEST' (status=1)
Wed Dec 28 12:22:55 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.28.0.1,route 10.28.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.28.1.66 10.28.1.65'
Wed Dec 28 12:22:55 2016 OPTIONS IMPORT: timers and/or timeouts modified
Wed Dec 28 12:22:55 2016 OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec 28 12:22:55 2016 OPTIONS IMPORT: route options modified
Wed Dec 28 12:22:55 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Dec 28 12:22:55 2016 ROUTE_GATEWAY xxx.xxx.0.1/255.255.192.0 IFACE=eth1 HWADDR=xx:xx:xx:xx:xx:xx
Wed Dec 28 12:22:55 2016 TUN/TAP device tun0 opened
Wed Dec 28 12:22:55 2016 TUN/TAP TX queue length set to 100
Wed Dec 28 12:22:55 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Dec 28 12:22:55 2016 /sbin/ip link set dev tun0 up mtu 1500
Wed Dec 28 12:22:55 2016 /sbin/ip addr add dev tun0 local 10.28.1.66 peer 10.28.1.65
Wed Dec 28 12:22:57 2016 /sbin/ip route add 45.56.158.14/32 via xxx.xxx.0.1
Wed Dec 28 12:22:57 2016 /sbin/ip route add 0.0.0.0/1 via 10.28.1.65
Wed Dec 28 12:22:57 2016 /sbin/ip route add 128.0.0.0/1 via 10.28.1.65
Wed Dec 28 12:22:57 2016 /sbin/ip route add 10.28.0.1/32 via 10.28.1.65
Wed Dec 28 12:22:57 2016 Initialization Sequence Completed
To my knowledge that means the openvpn config is correct and has connected.
At this point I have googled but do not have the networking knowledge to know what to do next and how to apply others' solutions to my setup. After benchmarking I will decide how I would like to split the traffic between vpn and unencrypted.
I will post my benchmarks back to the community for those wanting to do the same with this router, if someone can help me get this going.
Cheers,
drvik