
help with OpenVPN client setup

Hi,

I have a very basic WAN + LAN SOHO setup on an Edgerouter POE with 2 Unifi APs. All of that is working great (I love it!), but the last thing I'm trying to set up is an OpenVPN client connection to Express VPN. My WAN is eth0, and eth2 - eth4 are the switch with my LAN and POE APs. I'd like all of the traffic on eth1 (my TV) to go through the VPN.

I added the vtun0 using my .ovpn file (the file includes certs) and it seems to be working ok. At first it was breaking my WAN internet connection, but I added route-nopull and that problem went away. I'm not seeing obvious error messages in the logs.

It's just that as soon as I try to route any traffic through the VPN it either doesn't work or it breaks my internet connection. The main problem is that I don't know what I'm doing. I have tried following a few different guides, but they all seem to use a different combo of route/nat/firewall and I'm obviously doing something wrong.

If someone could look at the info below and tell me what to add, I would really appreciate it. Even more amazing if it came with some comments as to what any additions are actually doing, because I'd really like to learn for next time.

Hoping someone is able to help me out. Thanks!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Here are the interfaces:


Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 <public IP removed>/24 u/u Internet
eth1 192.168.1.1/24 u/u Local
eth2 - u/u Local 2
eth3 - u/u Local 2
eth4 - u/u Local 2
lo 127.0.0.1/8 u/u
::1/128
switch0 192.168.2.1/24 u/u Local 2
vtun0 10.21.0.26 u/u

vpn config:

client
dev tun
fast-io
persist-key
persist-tun
nobind
remote usa-dallas-2-ca-version-2.expressnetw.com 1195

remote-random
route-nopull
comp-lzo
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512

<all certs also included in actual file - removed intentionally>

and config.boot file:


firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "Local 2"
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth4 {
        description "Local 2"
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/dallas.ovpn
        replace-default-route {
        }
    }
    switch switch0 {
        address 192.168.2.1/24
        description "Local 2"
        mtu 1500
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    config-management {
        commit-revisions 10
    }
    host-name ubnt
    login {
        user admin {
            authentication {
                encrypted-password $6$uGQ9HE2eM$.YHz1ZIpWF3LWWI4UQygQ3Hx4Yj0sgtS2k/.d/VlbYIQ7SbKUEyK/5EWBAhAXl6oppz9wnm0aw0dDJ.oNmo8R.
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.8.0.4853089.160219.1607 */
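As an added illustration (not from the post, and not Ubiquiti's code), a small Python parser for the config.boot block format shown above, plus a report of which of the pieces the EdgeOS policy-based routing approach uses for sending one interface's traffic through vtun0 (a `firewall modify` ruleset, a `protocols static table`, and a NAT masquerade rule whose outbound-interface is vtun0) the posted config already contains. The sample input is a constructed excerpt of the posted config.boot; the check names are assumptions of this example.

```python
# Constructed excerpt of the posted config.boot, trimmed to the parts the report inspects.
SAMPLE_CONFIG = """
interfaces {
    openvpn vtun0 {
        config-file /config/dallas.ovpn
        replace-default-route {
        }
    }
}
service {
    nat {
        rule 5010 {
            outbound-interface eth0
            type masquerade
        }
    }
}
"""


def parse_config(text):
    """Nested `name { ... }` blocks become dicts; leaf lines become key -> list of values."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):  # skip blanks and the version trailer comments
            continue
        if line.endswith("{"):                 # open a child block, keyed by its header
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":                      # close the current block
            stack.pop()
        else:                                  # leaf "key value"; repeats (listen-on ...) are kept
            key, _, value = line.partition(" ")
            stack[-1].setdefault(key, []).append(value)
    return stack[0]


def vpn_routing_report(cfg):
    """Which pieces EdgeOS policy-based routing through vtun0 uses are present in cfg."""
    nat = cfg.get("service", {}).get("nat", {})
    nat_rules = [r for k, r in nat.items() if k.startswith("rule ") and isinstance(r, dict)]
    return {
        "firewall_modify_ruleset": any(k.startswith("modify ") for k in cfg.get("firewall", {})),
        "static_route_table": any(k.startswith("table ") for k in cfg.get("protocols", {}).get("static", {})),
        "nat_masquerade_on_vtun0": any("vtun0" in r.get("outbound-interface", []) for r in nat_rules),
        "vtun0_replace_default_route": "replace-default-route" in cfg.get("interfaces", {}).get("openvpn vtun0", {}),
    }
```

Run against the posted config, the report shows NAT only on eth0 and no modify ruleset or static table, while `replace-default-route` is still set on vtun0 alongside `route-nopull` in the .ovpn file.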