There is a problem with your curl-test, which I know how to solve, and a problem with your scheme at large, to which I can suggest a solution.
curl cannot possibly work this way: after starting the VPN, there is no gateway defined on that interface (eth0): the eth0 NIC has an IP address, and can reach your LAN, but there is no gateway from which the internet, and icanhazip.com in particular, can be reached. For curl to work this way, you will have to instruct your kernel that the specific route to 216.69.252.101 (icanhazip.com) is through the eth0 interface:
ip ro add 216.69.252.101 via your_home_routers_IP_address
Now the curl call will work as you wish.
If you want to communicate both through the VPN and outside it on a stable, complete basis, the correct way to proceed is to install a second routing table by means of policy based routing. You can find a good and concise introduction to the topic by David Schwartz on a sister-site, here. The reason why you need this contraption is that you are envisioning a system with two distinct gateways, which are not allowed unless of course there are two distinct routing tables.
Now, in order to accomplish your goal, i.e., to route packets along different routes according to user identity, you will have to set appropriate rules that select the relevant routing table. So let us suppose you now have two tables, called vpn and novpn. You will have first to use the mangle table of iptables to mark the packets according to user identity, and then supply rules for policy based routing according to the the presence (or absence) of the said mark.
It could work like this:
iptables -t mangle -I OUTPUT -m owner --uid-owner some-user -j MARK --set-mark 100
ip rule add fwmark 100 table vpn
for a user destined to use vpn, and
iptables -t mangle -I OUTPUT -m owner --uid-owner some-other-user -j MARK --set-mark 300
ip rule add fwmark 300 table novpn
for those you want to route outside the VPN. Also, it is always best to set a routing table for anything else, i.e., a default. Hope this helps.
Non-IP traffic is not forwarded over Layer-3 (tun) interfaces, that's the whole beauty of it: you save on broadcast traffic and on ethernet headers. You can read about all of this on the OpenVPN wiki.
I am not sure I understand how arpwake works, the Web page you linked to is more of a ramble than a wiki. But you may try adding this firewall rule,
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
This rewrites all source IP addresses, in the packet headers, with the router IP address. I do not know whether this will trigger arpwake, but you may try.
EDIT:
I have thought of a workaround, which does not use arpwake. Add the following iptables rule,
iptables -A INPUT -i tun0 -s xxx.xxx.xxx.xxx/24 -d 192.168.1.4/32 -m state --state NEW -m state ! --state ESTABLISHED -j LOG --log-prefix "NEW_CONN_ATTEMPT"
where xxx.xxx.xxx.xxx/24 is VPN tunnel's network. Now setup an executable script, running under sudo, with the following content:
tail -f /var/log/firewall.log | awk '/NEW_CONN_ATTEMPT/ {system("/usr/local/bin/myscript")}'
where /usr/local/bin/myscript is a script that sends the magic packet to the NAS. It should work.
Best Answer
Ran
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
on 192.168.24.99 solved the problem.