Some more information to go with this - maybe it will help.
When I say manually configured I mean configured via the DD-WRT GUI. That is to say I haven't used any scripts to automate configuration of the VPN client.
When the client connects, the VPN server pushes a load of routing rules which I can see configured when I run the 'route' command.
Here's a small sample:
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
default         BThomehub.home  0.0.0.0          UG    0      0   0   ath0
10.1.0.0        10.8.0.205      255.255.254.0    UG    0      0   0   tun1
10.1.10.0       10.8.0.205      255.255.254.0    UG    0      0   0   tun1
10.1.20.0       10.8.0.205      255.255.254.0    UG    0      0   0   tun1
10.8.0.205      *               255.255.255.255  UH    0      0   0   tun1
192.168.1.0     *               255.255.255.0    U     0      0   0   ath0
192.168.2.0     *               255.255.255.0    U     0      0   0   br0
ath0 is connected via client mode to my ISP router. Devices connected to the LAN ports of the DD-WRT router are on 192.168.2.0
What seems to be confusing me is the difference between IPTABLES and ROUTES. My understanding is that IPTABLES are used to control traffic going across the NAT but as far as I can tell NAT traversal is already handled since the VPN connection is open and active.
As the VPN client has already created routing rules automatically I don't want to replicate these rules (it's better that they are created automatically, they may change in future).
Why does a ping from a 192.168.2.x device on the LAN ports to 10.1.x.x not get picked up by one of the existing rules? Is this an IPTABLES thing? Disabling the firewall makes no difference as I would expect.
From the command line (having connected via telnet)
The client seems connected, as I can ping a host on the remote side from the DD-WRT command line. But no machines on the local LAN can ping through DD-WRT. They stop at 192.168.2.1 (which is the router's local IP).