Route forwarded traffic through eth0 but local traffic through tun0

Posted by Ross Patterson on Server Fault
Published on 2012-06-25T19:19:28Z Indexed on 2012/06/26 3:18 UTC


I have an Ubuntu 12.04/Zentyal 2.3 server configured with WAN NATed on eth0, local interfaces eth1 and wlan0 bridged on br1 on which DHCP runs, and an OpenVPN connection on tun0. I only need the VPN for some things running on the gateway itself, and I need to make sure that everything running on the gateway goes through the VPN's tun0.

root:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gw...           0.0.0.0         UG    100    0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 br1
192.168.1.0     *               255.255.255.0   U     0      0        0 br1
A.B.C.0         *               255.255.255.0   U     0      0        0 eth0

root:~# ip route
169.254.0.0/16 dev br1  scope link  metric 1000
192.168.1.0/24 dev br1  proto kernel  scope link  src 192.168.1.1
A.B.C.0/24 dev eth0  proto kernel  scope link  src A.B.C.186

root:~# ip route show table main
169.254.0.0/16 dev br1  scope link  metric 1000
192.168.1.0/24 dev br1  proto kernel  scope link  src 192.168.1.1
A.B.C.0/24 dev eth0  proto kernel  scope link  src A.B.C.D

root:~# ip route show table default
default via A.B.C.1 dev eth0 

How can I configure routing (or otherwise) such that all forwarded traffic for other hosts on the LAN goes through eth0, but all traffic for the gateway itself goes through the VPN on tun0? Also, since the OpenVPN client changes routing on startup/shutdown, how can I make sure that everything running on the gateway itself loses all network access if the VPN goes down and never goes out eth0?
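One way to express the split the question asks for, as an added example that is not from the original post or from Zentyal: Linux policy routing keyed on `iif lo` (which matches only packets the host itself generates) sends locally originated traffic to a dedicated table whose sole default route is tun0, leaves forwarded traffic from br1 on the main/default tables via eth0, and fails closed with a `prohibit` rule when tun0 has no route. The table number, the script name, and the VPN_SERVER and WAN_GW values are assumptions (WAN_GW reuses the anonymised A.B.C.1 gateway shown in the question's output).

```shell
#!/bin/sh
# Added example, not the original poster's or Zentyal's configuration.
# Locally generated packets (iif lo) use table 100, whose only default route
# is tun0; packets forwarded from br1 never match iif lo and keep leaving eth0.
set -eu

VPN_TABLE=100                         # assumed table number for "local via VPN"
LAN=192.168.1.0/24                    # LAN subnet shown in the question
VPN_SERVER="VPN_SERVER_IP_PLACEHOLDER"  # OpenVPN endpoint; must stay on eth0
WAN_GW="A.B.C.1"                      # eth0 gateway from the question (anonymised)

# Host route so the OpenVPN tunnel endpoint is reachable through the main
# table via eth0 (the main table here has no default route of its own).
wan_route() {
    echo "ip route replace $VPN_SERVER via $WAN_GW dev eth0"
}

# Rules in priority order; review them, then pipe to sh as root.
# 100: the gateway may still talk to its LAN (DHCP, local services).
# 101: the OpenVPN control/data channel itself must not be sent into tun0.
# 102: everything else the gateway originates is looked up in the VPN table.
# 103: if that table has no route (tun0 down, routes dropped by the kernel),
#      refuse instead of falling through to the default route via eth0.
policy_rules() {
    cat <<EOF
ip rule add pref 100 iif lo to $LAN lookup main
ip rule add pref 101 iif lo to $VPN_SERVER lookup main
ip rule add pref 102 iif lo lookup $VPN_TABLE
ip rule add pref 103 iif lo prohibit
EOF
}

# OpenVPN handlers. Start the client with --route-noexec --script-security 2
# --up "/path/vpn-policy.sh --up" --down "/path/vpn-policy.sh --down";
# OpenVPN appends its own arguments, so the tun device name arrives as $2.
vpn_up() {
    echo "ip route replace default dev $1 table $VPN_TABLE"
}
vpn_down() {
    # The kernel already removes routes of a vanished interface; flushing
    # just makes the fail-closed state explicit.
    echo "ip route flush table $VPN_TABLE"
}

case "${1:-}" in
    --apply) { wan_route; policy_rules; } | sh ;;   # install (needs root)
    --up)    vpn_up "$2" | sh ;;
    --down)  vpn_down | sh ;;
    *)       wan_route; policy_rules ;;             # default: only show commands
esac
```

Without arguments the script only prints the commands, so the rule set can be checked before anything is changed on the gateway.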
