Use pi as a VPN gateway for LAN clients, but not for itself

Add the following script when the tunnel comes up:

#!/bin/sh

ip route add to default via 10.10.10.1 table 100
ip rule add iif lo to 10.10.10.0/24 lookup main prio 16000
ip rule add iif lo to default lookup 100 prio 16010