I did a similar thing without using policy-based routing. I tried it but couldn’t make it work so I solved it using route tables and VLANs, and found it to be much simpler and easier to reason about.
Essentially, for each VPN you’ll have one “wan” interface and one “lan” interface tied to a VLAN.
You can bridge specific wifi SSIDs to each of these VLANs if required. Once you have that set up, you just need to route packets through the VPNs.
For example, say you have allocated VLAN 30 to one of these VPNs, and the interfaces are called tun30 (vpn/wan; this will be created by the VPN software/connection. For OpenVPN you might need to create an Unmanaged interface in LuCI/uci and point to it) and vpnlan30 (vpn/lan, possibly including wifi interfaces bridged to it). You need 2 things in your network config:
# default route (0.0.0.0/0) in a dedicated table, via the tunnel interface
config route
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '30'
	option interface 'tun30'
This creates a route table called 30 (I usually use the VLAN ID for this) where everything is routed to and from the tun30 interface, which is connected to the VPN endpoint.
With that set up, you need a rule to make packets that arrive on vpnlan30 use that route table:
# policy rule: traffic entering on vpnlan30 is looked up in table 30
config rule
	option in 'vpnlan30'
	option dest '0.0.0.0/0'
	option priority '10'
	option lookup '30'
For each of the other VPNs, create a new VLAN and the 2 things above.
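Below is a complete worked configuration for one such VLAN, added here as an example; it is not from the post above or from the OpenWrt project, and the interface names, the bridge port (lan1), the VLAN subnet (192.168.30.0/24) and the zone names are assumptions. It also adds two things the post does not cover that a practitioner would want: a second rule that stops VLAN 30 traffic from silently falling through to the normal WAN when the tunnel is down (an ip rule whose table has no matching route simply continues to the next rule, i.e. the main table), and the firewall zones that only allow VLAN 30 to forward into the tunnel.

```uci
# --- /etc/config/network (added example; names and addresses are assumptions) ---

# VLAN 30 as a bridge VLAN on the LAN bridge (DSA-style, OpenWrt 21.02+).
# On older swconfig targets a 'switch_vlan' section is used instead.
config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'

# The VPN LAN side: clients on VLAN 30 use 192.168.30.1 as their gateway.
config interface 'vpnlan30'
	option device 'br-lan.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# The VPN WAN side: the tunnel device OpenVPN creates ("dev tun30" in the
# OpenVPN config). proto 'none' (Unmanaged in LuCI) means netifd only tracks
# the device; OpenVPN configures its address.
config interface 'tun30'
	option device 'tun30'
	option proto 'none'

# Default route in a dedicated table; only rule-selected traffic uses it.
config route
	option interface 'tun30'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '30'

# Packets entering on vpnlan30 are looked up in table 30 first...
config rule
	option in 'vpnlan30'
	option lookup '30'
	option priority '10'

# ...and if table 30 has no usable route (tunnel down, so the route above is
# gone with the tun device), the lookup would fall through to the main table
# and leave via the normal WAN. This rule makes such traffic unreachable
# instead: a kill switch for the VLAN.
config rule
	option in 'vpnlan30'
	option action 'unreachable'
	option priority '11'

# --- /etc/config/firewall (added example) ---
# Separate zones so VLAN 30 can forward only into the tunnel.
config zone
	option name 'vpnlan30'
	list network 'vpnlan30'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vpn30'
	list network 'tun30'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'vpnlan30'
	option dest 'vpn30'
```

Two caveats with this layout. The priority-11 rule also makes VLAN 30 clients unable to reach your other LAN subnets (their lookup in table 30 fails too), which is usually the isolation you want; if not, add routes for those subnets to table 30. And `config rule`/`config route` are IPv4 only: either give the VLAN no IPv6 (no `ip6assign` on vpnlan30) or add matching `route6`/`rule6` sections, otherwise IPv6 traffic bypasses the tunnel entirely. To check the result after `/etc/init.d/network reload`, run `ip rule show` (expect the two rules for br-lan.30 at priorities 10 and 11), `ip route show table 30` (expect the default via tun30), and `ip route get 1.1.1.1 from 192.168.30.10 iif br-lan.30`, which should report `dev tun30`; run the last one again with the VPN stopped and it should report unreachable rather than your WAN device.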