I did a similar thing without using policy-based routing. I tried it but couldn’t make it work so I solved it using route tables and VLANs, and found it to be much simpler and easier to reason about.
Essentially, for each VPN you’ll have one “wan” interface and one “lan” interface tied to a VLAN.
You can bridge specific wifi SSIDs to each of these VLANs if required. Once you have that set up, you just need to route packets through the VPNs.
For example, say you have allocated VLAN 30 to one of these VPNs, and the interfaces are called tun30 (vpn/wan; this will be created by the VPN software/connection. For OpenVPN you might need to create an Unmanaged interface in LuCI/uci and point to it) and vpnlan30 (vpn/lan, possibly including wifi interfaces bridged to it). You need 2 things in your network config (/etc/config/network). First, a route section:
config route
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option table '30'
    option interface 'tun30'
This creates a route table called 30 (I usually use the VLAN ID for this) where everything is routed to and from the tun30 interface, which is connected to the VPN endpoint.
With that set up, you need a rule section to make packets that arrive on vpnlan30 use that route table:
config rule
    option in 'vpnlan30'
    option dest '0.0.0.0/0'
    option priority '10'
    option lookup '30'
For each of the other VPNs, create a new VLAN and the 2 things above.
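Since the same two sections are repeated for every VPN, here is an added example (my own script, not from the post above) that generates the /etc/config/network fragment for any VLAN ID, keeping the tun<VLAN>/vpnlan<VLAN>/table-<VLAN> naming used above. It also adds a third section that is an assumption on my part, not in the post: a lower-priority rule with netifd's 'action' option that refuses the packet if table <VLAN> is empty because the tunnel is down, so VLAN traffic does not fall through to the main table and leave via the plain WAN.

```shell
#!/bin/sh
# Print the /etc/config/network sections for one VPN / VLAN pair.
# Usage: gen_vpn_network_fragment 30 >> /etc/config/network ; /etc/init.d/network reload
# Naming assumed (as in the post): tunnel interface tun<VLAN>, VLAN-side
# interface vpnlan<VLAN>, route table number = VLAN ID.
gen_vpn_network_fragment() {
    vlan="$1"
    cat <<EOF
# Default route inside table ${vlan}, only present while tun${vlan} is up.
config route
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option table '${vlan}'
    option interface 'tun${vlan}'

# Packets arriving from the VLAN consult table ${vlan} first.
config rule
    option in 'vpnlan${vlan}'
    option dest '0.0.0.0/0'
    option priority '10'
    option lookup '${vlan}'

# Guard rule (assumption, not from the post): if tun${vlan} is down, table
# ${vlan} has no routes, the lookup above finds nothing, and this next rule
# returns "unreachable" instead of letting the packet reach the main table.
config rule
    option in 'vpnlan${vlan}'
    option dest '0.0.0.0/0'
    option priority '11'
    option action 'unreachable'

EOF
}

# Count the sections a fragment contains (used to sanity-check the output).
count_sections() {
    printf '%s\n' "$1" | grep -c '^config '
}

# To verify on the router after reload (commands shown for reference only):
#   ip rule show                 # expect the priority 10 and 11 rules
#   ip route show table 30       # expect the default via tun30 while it is up
```

Each VPN gets one call with its own VLAN ID; the guard rule only bites when the tunnel's table is empty, so normal operation is unchanged.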