Has anyone gotten a multi-VPN policy routing setup working?

CODYQX4

Occasional Visitor
I've recently added a second VPN to my setup, with the hope of setting up policy routing between them, and still be able to make certain traffic (SSH) always use WAN.

I've been using PIA for my main VPN, but wanted to try AirVPN as the second.

I have my VPN configured as follows (VPN 1):
https://imgur.com/dbkqao4

I've been using this script to make SSH go over the WAN, and it has worked with the GUI for picking clients.

Code:
#!/bin/sh

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#

ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#

# SSH Traffic: Bypass VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 22 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p udp --sport 22 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 22 -j MARK --set-mark 1

The kill switch works as intended. I can VPN my WAN from another location, even after turning off, and curl icanhazip.com fails to connect as expected if I turn off the VPN manually.

I had VPN #2 working, but it was working inconsistently, not applying when it should, etc., or it would just drop out onto the WAN, leaking my IP outright.

I would need a setup that would let me redirect by IP to either VPN, while still being able to let SSH work, and the kill switch work on either WAN. Has anyone had any luck? It took me forever to get SSH working last time.
 
I've managed to get both VPNs active while maintaining SSH over WAN now.

I used this init-start
Code:
#!/bin/sh

# If RPDB name table doesn't exist create the alias entries
# Done before the sleep as wan-start will call IPTablesDump.sh and it helps with documenting tables!

# Tables 111:115 reserved by RMerlin RPDB Selective Policy routing
# Tables 100/200 reserved by ASUS Dual WAN aka Primary and Secondary WAN
if [ ! -d /etc/iproute2/ ]; then
    # Tag the VPN RPDB tables by name!!!
    /usr/bin/logger -s -t "($(basename $0))" $$ "Creating RPDB name table /etc/iproute2/rt_tables"
    mkdir /etc/iproute2
    echo 111 vpn1 >  /etc/iproute2/rt_tables
    echo 112 vpn2 >> /etc/iproute2/rt_tables
    echo 113 vpn3 >> /etc/iproute2/rt_tables
    echo 114 vpn4 >> /etc/iproute2/rt_tables
    echo 115 vpn5 >> /etc/iproute2/rt_tables
    echo 100 wan1 >> /etc/iproute2/rt_tables
    echo 200 wan2 >> /etc/iproute2/rt_tables
    /usr/bin/logger -s -t "($(basename $0))" $$ "         " `cat /etc/iproute2/rt_tables`
    /usr/bin/logger -s -t "($(basename $0))" $$ "Created RPDB name table /etc/iproute2/rt_tables"
fi

... and I modified my openvpn-event
Code:
#!/bin/sh

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

#
# Delete the wan1 (100) default route and flush any existing rules and marks if they exist.
#
ip route flush table wan1
ip route del default table wan1
ip rule del fwmark 200 table wan1
ip rule del fwmark 201 table vpn1
ip rule del fwmark 202 table vpn2
ip rule del fwmark 203 table vpn3
ip rule del fwmark 204 table vpn4
ip rule del fwmark 205 table vpn5
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table wan1 (100).
# Then configure wan1 to route all traffic out the WAN gateway and select it with mark "200".
#
# NOTE: Here I assume the OpenVPN tunnels are named "tun11" (VPN 1) and "tun12" (VPN 2).
# Both interfaces are excluded in a single pass; a second pass excluding only tun12 would
# copy the tun11 routes into wan1 (and re-add every other route, failing with "File exists").
#

ip route show table main | grep -Ev ^default | grep -Ev 'tun1[12]' \
  | while read ROUTE ; do
      ip route add table wan1 $ROUTE
done
ip route add default table wan1 via $(nvram get wan_gateway)
ip rule add fwmark 200 table wan1
ip rule add fwmark 201 table vpn1
ip rule add fwmark 202 table vpn2
ip rule add fwmark 203 table vpn3
ip rule add fwmark 204 table vpn4
ip rule add fwmark 205 table vpn5
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. Unmarked packets (MARK "0") use the main table; MARK "200" bypasses the VPNs via
# wan1; MARKs "201" to "205" select the vpn1 to vpn5 tables.
#

# SSH Traffic: Bypass VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 22 -j MARK --set-mark 200
iptables -t mangle -A PREROUTING -i br0 -p udp --sport 22 -j MARK --set-mark 200
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 22 -j MARK --set-mark 200
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 22 -j MARK --set-mark 200

I then abused the DNS Filtering feature to force the needed DNS (this should allow a 3rd VPN if needed), and that works.

The only problem I'm having now is that the kill switch doesn't work. If I turn off the VPN or do anything that would cause the VPN to drop/fail/disconnect, the clients just go over the WAN.
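The fall-through the second post describes (VPN down, marked clients going out the WAN) happens because OpenVPN withdraws the default route from the vpn1/vpn2 table, the RPDB lookup then finds nothing there and continues to the main table. The script below is an added example, not the poster's script: it pins a "prohibit" default route into each VPN table so the lookup ends with an error instead of falling through, and classifies a table's state from `ip route show` output. It assumes the mark/table pairs from the openvpn-event above and Merlin's tun11..tun15 interface names.

```shell
#!/bin/sh
# Added example (not from the thread): a fall-through guard for the fwmark/table layout
# above. While the tunnel is up its own default route (lower metric) wins; when OpenVPN
# removes it, the "prohibit" default still matches, so the RPDB lookup stops in the VPN
# table with an error rather than continuing to the main table and the WAN.
# IP is overridable (IP=echo) for a dry run.
IP=${IP:-ip}

# mark:table pairs as created in the openvpn-event script above (assumption: vpn1/vpn2 in use)
PAIRS="201:vpn1 202:vpn2"

# Print the commands that pin a prohibit default route into one table.
fallback_cmds() {
    tbl=$1
    echo "$IP route replace prohibit default table $tbl metric 9999"
    echo "$IP route flush cache"
}

# Classify the text of `ip route show table <tbl>`:
#   tunnel  - default route via a tun interface (VPN up, traffic goes through it)
#   guarded - no tunnel default, but the prohibit fallback is present (traffic refused)
#   leak    - neither, so marked traffic would fall through to main and leave via the WAN
classify_table() {
    routes=$1
    if printf '%s\n' "$routes" | grep -Eq '^default .*dev tun1[0-9]'; then
        echo tunnel
    elif printf '%s\n' "$routes" | grep -Eq '^prohibit default'; then
        echo guarded
    else
        echo leak
    fi
}

# Install the guard in every VPN table, then report each table's state.
apply_guards() {
    for p in $PAIRS; do
        tbl=${p#*:}
        fallback_cmds "$tbl" | sh
        echo "$tbl: $(classify_table "$($IP route show table "$tbl" 2>/dev/null)")"
    done
}

# Run as: sh guard.sh apply   (for example from openvpn-event after the rules are added)
if [ "${1:-}" = "apply" ]; then
    apply_guards
fi
```

A table that reports "leak" after the VPN drops is exactly the condition seen in the post; with the guard in place it reports "guarded" and marked clients get a routing error instead of a WAN path.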