domain-based traffic routing through VPN

[Kriggx]

Hi everyone,

I have a setup with two VPN containers (DE-VPN and CH-VPN), each using a tun0 interface internally. On the host, these containers are represented by the interfaces veth900i0 and veth901i0.

My goal is to route specific traffic (domain based) through the respective VPNs. Because I don't want to care about the ip-lists/routing tables manually, I wan to use my reverse Proxy and dnsmasq for keeping the server ips up to date. Here’s what I’ve done so far:

1. Created routing tables:
   • de-vpn with ID 190
   • ch-vpn with ID 191
2. Added mangle rules to mark the traffic:
   • Traffic for DE-VPN: iptables -t mangle -A PREROUTING -m set --match-set de-vpnset dst -j MARK --set-mark 0x1
   • Traffic for CH-VPN: iptables -t mangle -A PREROUTING -m set --match-set ch-vpnset dst -j MARK --set-mark 0x2
3. Created routing rules to route the marked traffic through the respective VPNs:
   • ip rule add fwmark 0x1 table 190
   • ip route add default via 192.168.187.190 dev veth900i0 table 190
   • ip rule add fwmark 0x2 table 191
   • ip route add default via 192.168.187.191 dev veth901i0 table 191
4. Configured NAT rules to NAT the traffic through the VPNs:
   • iptables -t nat -A POSTROUTING -o veth900i0 -j MASQUERADE (for DE-VPN)
   • iptables -t nat -A POSTROUTING -o veth901i0 -j MASQUERADE (for CH-VPN)

Despite the seemingly correct configuration, the setup isn't working as expected. The marked traffic is not being routed through the corresponding VPN interfaces. It seems like there might be an issue with either the NAT configuration or the routing rules. I know some Firewall and killswitch functions are not adressed so far, but that's a second step. I'm hanging at the first step of setting it up and gettin it to work.

Does anyone have any idea what might be wrong or what I may have missed?

Thanks a lot!