Dual WAN with (Dual?) VPN Load Balancing RT-AC88U

ToeStub

Occasional Visitor
I got a second DSL connection to improve bandwidth, and I got Dual WAN setup and working well in load-balancing mode with a 1:1 ratio. Download speeds with multi-connection apps (torrents, download "accelerators") are double what they were with a single connection, so it seems to be working well.

Before adding the second WAN, I was using an OpenVPN connection through the RT-AC88U router for whole-home VPN. From what I've read, a VPN connection needs to be tied to a single interface, which makes sense. Since I can configure multiple clients, I'm thinking I could use one client on each interface, hopefully with the same load balancing behavior. Does anyone have any experience with this?

I'm not terribly familiar with creating routes beyond defining a policy for routing traffic through the tunnel (which was just sending my entire LAN subnet to the VPN Interface). I don't mind getting my hands dirty with JFFS and custom configs, but the routing rules are beyond my competence level. Any help would be appreciated.
 
So I succeeded in configuring 2 VPNs connected and bound to each WAN (ppp) interface. I noticed that the router is using CONNMARK to load balance, and rule-matching marks to use the wan0 and wan1 routing tables respectively. Using that knowledge, I inserted rules for tun11 into wan0 using the same specificity trick that OpenVPN uses when set as the default gateway:

First I added a static route to the VPN server 1.2.3.4 via the p-t-p IP 10.45.10.221 through ppp0. Confirmed that route works.

Next I added the following to the wan0 route table:
0.0.0.0/1 via 10.8.8.1 dev tun11
128.0.0.0/1 via 10.8.8.1 dev tun11

The packets selected for wan1 (ppp1) still seem to be making it to the internet without issue. Also, I see far more bytes on tun11 than tun12, which makes sense because tun11 is ostensibly in use through the route in table wan0 while tun12 has nothing routed to it. That said, connections selected to be sent through tun11 are getting stuck somewhere. I've reviewed the NAT table to ensure forwarding is enabled, and the MANGLE table to ensure rules are present.

So I'm not sure exactly where the problem lies at this point. I've reviewed the iptables rules to the best of my ability, and everything looks ok there. Perhaps responses aren't getting de-NATed properly, but I'm not sure why that would be.
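
The "specificity trick" described in the post above, as an added example that is not part of the original posts: a longest-prefix-match lookup over a constructed model of the wan0 table, used to check which destinations would leave outside tun11. The default route entry and the placement of the 1.2.3.4 host route in this same table are assumptions; `lookup` and `bypasses_tunnel` are hypothetical helper names.

```python
import ipaddress

# Constructed model of the "wan0" table from the post. The default route and
# the presence of the host route in this same table are assumptions.
WAN0_TABLE = [
    ("0.0.0.0/0",   "10.45.10.221", "ppp0"),   # assumed pre-existing default
    ("1.2.3.4/32",  "10.45.10.221", "ppp0"),   # static route to the VPN server
    ("0.0.0.0/1",   "10.8.8.1",     "tun11"),  # lower half of IPv4 space
    ("128.0.0.0/1", "10.8.8.1",     "tun11"),  # upper half of IPv4 space
]


def lookup(table, dst):
    """Return (prefix, gateway, dev) chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (str(best[0]), best[1], best[2])


def bypasses_tunnel(table, destinations, tunnel_dev):
    """List (destination, route) pairs whose route does not use tunnel_dev."""
    leaks = []
    for dst in destinations:
        route = lookup(table, dst)
        if route is None or route[2] != tunnel_dev:
            leaks.append((dst, route))
    return leaks


if __name__ == "__main__":
    # Constructed sample destinations: one per /1 half, the VPN server itself,
    # and its numeric neighbour (which must NOT match the /32 host route).
    samples = ["8.8.8.8", "203.0.113.9", "1.2.3.4", "1.2.3.5"]
    for dst in samples:
        print(dst, "->", lookup(WAN0_TABLE, dst))
    print("outside tun11:", bypasses_tunnel(WAN0_TABLE, samples, "tun11"))

    # Without the /32 host route, the tunnel's own transport packets to
    # 1.2.3.4 would match 0.0.0.0/1 and be routed back into tun11.
    no_host = [r for r in WAN0_TABLE if r[0] != "1.2.3.4/32"]
    print("1.2.3.4 without host route ->", lookup(no_host, "1.2.3.4"))
```

Only the VPN server address should appear in the "outside tun11" list; any other destination listed there would be leaving the WAN untunnelled.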
 
