I personally found this helpful:
On OpenWrt you typically need the 'ip-full' package.
I think you might need to place wan and your VPN interface in a new namespace, then create a veth pair with one end in the new namespace and the other end in the normal namespace. The link above provides everything you need on how to do that once you have ensured you have the 'ip-full' package installed or otherwise have namespace support.
See this script here for veth stuff:
That provides an example way to set up veth:
```sh
## set up veth devices to handle inbound and outbound traffic
ip link show | grep veth0 || ip link add type veth
## get new veth interfaces up
ip link set veth0 up
ip link set veth1 up
## turn on promisc mode, sometimes it's needed to make bridge work
ip link set veth1 promisc on
## add veth1 to bridge
brctl addif br-lan veth1
## just to make sure there's nothing inside this table
ip rule del priority 100
ip route flush table 100
## add routing for veth0 this will handle all traffic
## (WANIF must already hold the WAN device name)
ip route add default dev veth0 table 100
ip rule add iif "$WANIF" table 100 priority 100
#########
#Veth end
#########
```
I tried myself to do this but failed to make it all work so I'd really like to know how you manage it if you do. In particular, I managed to set up the namespace and veth pair particulars, but I could not work out how to set up the routing on both sides, and then gave up. My use case is different to yours, namely I just want a single interface on which to apply CAKE to both VPN and non-VPN traffic. I ended up using the 'ifb' approach, but would still be interested to try this namespace/veth approach if I can see how to make it all work.
In your case, unless I am mistaken it would allow you to:
but I may be mistaken.
@dlakelan has expertise in this area.
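
The namespace and veth layout suggested in this post, with the routes for both sides, as an added example that is not part of the original post or of the linked script. The namespace name, device names, addresses and the use of iptables for NAT are assumptions; only the WAN device is moved here, and the commands are printed rather than executed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Constructed values: namespace name, device names and addresses are assumptions.
NS=${NS:-wanns}                     # hypothetical namespace that will own the WAN device
WANIF=${WANIF:-eth1}                # assumed WAN device name
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed LAN subnet behind br-lan
HOST_IP=10.200.0.1                  # veth0 address, default namespace side
NS_IP=10.200.0.2                    # veth1 address, inside $NS

# Print each command; execute it only when APPLY=1 (needs root and ip-full).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

setup_ns() {
    run ip netns add "$NS"
    run ip link add veth0 type veth peer name veth1
    run ip link set veth1 netns "$NS"
    # A moved device loses its addresses: WAN DHCP/static config must be redone inside $NS.
    run ip link set "$WANIF" netns "$NS"

    # Default namespace side: everything leaves through veth0.
    run ip addr add "$HOST_IP/30" dev veth0
    run ip link set veth0 up
    run ip route replace default via "$NS_IP" dev veth0

    # Namespace side: return route to the LAN, forwarding and NAT out of WAN.
    run ip -n "$NS" link set lo up
    run ip -n "$NS" addr add "$NS_IP/30" dev veth1
    run ip -n "$NS" link set veth1 up
    run ip -n "$NS" link set "$WANIF" up
    run ip -n "$NS" route add "$LAN_NET" via "$HOST_IP" dev veth1
    run ip netns exec "$NS" sysctl -w net.ipv4.ip_forward=1
    run ip netns exec "$NS" iptables -t nat -A POSTROUTING -o "$WANIF" -j MASQUERADE
}

teardown_ns() {
    # Deleting the namespace destroys the veth pair and returns the
    # physical WAN device to the default namespace.
    run ip netns del "$NS"
}

case "${1:-}" in up) setup_ns ;; down) teardown_ns ;; esac
```

Run it with `up` to review the printed plan first, then with `APPLY=1` as root; with this layout veth0 in the default namespace carries all traffic headed for WAN.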