Can you better describe "work" and "not work"? I still do not fully understand the purpose of these routes.
Work = they drop traffic?
Not work = they pass traffic?
Some more thoughts:
In your policy routing setup you redirect all traffic from 192.168.2.25x to a separate routing table `exvpn`, where the flows encounter a sole terminal `default via 192.168.10.1 dev eth0` route.
The `main` routing table, which among the standard interface subnet routes etc. contains your static 8.8.8.8 / 8.8.4.4 "blackholes" (I'll call them this way since this appears to be the intent), is entirely bypassed, so it is expected that `exvpn`-eligible hosts are not affected by them.
You could either duplicate those static exception routes into the `exvpn` table, or use rules to make routing decisions, or use iptables to block the traffic.
Edit:
Yet another possible way would be moving these block-routes into the `local` routing table, which precedes the `exvpn` and `main` ones, but I didn't actually test that.
IMHO the cleanest solution to block traffic would be this:

```
# /etc/config/network: reject LAN-originated traffic to 8.8.8.8 before any table lookup
config rule
	option in 'lan'
	option dest '8.8.8.8/32'
	option action 'prohibit'
```

which would be roughly equivalent to `iptables -I FORWARD -i br-lan -d 8.8.8.8 -j REJECT`.
The cleanest solution to make traffic to these IPs always bypass VPN would be

```
# /etc/config/network: send LAN-originated traffic to 8.8.8.8 through the exvpn table
config rule
	option in 'lan'
	option dest '8.8.8.8/32'
	option lookup 'exvpn'
```
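To make the rule-ordering argument above concrete, here is a small model of the Linux policy routing lookup (rules tried by priority, longest-prefix match inside each table, blackhole/prohibit as terminal results). It is an added example, not code from this thread; the VPN default route, the two /32 "exvpn" hosts and the use of a source prefix in place of `option in lan` are assumptions.

```python
import ipaddress

# Constructed routing tables (assumed addresses; tun0 stands in for the VPN).
TABLES = {
    "main": {
        "192.168.2.0/24": "dev br-lan",
        "8.8.8.8/32": "blackhole",
        "8.8.4.4/32": "blackhole",
        "0.0.0.0/0": "via 10.8.0.1 dev tun0",
    },
    "exvpn": {
        "0.0.0.0/0": "via 192.168.10.1 dev eth0",  # WAN, bypasses the VPN
    },
}

# Rules as (priority, src_prefix, dst_prefix, action, table); None = match any.
# Two hosts from 192.168.2.25x are sent to exvpn; everything else hits main.
ORIGINAL_RULES = [
    (1000, "192.168.2.250/32", None, "lookup", "exvpn"),
    (1001, "192.168.2.251/32", None, "lookup", "exvpn"),
    (32766, None, None, "lookup", "main"),
]
# Same rules with the suggested "action prohibit" rule placed ahead of them
# (src prefix used here as a stand-in for "option in lan").
FIXED_RULES = [(900, "192.168.2.0/24", "8.8.8.8/32", "prohibit", None)] + ORIGINAL_RULES


def table_lookup(table, dst):
    """Longest-prefix match inside one table; None if nothing matches."""
    best = None
    for prefix, target in TABLES[table].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def route(rules, src, dst):
    """Return the routing outcome for a src->dst flow under the given rules."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, s, d, action, table in sorted(rules, key=lambda r: r[0]):
        if s and src not in ipaddress.ip_network(s):
            continue
        if d and dst not in ipaddress.ip_network(d):
            continue
        if action == "prohibit":
            return "prohibit"  # terminal: sender gets EACCES
        hit = table_lookup(table, dst)
        if hit is not None:
            return hit  # a blackhole route is terminal as well
    return "unreachable"  # no rule produced a route
```

With the original rules, `route(ORIGINAL_RULES, "192.168.2.250", "8.8.8.8")` ends in the exvpn default via eth0 and never sees the main-table blackhole, while the prohibit rule in `FIXED_RULES` stops the flow regardless of which table would otherwise be consulted.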