VLANs, multiple SSIDs, multiple dnsmasq instances and OpenVPN split tunnelling woes

I have been using open source router firmware for a number of years, but more or less in a very vanilla configuration. In the last couple of months I have been trying to set up a more complicated configuration. I started using OpenWrt 18.06.1 but had a few problems with running multiple DHCP server instances for the various VLANs; the issues were resolved when I started using OpenWrt 18.06.4.

I did the obvious by searching this forum and online for related posts and articles. I seem to have become stuck with the VPN split tunneling using different gateways/static routes on the main router.

I installed the following additional packages onto OpenWrt: dnsmasq-full, luci-app-openvpn and openvpn-openssl, in order to get my configuration working. I believe this version of OpenWrt comes with iproute2 pre-installed as standard.

The end goal is to have the following:

  1. Six VLANs with related SSIDs:
    (a) Children - censored content and time-restricted wireless access
    (b) Normal - unrestricted access, but blocking illegal sites and services
    (c) Secure - traffic in this VLAN will be routed through an encrypted VPN tunnel
    (d) Streaming - region-specific video streaming through an unencrypted VPN tunnel
    (e) IoT - for Internet-enabled devices
    (f) Guests - limited, web-only access, only enabled when guests are visiting

I have got VLAN tagging and the related SSIDs (where required) working successfully. Each VLAN uses a different private address subnet.

  2. OpenVPN client - I managed to get a VPN configuration working that diverts ALL Internet traffic through the VPN; this involved using additional scripts invoked by OpenVPN which change the default ISP-assigned DNS servers to the VPN-assigned DNS servers.

  3. At this stage, I decided to add multiple dnsmasq instances so that each VLAN subnet has its own Internet gateway, DHCP server and DNS server settings.

I managed to configure the above but became stuck when trying to get the static routes and DNS for the VPN tun interface working.

I am happy to provide further information if required; any help with solving this problem would be appreciated!
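As an added worked example (not part of the original post, and not an official OpenWrt or OpenVPN configuration), here is one way to wire up the "Secure" VLAN case described above on OpenWrt 18.06 with dnsmasq-full: a dedicated dnsmasq instance for the VLAN that only knows the VPN resolver, policy routing so that only that subnet's default route goes through the tunnel, and a firewall zone layout that never forwards the VLAN to the ISP. Everything concrete in it is an assumption: VLAN id 30 on eth0.30 with subnet 192.168.30.0/24, the other VLANs living somewhere in 192.168.0.0/16, the OpenVPN client creating tun0 with a resolver at 10.8.0.1 on the tunnel subnet, routing table 100 being unused, and the file paths /etc/openvpn/secure.conf and /etc/openvpn/secure-route-up.sh.

```text
# /etc/config/network (assumed: VLAN 30 on eth0.30, subnet 192.168.30.0/24)
config interface 'secure'
	option ifname 'eth0.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# OpenVPN creates tun0 itself; netifd only needs a name for it (firewall zone below)
config interface 'vpn'
	option ifname 'tun0'
	option proto 'none'

# Rule 900: traffic between VLANs stays in the main table (assumed all VLANs are in 192.168.0.0/16).
# Rule 1000: everything else from the secure subnet uses table 100, whose only route is
# the tunnel (installed by the route-up script below), so the ISP default route in main is untouched.
# Rule 1100: if table 100 is empty because the tunnel is down, refuse rather than fall through to main.
config rule 'secure_local'
	option src '192.168.30.0/24'
	option dest '192.168.0.0/16'
	option lookup 'main'
	option priority '900'

config rule 'secure_vpn'
	option src '192.168.30.0/24'
	option lookup '100'
	option priority '1000'

config rule 'secure_block'
	option src '192.168.30.0/24'
	option action 'prohibit'
	option priority '1100'

# /etc/config/dhcp (needs dnsmasq-full; one extra instance for the secure VLAN)
# The existing default instance must also be pinned to its own interfaces
# (list interface 'lan' / list notinterface 'loopback') so it does not bind eth0.30 too.
config dnsmasq 'secure'
	option domain 'lan'
	option local '/lan/'
	option leasefile '/tmp/dhcp.leases.secure'
	# noresolv: never read the ISP resolvers from /tmp/resolv.conf.auto for this VLAN
	option noresolv '1'
	# assumed VPN-assigned resolver; it sits on the tun0 subnet, so it is reached via the tunnel
	list server '10.8.0.1'
	list interface 'secure'
	list notinterface 'loopback'

config dhcp 'secure'
	option instance 'secure'
	option interface 'secure'
	option start '100'
	option limit '150'
	option leasetime '12h'
	# hand out the router itself as resolver so clients use the instance above
	list dhcp_option '6,192.168.30.1'

# /etc/config/firewall
config zone
	option name 'secure'
	list network 'secure'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vpn'
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# secure -> vpn only; deliberately no 'secure' -> 'wan' forwarding, so a dropped
# tunnel means no Internet for this VLAN instead of a silent fallback to the ISP
config forwarding
	option src 'secure'
	option dest 'vpn'

# /etc/openvpn/secure.conf (assumed file name; additions to the provider's client config)
# route-nopull ignores the pushed "redirect-gateway", which would otherwise replace
# the router's default route in the main table for every VLAN.
route-nopull
script-security 2
route-up /etc/openvpn/secure-route-up.sh

# /etc/openvpn/secure-route-up.sh (assumed file name; chmod +x)
#!/bin/sh
# OpenVPN exports the tunnel device name as $dev. The kernel drops routes on tun0
# when the tunnel goes down, so re-create the table 100 default route on every (re)connect.
ip route replace default dev "$dev" table 100
ip route flush cache
```

Checks that tell you whether the split actually holds: `ip rule show` should list the three rules at priorities 900, 1000 and 1100; `ip route show table 100` should contain exactly `default dev tun0` while the tunnel is up and nothing while it is down (in which case the prohibit rule and the missing secure-to-wan forwarding both stop traffic from leaking via the ISP); and a DNS lookup from a secure-VLAN client, observed with `tcpdump -ni tun0 port 53`, should leave through tun0 rather than the WAN interface. The DHCP option 6 entry matters: a client that still received the ISP resolvers from an earlier lease will bypass the VPN-only dnsmasq instance until it renews.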