VPN on external device + policy-based routing?

Hi everyone!
I need a pointer on how I can achieve this kind of setup.

So currently, I have this setup running on my network.

I want to install a VPN, but not on my OpenWRT, because my OpenWRT cannot handle 200Mbps full speed through a VPN. My requirements are:

  1. The VPN must be installed on my DNS server (NanoPi running Ubuntu).
  2. The VPN connection will be used for website traffic only, and only if I access specific websites/servers (I know the IP list). All other websites, except what I listed, will NOT use a VPN.

Is there any way that I can achieve this? If yes, can you give me reading material for it? Even a tutorial would be nice. So far I only know VPN Policy-Based Routing.

Well ... there is a question

Packets coming into OWRT: PBR needs to handle the IP list and make a decision to pass them through or, if there is a match, route them to Ubuntu.
OK for now.
Then Ubuntu needs to make the VPN through the OWRT WAN.

maybe this will be a problem
you want 200Mbps VPN, which is in this case:
200Mbps IN, 200 Mbps PBR, and then 200 Mbps masquerading to WAN

Maybe I am wrong, but ... I have a bad feeling about this.

Why so? Can you enlighten me, please?
Correct me if I'm wrong, but as far as I understand, PBR will be handled by nftables + ipset. VPN traffic encryption & decryption will be handled by my Ubuntu NanoPi.
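
As an added example (not written by any poster in this thread), here is one way to express the router-side half of the split discussed above: a shell function that renders, without applying, an nftables set and fwmark rule for the listed destinations. The interface name, NanoPi address, mark, table number and sample destinations are all assumptions.

```shell
#!/bin/sh
# Added example: renders (does not apply) router-side rules. Assumed values:
LAN_IF="br-lan"       # OpenWrt LAN bridge
VPN_GW="192.168.1.2"  # NanoPi running the VPN client
MARK="0x100"          # fwmark meaning "hand to the NanoPi"
TABLE="100"           # routing table whose only route points at the NanoPi

# Shape check only (IPv4, optional /prefix); nft rejects out-of-range octets.
# Keeps a malformed list entry from being pasted into the ruleset.
valid_dst() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print an nft file for the destinations given as arguments.
render_pbr() {
    elems=""
    for dst in "$@"; do
        valid_dst "$dst" || { echo "bad destination: $dst" >&2; return 1; }
        elems="${elems:+$elems, }$dst"
    done
    [ -n "$elems" ] || { echo "empty destination list" >&2; return 1; }
    cat <<EOF
table inet pbr_vpn {
    set vpn_dst {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        # The NanoPi's own packets (the tunnel included) keep the normal WAN route.
        ip saddr $VPN_GW return
        # Assumption: "website traffic" means TCP 80/443 to a listed destination.
        iifname "$LAN_IF" ip daddr @vpn_dst tcp dport { 80, 443 } meta mark set $MARK
    }
}
# Routing side, run once on the router:
#   ip rule add fwmark $MARK lookup $TABLE
#   ip route add default via $VPN_GW dev $LAN_IF table $TABLE
EOF
}

# Constructed sample list (documentation address ranges).
render_pbr 203.0.113.10 198.51.100.0/24
```

The NanoPi side (VPN client, IP forwarding, NAT into the tunnel) is outside this sketch.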