DNAT UDP redirect from L2TP VPN Zone return packets going down the wrong interface on TRB500

I have set up a DNAT UDP port forward from a L2TP VPN tunnel to the LAN zone.

config redirect '29'
	option src_dport '51820'
	option dest_ip '192.168.21.2'
	option name 'WireGuard'
	option target 'DNAT'
	option priority '1'
	option dest 'lan'
	option enabled '1'
	list proto 'udp'
	option src 'vpn'

The problem is that the return packets go down the WAN interface and not the VPN interface.

root@remote:~# tcpdump -i any port 51820
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:28:12.551954 l2tp-VPN In  IP 31.94.72.223.45647 > 40.71.52.25.in-addr.arpa.51820: UDP, length 148
12:28:12.552140 br-lan Out IP 31.94.72.223.45647 > gateway-pro.lan.51820: UDP, length 148
12:28:12.552170 eth0  Out IP 31.94.72.223.45647 > gateway-pro.lan.51820: UDP, length 148
12:28:12.553929 eth0  In  IP gateway-pro.lan.51820 > 31.94.72.223.45647: UDP, length 92
12:28:12.553929 br-lan In  IP gateway-pro.lan.51820 > 31.94.72.223.45647: UDP, length 92
12:28:12.554900 rmnet_data0 Out IP 40.71.52.25.in-addr.arpa.51820 > 31.94.72.223.45647: UDP, length 92

I tried to create a route:

config table '1'
	option id '1'
	option name 'vpn'

config route '2'
	option table '1'
	option netmask '0.0.0.0'
	option target '0.0.0.0'
	option interface 'vpn'

config rule '3'
	option action_group 'lookup'
	option tos '0'
	option src '25.52.71.40/32'
	option invert '0'
	option lookup '1'

The problem seems to be that the routing rules are applied while the source IP at this point is still a LAN IP. Then the DNAT changes the src IP, but the interface is already chosen. So I can’t work out how to get the packets to return along the same path. One would expect this to happen automatically. Why assign the L2TP src IP but not send it down the L2TP interface?

Any thoughts on how to get this to work would be appreciated.

Version below:

BusyBox v1.34.1 (2024-11-28 08:20:07 UTC) built-in shell (ash)

     ____        _    ___  ____
    |  _ \ _   _| |_ / _ \/ ___|
    | |_) | | | | __| | | \___ \
    |  _ <| |_| | |_| |_| |___) |
    |_| \_\\__,_|\__|\___/|____/
--------------------------------------
     Teltonika TRB500 series 2024
--------------------------------------
   Device:     TRB500
   Kernel:     4.14.336
   Firmware:   TRB500_R_00.07.11.1
   Build:      66c12082e5f
   Build date: 2024-11-28 12:43:43
--------------------------------------
root@TRB500:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='21.02.0'
DISTRIB_REVISION='r16279-5cc0535800'
DISTRIB_TARGET='sdxprairie/generic'
DISTRIB_ARCH='arm_cortex-a7_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt 21.02.0 r16279-5cc0535800'
DISTRIB_TAINTS='no-all busybox'
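As an added illustration (not configuration from the post or from Teltonika), here is a small Python model of the Netfilter path the tcpdump above shows: the reply's route lookup runs with the pre-NAT LAN source, so a rule keyed on 25.52.71.40 never matches, whereas a connmark set on the inbound tunnel packet, restored in PREROUTING and matched by a fwmark rule, would select the vpn table. The mark value, the connmark mechanism and the toy /24 lookup are assumptions.

```python
# Added model (not the poster's configuration); addresses and interfaces come
# from the thread, VPN_MARK and the connmark-based fix are assumed.
from dataclasses import dataclass, replace

VPN_IP, LAN_HOST, CLIENT = "25.52.71.40", "192.168.21.2", "31.94.72.223"
VPN_MARK = 0x1                                   # assumed connmark/fwmark value
TABLES = {"main": {"192.168.21.0/24": "br-lan", "default": "rmnet_data0"},
          "vpn": {"default": "l2tp-VPN"}}        # table 1 ('vpn') from the post

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    iif: str
    mark: int = 0

def lookup(table, dst):
    """Toy /24-only prefix match, falling back to the table's default route."""
    prefix = dst.rsplit(".", 1)[0] + ".0/24"
    return TABLES[table].get(prefix, TABLES[table]["default"])

def route(pkt, rules):
    """ip rule semantics: the first matching rule selects the table to query."""
    for match, table in rules:
        if match(pkt):
            return lookup(table, pkt.dst)
    return lookup("main", pkt.dst)

def handle_request(req, ct, use_connmark):
    """Tunnel -> LAN: PREROUTING does the DNAT (and optionally sets a connmark)."""
    req = replace(req, dst=LAN_HOST)             # redirect '29': DNAT to LAN host
    if use_connmark and req.iif == "l2tp-VPN":
        ct["mark"] = VPN_MARK                    # remember the ingress path
    return route(req, [])                        # -> 'br-lan'

def handle_reply(rep, ct, rules, use_connmark):
    """LAN -> tunnel: route lookup runs BEFORE POSTROUTING undoes the DNAT."""
    if use_connmark:
        rep = replace(rep, mark=ct.get("mark", 0))   # PREROUTING: restore mark
    oif = route(rep, rules)                      # decided with src == LAN_HOST
    rep = replace(rep, src=VPN_IP)               # POSTROUTING: reverse DNAT
    return rep.src, oif

RULE_BY_SRC = [(lambda p: p.src == VPN_IP, "vpn")]       # rule '3' from the post
RULE_BY_MARK = [(lambda p: p.mark == VPN_MARK, "vpn")]   # fwmark-based rule

def simulate(rules, use_connmark):
    ct = {}
    handle_request(Pkt(CLIENT, VPN_IP, "l2tp-VPN"), ct, use_connmark)
    return handle_reply(Pkt(LAN_HOST, CLIENT, "br-lan"), ct, rules, use_connmark)
```

`simulate(RULE_BY_SRC, False)` reproduces the capture (reply source is rewritten to 25.52.71.40 but the interface is already rmnet_data0), while `simulate(RULE_BY_MARK, True)` returns l2tp-VPN.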