Setup: (names changed to generic terms)
“Vendor” requires a VPN to access their resources. A number of our people require access to Vendor resources. In order to ease the overhead on Vendor’s VPN server, we’ve agreed to add the tunnel to our top-level router, and statically route traffic to Vendor’s subnet through the tunnel with ordinary NAT, while all other traffic goes out the normal way. The static route is pushed from Vendor’s server, so all I (the network/sysadmin) had to do was launch openvpn with their config file, and everything works swimmingly, until…
Last week, Vendor’s VPN server erroneously pushed a default gateway rule, which our router obeyed by adding route rules equivalent to the redirect-gateway def1 config. Since traffic to non-Vendor addresses is not forwarded by Vendor, this caused an outage. Vendor “has fixed the issue”, but I’m looking for a fix I can apply on our side to prevent this from happening again. Our use of non-Vendor addresses should not depend on Vendor configuring anything correctly. I want a CLI or config file option to tell the openvpn client to ignore any route pushes, so I can manually add the single route rule that is supposed to be there. I don’t see anything promising in the openvpn manual, and most openvpn gateway posts I’m seeing here are trying to accomplish the opposite of this.
Temp fix: For the short term I threw up a cron job that kills any
openvpn 2.3.10, Ubuntu 18 server w/ low-latency kernel.
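A client-side configuration that refuses every pushed route and installs only the one route we control, as an added example (not from the original post and not Vendor's config); vendor.ovpn and the 203.0.113.0/24 subnet are placeholders:

```conf
# Added example, not part of the original post.
# Placeholders: vendor.ovpn is the file Vendor supplied,
# 203.0.113.0 255.255.255.0 stands for Vendor's subnet.

# Keep Vendor's remote/cert/cipher settings by including their file.
config vendor.ovpn

# Accept pushed options EXCEPT routes and DHCP options (DNS etc.).
# A pushed redirect-gateway is discarded along with any other route,
# so nothing Vendor pushes can touch the router's default route.
route-nopull

# The single route we actually want, added by us. With the gateway
# argument omitted, OpenVPN uses the tunnel's vpn_gateway.
route 203.0.113.0 255.255.255.0

# Same effect from the CLI, without editing any file:
#   openvpn --config vendor.ovpn --route-nopull --route 203.0.113.0 255.255.255.0

# On OpenVPN 2.4 or newer (not 2.3.10) a narrower filter is possible,
# dropping only route-related pushes while keeping other options:
#   pull-filter ignore "redirect-gateway"
#   pull-filter ignore "route "
```

Note that route-nopull also drops any DNS servers Vendor pushes, which is usually what you want on a router doing NAT for others; verify afterwards with `ip route` that only the one tunnel route was added.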