Setup: (names replaced with generic terms)

"Vendor" requires a vpn to access their resources. Multiple of our people require access to Vendor resources. In order to ease overhead on Vendor's vpn server, we have agreed to add the tunnel to our top-level router, and statically route traffic to Vendor's subnet through the tunnel with ordinary NAT, while all other traffic goes out the normal way. The static route is pushed from Vendor's server, so all I (the net/sysadmin) had to do was launch openvpn with their config file, and everything works swimmingly, until...

Problem:

Last week, Vendor's vpn server erroneously pushed a default gateway rule, which our router obeyed by adding route rules equivalent to the redirect-gateway def1 config. Since traffic to non-Vendor addresses is not forwarded by Vendor, this caused an outage. Vendor "has fixed the issue", but I am looking for a fix I can apply on our side to prevent this from happening again. Our use of non-Vendor addresses should not rely on Vendor configuring anything correctly. I want a cli or config file option to tell the openvpn client to ignore any route pushes, so I can manually add the singular route rule that's supposed to be there. I don't see anything promising in the openvpn manual, and most openvpn gateway posts I'm seeing here are trying to accomplish the opposite of this.

Temp fix: For the short term I threw up a cron job that kills any 0.0.0.0/1 and 128.0.0.0/1 routes.

Versions:

openvpn 2.3.10, ubuntu 18 server w/ low latency kernel.

1 Answer

Ah, found it.

# Accept options pushed by the server EXCEPT routes, redirect-gateway
# and dhcp-option pushes (so pushed DNS servers are ignored as well)
route-nopull
# Gateway address used for the static route below
route-gateway dhcp
# The single route that is supposed to exist: Vendor's subnet via the tunnel
route 192.168.0.0 255.255.0.0
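The temporary fix from the question (a cron job that removes the 0.0.0.0/1 and 128.0.0.0/1 routes that a redirect-gateway def1 push creates) written out as an added example; this is not code from the original question or answer. It assumes an iproute2 system, that the tunnel interface is tun0, and uses a constructed sample of `ip route show` output; the only command that changes anything is purge_def1_routes(), which is not invoked when the script is run as-is. Only the two /1 prefixes that point at the tunnel are touched, so the intended static route to Vendor's subnet and the real default route are left alone.

```shell
#!/bin/sh
# Constructed sample of `ip route show` output as it looks after a server
# pushed redirect-gateway def1: two /1 routes via the tunnel shadow the
# real default route without replacing it.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0 proto static
0.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.0.0/16 via 10.8.0.5 dev tun0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10'

# Read routing-table text on stdin and print, one per line, the def1-style
# half-default prefixes (0.0.0.0/1 and 128.0.0.0/1) whose "dev" is the
# interface given as $1. Other routes, including the legitimate static
# route to the vendor subnet, are never printed.
def1_routes() {
    ifname="$1"
    awk -v dev="$ifname" '($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
        for (i = 2; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) print $1
    }'
}

# Count def1 routes in the routing-table text $1 for interface $2;
# prints 0 when the table is clean.
count_def1_routes() {
    printf '%s\n' "$1" | def1_routes "$2" | wc -l | tr -d ' '
}

# Live check intended for cron (needs root): delete every def1 route that
# points at the tunnel interface $1, leaving all other routes in place.
purge_def1_routes() {
    ifname="$1"
    ip route show | def1_routes "$ifname" | while read -r prefix; do
        ip route del "$prefix" dev "$ifname"
    done
}

# Demonstration on the constructed sample (no root needed): prints the two
# offending prefixes, and nothing for an interface that has none.
printf '%s\n' "$SAMPLE_ROUTES" | def1_routes tun0
printf '%s\n' "$SAMPLE_ROUTES" | def1_routes eth0
```

With the answer's route-nopull in the client config the pushed default route is never installed, so a job like this becomes a safety net rather than the fix. On OpenVPN 2.4 and later, `pull-filter ignore "redirect-gateway"` discards just that pushed directive while still accepting the other pushed options that route-nopull would also drop.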
