OpenVPN CLI client: block pushed default GW

Setup (names replaced with generic terms):

"Vendor" requires a VPN to access its resources. Several of our employees need access to Vendor resources. To reduce the load on Vendor's VPN server, we agreed to add the tunnel on our top-level router and, using ordinary NAT, statically route traffic to Vendor's subnet through the tunnel, while all other traffic goes out the normal way. The static route is pushed from Vendor's server, so all I (net/sysadmin) have to do is start openvpn with their config file, and everything worked fine until...

Problem:

Last week, Vendor's VPN server erroneously pushed a default-gateway rule, which our router obeyed by adding route rules equivalent to the redirect-gateway def1 config. Since traffic to non-Vendor addresses is not forwarded by Vendor, this caused an outage. Vendor "has fixed the issue", but I am looking for a fix I can apply on our side to prevent this from happening again. Our use of non-Vendor addresses should not rely on Vendor configuring anything correctly. I want a CLI or config-file option to tell the openvpn client to ignore any route pushes, so I can manually add the singular route rule that's supposed to be there. I don't see anything promising in the openvpn manual, and most openvpn gateway posts I'm seeing here are trying to accomplish the opposite of this.

Temp fix: For the short term I threw up a cron job that kills any 0.0.0.0/1 and 128.0.0.0/1 routes.

Version:

openvpn 2.3.10, on an Ubuntu 18 server with the low-latency kernel.
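An added example, not part of the original question: a shell snippet that emits a hardened OpenVPN client fragment using the `route-nopull` directive (present in OpenVPN 2.3; the more selective `pull-filter` only arrived in 2.4) with the single vendor route added explicitly, and a check that spots the two def1 half-routes from `ip route` output. VENDOR_NET, VENDOR_MASK, TUN_DEV and the sample route table are placeholders I constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Two defender-side pieces that
# do not depend on what the vendor's server pushes:
#  1. hardened_client_config: OpenVPN 2.3 client fragment using route-nopull,
#     so pushed routes (including a pushed redirect-gateway) are ignored, and
#     the one vendor route is added locally.
#  2. detect_def1_routes: given `ip route` output, prints the 0.0.0.0/1 and
#     128.0.0.0/1 half-routes that redirect-gateway def1 installs on the tun.
# VENDOR_NET, VENDOR_MASK and TUN_DEV are placeholder values.

VENDOR_NET="${VENDOR_NET:-203.0.113.0}"      # placeholder (TEST-NET-3)
VENDOR_MASK="${VENDOR_MASK:-255.255.255.0}"
TUN_DEV="${TUN_DEV:-tun0}"

hardened_client_config() {
    cat <<EOF
# ... rest of the vendor-supplied client config (remote, certs) unchanged ...
# Accept pushed options except routes (and DHCP/DNS options).
route-nopull
# Add only the route we want; vpn_gateway resolves to the tunnel's far end.
route $VENDOR_NET $VENDOR_MASK vpn_gateway
EOF
}

# Reads `ip route` output on stdin; prints def1 half-routes that point at
# the tunnel interface. Exit status 0 if any were found, 1 otherwise.
detect_def1_routes() {
    awk -v dev="$TUN_DEV" '
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
            for (i = 2; i <= NF; i++)
                if ($i == "dev" && $(i+1) == dev) { print; found = 1; break }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of what `ip route show` looked like during the outage.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
0.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
203.0.113.0/24 via 10.8.0.5 dev tun0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

count_def1_routes() {
    printf '%s\n' "$SAMPLE_ROUTES" | detect_def1_routes | wc -l | tr -d ' '
}
```

On a live router, `ip route show | detect_def1_routes` turns the cron-based cleanup into a check that can alert instead of silently deleting routes.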
