"Vendor" requires a VPN to access its resources. Several of our staff need access to Vendor's resources. To reduce the load on Vendor's VPN server, we agreed to add the tunnel on our top-level router and, with plain NAT, statically route traffic for Vendor's subnet through the tunnel while all other traffic goes out the normal way. The static route is pushed from Vendor's server, so all I (net/sysadmin) had to do was bring up openvpn with their config file, and everything worked fine until...
Last week, Vendor's VPN server erroneously pushed a default gateway rule, which our router obeyed by adding route rules equivalent to the `redirect-gateway def1` config. Since traffic to non-Vendor addresses is not forwarded by Vendor, this caused an outage. Vendor "has fixed the issue", but I am looking for a fix I can apply on our side to prevent this from happening again. Our use of non-Vendor addresses should not rely on Vendor configuring anything correctly. I want a CLI or config file option to tell the openvpn client to ignore any route pushes, so I can manually add the single route rule that's supposed to be there. I don't see anything promising in the openvpn manual, and most openvpn gateway posts I'm seeing here are trying to accomplish the opposite of this.
Temp fix: For the short term I threw up a cron job that kills any
openvpn 2.3.10, Ubuntu 18 server with a low-latency kernel.
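As an added illustration (not from the question's author or from Vendor's config), here is a client-side OpenVPN configuration fragment that refuses every route the server pushes and installs the one static route locally instead. It uses the `route-nopull` directive, which OpenVPN 2.3 documents as "accept options pushed by server EXCEPT for routes and dhcp options", together with an explicit `route` line. The Vendor subnet `10.0.0.0/24` is a constructed placeholder and must be replaced with the real one; the `pull-filter` line is an alternative that only exists from OpenVPN 2.4 onward, so it is commented out for the 2.3.10 client in the question.

```conf
# --- Added example: pin the Vendor route on the client side, ignore pushed routes ---
# Everything above this point (remote, ca, cert, key, cipher, ...) stays as Vendor supplied it.
client
dev tun

# Ignore ALL routes pushed by the server (and, on 2.3, pushed DHCP options such as DNS).
# A pushed "redirect-gateway def1" is therefore never applied to the local routing table.
route-nopull

# Install the one route that is supposed to exist, via the tunnel's own gateway.
# 10.0.0.0/24 is a CONSTRUCTED placeholder for the Vendor subnet; replace it.
route 10.0.0.0 255.255.255.0 vpn_gateway

# OpenVPN 2.4+ alternative: keep accepting pushed routes in general but drop only
# the dangerous one. Not available on 2.3.10, shown for reference only.
# pull-filter ignore "redirect-gateway"
```

With `route-nopull` in place, a mis-pushed default gateway from Vendor's server is simply discarded by the client; the only tunnel route on the router is the one declared locally, so the blast radius of a bad push is limited to the Vendor subnet. If Vendor also pushes DNS settings that are needed, note that 2.3's `route-nopull` drops those too and they would have to be configured locally as well.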