I set up an OpenVPN server and I have several OpenVPN clients (Windows) connecting already.
The clients are configured with this option in the .ovpn file:
redirect-gateway def1
which in my understanding forwards all the traffic through the VPN tunnel.
What I want to achieve is to send only specific traffic through the VPN, by using push-routes. However, no matter what option I try on the OpenVPN server, it always pushes all clients’ traffic through the VPN, including the Internet.
I guess this is because of the client configuration. I cannot modify that setting, since I do not have access to the remote computers.
Is there any option to ignore this config in the client’s .ovpn file and to instruct the client to use the local default gateway for Internet traffic?
The case I have is the opposite: I have full access to the OpenVPN server and no access to OpenVPN clients. I would like to use the server configuration on MikroTik to override the client setting “redirect-gateway def1”, so that the Internet traffic from the client is not pushed through the VPN tunnel.
I don’t think that’s actually possible. The client has all sorts of possibilities to not accept what the server pushes, such as nopull, pull-filter, route-nopull, etc. But according to the openvpn security model, it is assumed that the client and server may be controlled by different people/orgs, and the client config is ultimately responsible for deciding which routes are added or not; the server can only make suggestions.
What you can do: first ask / remind / plead with / threaten the people who control the client config to remove the redirect-gateway directive. Ultimately you can filter the traffic from your clients that is not destined to the subnets that you push (in the firewall). This will of course cause the clients’ access to subnets outside of your subnets to stop working until they are willing to modify their config.
This is according to the best of my (incomplete) knowledge. Ultimately you should ask this on the openvpn forums to get a positive answer.
It is unfortunate that for a long time it was not possible to push routes from the MikroTik version of the server, but lately the implementation has received quite a bit of love (including UDP mode, multiple servers, VRF support, etc.), so nowadays I find it enough for even moderately complex setups. For this reason it was common in the past to just configure clients with the redirect-gateway option. And yes, even though MikroTik has stepped up, it’s a bit of a pain to weed out these effects from your setups. Best of luck in tackling it.
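As an added example (not from either poster), the firewall approach suggested in the reply above, written as RouterOS commands: clients that keep "redirect-gateway def1" still send everything into the tunnel, but the server drops whatever is not headed for a pushed subnet, so their Internet traffic never leaves the router. The OVPN address pool 10.8.0.0/24, the pushed subnet 192.168.10.0/24 and the list/comment names are assumptions for illustration.

```routeros
# Assumed values (change to match your setup):
#   10.8.0.0/24       - address pool handed out to OpenVPN clients
#   192.168.10.0/24   - the subnet you push to clients and want them to reach

# 1. Keep the allowed destinations in an address list so adding a
#    pushed subnet later is a one-line change.
/ip firewall address-list
add list=vpn-pushed-subnets address=192.168.10.0/24 \
    comment="subnet pushed to OpenVPN clients (assumed)"

# 2. Log, then drop, forwarded traffic from the VPN pool that is NOT going
#    to a pushed subnet. Place these above any generic accept rules in the
#    forward chain (e.g. "accept established,related"), otherwise already
#    established Internet flows from a client would slip through.
/ip firewall filter
add chain=forward src-address=10.8.0.0/24 \
    dst-address-list=!vpn-pushed-subnets \
    action=log log-prefix="ovpn-nonpushed" \
    comment="visibility: client sent traffic outside pushed subnets"
add chain=forward src-address=10.8.0.0/24 \
    dst-address-list=!vpn-pushed-subnets \
    action=drop \
    comment="drop Internet/other traffic redirected into the tunnel"

# 3. Do not NAT the VPN pool towards the WAN; without a masquerade rule for
#    10.8.0.0/24 the router has no path to forward that traffic anyway, which
#    is a second safety net if the filter rules are ever reordered.
/ip firewall nat
print where src-address=10.8.0.0/24
```

The log rule is optional but gives you a per-client record (in /log) of who is still running with redirect-gateway, which is handy when chasing the people who own the client configs.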