My workplace has a Sophos VPN solution which uses OpenVPN. It allows connectivity back to the main LAN by pushing routes to the LAN and pushing internal DNS servers to resolve internal system hostnames. It doesn't use redirect-gateway, but when connecting to an internal system and the DNS resolves it, this will of course go through the VPN.
I recently noticed that when connected to my work VPN it was adding a gateway route into my router's routing table that was essentially forcing the specified remote server via a WAN interface I didn't want. It appeared to be consistently selecting this WAN interface, but with no real way to control it, and I'm not really sure what is determining it to use this WAN; but that's not really the main issue.
I was looking at the OpenVPN docs and information and couldn't see or find a way to bind the client to a specific interface. OpenVPN only seems to be able to do this via IP address.
I narrowed down where the gateway route was being added from to route remote_host 255.255.255.255 net_gateway. This was being pushed by the server but, interestingly, was also present in the supplied client configuration, although this seems strange given that, looking at the logs, it's a push directive. I'm not sure it needs to be in the client configuration and it could be an oversight, given it's essentially trying to add the same gateway route twice. I had in fact noticed some route errors in syslog around this.
Using pull-filter I prevented this directive from being used and also commented it out in the configuration file. This seems to have stopped the gateway route being added automatically. I then set up a static route to the WAN interface I wanted, and this seems to have now let me control what interface the VPN connects over.
My question is: is this the best way to control what WAN interface is used by the VPN client, or is there a better way?
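For reference, the client-side overrides the post describes look like the fragment below. This is an added example, not part of the original post or of the Sophos-supplied client configuration; it assumes OpenVPN 2.4 or newer (pull-filter was introduced in 2.4), and the interface and address names mentioned in the notes are placeholders.

```conf
# Added example (assumed OpenVPN 2.4+): drop the pushed host route so the
# client no longer pins the VPN server to whichever WAN the router chose.
# pull-filter matches on the leading text of a pushed option, so this prefix
# only affects the remote_host route and leaves the pushed LAN routes and
# DNS options intact.
pull-filter ignore "route remote_host"

# The same route also appeared in the supplied client file; keep it commented
# out so the client does not try to add it a second time.
#route remote_host 255.255.255.255 net_gateway
```

With the pushed route ignored, the only thing steering traffic to the VPN server is the router's own routing table, so a static host route for the server's address via the preferred WAN gateway (for example `ip route add <vpn-server-ip>/32 via <wan-gateway> dev <wan-interface>` on a Linux-based router; placeholders, adjust to your router) decides the egress interface, and `ip route get <vpn-server-ip>` confirms which interface the kernel will actually use before the tunnel comes up. Because only the remote_host line is filtered, the LAN routes the server pushes still arrive and still go through the tunnel.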