I'm messing with 22.03 on my test RPI router. I've got OVPN installed but I've noticed that it is trying to force a connection through the OVPN client even when I don't have my firewall set up to do this.
What this means is if I don't have LAN forwarding to VPN while the OVPN client is connected, I don't have connectivity at all. I'm trying to eventually get policy based routing working so I'm testing everything else first but I can only get straight to WAN if I'm going through the VPN while it's connected.
Am I missing something obvious? I was able to get this to work on the previous version in case my VPN went down. I could just redo my firewall and get around it without having to change a bunch of VPN settings.
Well that seems to have gotten me half way there. I changed my ovpn file configuration as it said. Now, I can't connect to anything when I'm forwarding the LAN traffic through the vpn. I CAN ping the gateway IP address of my VPN end point, though.
Just a quick update. I set my LAN to forward to both VPN and WAN and enabled a policy based route for one IP address. It appears that everything works like this. The IP address that is affected by the policy is showing that it's going through the tunnel while the others are not.
Because I have policy based routing installed, is it forcing it even when I have the service turned off? But when I have it turned off, it can't actually use the policies I've set?.
Edit: Nevermind. There seems to be no consistency.
Use policy routing if you want to designate some users (e.g. a guest network) to always go VPN and others such as the regular LAN to always go WAN.
It sounds like you only have one group of users and want to be able to turn VPN on and off, and have them reach the Internet either by WAN if VPN is down, or VPN if it is up. The simplest way to do this is put the VPN tunnel in the wan zone and allow OpenVPN to install the default route when it is running (and if you make an orderly service stoppage, it will remove it when it stops). This is basically a standard whole house VPN with no "kill switch"-- because you want to be able to stop the VPN and have regular Internet.
Not quite. I'm ultimately wanting to have policy routing set so certain clients go through the VPN with a kill switch and the rest don't. I'm just trying to test things for consistency before I commit so I can understand what's going on in the background.
Just another update. I finally got to the point that I understood what all was going on with setting the default routing. Got it set to have WAN as default and then figured out how policy based routing works. It all does exactly what I want it to do on this test set up and I feel that I can implement this into my main network when I jump over to openwrt on everything.