On another network, somewhere else, I install the client certificate on a device with OpenWrt ...
By connecting the PC to this device, all the traffic I produce will exit through the VPN tunnel (since the OpenVPN server is the default gateway) ...
I would like to be able to access the network resources within the network on which the VPN server is located, but I would like the traffic directed to the internet (any public IP address) not to pass through the VPN but to leave via the WLAN connection of the OpenWrt device (outside the VPN tunnel), so as not to overload the VPN server.
Thank you for the support; I apologize if I have expressed myself badly or if the question is not really relevant to the forum, but I believe that at this moment it is difficult to solve, and this question may also be useful to someone else.
My noob solution: OpenVPN as default gateway, and then change the route for the internet in the OpenWrt device:
Yes, the split tunnel was the first solution I had thought of ...
However, the split tunnel only sends traffic to the VPN for the VPN subnet (the 10.8.0.0/8, because I'm lazy) ...
In this scenario I have to go into the server to map the devices, managing the routing, and the client, in order to access a remote resource, must know its address ...
I don't have to manage all these things with OpenVPN as default gateway, and I'm happy!
On the device with OpenWrt (and the client certificate) I have 2 interfaces: the wlan, which goes out via its gateway, and tun0, which goes out via the VPN tunnel. My reasoning is "I keep all the advantages of a VPN as default gateway, but I turn the internet traffic onto the wlan" ...
If it is useful, this is the routing table of the device with OpenWrt:
Currently the VPN server is sending to the clients the prefixes 0.0.0.0/1 and 128.0.0.0/1 to bypass the local default gateway.
You have two options.
Either the server will only advertise the office subnet, or the client will ignore the default gateway and install the routes only for the office.
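The two options above, written out as config fragments. This is an added example, not configuration from the original thread or from the GL.iNet firmware; it assumes the office subnet is 192.168.1.0/24 (the subnet mentioned later in the thread) and that the file names are the OpenVPN defaults.

```openvpn
# Option A: server side (server.conf, relevant lines only).
# Remove the redirect-gateway push: it is what installs the 0.0.0.0/1 and
# 128.0.0.0/1 routes on every client and hijacks the local default gateway.
#push "redirect-gateway def1"
# Advertise only the office subnet (assumed to be 192.168.1.0/24).
push "route 192.168.1.0 255.255.255.0"

# Option B: client side (client.conf on the OpenWrt device, relevant lines only).
# Ignore every route the server pushes and install only the office route locally.
route-nopull
route 192.168.1.0 255.255.255.0
```

With option B the server can keep pushing the default gateway to other clients (a laptop on the road still gets a full tunnel) while this one device stays split. Note that `route-nopull` discards all pushed options, DNS servers included; on OpenVPN 2.4 or newer, `pull-filter ignore "redirect-gateway"` drops only the default-gateway push and keeps the rest.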
In this way the split tunnel works great and does what I need ...
However!
By installing the certificate in the device with OpenWrt, the connected clients can access the resources in the remote LAN (where the VPN server is located) but cannot surf the web ...
I'm using a GL.iNet firmware and I don't know if that is the problem ...
or if I have to go and manage the routing in the device ...
even if the server should impose the route on the device ...
Do I have to put everything in bridge mode and cut the bull's head?
You'll need to verify that the OpenWrt device has the proper routes in its routing table. Since the VPN works properly, the route for 192.168.1.0/24 works fine. Is there still a default route via your ISP?
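A small check for exactly the three things that reply asks about, runnable on the OpenWrt device against the output of `ip route show`. This is an added example, not a script from the thread or from the GL.iNet firmware; it assumes the office subnet is 192.168.1.0/24 (from the thread), that the VPN interface is tun0 and the uplink is wlan0, and the two routing tables below are constructed samples, not captured from a real device.

```shell
#!/bin/sh
# Split-tunnel sanity check for an OpenVPN client on OpenWrt (added example).
# Assumptions: office subnet 192.168.1.0/24, VPN interface tun0.
OFFICE_NET="192.168.1.0/24"
VPN_IF="tun0"

# check_split_tunnel TABLE
# TABLE is the text of `ip route show`. Returns 0 (ok) only when:
#   1. a default route exists and it does NOT go via the VPN interface
#      (i.e. internet traffic still leaves via the ISP / wlan),
#   2. there are no 0.0.0.0/1 or 128.0.0.0/1 override routes via the VPN
#      (those are what "redirect-gateway def1" installs),
#   3. the office subnet is routed via the VPN interface.
check_split_tunnel() {
    table="$1"
    # 1. default route must not point at the tunnel, but must exist
    printf '%s\n' "$table" | grep -q "^default .* dev ${VPN_IF}" && return 1
    printf '%s\n' "$table" | grep -q "^default " || return 1
    # 2. no half-internet override routes via the tunnel
    printf '%s\n' "$table" | grep -Eq "^(0\.0\.0\.0/1|128\.0\.0\.0/1) .* dev ${VPN_IF}" && return 1
    # 3. office subnet reachable through the tunnel
    printf '%s\n' "$table" | grep -q "^${OFFICE_NET} .* dev ${VPN_IF}" || return 1
    return 0
}

# Constructed sample: what a full-tunnel client looks like (redirect-gateway pushed).
FULL_TUNNEL='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.8.1 dev wlan0
10.8.0.0/24 dev tun0 scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 via 10.8.0.5 dev tun0
192.168.8.0/24 dev wlan0 scope link src 192.168.8.100'

# Constructed sample: the same device after switching to a split tunnel.
SPLIT_TUNNEL='default via 192.168.8.1 dev wlan0
10.8.0.0/24 dev tun0 scope link src 10.8.0.6
192.168.1.0/24 via 10.8.0.5 dev tun0
192.168.8.0/24 dev wlan0 scope link src 192.168.8.100'

# Usage on the device itself: check_split_tunnel "$(ip route show)"
if check_split_tunnel "$SPLIT_TUNNEL"; then echo "split sample: ok"; else echo "split sample: NOT split"; fi
if check_split_tunnel "$FULL_TUNNEL"; then echo "full sample: ok"; else echo "full sample: NOT split"; fi
```

If the check passes but clients behind the router still cannot reach the internet, the routing table is not the culprit and the problem sits elsewhere (firewall zones, or, as it turned out in this thread, a vendor kill switch on the VPN).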
Solved the problem: I am using a GL.iNet product that sets a check on the VPN connection, i.e. when the VPN does not send me to the internet, internet traffic on the WLAN is blocked ... it should be a security system to protect user privacy, and in the end it also makes sense ...