how to route initiating client through alt gateway



clarkbriggs101@gmail.com
OpenVpn Newbie
Posts: 2
Joined: Sun May 14, 2017 5:44 pm

how to route initiating client through alt gateway

Post by clarkbriggs101@gmail.com » Sun May 14, 2017 6:31 pm

I need to get the openvpn server to not use the default gateway while negotiating with the client. Here's why.
I had an Ubuntu openvpn server going with openvpn clients on cell phones and tablets when out of the house roaming out in the wild so they could see inside the house. All fine.
I signed up for a paid VPN service for the outbound traffic. Put in a flashrouter with tomato and openvpn. Took out my original router. All fine.
Except that tomato can't do both openvpn client and openvpn server at the same time. (OBTW, this would be the right answer here.) It seems my VPN provider PIA doesn't offer inbound port forwarding on its US vpn servers. And the tomato doesn't monitor the local outside IP for inbound port forward requests. (I think this is odd, but can't figure out how or why simply putting in a tomato port forward doesn't work with the outbound VPN client connected. It works when it is not connected.)
I set up my old router, which worked, in parallel with the new tomato router. (OK, here's what "in parallel" means. Both are below the ISP modem/router. Both are connected to the inside LAN. I don't have separate inside LANs. The tomato is the default gateway. All inside PCs go out the tomato through the VPN. Only inbound VPN is to go through the old router.) I can get inbound vpn client requests to be forwarded through the old router to the Ubuntu openvpn server, but the server doesn't know to route back through the old router for those early client negotiation packets. (This is while the initiating client is using its outside IP before the tunnel is up.) The openvpn server routes replies back through the default gateway so the packets get lost out the VPN. At least that's what I think is going wrong. (The openvpn server log sees the initial client request; it hears the client ping and replies with a ping, but that cycle repeats until a timeout: "TLS key negotiation failed to occur within 60 seconds (check your network connectivity)".)
I know it's both unusual (all the support desks disavow me and googling this setup gets no hits) and complex (makes my head hurt trying to follow the packets in and back out) but I think this will work.
Seems like I need a special purpose routing rule on the Ubuntu (openvpn) server, or in the openvpn config itself, that says clients that are out in the wild trying to connect aren't to be reached behind the default gateway but behind the alternate gateway. Is there an openvpn server config stanza that says all clients are behind the alt gateway and not the default gateway?
I don't want to just tell the hosting Ubuntu that its default gateway is the alt router because it does several other otherwise-normal things, like being the entertainment center box, that want to go out the new VPN service.
Ideas? Got questions for clarification of the setup? I know it's unusual and hard to describe.
Thanks in advance. Clark

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: how to route initiating client through alt gateway

Post by TinCanTech » Sun May 14, 2017 8:15 pm

If you read this and post some relevant details, somebody may be able to help.

clarkbriggs101@gmail.com
OpenVpn Newbie
Posts: 2
Joined: Sun May 14, 2017 5:44 pm

Re: how to route initiating client through alt gateway

Post by clarkbriggs101@gmail.com » Sun May 14, 2017 9:02 pm

Hmm. I thought I was pretty verbose. Let's see what more I can add using that guide.
server is Ubuntu 17.04 Linux 4.10.0-20-generic
openvpn server is apparently CE ver 2.4.0-4ubuntu1.2
clients are typically Android phones using OpenVPN Connect 1.1.17 (build 76) May 24 2016
server log says things like
Sun May 14 11:29:02 2017 us=24038 70.211.13.207:2036 SENT PING
Sun May 14 11:29:08 2017 us=43542 70.211.13.207:2036 UDPv4 WRITE [14] to [AF_INET]70.211.13.207:2036: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Sun May 14 11:29:38 2017 us=849609 70.211.13.207:2036 SENT PING
Sun May 14 11:29:38 2017 us=849642 70.211.13.207:2036 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 14 11:29:38 2017 us=849663 70.211.13.207:2036 TLS Error: TLS handshake failed
client log says things like
connecting to [it gets the external DDNS IP correct]
server poll timeout.
It never gets any packets back.
server conf includes active lines like
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 192.168.10.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 7
The server is using other defaults like udp and port 1194.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: how to route initiating client through alt gateway

Post by TinCanTech » Sun May 14, 2017 9:50 pm

clarkbriggs101@gmail.com wrote: I thought I was pretty verbose
Verbose yes .. useful no
clarkbriggs101@gmail.com wrote: server is Ubuntu 17.04 Linux 4.10.0-20-generic
openvpn server is apparently CE ver 2.4.0-4ubuntu1.2
Apparently ..
clarkbriggs101@gmail.com wrote: server log says things like
Sun May 14 11:29:02 2017 us=24038 70.211.13.207:2036 SENT PING
Sun May 14 11:29:08 2017 us=43542 70.211.13.207:2036 UDPv4 WRITE [14] to [AF_INET]70.211.13.207:2036: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Sun May 14 11:29:38 2017 us=849609 70.211.13.207:2036 SENT PING
Sun May 14 11:29:38 2017 us=849642 70.211.13.207:2036 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mine says .. connected.

Help us to help you ..

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: how to route initiating client through alt gateway

Post by TinCanTech » Mon May 15, 2017 7:03 pm

clarkbriggs101@gmail.com wrote: signed up for a paid VPN service for the outbound traffic. Put in a flashrouter with tomato and openvpn. Took out my original router. All fine.
Except that tomato can't do both openvpn client and openvpn server at the same time. (OBTW, this would be the right answer here.) It seems my VPN provider PIA doesn't offer inbound port forwarding on its US vpn servers. And the tomato doesn't monitor the local outside IP for inbound port forward requests. (I think this is odd, but can't figure out how or why simply putting in a tomato port forward doesn't work with the outbound VPN client connected. It works when it is not connected.)
Google "policy based routing"
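What policy-based routing looks like for the layout in this thread, as an added example that is not from the thread or from OpenVPN: the Ubuntu host keeps the tomato router as its default gateway, but UDP packets the server itself sends from port 1194 (the handshake replies that currently vanish out the commercial VPN) are marked and routed through the old router. The LAN prefix and the client address come from the poster's config and log; the old router's address (192.168.10.2), the interface name (eth0), the table number and the fwmark value are assumptions. Commands are printed by default (DRY_RUN=1); set DRY_RUN=0 to run them as root.

```shell
#!/bin/sh
# Policy-based routing so the OpenVPN server's own UDP replies leave via the
# alternate router while everything else keeps using the tomato default gateway.
# Constructed example for the poster's layout; these values are assumptions:
ALT_GW=${ALT_GW:-192.168.10.2}       # old router on the LAN (assumed address)
LAN_IF=${LAN_IF:-eth0}               # server's LAN interface (assumed name)
LAN_NET=${LAN_NET:-192.168.10.0/24}  # from the poster's push "route" line
OVPN_PORT=${OVPN_PORT:-1194}         # server listens on the default UDP/1194
TABLE=${TABLE:-100}                  # spare routing table number (assumed)
MARK=${MARK:-0x1}                    # fwmark that selects that table (assumed)
DRY_RUN=${DRY_RUN:-1}                # 1 = print commands, 0 = execute (needs root)

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

pbr_apply() {
  # 1. Mark locally generated UDP packets whose source port is the OpenVPN
  #    port: exactly the handshake replies (HARD_RESET, pings) seen in the log.
  run iptables -t mangle -A OUTPUT -p udp --sport "$OVPN_PORT" -j MARK --set-mark "$MARK"
  # 2. Dedicated table: LAN stays on-link, default points at the old router.
  run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
  run ip route add default via "$ALT_GW" dev "$LAN_IF" table "$TABLE"
  # 3. Marked packets consult the dedicated table before the main table.
  run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000
  # 4. Drop cached route decisions so existing flows pick up the rule.
  run ip route flush cache
}

pbr_remove() {
  run ip rule del fwmark "$MARK" lookup "$TABLE" priority 1000
  run ip route flush table "$TABLE"
  run iptables -t mangle -D OUTPUT -p udp --sport "$OVPN_PORT" -j MARK --set-mark "$MARK"
}

# Check which gateway the kernel would pick for a marked reply to a given
# client address; on a working setup the answer names ALT_GW, not the tomato.
pbr_check() {
  run ip route get "$1" mark "$MARK"
}

pbr_apply
pbr_check 70.211.13.207   # client address from the poster's server log
```

The rules live only in the kernel and are lost on reboot, so put the apply step in a boot-time hook once the check shows the alternate gateway.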
