Hello,
I understand; you have a unique situation that is not covered by our normal use-cases, so some manual messing around might be needed. I still think it can be done without messing with client and server config directives manually. Perhaps the information in this reply provides you with 2 ways to achieve what you want.
I am writing this sentence just so future readers understand: the information below is NOT the way you are normally supposed to do things with Access Server. But in your specific case, you can go to VPN Settings and then Advanced VPN and input parameters that can be embedded in client config files when they are generated on the Access Server, or pushed by the server when a client connects. Again this is in almost all cases never necessary, but in your unique situation, it seems the most elegant way. To convert those 2 settings to values in Server Config Directives and Client Config Directives you can do this:
Server config directives:
push "route 172.27.224.0 255.255.240.0"
Client config directives:
pull-filter ignore redirect-gateway
Please note that if you make a mistake with the server config directives, you will end up crashing your Access Server. To resolve that you can use the command line to remove the entries in the server config directives and restart AS and then try again.
To remove incorrect server config directives run these commands as root user:
/usr/local/openvpn_as/scripts/sacli --key "vpn.server.config_text" ConfigDel
/usr/local/openvpn_as/scripts/sacli start
Regarding this part:
However adding 0.0.0.0/0 to "Allow Access To networks and services" did not make sense, all clients from Network B can connect to Network A, but have a direct access to Internet, not thru VPN server possibly because of higher metrics.
Yes, that would create a conflicting route between your default gateway and what the VPN adapter wants to get routed. They'll be at the same subnet size in the routing table, and then only the routing metric will decide the winner here. It is better to use 0.0.0.0/1 and 128.0.0.0/1. Those two together are the same subnet space as 0.0.0.0/1, but because smaller subnets win over bigger ones, the 2 smaller ones will naturally win without competing with the default gateway rule.
I hope that helps.
Kind regards,
Johan
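The route selection described in the reply above, as an added example that is not part of the original post or of Access Server: a small longest-prefix-match model comparing a VPN default route against the two /1 routes. The gateway labels and metric values are constructed for illustration.

```python
import ipaddress

def route(net, via, metric):
    """Build one routing-table entry."""
    return {"net": ipaddress.ip_network(net), "via": via, "metric": metric}

def select_route(table, dest):
    """Pick a route as an IP stack does: the longest matching prefix wins,
    and the metric only breaks ties between prefixes of equal length."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def egress(table, dest):
    """Name of the interface/gateway that would carry traffic to dest."""
    chosen = select_route(table, dest)
    return chosen["via"] if chosen else None

def covers_all_ipv4(nets):
    """True if the given networks together span the whole IPv4 space."""
    merged = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]

# Constructed sample entries: the client's existing default gateway and the
# VPN subnet pushed with: push "route 172.27.224.0 255.255.240.0" (a /20).
LAN_DEFAULT = route("0.0.0.0/0", "lan-gateway", 25)
VPN_SUBNET = route("172.27.224.0/20", "vpn", 50)

# Case 1: the VPN also installs 0.0.0.0/0. Same prefix length as the LAN
# default, so the lower metric decides and Internet traffic bypasses the VPN.
TABLE_SINGLE_DEFAULT = [LAN_DEFAULT, VPN_SUBNET, route("0.0.0.0/0", "vpn", 50)]

# Case 2: the VPN installs 0.0.0.0/1 and 128.0.0.0/1. Both are more specific
# than the LAN default, so they win regardless of metric.
TABLE_SPLIT_DEFAULT = [
    LAN_DEFAULT,
    VPN_SUBNET,
    route("0.0.0.0/1", "vpn", 50),
    route("128.0.0.0/1", "vpn", 50),
]

if __name__ == "__main__":
    for name, table in (("single /0", TABLE_SINGLE_DEFAULT), ("split /1", TABLE_SPLIT_DEFAULT)):
        for dest in ("8.8.8.8", "198.51.100.7", "172.27.230.1"):
            print(f"{name:10} {dest:15} -> {egress(table, dest)}")
```

On a real client, compare this against the actual routing table after connecting to confirm which routes were installed and with which metrics.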