How to exclude localhost 127.0.0.1 from VPN when running VPN via a commercial service config (route issue?)


Moderators: TinCanTech

tiredlady
OpenVpn Newbie
Posts: 1
Joined: Wed Aug 09, 2023 12:16 pm


Post by tiredlady » Wed Aug 09, 2023 12:33 pm

Hello!
Basically, I have dnscrypt running on localhost and acting as a resolver on

127.0.0.1:53

resolv.conf is edited accordingly

And I want to use OpenVPN to, well, use VPN

Problem: when OpenVPN goes up, localhost is only available as long as connectivity persists to the VPN server, or to the SOCKS proxy through which the VPN is being successfully connected.

If either the SOCKS proxy or - as I learned the hard way later - the VPN server goes down, a full OpenVPN shutdown is required to re-allow connectivity to localhost.

(E.g. if I pull the LAN cable out, OpenVPN will lose connectivity and start trying to reconnect, but resolving won't work even for cached domain names.
I've tested this by shutting down OpenVPN without reconnecting the cable, and nslookup can immediately resolve many previously known domain names again.)

The routing tables look like this:

WITH OPENVPN ACTIVE AND RUNNING
user@vpnbox:~$ sudo ip route list
0.0.0.0/1 via 10.16.0.1 dev tun0
default via 10.137.5.1 dev eth0
default via 10.137.2.1 dev vif3.0
10.16.0.0/16 dev tun0 proto kernel scope link src 10.16.0.2
10.137.2.19 dev vif3.0 scope link metric 32749
10.137.5.1 dev eth0 scope link
128.0.0.0/1 via 10.16.0.1 dev tun0
141.98.255.92 via 10.137.5.1 dev eth0

user@vpnbox:~$ sudo ip ro sh table local
broadcast 10.16.0.0 dev tun0 proto kernel scope link src 10.16.0.2
local 10.16.0.2 dev tun0 proto kernel scope host src 10.16.0.2
broadcast 10.16.255.255 dev tun0 proto kernel scope link src 10.16.0.2
local 10.137.2.1 dev vif3.0 proto kernel scope host src 10.137.2.1
local 10.137.5.17 dev eth0 proto kernel scope host src 10.137.5.17
broadcast 10.255.255.255 dev eth0 proto kernel scope link src 10.137.5.17
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1

AFTER FULL OPENVPN SHUTDOWN (CTRL-C)

user@vpnbox:~$ sudo ip ro sh table local
local 10.137.2.1 dev vif3.0 proto kernel scope host src 10.137.2.1
local 10.137.5.17 dev eth0 proto kernel scope host src 10.137.5.17
broadcast 10.255.255.255 dev eth0 proto kernel scope link src 10.137.5.17
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1


user@vpnbox:~$ sudo ip route list
default via 10.137.5.1 dev eth0
default via 10.137.2.1 dev vif3.0
10.137.2.19 dev vif3.0 scope link metric 32749
10.137.5.1 dev eth0 scope link


OpenVPN config is:
client
dev tun
resolv-retry infinite
nobind
verb 4
remote-cert-tls server
ping 10
ping-restart 120
sndbuf 524288
rcvbuf 524288
cipher AES-128-GCM
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
proto udp4
auth-user-pass /home/user/userpass.txt
ca /home/user/m_ca2.crt

script-security 2

fast-io
remote-random
remote 185.213.154.135 1302
remote 185.213.154.134 1302
remote 141.98.255.83 1302

What I want:
To make it so that 127.0.0.1 is always routed as, well, localhost - and accessible independent of OpenVPN state.

So, basically, exclude localhost out of VPN altogether and in all cases.

I suspect that some route being pushed by the VPN service provider is interfering with that, but I don't know how to fix it.

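The following is an added example, not part of the post above and not OpenVPN code. It replays the kernel's route selection against the two tables pasted in the post (local table first, then main, longest prefix then lowest metric, which is the default `ip rule` order on Linux) so you can see which destinations the provider's 0.0.0.0/1 + 128.0.0.0/1 pair actually captures. The resolver upstream 9.9.9.9 is an assumed stand-in for whatever dnscrypt forwards to; 10.137.5.1 / eth0 are taken from the pasted table as the pre-VPN gateway.

```python
"""Replay Linux policy routing against the route tables pasted in the post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the two tables from the post with OpenVPN up, copied verbatim.
LOCAL_TABLE = """\
broadcast 10.16.0.0 dev tun0 proto kernel scope link src 10.16.0.2
local 10.16.0.2 dev tun0 proto kernel scope host src 10.16.0.2
broadcast 10.16.255.255 dev tun0 proto kernel scope link src 10.16.0.2
local 10.137.2.1 dev vif3.0 proto kernel scope host src 10.137.2.1
local 10.137.5.17 dev eth0 proto kernel scope host src 10.137.5.17
broadcast 10.255.255.255 dev eth0 proto kernel scope link src 10.137.5.17
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
"""
MAIN_TABLE_VPN_UP = """\
0.0.0.0/1 via 10.16.0.1 dev tun0
default via 10.137.5.1 dev eth0
default via 10.137.2.1 dev vif3.0
10.16.0.0/16 dev tun0 proto kernel scope link src 10.16.0.2
10.137.2.19 dev vif3.0 scope link metric 32749
10.137.5.1 dev eth0 scope link
128.0.0.0/1 via 10.16.0.1 dev tun0
141.98.255.92 via 10.137.5.1 dev eth0
"""

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    rtype: str          # unicast, local or broadcast
    metric: int

_ROUTE_TYPES = {"local", "broadcast", "unicast", "unreachable", "prohibit", "blackhole"}
_KEYS_WITH_VALUE = {"via", "dev", "metric", "proto", "scope", "src", "table"}

def parse_table(text: str) -> List[Route]:
    """Parse `ip route show` output lines into Route objects."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        rtype = toks.pop(0) if toks[0] in _ROUTE_TYPES else "unicast"
        dst = toks.pop(0)
        prefix = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        attrs = {}
        it = iter(toks)
        for tok in it:                      # "proto kernel", "scope link", "src x" are key/value pairs
            if tok in _KEYS_WITH_VALUE:
                attrs[tok] = next(it)
        routes.append(Route(prefix, attrs.get("dev", "lo"), attrs.get("via"),
                            rtype, int(attrs.get("metric", 0))))
    return routes

Tables = List[Tuple[str, List[Route]]]
# Default `ip rule` order: local (priority 0) is consulted before main (32766).
TABLES_VPN_UP: Tables = [("local", parse_table(LOCAL_TABLE)),
                         ("main", parse_table(MAIN_TABLE_VPN_UP))]

def lookup(dst: str, tables: Tables) -> Tuple[str, Route]:
    """Return (table name, route) the kernel would pick: first table with a match,
    longest prefix within it, lowest metric on ties."""
    addr = ipaddress.ip_address(dst)
    for name, routes in tables:
        matches = [r for r in routes if addr in r.prefix]
        if matches:
            return name, min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))
    raise LookupError(f"no route to {dst}")

def with_host_bypass(tables: Tables, host: str, via: str, dev: str) -> Tables:
    """Add a /32 route through the pre-VPN gateway to 'main'. This is the shape of route
    that the OpenVPN client directive `route <host> 255.255.255.255 net_gateway` installs."""
    bypass = Route(ipaddress.ip_network(host + "/32"), dev, via, "unicast", 0)
    return [(n, rs + [bypass] if n == "main" else rs) for n, rs in tables]

if __name__ == "__main__":
    for dst in ("127.0.0.1", "9.9.9.9", "141.98.255.92"):
        table, r = lookup(dst, TABLES_VPN_UP)
        print(f"{dst:>15} -> table {table}: {r.rtype} {r.prefix} dev {r.dev} via {r.via}")
    bypassed = with_host_bypass(TABLES_VPN_UP, "9.9.9.9", via="10.137.5.1", dev="eth0")
    print("9.9.9.9 after bypass ->", lookup("9.9.9.9", bypassed)[1].dev)
```

Running it shows that 127.0.0.1 (and every other 127/8 address) is answered from the local table on `lo` before the main table is ever consulted, so the pushed 0.0.0.0/1 and 128.0.0.0/1 routes cannot capture loopback traffic; on a real box `ip route get 127.0.0.1` and `ip rule` confirm the same thing. What those two routes do capture is everything the resolver on 127.0.0.1:53 sends upstream, which dies with tun0 when the tunnel loses its peer. To keep an upstream reachable outside the tunnel, the OpenVPN client config can carry `route <upstream> 255.255.255.255 net_gateway` (same kind of /32 host route OpenVPN already added for the VPN server in the pasted table), and `pull-filter ignore "dhcp-option DNS"` stops a pushed DNS server from being applied on clients that run an `up` script.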