This is usually due to an OpenVPN misconfiguration.
For example, including "user nobody" and "group nogroup" in a configuration that relies on OpenVPN doing the routing (as yours apparently does). The problem is that with "user nobody", OpenVPN is running as "nobody" when the disconnect occurs, and "nobody" does not have the permissions needed to restore the routes. (Without "user nobody", OpenVPN continues running as "root", so when the disconnect occurs, OpenVPN can restore the routes.
You can solve that problem by removing "user nobody" and "group nogroup" from the OpenVPN configuration file. (A computer administrator must do this.)
Another solution that usually works, and which can be done by a non-computer-administrator, is to have Tunnelblick reset the primary interface when there is a disconnect:
- In older versions of Tunnelblick (prior to 3.7.5beta03), use the "Reset the primary interface after disconnecting" checkbox on the "Settings" tab on the "Configurations" panel of Tunnelblick's "VPN Details" window.
- On newer versions of Tunnelblick, 3.7.5beta03 and higher), set both the "On expected disconnect" and the "On unexpected disconnect" settings to "Reset Primary Interface". They are on the "Settings" tab on the "Configurations" panel of Tunnelblick's "VPN Details" window.
Note that when making a change to almost any Tunnelblick setting, the change will be applied to all configurations that are selected in the list on the left side of the "Configurations" panel, so you can change the settings for multiple configurations at one time.