Hello,
We use Tunnelblick and a self-managed OpenVPN server to connect to a private network in AWS. This has been working fine for a few years.
A new corporate policy will enforce usage of a different VPN for all internet traffic using a managed SaaS VPN provider. This also works fine on its own, although it doesn't provide access to our AWS network. Connecting to the AWS network requires connecting Tunnelblick on top of the SaaS VPN. I'm seeing a strange but reproducible issue when using the two VPNs together.
My goal is to route all internet-bound traffic over the SaaS VPN, and route only AWS-bound traffic through the Tunnelblick VPN. Here are the steps I'm seeing which reproduce the problem:
1. Connect the SaaS VPN
2. Connect the Tunnelblick AWS VPN, which does connect successfully, and it pushes a route to the AWS network (10.7.0.0/16) and a route for the SaaS VPN (10.255.0.0/16).
3. HTTP traffic to AWS won't work.
4. In Tunnelblick, enable the setting for Route All IPv4 Traffic Through the VPN, even though I don't actually want to route all traffic through AWS.
5. Reconnect Tunnelblick to enable that setting.
6. HTTP traffic to AWS will now work.
7. Disable the setting for Route All IPv4, since I don't really want that anyway.
8. Reconnect Tunnelblick to lock in that setting.
9. HTTP traffic to AWS will still work.
10. Anytime I disconnect from the SaaS VPN, I have to redo steps 2-9 to get AWS-bound HTTP traffic to work, including the enable/disable dance on the Route All IPv4 setting.
Can anybody tell me why enabling/disabling the Route All IPv4 setting is seemingly required to get traffic flowing over the Tunnelblick VPN? I'm happy to share any relevant configuration bits from the OpenVPN server or from Tunnelblick.
Thanks.
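An added diagnostic, not code from the original post: it parses the IPv4 part of a macOS `netstat -rn` routing table (a constructed sample; the utun4/utun5 interface names and gateway addresses are assumptions) and applies the kernel's longest-prefix-match rule to check whether 10.7.0.0/16 exits the Tunnelblick interface while everything else still exits the SaaS tunnel, which is the state wanted after step 9. The 0.0.0.0/1 and 128.0.0.0/1 halves that OpenVPN's `redirect-gateway def1` installs are assumed to be what the Route All IPv4 setting adds.

```python
"""Which interface will a destination actually leave on? Longest-prefix match
over a routing table in the shape macOS `netstat -rn` prints."""
import ipaddress

# Constructed sample: both tunnels up, SaaS VPN holds the default route.
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags           Netif Expire
default            10.255.0.1         UGScg           utun4
10.7/16            10.7.0.5           UGSc            utun5
10.255/16          10.255.0.1         UGSc            utun4
192.168.1          link#6             UCS             en0
"""

def expand_macos_dest(dest):
    """Expand netstat's shortened forms ('10.7/16', '192.168.1', 'default')
    into a full CIDR network; trailing zero octets are omitted by netstat."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:                      # bare '192.168.1' means 192.168.1.0/24
        plen = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def parse_routes(text):
    """Return (network, gateway, netif) tuples, skipping the header and
    anything that is not an IPv4 prefix (IPv6, link-level entries)."""
    routes = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            routes.append((expand_macos_dest(parts[0]), parts[1], parts[3]))
        except ValueError:
            continue
    return routes

def lookup(routes, dst):
    """Most specific matching prefix wins, regardless of table order."""
    ip = ipaddress.ip_address(dst)
    best = None
    for entry in routes:
        if ip in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best

def check_split_tunnel(text, aws_net="10.7.0.0/16", aws_if="utun5", saas_if="utun4"):
    """(aws_ok, internet_ok): AWS traffic exits Tunnelblick, the rest exits SaaS."""
    routes = parse_routes(text)
    aws_hit = lookup(routes, str(ipaddress.ip_network(aws_net)[1]))
    inet_hit = lookup(routes, "203.0.113.10")        # TEST-NET-3, stands in for the internet
    return (aws_hit is not None and aws_hit[2] == aws_if,
            inet_hit is not None and inet_hit[2] == saas_if)
```

Feed it the real `netstat -rn -f inet` output after each step of the sequence to see which route 10.7.x.x traffic is actually taking when HTTP fails.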