OpenVPN "redirect-gateway def1 bypass-dhcp" setting kills SSH access but is needed for internet access

I am running an OpenVPN server on Ubuntu on AWS with the following server.conf:

local x.x.x.x
port 1194
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.0.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.43.1.12"
push "dhcp-option DNS 10.43.1.44"
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

I have OpenVPN clients installed on several AWS instances, some of which are Ubuntu and some of which are Windows. They all use the following client configuration:

client
dev tap
proto tcp
remote y.y.y.y 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3

I have noticed that when I remove the push "redirect-gateway def1 bypass-dhcp" line from the server.conf file, the Windows clients are no longer able to access the internet (they cannot ping any external sites and the browser is stuck on "Resolving host"). But I can SSH to the Ubuntu clients' private IP addresses (10.109.x.x) fine and they can still access the internet.

But when I add the push "redirect-gateway def1 bypass-dhcp" line back to the server.conf file, the Windows clients are able to access the internet, but I can no longer SSH to the Ubuntu clients' private IP addresses (10.109.x.x) from my PC. Oddly enough, I can still SSH to the Ubuntu clients' private IP addresses from the Windows clients.

How can I change the server configuration to allow the Windows clients to access the internet AND the Ubuntu clients to accept SSH connections?


The easiest way is to SSH to the Ubuntu clients using their IP address in the VPN.

Another option is to use client-specific configuration files in OpenVPN, where you send push "redirect-gateway def1 bypass-dhcp" only to the clients that need it.

A third option is to modify the client configuration files for the Windows clients and add redirect-gateway def1 bypass-dhcp in those client configurations.
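For the second option, here is an added example (not part of the question or answer above) of what the server-side pieces would look like. The server.conf already has client-config-dir /etc/openvpn/ccd, so the global push is removed and the redirect is pushed per client from a file named after that client's certificate Common Name; WINDOWS-CLIENT-CN is a placeholder for whatever CN the Windows client's certificate carries. Ubuntu clients get no ccd file (or an empty one), keep their own default route via the VPC, and so keep answering SSH from the PC's 10.109.x.x side instead of routing the replies into the tunnel.

```conf
# /etc/openvpn/server.conf  (changed lines only; everything else stays as posted)
#
# Remove the global push so Ubuntu clients keep their VPC default route:
#   push "redirect-gateway def1 bypass-dhcp"
#
# client-config-dir is already present; the directory must be readable by
# the "nobody"/"nogroup" identity the daemon drops to (user/group lines).
client-config-dir /etc/openvpn/ccd

# /etc/openvpn/ccd/WINDOWS-CLIENT-CN
# (placeholder filename: one file per Windows client, named exactly after
#  the Common Name in that client's certificate; one of these per client)
push "redirect-gateway def1 bypass-dhcp"
```

Keep the DNS pushes and block-outside-dns as they are: with the full redirect the Windows clients reach 10.43.1.12 and 10.43.1.44 through the tunnel, while the Ubuntu clients, which no longer have the redirect, still resolve and route through the VPC as before. After editing, check on the server that the ccd filename matches the CN shown in openvpn-status.log for that client; a mismatched name silently results in no per-client options being pushed.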