openvpn: Monitoring gateway usage

all

Is there any way to determine if the openvpn server is being used "as intended" by everyone? Company rule is to only allow the local network through the vpn, not the "full" internet. But sometimes some users set it up wrong and as far as I know you can't even force this from the server side, right? So I'd like to at least monitor it.

Company rule is to only allow the local network through the vpn, not the "full" internet.

I assume you mean users should only use the VPN to access internal resources, not the Internet (which they can access without using the VPN).

This is known as split tunneling.

If this is the case, you can actually enforce this on the OpenVPN server:

How do I set it up in OpenVPN Access Server?

In the Admin Web UI, you can start split tunneling with a simple click of a toggle button. Under Configuration > VPN Settings > Routing, switch “Should client Internet traffic be routed through the VPN?” to No. Once set to ‘no’, traffic destined to your private networks will traverse the VPN. Other traffic will bypass the VPN.

In addition to this setting, you also need to define the private subnets clients need access. You can do this under Configuration > VPN Settings > Routing by specifying the subnets in the input field with the label: “Specify the private subnets to which all clients should be given access (one per line)”

Even if this weren't possible, or split tunneling was not actually what you meant, you can always monitor or drop this kind of usage with a firewall rule which blocks (or just logs) any traffic through the VPN server to the Internet.