Allow OpenVPN while not allowing access to local network

TravisFleming — Mon, 02 Jun 2025 16:57:00 GMT

Hello, we have the need to stop split-tunneling all networks, and send all through GlobalProtect. However we notice when we connect, the local network a device is on is still added to the route table on a mac, and is accessible. We do see the option in GP to "No direct access to local network", and that works. However we have a business case to allow some sanctioned OpenVPN profiles outside of GlobalProtect. However with that "no direct access to local network" checked, all routing for those OpenVPN's when joined, are added to the GlobalProtect interface in our MAC routing tables.

Is there a solution where we do not allow even local network traffic, but can allow a user to join a VPN outside of GlobalProtect, or within GlobalProtect, and allow that traffic to occur?

Re: Allow OpenVPN while not allowing access to local network

OtakarKlier — Mon, 02 Jun 2025 19:33:35 GMT

Hello,

The only way I can see it being done is to do it on the OpenVPN systems individually. A more drastic approach would be to force all users to VPN into your environment and control traffic flow that way.

https://skrzsecurity.net/zero-trust

Regards,

topic Re: Allow OpenVPN while not allowing access to local network in GlobalProtect Discussions

Allow OpenVPN while not allowing access to local network

Re: Allow OpenVPN while not allowing access to local network