Regarding the routing: I am assuming that the reason for the 'anything goes into VPN' - in the routing table - are the below entries:

0.0.0.0/1
128.0.0.0/1

Both of those have VPN gw and Netif as the tun interface

Questions:

. Is it correct that the above entries by OpenVPN in routing table overrides anything I try to do with FW rules and other gateways?
Remember that I specifically tried to direct traffic using FW rules and LoadBalance pool when having those entries therein - didn't work

. How can I most easily remove those entries - and also: is that the way to do it!? - to be able to direct traffic to gw/LoadBalance pool of my chosing?
If I have say 3 VPN tunnels the same way (assigned to interfaces) I cannot have any of those set that 'route-all' settings, I have to make sure I can policy route to any of them. And also, if server(s) are pushing those route entries I have to be able to override them locally in some robust fashion.

AFAICT those entries are not there when no tunnel is up so it's OpenVPN that puts them in. I'm also assuming provider won't edit the settings for my specific tunnel(s).

Should I have some cron running removing any 128.0.0.0/1 or 0.0.0.0/1 present using some 'reoute del' command or is it possible run some script just after every tunnel is established to clean up?

Some other way to do this?

TIA,