IPv6 routing to frontend shouldn't leave network
With the current lilypad there's a funny routing bug: when connected to the VPN, you can't access internal services (fetch new cert, admin panel..).
https://community.openvpn.net/openvpn/ticket/1161 explains why it's not working with current OpenVPN: See also leap/bitmask_android#8996 (closed)
The valid use case is when the VPN server is part of an internal network of which you want to route through the tunnel itself. For example:
VPN client network: 172.28.128.0/24
VPN server network address: 172.28.128.254
VPN server public address: 1.2.3.94/28, making the server part of network 1.2.3.80-1.2.3.95.
In this case it makes sense to push the following routes:
push "route 1.2.3.80 255.255.255.240 172.28.128.254"
push "route 1.2.3.94 255.255.255.255 net_gateway"
That allows VPN clients to communicate with 1.2.3.80/28 through the secure tunnel they've established without accidentally breaking access to the VPN server itself, as VPN clients must always reach this through their default gateway "net_gateway".
As mike_SF pointed out the use case with IPv6 is identical. Let's look at an example for IPv6:
VPN client network: 2a02:1234:5678:128::/64
VPN server network address: 2a02:1234:5678:128:fff:ffff:ffff:ffff
VPN server public address: 2a02:1234:5678:1:fff:ffff:ffff:ffff
As with the IPv4 case it makes sense to push the following routes:
push "route-ipv6 2a02:1234:5678:1::/64 2a02:1234:5678:128:ffff:ffff:ffff:ffff"
push "route-ipv6 2a02:1234:5678:1:fff:ffff:ffff:ffff net_gateway"