I'm connecting to an OpenVPN server in Ubuntu using NetworkManager. The connection establishes fine, but a route is being created that routes the VPN server's IP out the wrong interface.

    default via 192.168.101.1 dev enxc8f750d7f457 proto dhcp src 192.168.101.212 metric 100
    107.152.8.72 via 192.168.101.1 dev enxc8f750d7f457 proto static metric 50
    172.16.0.0/12 dev vpn0 proto static scope link metric 50
    not needed and incorrect >>>> 172.16.140.182 via 192.168.101.1 dev enxc8f750d7f457 proto static metric 50 <<<<
    172.28.12.0/24 dev vpn0 proto kernel scope link src 172.28.12.117 metric 50
    192.168.101.0/24 dev enxc8f750d7f457 proto kernel scope link src 192.168.101.212 metric 100
    192.168.101.1 dev enxc8f750d7f457 proto static scope link metric 50
    192.168.140.0/24 via 192.168.141.1 dev tun0 proto static metric 50
    192.168.141.0/24 dev tun0 proto kernel scope link src 192.168.141.2 metric 50

If I delete the route manually, everything is good. Also, if I run openvpn from the command line that route is not created and all is good....

    default via 192.168.101.1 dev enxc8f750d7f457 proto dhcp src 192.168.101.212 metric 100
    107.152.8.72 via 192.168.101.1 dev enxc8f750d7f457 proto static metric 50
    172.16.0.0/12 dev vpn0 proto static scope link metric 50
    172.28.12.0/24 dev vpn0 proto kernel scope link src 172.28.12.117 metric 50
    192.168.101.0/24 dev enxc8f750d7f457 proto kernel scope link src 192.168.101.212 metric 100
    192.168.101.1 dev enxc8f750d7f457 proto static scope link metric 50
    192.168.140.0/24 via 192.168.141.1 dev tun0
    192.168.141.0/24 dev tun0 proto kernel scope link src 192.168.141.2

Per the request in the comments, here is the nmcli output before the openvpn connection is started...

    ***1 VPN connection
            master enxc8f750d7f457, VPN
            inet4 172.28.12.114/24
            route4 172.16.0.0/12 metric 50
            route4 172.28.12.0/24 metric 50
            inet6 fe80::b0fd:7457:8bb9:645a/64
            route6 fe80::/64 metric 256

    enxc8f750d7f457: connected to Dock (DHCP)
            "Realtek RTL8153"
            ethernet (r8152), C8:F7:50:D7:F4:57, hw, mtu 1500
            ip4 default
            inet4 192.168.101.212/24
            route4 default via 192.168.101.1 metric 100
            route4 192.168.101.0/24 metric 100
            route4 192.168.101.1/32 metric 50
            route4 107.152.8.72/32 via 192.168.101.1 metric 50
            inet6 fe80::9f9c:d780:b443:a93c/64
            route6 fe80::/64 metric 1024

    lo: connected (externally) to lo
            "lo"
            loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
            inet4 127.0.0.1/8
            inet6 ::1/128
            route6 ::1/128 metric 256

    vpn0: connected (externally) to vpn0
            "vpn0"
            tun, sw, mtu 1390
            inet4 172.28.12.114/24
            route4 172.16.0.0/12 metric 50
            route4 172.28.12.0/24 metric 50
            inet6 fe80::b0fd:7457:8bb9:645a/64
            route6 fe80::/64 metric 256

    wlo1: disconnected
            "Intel Cannon Lake PCH CNVi"
            3 connections available
            wifi (iwlwifi), 04:EA:56:3A:81:67, autoconnect, hw, mtu 1500

    p2p-dev-wlo1: disconnected
            "p2p-dev-wlo1"
            wifi-p2p, hw

    eno2: unavailable
            "Intel I219-LM"
            ethernet (e1000e), C8:F7:50:5D:7B:CE, hw, mtu 1500

    DNS configuration:
            servers: 172.16.5.50 172.16.6.50
            interface: vpn0
            type: vpn

            servers: 192.168.101.1
            domains: home
            interface: enxc8f750d7f457

...and after....

    ***2 VPN connection
            master enxc8f750d7f457, VPN
            inet4 192.168.141.2/24
            route4 192.168.141.0/24 metric 50
            route4 192.168.140.0/24 via 192.168.141.1 metric 50
            inet6 fe80::ac80:5ff7:3635:5611/64
            route6 fe80::/64 metric 256

    ***1 VPN connection
            master enxc8f750d7f457, VPN
            inet4 172.28.12.114/24
            route4 172.16.0.0/12 metric 50
            route4 172.28.12.0/24 metric 50
            inet6 fe80::b0fd:7457:8bb9:645a/64
            route6 fe80::/64 metric 256

    enxc8f750d7f457: connected to Dock (DHCP)
            "Realtek RTL8153"
            ethernet (r8152), C8:F7:50:D7:F4:57, hw, mtu 1500
            ip4 default
            inet4 192.168.101.212/24
            route4 default via 192.168.101.1 metric 100
            route4 192.168.101.0/24 metric 100
            route4 192.168.101.1/32 metric 50
            route4 107.152.8.72/32 via 192.168.101.1 metric 50
            route4 172.16.140.182/32 via 192.168.101.1 metric 50
            inet6 fe80::9f9c:d780:b443:a93c/64
            route6 fe80::/64 metric 1024

    lo: connected (externally) to lo
            "lo"
            loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
            inet4 127.0.0.1/8
            inet6 ::1/128
            route6 ::1/128 metric 256

    tun0: connected (externally) to tun0
            "tun0"
            tun, sw, mtu 1500
            inet4 192.168.141.2/24
            route4 192.168.141.0/24 metric 50
            route4 192.168.140.0/24 via 192.168.141.1 metric 50
            inet6 fe80::ac80:5ff7:3635:5611/64
            route6 fe80::/64 metric 256

    vpn0: connected (externally) to vpn0
            "vpn0"
            tun, sw, mtu 1390
            inet4 172.28.12.114/24
            route4 172.16.0.0/12 metric 50
            route4 172.28.12.0/24 metric 50
            inet6 fe80::b0fd:7457:8bb9:645a/64
            route6 fe80::/64 metric 256

    wlo1: disconnected
            "Intel Cannon Lake PCH CNVi"
            3 connections available
            wifi (iwlwifi), 04:EA:56:3A:81:67, autoconnect, hw, mtu 1500

    p2p-dev-wlo1: disconnected
            "p2p-dev-wlo1"
            wifi-p2p, hw

    eno2: unavailable
            "Intel I219-LM"
            ethernet (e1000e), C8:F7:50:5D:7B:CE, hw, mtu 1500

    DNS configuration:
            servers: 172.16.5.50 172.16.6.50
            interface: vpn0
            type: vpn

            servers: 192.168.101.1
            domains: home
            interface: enxc8f750d7f457

I'm not sure what "master enxc8f750d7f457, VPN" means exactly or how you set that, but it would seem more correct if it were "master vpn0, VPN". The ***2 VPN connection is inside of the ***1 VPN connection.
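
A check for the condition described in this question, as an added example that is not part of the original post: it parses ip route output and flags any more-specific route on a non-tunnel interface whose destination is already covered by a route through a tunnel device. The function names and the choice of vpn0 and tun0 as the tunnel devices are assumptions made for the illustration; the sample table is the one from the post with the author's ">>>>" annotation removed.

```python
import ipaddress

# Routing table from the post (NetworkManager-started connection), annotation removed.
SAMPLE_ROUTES = """\
default via 192.168.101.1 dev enxc8f750d7f457 proto dhcp src 192.168.101.212 metric 100
107.152.8.72 via 192.168.101.1 dev enxc8f750d7f457 proto static metric 50
172.16.0.0/12 dev vpn0 proto static scope link metric 50
172.16.140.182 via 192.168.101.1 dev enxc8f750d7f457 proto static metric 50
172.28.12.0/24 dev vpn0 proto kernel scope link src 172.28.12.117 metric 50
192.168.101.0/24 dev enxc8f750d7f457 proto kernel scope link src 192.168.101.212 metric 100
192.168.101.1 dev enxc8f750d7f457 proto static scope link metric 50
192.168.140.0/24 via 192.168.141.1 dev tun0 proto static metric 50
192.168.141.0/24 dev tun0 proto kernel scope link src 192.168.141.2 metric 50
"""

def parse_routes(text):
    """Parse `ip -4 route show` lines into (network, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)  # bare IP becomes /32
        except ValueError:
            continue  # route types such as "unreachable ..." are skipped
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def find_tunnel_bypass(routes, tunnel_devs):
    """Return (route, dev, tunnel_net, tunnel_dev) for each route on a
    non-tunnel device that is more specific than a covering tunnel route."""
    tunnel_routes = [(n, d) for n, d in routes if d in tunnel_devs]
    findings = []
    for net, dev in routes:
        if dev in tunnel_devs:
            continue
        for tnet, tdev in tunnel_routes:
            # Longest-prefix match means this route wins over the tunnel route.
            if net.prefixlen > tnet.prefixlen and net.subnet_of(tnet):
                findings.append((str(net), dev, str(tnet), tdev))
    return findings

if __name__ == "__main__":
    for f in find_tunnel_bypass(parse_routes(SAMPLE_ROUTES), {"vpn0", "tun0"}):
        print("%s via %s bypasses %s on %s" % f)
```

Run against the table produced when openvpn is started from the command line, the same check reports nothing, because the 172.16.140.182 host route is absent there.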