You have Rocky on the metal and you have libvirt’s “default” network. Rocky does route between the “default” subnet and the physical subnet that the metal is wired to. That is, libvirt must enable net.ipv4.ip_forward for you. The default (without libvirt) is to not route.
The “default” subnet is also hidden with masquerade, i.e. with SNAT.
You have a program in the VM (the VPN) that connects to some external (VPN) server. For that to work, the host must route traffic from the VM into the outside subnet, probably to the router that connects the outside subnet to the WLAN/“Internet”. If the host does not have routes to do that, then the VM cannot connect. If the VPN connection now depends on the host having the outside router as the gateway, as the default route, then pointing the default route to the VM will break things.
There are somewhat different VPN solutions. The VPN probably modifies the routing table (of the VM). It keeps explicit routes for reaching the router (the bare-metal host in the case of a VM), but quite often sets the default route to point to an address inside (and at the other end of) the VPN “tunnel”.
That is, before starting VPN the VM is in one subnet, the “default”. After starting VPN it is in two subnets: the “default” and a subnet created by the VPN service.
In an “old-school VPN” the VPN tunnel is a subnet that links two physically separated subnets together. For example, a company has offices in two towns. The machines in the offices see each other. The traffic passes over the internet between the towns, but the traffic is encrypted in packets that the VPN applications pass to each other. A virtual private network.
Another old-school setup is the “roadwarrior”. A single machine connects to the office. Only the office side has a subnet. Furthermore, the default gateway of the roadwarrior is via the office.
Now, you want your bare-metal host to send traffic to the VM so that the VM sends it through its “VPN subnet” to the office. You can’t set the default route of the host to point to the VM trivially, but it might be possible. The bigger question is whether the VPN client allows a subnet at your end, or whether it limits itself strictly to the “localhost”, the VM?
Note: ‘route’, ‘ifconfig’, and ‘netstat’ are tools that got a better alternative, the iproute2 package, two decades ago.
Alas, ‘ip route …’, ‘ip address …’, and ‘ss’ are now only for temporary ad hoc changes and debugging.
One should configure the network with the service that by default in Rocky is NetworkManager. That is, with ‘nmcli’, ‘nmtui’, or some GUI gadget.
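As an added illustration of the routing states described in the reply above (example code written for this page, not something the poster or libvirt ships): the VM starts out in one subnet with its default route via the libvirt host, and after the VPN client starts it sits in two subnets, with the default route moved into the tunnel and an explicit host route keeping the VPN server reachable via the old gateway. The `ip route show` text below is constructed, not captured; 192.168.122.0/24 is libvirt’s stock “default” network, while the interface names (enp1s0, tun0), the tunnel subnet 10.8.0.0/24 and the VPN server address 203.0.113.10 are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Inspects routing-table text
# of the kind "ip route show" prints, before and after a VPN client runs.
# All route text is constructed; interface names, the tunnel subnet and the
# VPN server address are assumptions for the example.

# Constructed "ip route show" output of the VM before the VPN starts:
# one subnet, default via the libvirt host (192.168.122.1).
ROUTES_BEFORE='default via 192.168.122.1 dev enp1s0 proto dhcp metric 100
192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.50 metric 100'

# Constructed output after the VPN client starts. The tunnel default route
# has the lower metric and therefore wins; the /32 to the VPN server keeps
# the encrypted packets leaving through the libvirt gateway, so the tunnel
# does not try to route itself.
ROUTES_AFTER='default via 10.8.0.1 dev tun0 proto static metric 50
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.10 via 192.168.122.1 dev enp1s0 proto static metric 100
default via 192.168.122.1 dev enp1s0 proto dhcp metric 100
192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.50 metric 100'

# Print the device of the lowest-metric default route in the given table.
default_dev() {
  printf '%s\n' "$1" | awk '
    $1 == "default" {
      dev = ""; metric = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "dev") dev = $(i + 1)
        if ($i == "metric") metric = $(i + 1) + 0
      }
      if (!seen || metric < bestm) { best = dev; bestm = metric; seen = 1 }
    }
    END { print best }'
}

# Print the gateway of an explicit host route for address $1 in table $2,
# or nothing if there is none (the host then follows the default route).
host_route_via() {
  printf '%s\n' "$2" | awk -v host="$1" '
    $1 == host { for (i = 1; i <= NF; i++) if ($i == "via") print $(i + 1) }'
}

# Count the subnets (prefix routes, not default or host routes) the
# machine sits in: one before the VPN, two after it.
subnet_count() {
  printf '%s\n' "$1" | awk '$1 != "default" && $1 ~ /\// { n++ } END { print n + 0 }'
}

# Succeed if the kernel forwards IPv4, reading the sysctl file given as $1
# (on a real host: /proc/sys/net/ipv4/ip_forward). A plain install has 0;
# libvirt turns it on for its routed/NAT networks.
ip_forward_enabled() {
  read -r v < "$1" && [ "$v" = 1 ]
}

before_via=$(host_route_via 203.0.113.10 "$ROUTES_BEFORE")
after_via=$(host_route_via 203.0.113.10 "$ROUTES_AFTER")
printf 'before VPN: default via %s, %s subnet(s), VPN server route: %s\n' \
  "$(default_dev "$ROUTES_BEFORE")" "$(subnet_count "$ROUTES_BEFORE")" "${before_via:-none}"
printf 'after VPN:  default via %s, %s subnet(s), VPN server route: %s\n' \
  "$(default_dev "$ROUTES_AFTER")" "$(subnet_count "$ROUTES_AFTER")" "${after_via:-none}"
```

On a real VM, feed the functions `"$(ip route show)"` instead of the constructed text and point `ip_forward_enabled` at /proc/sys/net/ipv4/ip_forward on the host. The functions only read; any route you want to keep should be set persistently with `nmcli connection modify <name> ipv4.routes "..."` rather than with ad hoc `ip route add`, as the reply says.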