feature request: true null-routes on DCO enabled platforms #761

@cron2

Description

Without DCO, OpenVPN servers configure a /30 subnet on the tun interface, and --route routes (with no explicit next-hop set) will be installed to point at "the other end" - so the system is ifconfig'ed the .1, and the route points to .2. This will make the kernel send packets into the tun interface (which includes Windows tap6, in "tun mode"), and the OpenVPN server will pick up the packet and route according to the --iroute table.

With DCO, the system interface gets the full netmask configured with --server (like, a /24), and --iroutes get installed to the system routing table, with the correct next hop set to "the client that needs to receive it".

Now, the --route routes are still installed the same way, with a next-hop of ".2" - but with the different interface / routing logic, this is typically "just a client", not the one where the packets should go to. The actual intent of the --route statement is also different with DCO - it's no longer needed to make the packets go "into the server tun (dco)", but it can serve as a hold-down route to ensure that "packets to that subnet do not get routed elsewhere while the openvpn server runs", or even "can be picked up by a BGP daemon and propagated into the network, to pull traffic for that network to the server".

This purpose is better signalled and easier to understand with a real "null route" - that is, a route that is active and grabs packets, but sends them not into the DCO interface but "into something that returns host unreachable".

On a router, this would be ip route 192.0.2.0/24 null0.

I have no idea how to do that on Linux, FreeBSD and Windows, but we should try to find out ;-)

Precondition: no gateway/route-gateway set that would point this particular route elsewhere.

Implementation: we could use something like --route-gateway 127.0.0.2 as an internal marker for "this should be a nullroute", setting this as default if (dco is enabled && (linux||freebsd||windows)), and then figure out the right magic in the platform specific routing code.

Also, documentation in the Wiki...
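As an added illustration of what the requested "null route" looks like at the host level (example script written for this page, not OpenVPN code and not part of the issue): on Linux, iproute2 has the route types "unreachable" (answers with ICMP host unreachable), "blackhole" (drops silently) and "prohibit"; on FreeBSD, route(8) takes the -reject / -blackhole flags with a loopback gateway. The helper names, the 192.0.2.0/24 prefix and the verification via `ip route show` are constructed for the example; Windows is left out because no equivalent is established here.

```shell
#!/bin/sh
# Constructed example: express "traffic for PREFIX goes nowhere" as a
# host-level null route instead of a route pointing at a client's .2.
# Assumed platforms: Linux (iproute2) and FreeBSD (route(8)).

# null_route_cmd PLATFORM PREFIX -> prints the command to install the route.
null_route_cmd() {
    platform=$1
    prefix=$2
    case "$platform" in
        # "unreachable" returns ICMP host unreachable, matching the intent
        # in the issue; "blackhole" would drop silently instead.
        linux)   printf 'ip route add unreachable %s\n' "$prefix" ;;
        # FreeBSD needs a gateway argument; loopback plus -reject is the
        # conventional form (-blackhole for a silent drop).
        freebsd) printf 'route add -net %s 127.0.0.1 -reject\n' "$prefix" ;;
        *)       return 1 ;;
    esac
}

# route_is_null LINE -> 0 if a line of `ip -4 route show` output describes
# a null-type route rather than a route via a next hop / device.
route_is_null() {
    case "$1" in
        unreachable\ *|blackhole\ *|prohibit\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# install_and_check PREFIX: apply the Linux route (needs CAP_NET_ADMIN)
# and confirm the kernel now holds a null-type route for that prefix.
install_and_check() {
    prefix=$1
    sh -c "$(null_route_cmd linux "$prefix")" || return 1
    line=$(ip -4 route show "$prefix" | head -n 1)
    route_is_null "$line"
}
```

Run `install_and_check 192.0.2.0/24` as root on a Linux host to install and verify; remove again with `ip route del unreachable 192.0.2.0/24`.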
