The way a VPN works is quite simple: a client connects to a server, and an encrypted tunnel is created between the two. As soon as this tunnel is up and running, the client and the server exchange their network traffic through it. Many things can be built with such a tool; this article focuses on the following:
- Avoiding forwarding the entire client traffic through the VPN tunnel
This kind of configuration is really useful when several hosts need to work as if they were on the same LAN, especially when these hosts are in different geographical places, behind a firewall or a NAT. Tunnelling only the relevant traffic through the VPN allows these hosts to exchange data securely over the internet while the rest of their traffic stays local.
- An installed and working OpenVPN server >= 2.4.0 (latest 2.4.x stable is recommended)
- The OpenVPN server already forwards the entire IPv4 traffic, IPv6 traffic or both through the tunnel
It is possible to accomplish this in many ways, with a lot of custom options. Here are the main methods.
Method 1: avoiding all traffic for all users
Just remove the lines starting with redirect-gateway from the file /etc/openvpn/server.conf. If no such line exists, the server is already configured not to route the clients' full traffic through the tunnel.
Examples of lines that could exist in the configuration file:
redirect-gateway def1
redirect-gateway ipv6 bypass-dhcp
Then restart the OpenVPN server to apply the configuration updates.
sudo systemctl restart openvpn@server
By doing so, clients will only send traffic destined to the configured private networks through the tunnel (e.g. fd42:feed:feed:feed::/64). The rest of the clients' traffic will be routed according to their local settings.
Method 2: avoiding all traffic for a specific user through its local configuration files
Add this line to the client's .ovpn file:
pull-filter ignore "redirect-gateway"
Then restart the local OpenVPN client.
For obvious security reasons, the following files are not provided: ca.crt, crl.pem, dh.pem, server.crt, server.key, ta.key
Remember, these are two independent methods; there is no need to apply changes on both the client and server sides.
By simply removing some lines from the server configuration, or by adding a filtering rule on the client side, it is possible to prevent the full traffic from going into the VPN tunnel.
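As an added example (not code from the original article), here is a small Python audit that applies both methods' checks to constructed sample configurations: it lists the redirect-gateway options a server.conf sets or pushes, lists the pull-filter ignore prefixes of a client .ovpn, decides whether the combination still forces all client traffic into the tunnel, and produces the Method 1 version of server.conf with the redirect lines removed. The sample files, their values and the function names are assumptions made for the example.

```python
"""Audit OpenVPN configs for full-tunnel redirection (split-tunnel check)."""
import shlex

# Constructed sample files (hypothetical values, not from any real deployment).
SERVER_CONF = """\
# sample server.conf
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
redirect-gateway def1 bypass-dhcp
push "redirect-gateway ipv6"
"""

CLIENT_OVPN = """\
# sample client .ovpn with Method 2 applied
client
dev tun
remote vpn.example.org 1194
pull-filter ignore "redirect-gateway"
"""


def _directives(text):
    """Yield (name, args) per effective line; blanks and '#'/';' comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # turns push "redirect-gateway def1" into one argument
        yield parts[0], parts[1:]


def _is_redirect(name, args):
    """Bare 'redirect-gateway ...' lines (as in the article) and pushed ones both count."""
    return name == "redirect-gateway" or (
        name == "push" and bool(args) and args[0].startswith("redirect-gateway"))


def server_redirects(server_conf):
    """Return the redirect-gateway option strings the server sets or pushes."""
    return [args[0] if name == "push" else " ".join([name, *args])
            for name, args in _directives(server_conf) if _is_redirect(name, args)]


def client_ignores(client_conf):
    """Return the prefixes that the client's pull-filter ignore lines discard."""
    return [args[1] for name, args in _directives(client_conf)
            if name == "pull-filter" and len(args) >= 2 and args[0] == "ignore"]


def full_tunnel_effective(server_conf, client_conf):
    """True if a redirect-gateway option survives the client's pull-filters (prefix match)."""
    ignores = client_ignores(client_conf)
    for opt in server_redirects(server_conf):
        if not any(opt.startswith(prefix) for prefix in ignores):
            return True  # this option would reach the client unfiltered
    return False


def strip_redirects(server_conf):
    """Method 1: return server.conf with every redirect-gateway line removed, rest untouched."""
    kept = [raw for raw in server_conf.splitlines()
            if not any(_is_redirect(n, a) for n, a in _directives(raw))]
    return "\n".join(kept) + "\n"
```

Run it against a real server.conf and .ovpn pair to see which side, if any, still forces the full tunnel before restarting services.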