Configuring a 2.4 OpenVPN infrastructure to avoid carrying the entire traffic

Introduction

The way a VPN works is quite simple: a client connects to a server, and an encrypted tunnel is created between the client and the server. As soon as this tunnel is up and running, the client and the server exchange their network traffic through that tunnel. There are many possible applications for such a tool; this article focuses on the following:

  • Avoiding forwarding all of a client's traffic through the VPN tunnel

This kind of configuration can be really useful when several hosts need to work as if they were in the same LAN, especially when the hosts are at different geographical locations, behind a firewall or a NAT. Tunnelling the traffic through a VPN allows these hosts to securely exchange data over the internet.

Requirements

How to

It is possible to accomplish this in many ways, with a lot of custom options. Here are the main methods.

Method 1: avoiding all traffic for all users

Simply remove the lines starting with redirect-gateway from the file /etc/openvpn/server.conf. If no such line exists, the server is already configured so that clients' full traffic does not transit through the tunnel.
Examples of lines that could exist in the configuration file:

redirect-gateway def1
redirect-gateway ipv6 bypass-dhcp

Then restart the OpenVPN server to apply the configuration updates.

user@openvpn.server:~# sudo systemctl restart openvpn@server

By doing so, clients will only send traffic destined for the configured private networks (e.g. 10.8.0.0/24 or fd42:feed:feed:feed::/64) through the tunnel. The rest of the clients' traffic is routed according to their local settings.

Method 2: avoiding all traffic for a specific user through its local configuration file

Add this line to the client's .ovpn file:

pull-filter ignore "redirect-gateway"

Then restart the local OpenVPN client.
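As an added example (not from the original article or from the OpenVPN project), the POSIX shell script below audits both methods: it counts redirect-gateway directives in a server.conf, strips them while keeping other pushed routes (method 1), and checks whether a client .ovpn carries the pull-filter line (method 2). It goes slightly beyond the article by also matching the push "redirect-gateway ..." form that a server.conf commonly uses to hand the directive to clients; the file names, the hostname vpn.example.test and the config contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: audit and fix full-tunnel settings
# in OpenVPN 2.4 configs. File names and config contents below are constructed.
# Directive that redirects the client's default route into the tunnel. Covers the
# bare form quoted in the article and the push "redirect-gateway ..." form that a
# server.conf usually uses to hand the directive to clients.
RG_RE='^[[:space:]]*(push[[:space:]]+"?)?redirect-gateway'

# Number of redirect-gateway directives in config file $1 (prints 0 when none).
count_redirect_gateway() {
    grep -cE "$RG_RE" "$1" || true
}

# Method 1: copy $1 to $2 with every redirect-gateway directive removed. Other
# pushed routes (push "route ...") are kept, so the private networks the server
# announces still go through the tunnel while everything else uses the local default route.
strip_redirect_gateway() {
    grep -vE "$RG_RE" "$1" > "$2" || true
}

# Method 2: succeeds (exit 0) if client config $1 ignores a pushed redirect-gateway.
client_ignores_redirect_gateway() {
    grep -qE '^[[:space:]]*pull-filter[[:space:]]+ignore[[:space:]]+"?redirect-gateway' "$1"
}

# Write constructed sample configs into a temporary directory and print its path.
make_samples() {
    _dir=$(mktemp -d)
    cat > "$_dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
redirect-gateway ipv6 bypass-dhcp
push "route 192.168.10.0 255.255.255.0"
EOF
    cat > "$_dir/client-split.ovpn" <<'EOF'
client
remote vpn.example.test 1194
pull-filter ignore "redirect-gateway"
EOF
    cat > "$_dir/client-full.ovpn" <<'EOF'
client
remote vpn.example.test 1194
EOF
    echo "$_dir"
}
```

Run `S=$(make_samples)` and then `strip_redirect_gateway "$S/server.conf" "$S/server-split.conf"` to see the pushed route survive while both redirect-gateway lines disappear.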

Configuration files

For obvious security reasons, the following files are not provided: ca.crt, crl.pem, dh.pem, server.crt, server.key, ta.key

Remember, these are two different methods; there is no need to apply changes on both the client and server sides.

Conclusion

By simply removing some of the server configuration, or by adding a filtering rule on the client side, it is possible to prevent all traffic from going into the VPN tunnel.
