date: 2008-07-18 20:47:31+00:00

OpenVPN: routing all traffic through the VPN tunnel

- Apache
- Debian/Ubuntu
- Howto
- Linux
- Security

I'm really into OpenVPN these days; see my two previous posts about it:

Setting up OpenVPN for your road warriors:

Setting up a VPN between two sites:

Today: how to route all traffic through the OpenVPN tunnel.

On the server side:

First of all, if you want to route all your traffic through the VPN tunnel, you need to turn on IP forwarding (i.e. routing) and add a masquerading rule on the server, where eth0 is the interface that connects the server to the internet:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

To make routing persistent, see

Then, here's the OpenVPN configuration:

port    10000
proto   udp
dev     tun
ca      ca.crt
cert    server.crt
key     server.key
dh      dh1024.pem
push    "dhcp-option DOMAIN"
push    "dhcp-option DNS"
push    "redirect-gateway def1"
keepalive       10 120
user nobody
group nogroup
log     vpn.log
verb    1
chroot /tmp

The redirect-gateway option is what creates all the routes on the client computer when the connection is set up. The def1 flag tells the client not to delete its existing default route but to override it with two more specific routes (0.0.0.0/1 and 128.0.0.0/1) through the tunnel, plus a host route to the VPN server via the original gateway, so the original default route is still intact when the tunnel goes down.

The two other push options are only taken into account by Windows clients (to my knowledge). If you want to change the DNS resolution of your Linux clients, you need to use the up and down options on the client (see below).

Client configuration:

dev tun
proto udp
port 10000
ca ./ca.crt
cert ./user.crt
key ./user.key 
verb 5
up ./
down ./
ping 60
ping-restart 120

The up script saves the current resolver configuration and replaces it with the VPN's search domain and nameserver:

mv /etc/resolv.conf /etc/resolv.conf.bak
echo "search" > /etc/resolv.conf
echo "nameserver" >> /etc/resolv.conf

The down script restores the original resolver configuration when the tunnel goes down:

mv /etc/resolv.conf.bak /etc/resolv.conf
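A variant of the up/down script that reads the DNS settings the server pushes instead of hard-coding them, added here as an example and not the script from the original post. It assumes a current OpenVPN client, which exports each pushed option to scripts as foreign_option_1, foreign_option_2, ... and sets script_type to "up" or "down", and which requires script-security 2 in the client config; the /etc/openvpn/resolv.sh path is an assumption.

```shell
#!/bin/sh
# Example client up/down script for OpenVPN on Linux (added here, not the
# script from the original post). Rather than hard-coding the resolver, it
# reads the "dhcp-option DNS ..." and "dhcp-option DOMAIN ..." values pushed
# by the server: OpenVPN exports each pushed option to scripts as
# foreign_option_1, foreign_option_2, ... and sets script_type to up/down.
# Client config:   script-security 2
#                  up   /etc/openvpn/resolv.sh   (path is an assumption)
#                  down /etc/openvpn/resolv.sh

RESOLV=${RESOLV:-/etc/resolv.conf}   # overridable for testing

# Print resolv.conf content derived from the foreign_option_N variables.
# Prints nothing when the server pushed no DNS or DOMAIN option.
resolv_conf_from_env() {
    i=1
    search=""
    servers=""
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DOMAIN "*) search="$search ${opt#dhcp-option DOMAIN }" ;;
            "dhcp-option DNS "*)    servers="$servers ${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
    if [ -n "$search" ]; then
        printf 'search%s\n' "$search"
    fi
    for s in $servers; do
        printf 'nameserver %s\n' "$s"
    done
}

# Only touch the real file when invoked by OpenVPN (script_type is set).
case "${script_type:-}" in
    up)
        content=$(resolv_conf_from_env)
        if [ -n "$content" ]; then
            cp -p "$RESOLV" "$RESOLV.openvpn-bak"   # keep the original for down
            printf '%s\n' "$content" > "$RESOLV"
        fi
        ;;
    down)
        if [ -f "$RESOLV.openvpn-bak" ]; then
            mv "$RESOLV.openvpn-bak" "$RESOLV"
        fi
        ;;
esac
```

With this in place the server's push "dhcp-option DNS ..." and push "dhcp-option DOMAIN ..." lines are honoured by Linux clients too, and nothing is written unless the server actually pushed a resolver.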

When connecting to the server (with verb set to 5), the client log shows the routes pushed by the server being applied:

Fri Jul 18 23:22:19 2008 us=838005 ifconfig tun0 pointopoint mtu 1500
Fri Jul 18 23:22:19 2008 us=843211 route add -net 72.x.x.x netmask gw
Fri Jul 18 23:22:19 2008 us=845178 route add -net netmask gw
Fri Jul 18 23:22:19 2008 us=848568 route add -net netmask gw
Fri Jul 18 23:22:19 2008 us=850460 route add -net netmask gw

On the client, the resulting routing table (the UGH entry is the host route to the VPN server via the wireless gateway, the UG entries on tun0 are the routes pushed by the server, and the last UG entry on wlan0 is the original default route, left in place by def1):

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
72.x.x.x                                        UGH   0      0        0 wlan0
                                                UH    0      0        0 tun0
                                                U     0      0        0 wlan0
                                                UG    0      0        0 tun0
                                                UG    0      0        0 tun0
                                                UG    0      0        0 tun0
                                                UG    0      0        0 wlan0