Ensuring all traffic goes over an OpenVPN connection

If you follow the simple server and simple client setup instructions in the setup guide described here, you will get a connection to your VPN server that lets you tunnel connections to the VPN server itself, but without some additional settings you won’t be able to route all your traffic through the VPN.

There are a number of other steps described in the Advanced section, but from trial and error I’ve found these are the minimum you need.

First, on your Ubuntu server, enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Next, add a NAT rule to your iptables firewall so that traffic from the 10.8.0.0/24 network (used by default for VPN clients) arriving on the tun0 interface is masqueraded out of the eth0 interface:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Lastly, add this directive to your /etc/openvpn/server.conf file so that clients send all their traffic through the VPN server:

push "redirect-gateway def1 bypass-dhcp"

Restart your OpenVPN service:

/etc/init.d/openvpn restart

Now you should be good. You can check where your traffic is going by running a traceroute to a server (www.google.com, for example) before and after starting your OpenVPN connection; you should see your traffic taking two different routes.
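The three server-side steps above, collected into one idempotent script with a check for each step. This is an added example, not part of the original post: the subnet and interface default to the post's values (10.8.0.0/24, eth0) but can be overridden through VPN_NET and WAN_IF, and the file paths are parameters so the helpers can be tried on copies. Note that the NAT check uses `-t nat`, because a plain `iptables -L` lists only the filter table.

```shell
#!/bin/sh
# Added example (not from the original post): applies the three server-side
# steps idempotently and verifies each one. Defaults match the post.
set -eu

VPN_NET="${VPN_NET:-10.8.0.0/24}"   # OpenVPN client subnet (post default)
WAN_IF="${WAN_IF:-eth0}"            # outbound interface (post default)
PUSH_LINE='push "redirect-gateway def1 bypass-dhcp"'

# ip_forward_enabled FILE -> succeeds if the sysctl file holds "1"
ip_forward_enabled() {
  [ "$(cat "$1")" = "1" ]
}

# ensure_push_line CONF -> append the redirect-gateway push if it is absent;
# prints "added" or "present" so the caller can tell what happened
ensure_push_line() {
  conf="$1"
  if grep -qxF "$PUSH_LINE" "$conf"; then
    echo present
  else
    printf '%s\n' "$PUSH_LINE" >> "$conf"
    echo added
  fi
}

# ensure_masquerade -> add the NAT rule only if it is not already there.
# -C checks the nat table; plain 'iptables -L' shows the filter table only.
ensure_masquerade() {
  iptables -t nat -C POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  # Same write as the post; it does not survive a reboot on its own.
  ip_forward_enabled /proc/sys/net/ipv4/ip_forward \
    || echo 1 > /proc/sys/net/ipv4/ip_forward
  ensure_masquerade
  ensure_push_line /etc/openvpn/server.conf
  /etc/init.d/openvpn restart
  # Show the live state of the two kernel-side settings
  cat /proc/sys/net/ipv4/ip_forward
  iptables -t nat -L POSTROUTING -n -v
}

# Run the full procedure only when asked: APPLY=1 sh ./vpn-gateway.sh
if [ "${APPLY:-0}" = 1 ]; then main "$@"; fi
```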

3 Replies to “Ensuring all traffic goes over an OpenVPN connection”

  1. Thanks for this post! I am running a client in an Ubuntu VM (in a subnet 192.169.0.0/24).

    The server is in a 10.0.101.0/24 subnet.

    The client, and others in the 192.169.x subnet, can ping anything in the 10.x subnet, and anything in the 10.x subnet can ping the client.

    But others in the 10.x subnet and the VPN server cannot ping others in the 192.169.x subnet.

    I’m attempting to add the iptables rule in the Ubuntu 18.04 client as you describe, but it doesn’t seem to update.

    user@ubuntu:~$ sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o ens33 -j MASQUERADE
    user@ubuntu:~$ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
