OpenVPN and routing

Solution 1:

In order to route all traffic through the VPN server, the VPN client sets the default route for the client machine to the tunnel device. However, the outgoing encrypted packets created by the VPN client need to be routed directly to the VPN server (and not back into the VPN client), and so there is a specific route created to the VPN server going out the local gateway. The routing table looks something like this (where 1.2.3.4 is the VPN server's public IP):

192.168.0.0/24 dev eth0     # Local network
1.2.3.4/32 via 192.168.0.1  # Route to VPN server
default via 10.8.0.2        # Everything else via VPN client

When you access another service on the VPN server, it is matched by that specific route and routed directly onto the Internet.

There are a couple of ways to address this:

  1. Use the VPN server's private IP when accessing the other services on it (e.g. 10.8.0.1 instead of 1.2.3.4). Ideally this would be done with a DNS server on the VPN server providing split DNS to VPN clients.
  2. Use a dedicated IP address for the VPN server.
  3. Configure port based policy routing on the client so only packets destined for the VPN server on the VPN port number are routed directly onto the Internet.
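The following script is an added example of option 3 (port-based policy routing on the client); it is not part of the answer above or of OpenVPN itself. It assumes the answer's addresses (VPN server 1.2.3.4, LAN gateway 192.168.0.1 on eth0), plus two assumptions of its own: the VPN is on UDP port 1194 and routing table number 100 is free. It relies on `ip rule` matching on `ipproto`/`dport`, which needs Linux and iproute2 4.17 or newer; because the port is part of the initial route lookup, the OpenVPN socket itself also gets the LAN source address, which a later fwmark-based reroute would not guarantee.

```shell
#!/bin/sh
# Port-based policy routing for an OpenVPN client (added example, not from the
# original answer). Only UDP traffic to the VPN server on the VPN port leaves
# via the LAN gateway; everything else to the server's public IP follows the
# default route into the tunnel.
#
# Assumed values (override via environment): VPN_SERVER/VPN_PORT/LAN_GW/LAN_IF/TABLE.
VPN_SERVER=${VPN_SERVER:-1.2.3.4}     # from the answer's routing table
VPN_PORT=${VPN_PORT:-1194}            # assumption: OpenVPN's default UDP port
LAN_GW=${LAN_GW:-192.168.0.1}         # from the answer's routing table
LAN_IF=${LAN_IF:-eth0}                # from the answer's routing table
TABLE=${TABLE:-100}                   # assumption: an unused routing table id

# run: execute a command, or just print it when DRY_RUN=1 so the commands can
# be reviewed without root privileges.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

vpn_policy_routes_up() {
    # Table 100 holds a single default route out of the LAN gateway.
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"
    # Only UDP packets to the VPN server on the VPN port consult that table.
    run ip rule add to "$VPN_SERVER/32" ipproto udp dport "$VPN_PORT" \
        lookup "$TABLE" priority 100
    # The catch-all host route OpenVPN installed is no longer needed; without
    # it, other services on 1.2.3.4 are reached through the tunnel.
    run ip route del "$VPN_SERVER/32" via "$LAN_GW" dev "$LAN_IF" 2>/dev/null || true
}

vpn_policy_routes_down() {
    # Remove the rule and empty the table; the tunnel's own routes are
    # removed by OpenVPN itself.
    run ip rule del to "$VPN_SERVER/32" ipproto udp dport "$VPN_PORT" \
        lookup "$TABLE" priority 100
    run ip route flush table "$TABLE"
}

# Nothing runs unless an action is given, so sourcing the file is harmless.
case "${1:-}" in
    up)   vpn_policy_routes_up ;;
    down) vpn_policy_routes_down ;;
esac
```

Hook it into the client config with `route-up "/etc/openvpn/vpn-policy-routes.sh up"` and `down "/etc/openvpn/vpn-policy-routes.sh down"` (plus `script-security 2`), since `redirect-gateway` re-creates the host route on every reconnect. To check the result, `ip route get 1.2.3.4 ipproto udp dport 1194` should report eth0 via 192.168.0.1, while `ip route get 1.2.3.4 ipproto tcp dport 443` should report the tun device. OpenVPN will log a warning on disconnect when it tries to delete the host route the script already removed; that is harmless.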