How can I configure openvpn to proxy traffic only for processes that bind to the tun interface?

route-nopull

http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html

When used with --client or --pull, accept options pushed by server EXCEPT for routes. When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

So add route-nopull to your OpenVPN config file. I wrote a post on how to use an OpenVPN VPN with cURL/PHP.


You can achieve it by using a different routing table for packets coming from your tun0 interface.

# ip route add $VPN_NETWORK dev tun0
# ip route add default via $VPN_GATEWAY_IP table 1
# ip rule add iif tun0 table 1

The first route goes into the default table (table 254), the 2nd goes into table 2, and the third line binds packets from the tun0 interface to the 2nd routing table. You can give this table a name in /etc/iproute2/rt_tables:

# echo '1 vpn' >> /etc/iproute2/rt_tables

If your VPN Gateway is 10.8.0.1/16, you will have to type:

# ip route add 10.8.0.0/16 dev tun0
# ip route add default via 10.8.0.1 table vpn
# ip rule add iif tun0 table vpn

This is called Policy Routing, and you must have CONFIG_IP_MULTIPLE_TABLES enabled in your kernel configuration for this to work.
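The following script is an added example that ties both answers together; it is not code from either answer or from the OpenVPN project. It checks that the client config carries route-nopull (first answer), appends the table name to /etc/iproute2/rt_tables only when the line is not already present (a plain `>>` adds a duplicate on every run), and prints or executes the three ip(8) commands from the second answer. The config path /etc/openvpn/client.conf, the script name, the table number 1 and the name "vpn" are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example, not part of the original answers. Combines the route-nopull
# check and the policy-routing setup described on this page.
# Assumed placeholders: /etc/openvpn/client.conf, table "1 vpn", tun0.
set -eu

# Return 0 when the client config contains a route-nopull directive, so that
# routes pushed by the server never reach the main routing table.
config_has_route_nopull() {
    grep -Eq '^[[:space:]]*route-nopull([[:space:]]|$)' "$1"
}

# Append "NUM NAME" to an rt_tables file only if that mapping is missing.
# Arguments: rt_tables path, table number, table name.
ensure_rt_table() {
    tables_file=$1; num=$2; name=$3
    if ! grep -Eq "^[[:space:]]*$num[[:space:]]+$name([[:space:]]|$)" "$tables_file"; then
        printf '%s %s\n' "$num" "$name" >> "$tables_file"
    fi
}

# Print the three commands from the second answer for the given VPN network,
# gateway, interface and table name. Printing (instead of running) lets the
# commands be reviewed without root.
policy_route_commands() {
    vpn_net=$1; vpn_gw=$2; dev=$3; table=$4
    printf 'ip route add %s dev %s\n' "$vpn_net" "$dev"
    printf 'ip route add default via %s table %s\n' "$vpn_gw" "$table"
    printf 'ip rule add iif %s table %s\n' "$dev" "$table"
}

# Run the generated commands (requires root). $cmd is deliberately unquoted
# so the shell splits it into the ip command and its arguments.
apply_policy_routes() {
    policy_route_commands "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

main() {
    mode=$1
    cfg=${2:-/etc/openvpn/client.conf}   # assumed path, adjust to yours
    if ! config_has_route_nopull "$cfg"; then
        echo "warning: $cfg has no route-nopull; server-pushed routes would land in the main table" >&2
    fi
    if [ "$mode" = apply ]; then
        ensure_rt_table /etc/iproute2/rt_tables 1 vpn
        apply_policy_routes 10.8.0.0/16 10.8.0.1 tun0 vpn
    else
        policy_route_commands 10.8.0.0/16 10.8.0.1 tun0 vpn
    fi
}

# Only act when invoked with a mode; sourcing the file just defines functions.
case "${1:-}" in
    apply|dry-run) main "$@" ;;
esac
```

Run `sh vpn-policy-route.sh dry-run [config]` to see the commands and the route-nopull check without touching the system, and `sh vpn-policy-route.sh apply [config]` as root to install them. Afterwards `ip rule show` and `ip route show table vpn` confirm that the rule and the table's default route are in place.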