In OpenVPN, there is the --redirect-gateway option that does this for a client. With tinc, there is no such option, but the behaviour can be replicated with a host-up and host-down script. First there is an explaination of the theory behind redirecting the default gateway, then example scripts will follow.

Let me explain : OpenVPN is working like a charm but my main problem is that ALL of the traffic goes through the tunnel. I want local traffic ( e.g. browsing the web) to NOT go through the tunnel. As "redirect gateway " was ticked , I thought unticking it would solve my problem. Well.. after unticking "redirect gateway" nothing worked anymore. Set OpenVPN to push a gateway configuration, so all clients send internet traffic through it. cat >> /etc/openvpn/server.conf << END # Clients are to use this server as a network gateway. push "redirect-gateway def1 bypass-dhcp" END Push DNS resolvers to client devices. OpenDNS is provided by OpenVPN’s client.ovpn template file. --redirect-gateway flags Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. This is a client-side option. This option performs three steps: (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop. From the OpenVPN man page:--route network/IP [netmask] [gateway] [metric] This tells the server config to "push" to the client, the route command which sets a networking route of the subnet via the gateway with a metric of 1. Metrics are used to give "preference" if multiple routes exist (such that the lowest cost wins). When no IPv4 default route exists, the "redirect-gateway" routine aborts even if the sub-option "local" was specified. This is not expected because in this case OpenVPN should not bother checking the existence of the default route at all (as specified in the documentation).

Jun 30, 2017 · Then I push "redirect-gateway def1" to the clients ovpn configuration file and now the internet traffic goes via VPN. I add in iptables of the server: sudo iptables -A FORWARD -i tun0 -o ens3 -s -j ACCEPT Get Started with OpenVPN Connect. OpenVPN Connect is the free and full-featured VPN Client that is developed in-house. It is the official Client for all our VPN solutions. Any other OpenVPN protocol compatible Server will work with it too. Our desktop client software is directly distributed from our Access Server User portal. The 3rd redirects the real VPN endpoint IP address to use the original gateway, and will be used for the encrypted VPN packets: dest mask gw This neat trick allows setting up the VPN without touching the default gateway route.

Remove redirect-gateway def1 in your OpenVPN server config file (server.conf). In the client config (client.ovpn or client.conf), add a line similar to: route vpn_gateway This routes the subnet through the VPN connection and everything else out of the non-VPN connection.

Note: By the time of editing, in 2.2.4-RELEASE version of pfSense the only way to route traffic through OpenVPN client seems to be "redirect-gateway def1" advanced option, which redirects absolutely all traffic and pfSense default gateway becomes the same thing with OpenVPN client's gateway and not the ISP's one. There is a way to still route Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone. # Configure firewall uci rename firewall. @ zone [0] = "lan" uci rename firewall. @ zone [1] = "wan" uci rename firewall. @ forwarding [0] = "lan_wan" uci del_list firewall.lan.device= " ${OVPN_DEV} " uci add_list firewall.lan.device= " ${OVPN_DEV} " uci -q So, at the end there is two things extra that I needed to end up with a working openvpn with fully "redirect-gateway" I have to create the tun/tap device and add the iptable rule, every time the system starts. See the openvpn docs; using static keys adds 4 lines per VM to the above total (generate key, scp it to client, add one line to .conf files). OpenVPN doesn't support broadcast. Maybe that breaks some Windows things. The redirect-gateway in the client config reroutes all traffic through the VPN tunnel.