How to Route Specific IP Traffic Outside OpenVPN Tunnel on Linux (Trisquel/Ubuntu)


When using OpenVPN for privacy protection, there are cases where you might need to exclude certain IP addresses from going through the VPN tunnel. This is particularly useful when:

  • Accessing local network resources
  • Connecting to region-locked services
  • Maintaining direct connections to critical servers

Before making changes, examine your current routing table:

route -n
# or the newer alternative:
ip route show

With the VPN connected you'll typically see the default route of your physical interface (eth0/wlan0) alongside the VPN's routes through tun0: either a second default route or, when the server pushes redirect-gateway def1, the pair 0.0.0.0/1 and 128.0.0.0/1, which together cover every address and win over the default route without removing it.

Method 1: Using route-up Script

Edit your OpenVPN config file (usually in /etc/openvpn/):

client
dev tun
proto udp
remote vpn.example.com 1194
# ... other config options ...
# Ignore the routes pushed by the server; route-up.sh sets our own
route-nopull
# Level 2 is required before OpenVPN will execute an external script
script-security 2
route-up /etc/openvpn/route-up.sh

Create /etc/openvpn/route-up.sh:

#!/bin/sh
# route-up hook; OpenVPN exports trusted_ip (the VPN server address) to it
# Keep the VPN server reachable over the physical link, never via the tunnel
/sbin/ip route replace "$trusted_ip" via 192.168.1.1 dev eth0
# Host route so the excluded IP bypasses the VPN
/sbin/ip route replace 192.168.1.100 via 192.168.1.1 dev eth0
# Two /1 routes are more specific than the physical default route, so they
# win without replacing it (a second "default" would fail with "File exists")
/sbin/ip route replace 0.0.0.0/1 via 10.8.0.1 dev tun0
/sbin/ip route replace 128.0.0.0/1 via 10.8.0.1 dev tun0

Method 2: Using Policy-Based Routing

More advanced method using iproute2:

# Create new routing table
echo "200 vpnexclude" >> /etc/iproute2/rt_tables

# Add rule to use this table for specific IP
ip rule add from all to 192.168.1.100 lookup vpnexclude

# Add route to the new table
ip route add default via 192.168.1.1 dev eth0 table vpnexclude

For persistent changes across reboots, add these commands to /etc/network/interfaces or create a systemd service unit.

Verify your setup works correctly:

# Check which interface handles traffic to your IP
ip route get 192.168.1.100

# Confirm the path taken and the public address seen from the physical interface
traceroute 192.168.1.100
curl --interface eth0 ifconfig.me

Common problems:

  • Route conflicts: check for duplicate or overlapping routes with 'ip route show'
  • DNS leaks: if the excluded host is reached by name, make sure its DNS lookup also bypasses the VPN
  • Firewall rules: iptables/nftables rules bound to tun0 or eth0 can drop the bypassed traffic

Remember that bypassing VPN for specific IPs means:

  • Your real IP might be exposed to that destination
  • The excluded traffic won't benefit from VPN encryption
  • A VPN reconnect or a DHCP lease change can silently undo the exception, so re-check the routes periodically
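The policy-based routing method and the verification steps above, combined into one idempotent script. This is an added example, not code from the article: it assumes the article's placeholder values (excluded host 192.168.1.100, gateway 192.168.1.1, interface eth0, table 200 "vpnexclude"), all of which can be overridden through environment variables, and it adds a fixed rule priority (1000) so the rule can be removed exactly. With DRY_RUN=1 it prints the commands instead of running them, so the plan can be reviewed without root; RT_TABLES points at /etc/iproute2/rt_tables by default and is only overridable for testing.

```shell
#!/bin/sh
# vpn-bypass.sh: keep one destination out of the OpenVPN tunnel using a
# dedicated routing table and an "ip rule" that is consulted before "main".
# Added example; values below are placeholders taken from the article.
BYPASS_IP="${BYPASS_IP:-192.168.1.100}"           # host that must not use the VPN
GW="${GW:-192.168.1.1}"                           # physical (LAN) gateway
DEV="${DEV:-eth0}"                                # physical interface
TABLE_ID=200
TABLE_NAME=vpnexclude
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}" # overridable only for tests
DRY_RUN="${DRY_RUN:-0}"                           # 1 = print commands, do not run

# run CMD...: execute the command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_table_name: give table 200 its name exactly once; the article's
# plain "echo >>" appends a duplicate line on every run
ensure_table_name() {
    grep -qE "^[[:space:]]*$TABLE_ID[[:space:]]+$TABLE_NAME\$" "$RT_TABLES" 2>/dev/null && return 0
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo "%s %s" >> %s\n' "$TABLE_ID" "$TABLE_NAME" "$RT_TABLES"
    else
        printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
    fi
}

# rule_present: true if the selector rule is already installed
rule_present() {
    [ "$DRY_RUN" = 1 ] && return 1
    ip rule show 2>/dev/null | grep -q "to $BYPASS_IP lookup $TABLE_NAME"
}

vpn_bypass_up() {
    ensure_table_name
    # The exception table only needs a default route via the physical gateway;
    # "replace" makes this safe to repeat.
    run ip route replace default via "$GW" dev "$DEV" table "$TABLE_NAME"
    # Priority 1000 sits before the main table (32766), so the tunnel's
    # default or 0.0.0.0/1 routes never see packets for BYPASS_IP.
    rule_present || run ip rule add to "$BYPASS_IP" lookup "$TABLE_NAME" priority 1000
    run ip route flush cache
}

vpn_bypass_down() {
    run ip rule del to "$BYPASS_IP" lookup "$TABLE_NAME" priority 1000
    run ip route flush table "$TABLE_NAME"
}

# vpn_bypass_verify: ask the kernel which device it would use; fail on a tunnel
vpn_bypass_verify() {
    dev=$(ip route get "$BYPASS_IP" 2>/dev/null | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1)}')
    case "$dev" in
        tun*|tap*) printf 'LEAK: %s would go via %s\n' "$BYPASS_IP" "$dev"; return 1 ;;
        "")        printf 'no route for %s\n' "$BYPASS_IP"; return 1 ;;
        *)         printf 'ok: %s via %s\n' "$BYPASS_IP" "$dev"; return 0 ;;
    esac
}

case "${1:-}" in
    up)     vpn_bypass_up ;;
    down)   vpn_bypass_down ;;
    verify) vpn_bypass_verify ;;
    "")     : ;;      # sourced or run without arguments: only define the functions
    *)      echo "usage: $0 up|down|verify" >&2; exit 2 ;;
esac
```

Run it as `DRY_RUN=1 ./vpn-bypass.sh up` first to see the exact iproute2 commands, then `sudo ./vpn-bypass.sh up` and `./vpn-bypass.sh verify`. The verify step is the one worth wiring into a cron job or a VPN reconnect hook, since it is the kernel's own answer rather than a reading of the route listing.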

When using OpenVPN with most commercial VPN providers, all traffic gets routed through the encrypted tunnel by default. This creates a challenge when you need to:

  • Access local network resources (printers/NAS)
  • Connect to region-locked services while maintaining VPN privacy
  • Whitelist specific IPs for latency-sensitive applications

The Linux kernel's policy routing, driven by the iproute2 tools (with iptables available for any filtering you need alongside it), lets you create such exceptions. Install the required packages:

# Required packages (Trisquel/Ubuntu)
sudo apt-get install iproute2 iptables

Step 1: Identify Your Network Interfaces

Run this before connecting to VPN:

ip route show | grep default
# Example output:
# default via 192.168.1.1 dev eth0 proto static

Step 2: Create Routing Table for Direct Traffic

Add to /etc/iproute2/rt_tables:

200 direct

Then initialize the table and tell the kernel when to consult it:

ip route add default via YOUR_DEFAULT_GW dev YOUR_DEVICE table direct
# Select the table by destination. A "from YOUR_LOCAL_IP" rule would send all
# of your traffic around the tunnel, not just the whitelisted host.
ip rule add to WHITELISTED_IP lookup direct

Step 3: Whitelist Specific IP

For this example, let's exclude 192.0.2.100:

# Add route for the specific IP
ip route add 192.0.2.100 via YOUR_DEFAULT_GW dev YOUR_DEVICE

# Persistent version: put this line under the "iface eth0" stanza in /etc/network/interfaces
post-up ip route add 192.0.2.100 via 192.168.1.1 dev eth0

For dynamic VPN connections, use this up/down script (save as /etc/openvpn/whitelist-route.sh):

#!/bin/bash
# OpenVPN passes the tun device name as $1 to up/down hooks and exports the
# hook type in $script_type, so dispatch on that (the "$1" fallback only
# serves running the script by hand).
# Take gateway and device from the first default route that is not the tunnel.
read -r _ _ GW _ DEV _ <<< "$(ip route show default | grep -v ' dev tun' | head -n 1)"

case "${script_type:-$1}" in
    up)
        ip route replace 192.0.2.100 via "$GW" dev "$DEV"
        ;;
    down)
        ip route del 192.0.2.100 2>/dev/null || true
        ;;
esac

Add to OpenVPN config:

# Level 2 allows OpenVPN to run external scripts
script-security 2
up /etc/openvpn/whitelist-route.sh
down /etc/openvpn/whitelist-route.sh

Test with:

traceroute 192.0.2.100
# Should show your normal gateway, not VPN endpoint
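A more robust version of the up/down hook from Step 3, added here as an example rather than taken from the article. It relies on three variables OpenVPN exports to every hook script: script_type ("up" or "down"), dev (the tunnel interface) and route_net_gateway (the default gateway recorded before the VPN changed anything). The gateway detection is a separate function that takes the text of "ip route show default" as input, so it can be exercised on sample output: it skips the tunnel and any tun*/tap* device, prefers the entry whose gateway matches route_net_gateway when that is known, and otherwise picks the lowest metric (a missing metric counts as 0), instead of trusting whatever "grep default" happens to return first on a multi-homed machine. The excluded address 192.0.2.100 is the article's placeholder.

```shell
#!/bin/sh
# whitelist-route.sh: OpenVPN up/down hook that routes one excluded
# destination via the physical gateway. Added example; the address is a
# placeholder from the article and can be overridden via BYPASS_IP.
BYPASS_IP="${BYPASS_IP:-192.0.2.100}"

# pick_physical_default ROUTES [TUNDEV] [PREFERRED_GW]
# ROUTES is the output of "ip route show default". Prints "GW DEV" for the
# best non-tunnel default route, or nothing if no usable entry exists.
pick_physical_default() {
    printf '%s\n' "$1" | awk -v skip="${2:-}" -v want="${3:-}" '
        $1 == "default" {
            gw = ""; dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "via")    gw = $(i + 1)
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            # drop entries without a gateway, the tunnel itself, and any tun/tap device
            if (gw == "" || dev == "" || dev == skip || dev ~ /^(tun|tap)/) next
            # when OpenVPN told us the pre-VPN gateway, only accept that one
            if (want != "" && gw != want) next
            if (best == "" || metric < best_metric) {
                best = gw " " dev; best_metric = metric
            }
        }
        END { if (best != "") print best }'
}

hook_up() {
    pair=$(pick_physical_default "$(ip route show default)" "${dev:-}" "${route_net_gateway:-}")
    if [ -z "$pair" ]; then
        echo "whitelist-route: no physical default route found, not adding bypass" >&2
        return 1
    fi
    set -- $pair                    # $1 = gateway, $2 = device
    # "replace" keeps the hook idempotent across OpenVPN reconnects
    ip route replace "$BYPASS_IP" via "$1" dev "$2"
    echo "whitelist-route: $BYPASS_IP now via $1 dev $2"
}

hook_down() {
    # tolerate an already-missing route so "down" never fails noisily
    ip route del "$BYPASS_IP" 2>/dev/null || true
}

# OpenVPN sets script_type; the "$1" form is for manual testing: ./whitelist-route.sh up
case "${script_type:-${1:-}}" in
    up)   hook_up ;;
    down) hook_down ;;
    "")   : ;;                      # sourced or run without arguments: define functions only
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Because OpenVPN runs the "up" hook before it installs its own routes, the physical default route is still the only candidate at that point; the filtering matters on the "down" side and on reconnects, when tun0 may already own a default or /1 route.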