When your internal websites are bypassing the VPN tunnel (traceroute shows your local gateway 192.168.0.1 as the first hop instead of the VPN gateway 10.8.0.1), one of the following is usually the cause:
- Split tunneling is enabled in your OpenVPN configuration
- Missing proper route directives in server config
- Windows routing table not properly updated
Edit your OpenVPN server config (typically /etc/openvpn/server.conf on Ubuntu) so that it pushes a default route, a DNS server that lives inside the tunnel, and the internal LAN route (the three push lines are the ones that matter; the rest is a minimal working context for them):
dev tun
proto udp
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
Two things must be true on the server for this to do more than black-hole traffic: net.ipv4.ip_forward must be enabled and the LAN must either NAT (an iptables MASQUERADE rule for 10.8.0.0/24 on the LAN-facing interface) or have a return route for 10.8.0.0/24, otherwise clients get the full tunnel and lose Internet and LAN access at the same time. The DNS push likewise only helps if a resolver on the server actually listens on 10.8.0.1.
After connecting, verify routes on Windows:
route print
You should see two routes, destination 0.0.0.0 with netmask 128.0.0.0 and destination 128.0.0.0 with netmask 128.0.0.0, whose Gateway is the VPN gateway. That gateway is 10.8.0.1 if the server uses topology subnet; with the default net30 topology of OpenVPN 2.1 it is the peer address of your /30, for example 10.8.0.5. Together the two /1 routes cover the whole address space with a longer prefix than the original 0.0.0.0/0, so they win without the local default route being deleted, and the on-link route for your own LAN stays in place. Also expect a /32 host route to the VPN server's public address via 192.168.0.1; that is the one flow that must stay outside the tunnel, because it carries the tunnel itself.
Add these to your client.ovpn file (block-outside-dns is a community-client option from 2.3.9 on; it uses the Windows Filtering Platform to drop DNS queries that try to leave on any interface other than the TAP adapter, and register-dns flushes and re-registers the Windows resolver cache after the tunnel comes up):
block-outside-dns
register-dns
For Windows specifically, check IPv6 as well. An OpenVPN 2.1 server (the version shipped with Ubuntu 10.04) pushes no IPv6 routes, so if the client has IPv6 connectivity, traffic to dual-stack hosts leaves on the physical adapter and never touches the tunnel. Disable IPv6 on the physical adapter (untick Internet Protocol Version 6 in the adapter's properties, or set DisabledComponents under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters to 0xff and reboot). The command below only stops Windows from generating random interface identifiers; it does not close the leak on its own:
netsh interface ipv6 set global randomizeidentifiers=disabled
Create Windows Firewall rules that act as a kill switch. Two things are wrong with a blanket "block everything on Wi-Fi" rule: netsh advfirewall cannot match on an adapter name (its interfacetype parameter only takes wireless, lan or ras), and the encrypted OpenVPN packets themselves leave through Wi-Fi, so blocking that adapter kills the tunnel too. Windows evaluates explicit block rules ahead of allow rules, but allow rules do override the profile's default action, so the working pattern is: block outbound by default, then allow only the OpenVPN client program (the outer UDP packets), packets whose source is the tunnel address (everything routed into the tunnel carries a 10.8.0.x source), and DHCP. The program path is the community client's default; adjust it for OpenVPN Connect:
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="Allow OpenVPN client" dir=out action=allow program="C:\Program Files\OpenVPN\bin\openvpn.exe"
netsh advfirewall firewall add rule name="Allow tunnel traffic" dir=out action=allow localip=10.8.0.0/24
netsh advfirewall firewall add rule name="Allow DHCP" dir=out action=allow protocol=udp remoteport=67
Use these commands to verify the full tunnel:
tracert 8.8.8.8
nslookup example.com
curl https://ifconfig.me
The first hop in tracert should be the VPN gateway, not 192.168.0.1; nslookup should report Server: 10.8.0.1 (the pushed DNS server) rather than your ISP's or router's resolver; and curl (not installed on Windows 7 by default; opening the same URL in a browser works) should return your VPN server's public IP, not your home connection's.
When using OpenVPN, you might encounter situations where certain traffic bypasses the VPN tunnel despite being connected. This typically happens due to:
- Incomplete route configuration in the OpenVPN server
- Missing or incorrect push directives in server config
- Windows routing table maintaining local network preferences
- DNS leaks occurring outside the VPN tunnel
On your Ubuntu server (10.04), modify your OpenVPN server configuration file (usually at /etc/openvpn/server.conf) to include these critical directives:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "route 192.168.0.0 255.255.255.0"
For the OpenVPN Connect client on Windows 7, you'll need to ensure these settings:
# Add to client.ovpn or client.conf:
redirect-gateway def1
route-method exe
route-delay 2
To verify your routing table after connection:
route print
Look for the 0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0 routes whose Gateway is the VPN gateway (10.8.0.1 with topology subnet, or your /30 peer such as 10.8.0.5 under the default net30 topology) rather than your local gateway (192.168.0.1). The original 0.0.0.0/0 route via 192.168.0.1 stays in the table; that is expected with def1, because the two /1 routes beat it on prefix length.
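Reading route print by eye is error-prone, so here is an added example (not code from either answer above) that does the two route print checks in this thread mechanically: it parses the IPv4 table, applies the longest-prefix-then-lowest-metric rule Windows uses, and reports whether a public address and an internal address would actually leave through the tunnel. It assumes the tunnel subnet 10.8.0.0/24 and the pushed prefix 192.168.0.0/24 from this thread; the two sample tables are constructed, not captured from a real machine.

```python
"""Check a Windows `route print -4` table for VPN bypass (added example)."""
import ipaddress
import re
import subprocess
import sys

TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")          # server 10.8.0.0 255.255.255.0
INTERNAL_PREFIX = ipaddress.ip_network("192.168.0.0/24")  # push "route 192.168.0.0 ..."

# One 'Active Routes' row: destination, netmask, gateway (IP or On-link),
# interface address, metric.  Headers and the four-column persistent-routes
# section do not match and are skipped.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return [(network, gateway, interface, metric), ...]."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
    return routes


def best_route(routes, addr):
    """Longest prefix first, lowest metric on a tie: the rule Windows applies."""
    addr = ipaddress.ip_address(addr)
    cands = [r for r in routes if addr in r[0]]
    return max(cands, key=lambda r: (r[0].prefixlen, -r[3])) if cands else None


def via_tunnel(route):
    """True when the next hop is an address inside the tunnel subnet."""
    gw = route[1]
    return gw != "On-link" and ipaddress.ip_address(gw) in TUNNEL_NET


def check_full_tunnel(routes):
    """Return a list of leak findings; an empty list means a full tunnel."""
    findings = []
    # redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1; the original
    # 0.0.0.0/0 via the local gateway stays and is expected.
    for half in ("0.0.0.0/1", "128.0.0.0/1"):
        hits = [r for r in routes if r[0] == ipaddress.ip_network(half)]
        if not hits:
            findings.append(f"missing {half}: redirect-gateway def1 not applied")
        elif not any(via_tunnel(r) for r in hits):
            findings.append(f"{half} goes via {hits[0][1]}, not the tunnel")
    # What the table would really do with a public and an internal address.
    for probe in ("8.8.8.8", str(INTERNAL_PREFIX[10])):
        r = best_route(routes, probe)
        if r is None or not via_tunnel(r):
            where = f"{r[1]} on {r[2]}" if r else "nowhere"
            findings.append(f"{probe} would exit via {where}")
    return findings


# Constructed sample: tunnel is up (10.8.0.4/30) but nothing was pushed, and
# the client's own LAN is the same 192.168.0.0/24 as the office.
LEAKING_TABLE = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.23     25
         10.8.0.4  255.255.255.252          On-link         10.8.0.6    286
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
      192.168.0.0    255.255.255.0          On-link     192.168.0.23    281
"""

# Constructed sample after the server pushes def1 and the LAN route
# (topology subnet, so the gateway is 10.8.0.1).
FULL_TUNNEL_TABLE = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.23     25
          0.0.0.0        128.0.0.0         10.8.0.1        10.8.0.2     30
        128.0.0.0        128.0.0.0         10.8.0.1        10.8.0.2     30
         10.8.0.0    255.255.255.0          On-link         10.8.0.2    286
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
      192.168.0.0    255.255.255.0         10.8.0.1        10.8.0.2     30
      192.168.0.0    255.255.255.0          On-link     192.168.0.23    281
     203.0.113.10  255.255.255.255      192.168.0.1    192.168.0.23     25
"""


def live_routes():
    """Parse the routing table of the Windows machine this runs on."""
    out = subprocess.run(["route", "print", "-4"], capture_output=True,
                         text=True, check=True).stdout
    return parse_routes(out)


if __name__ == "__main__":
    routes = live_routes() if sys.platform == "win32" else parse_routes(LEAKING_TABLE)
    for finding in check_full_tunnel(routes):
        print("LEAK:", finding)
```

Run it on the Windows client after connecting; on any other platform it demonstrates itself against the leaking sample. The internal-prefix probe is the one that catches the overlap case: when the office and home LANs are both 192.168.0.0/24, the pushed route and the on-link route tie on prefix length and only the metric decides which one wins.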
If specific internal sites still bypass the VPN, add explicit routes to the client config. Use vpn_gateway as the gateway (or omit it, which means the same thing): with the default net30 topology the client's tunnel peer is not 10.8.0.1, so a route via 10.8.0.1 may not be accepted, while vpn_gateway resolves to the right peer address under either topology:
# For specific internal IP ranges
route 192.168.1.0 255.255.255.0 vpn_gateway
route 192.168.2.0 255.255.255.0 vpn_gateway
# Or for individual problematic hosts
route 192.168.1.25 255.255.255.255 vpn_gateway
Note the trap in this thread's own numbers: the local gateway is 192.168.0.1, so the client's own LAN is 192.168.0.0/24, the very prefix the server pushes. Two /24 routes tie on prefix length and Windows decides by metric, which depends on the two adapters' interface metrics rather than on anything OpenVPN pushes. A narrower route (two /25s, or /32 host routes as above) wins on prefix length; the clean fix is to renumber one of the two networks.
Configure Windows Firewall so that only the OpenVPN client and tunnel traffic can leave the machine. netsh cannot filter on an adapter name (interfacetype only takes wireless, lan or ras), and a blanket block on the physical adapter would also drop the encrypted packets the tunnel is made of, so block outbound by default and allow the things that must pass: the client program, packets sourced from the tunnel subnet, and DHCP. The program path is the community client's default; adjust it for OpenVPN Connect:
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="Allow OpenVPN client" dir=out action=allow program="C:\Program Files\OpenVPN\bin\openvpn.exe"
netsh advfirewall firewall add rule name="Allow tunnel traffic" dir=out action=allow localip=10.8.0.0/24
netsh advfirewall firewall add rule name="Allow DHCP" dir=out action=allow protocol=udp remoteport=67
Use these commands to test your VPN tunnel integrity:
tracert example.com
nslookup example.com
curl ifconfig.me
The first tracert hop should be the VPN gateway rather than 192.168.0.1, nslookup's Server: line should be 10.8.0.1, and curl should return the VPN server's public IP, not your local connection's.
If you still experience leaks:
- Check for DNS leaks with nslookup (the Server: line must be 10.8.0.1) or an online leak test
- Verify the TAP adapter has a lower interface metric (higher priority) than the physical NICs
- Ensure no third-party firewall is intercepting VPN traffic
- Test with different MTU sizes (tun-mtu, mssfix) if you see packet fragmentation