How to Make OpenVPN’s redirect-gateway Optional for Specific Clients


When running an OpenVPN server with redirect-gateway def1 in the server configuration, all client traffic gets routed through the VPN by default. This creates problems for clients that are themselves servers and need to:

  • Maintain both WAN and LAN accessibility
  • Keep certain services LAN-only
  • Preserve existing network routing rules

There are two primary approaches to make gateway redirection optional:

1. Using Client Configuration Overrides

Add this to your client's OpenVPN configuration file (.ovpn):
# Ignore the routes and redirect-gateway the server pushes.
# (route-nopull, not route-noexec: route-noexec would also stop the manual
# route lines below from being installed.)
route-nopull

# Manually specify the routes you want installed through the tunnel
route 10.8.0.0 255.255.255.0
route 192.168.1.0 255.255.255.0

2. Server-Side Conditional Pushing

Modify your server configuration (server.conf) to conditionally push routes:
client-config-dir /etc/openvpn/ccd
# Route the client's LAN into the tun interface on the server side
route 192.168.1.0 255.255.255.0

# In /etc/openvpn/ccd/client1 (filename matches the client certificate's CN)
# topology subnet: address plus netmask
ifconfig-push 10.8.0.101 255.255.255.0
# Tell the server that 192.168.1.0/24 sits behind this client
iroute 192.168.1.0 255.255.255.0

For more complex scenarios, use a client-connect script:
#!/bin/bash
# /etc/openvpn/client-connect.sh
# OpenVPN passes the client certificate CN in $common_name and the path of a
# temporary file in $1; every line written to that file is applied as if it
# were in server.conf for this client only. Remove the global
# push "redirect-gateway def1" from server.conf so this script decides.

case "$common_name" in
  "server-client1")
    echo 'push "route 10.8.0.0 255.255.255.0"' > "$1"
    ;;
  *)
    # Use > for the first line and >> afterwards; a second > would truncate
    # the file and discard the line written before it.
    echo 'push "redirect-gateway def1"' > "$1"
    echo 'push "route 10.8.0.0 255.255.255.0"' >> "$1"
    ;;
esac

Then reference it in server.conf:

# Required so OpenVPN is allowed to execute external scripts
script-security 2
client-connect /etc/openvpn/client-connect.sh
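The following is an added example, not the script from the original article: a client-connect script built around a small allowlist so the exception list is not buried in a case statement, and written so that the push lines can be generated and checked without a running OpenVPN server. It assumes the same contract described above (CN in `$common_name`, output file in `$1`) and that the global `push "redirect-gateway def1"` has been removed from server.conf; the client names in the list are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): per-client redirect-gateway
# decision for OpenVPN's client-connect hook. OpenVPN runs this with the
# client's certificate CN in $common_name and a temporary file path in $1;
# every line written to that file is applied as a per-client server option.
# Needs `script-security 2` and `client-connect /path/to/this.sh` in
# server.conf, with no global push "redirect-gateway def1".

# Clients (by certificate CN) that keep their own default route.
# Assumption: maintained by hand; these names are constructed.
NO_REDIRECT_CLIENTS="server-client1 web-server-1"

# Returns 0 if the CN is in the exception list, 1 otherwise.
is_no_redirect_client() {
    cn=$1
    for allowed in $NO_REDIRECT_CLIENTS; do
        [ "$cn" = "$allowed" ] && return 0
    done
    return 1
}

# Writes the push directives for one client into the file OpenVPN hands us.
# First write uses >, later writes use >>: a second > would truncate the
# file and silently drop the line written before it.
write_push_options() {
    cn=$1
    outfile=$2
    # Every client gets the VPN subnet route.
    echo 'push "route 10.8.0.0 255.255.255.0"' > "$outfile"
    if ! is_no_redirect_client "$cn"; then
        echo 'push "redirect-gateway def1"' >> "$outfile"
    fi
}

# OpenVPN entry point: only act when invoked by the server (both values set).
if [ -n "$common_name" ] && [ -n "$1" ]; then
    write_push_options "$common_name" "$1"
fi
```

Because the CN comes from a certificate the server itself verified, the allowlist is keyed on something the client cannot choose freely; the names are quoted everywhere so a CN containing spaces or shell metacharacters cannot change what the script does.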

After implementation, verify with:
# On Linux clients:
ip route show

# On Windows clients:
route print

The output should show your VPN routes without a default gateway override for your special cases. Note that redirect-gateway def1 does not replace the default route; it adds two more-specific routes, 0.0.0.0/1 and 128.0.0.0/1, via the VPN gateway, so those are the entries to look for.
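As an added example (not part of the original article), here is a small check that reads `ip route show` output and reports whether the def1 override is in effect. It looks for the two half-routes OpenVPN installs, 0.0.0.0/1 and 128.0.0.0/1, rather than for a changed default route. The route tables below are constructed samples, not captures from a real host.

```shell
# Added example: detect a redirect-gateway def1 override from `ip route show`
# output. def1 leaves the original default route in place and adds
# 0.0.0.0/1 and 128.0.0.0/1 via the VPN gateway; together they cover all of
# IPv4 and beat 0.0.0.0/0 on prefix length.

# Constructed sample outputs (not from a real host).
ROUTES_REDIRECTED='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.100.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.10'

ROUTES_SELECTIVE='default via 192.168.100.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 via 10.8.0.1 dev tun0
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.10'

# Reads a route table on stdin; returns 0 when both def1 half-routes are
# present, 1 otherwise. Both must exist, or only half the address space is
# being redirected.
has_def1_override() {
    rt=$(cat)
    echo "$rt" | grep -q '^0\.0\.0\.0/1 ' && echo "$rt" | grep -q '^128\.0\.0\.0/1 '
}

# Prints the device carrying the real default route (first match).
default_route_dev() {
    sed -n 's/^default via [^ ]* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Prints the device carrying the 0.0.0.0/1 half-route, or nothing.
vpn_override_dev() {
    sed -n 's/^0\.0\.0\.0\/1 via [^ ]* dev \([^ ]*\).*/\1/p' | head -n 1
}

# One-line verdict for a named host and its route table text.
check_client() {
    name=$1
    table=$2
    if echo "$table" | has_def1_override; then
        echo "$name: full tunnel (def1 via $(echo "$table" | vpn_override_dev))"
    else
        echo "$name: split tunnel, default route stays on $(echo "$table" | default_route_dev)"
    fi
}

check_client "redirected-host" "$ROUTES_REDIRECTED"
check_client "selective-host" "$ROUTES_SELECTIVE"
```

On a live client replace the sample text with `ip route show | has_def1_override`; a server client that should keep WAN access must report "split tunnel".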

When running an OpenVPN server with redirect-gateway def1, all client traffic gets routed through the VPN tunnel by default. While this works well for most end-user devices, it becomes problematic for servers that need to:

  • Maintain both WAN and LAN accessibility
  • Host services with LAN-only restrictions
  • Preserve direct internet connectivity for certain functions

The most effective approach is to modify the client configuration to ignore the server's route directives. Here's how to implement it:

# Sample client.ovpn configuration
client
dev tun
proto udp
remote your.vpn.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
comp-lzo no

# Critical directive to bypass the gateway redirect: ignore every route,
# redirect-gateway and DHCP option the server pushes
route-nopull

# Optional DNS handling. Because route-nopull also discards pushed DNS
# servers, set dhcp-option DNS locally if the VPN resolver is needed.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</ca>
<cert>
[...]
</cert>
<key>
[...]
</key>

For more granular control, you can implement selective routing using custom route directives:

# Only route specific subnets through VPN
route 192.168.1.0 255.255.255.0
route 10.8.0.0 255.255.255.0

# Explicitly keep the local network on the physical gateway
# (net_gateway = the default gateway that existed before the tunnel came up)
route 192.168.100.0 255.255.255.0 net_gateway

While the solution primarily resides client-side, server operators should consider:

# In server.conf - per-client overrides instead of one global push
client-config-dir /etc/openvpn/ccd

# Then in /etc/openvpn/ccd/client1 (filename matches the client certificate's CN)
# topology net30: local and remote endpoint of the client's /30 pair
ifconfig-push 10.8.0.101 10.8.0.102
# Tell the server that 192.168.1.0/24 sits behind this client
iroute 192.168.1.0 255.255.255.0

When implementing this configuration, watch for:

  • DNS leakage - ensure proper resolv.conf handling
  • Firewall conflicts - adjust both host and network firewalls
  • Route metric conflicts - check with ip route show

For a web server needing both WAN and VPN access:

# Web server's openvpn client config
route-nopull
# vpn_gateway = the tunnel's remote endpoint; net_gateway = the pre-VPN default gateway
route 10.8.0.0 255.255.0.0 vpn_gateway
route 192.168.100.0 255.255.255.0 net_gateway
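As an added example (not from the original article), the following check reads a client .ovpn and verifies the three properties the web-server configuration above relies on: `route-nopull` is present (otherwise the server's pushed redirect-gateway still applies), no local `redirect-gateway` line re-enables the override, and every `route` line names vpn_gateway or net_gateway so it is unambiguous which side of the split each subnet belongs to. The two configs it is run against are constructed.

```shell
# Added example: sanity-check a client .ovpn for the selective-routing
# pattern before deploying it to a server that must keep WAN/LAN access.

# Constructed sample configs (not from a real deployment).
WEB_SERVER_CONF='client
dev tun
route-nopull
route 10.8.0.0 255.255.0.0 vpn_gateway
route 192.168.100.0 255.255.255.0 net_gateway'

BAD_CONF='client
dev tun
route 10.8.0.0 255.255.0.0 vpn_gateway
redirect-gateway def1'

# Reads a config on stdin; prints one line per route directive as
# "<network>/<netmask> <vpn|lan|unspecified|gateway>". Comments are stripped.
classify_routes() {
    sed 's/#.*//' | awk '$1 == "route" {
        gw = ($4 == "") ? "unspecified" : $4
        side = (gw == "vpn_gateway") ? "vpn" : (gw == "net_gateway") ? "lan" : gw
        print $2 "/" $3 " " side
    }'
}

# Reads a config on stdin; returns 0 if it is safe for a split-tunnel
# server client, 1 otherwise, printing the reason on failure.
config_is_split_safe() {
    conf=$(sed 's/#.*//')
    if ! echo "$conf" | grep -q '^[[:space:]]*route-nopull'; then
        echo "missing route-nopull: a server-pushed redirect-gateway would still apply"
        return 1
    fi
    if echo "$conf" | grep -q '^[[:space:]]*redirect-gateway'; then
        echo "local redirect-gateway line overrides the default route"
        return 1
    fi
    if echo "$conf" | classify_routes | grep -q ' unspecified$'; then
        echo "route line without vpn_gateway/net_gateway: routing side is ambiguous"
        return 1
    fi
    return 0
}

echo "web server config:"
echo "$WEB_SERVER_CONF" | classify_routes
echo "$WEB_SERVER_CONF" | config_is_split_safe && echo "ok"
echo "bad config:"
echo "$BAD_CONF" | config_is_split_safe || echo "rejected"
```

Run it as `config_is_split_safe < client.ovpn` in a deployment pipeline; a non-zero exit means the file would let the server's redirect-gateway take over the host's default route.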