Force all traffic through OpenVPN connection

This is a really quick one, as we use this trick a lot when working remotely, but we always have to scrabble around to find the info!

We use the open source OpenVPN for our office VPN. In general it’s great; however, when working away from the office, it’s configured such that any request for a resource first checks outside the firewall to see if it can reach it. If it can, the request goes out directly, with no VPN involved. If it can’t, it then tries inside the VPN tunnel.

For example, with the VPN connected, if I try to go to http://blog.sellorm.com, access occurs outside the VPN as the resource is on the open internet. If I try to access something like http://rstudio.office.local, which isn’t on the open internet, access takes place through the VPN. This is a really great way of reducing traffic through the VPN to only the essential resources. We know this isn’t the most secure option, but it works for us for the moment.

There is one interesting exception to this however, and that is systems on public cloud providers like Amazon’s AWS. These systems are by necessity available on the public internet, but we generally use firewalls to only permit access from the office.

Unfortunately, this breaks the configuration above: because the hostname of the resource can be looked up on the open internet, the client thinks it should be able to access it outside the VPN. As access is not permitted from outside the office, though, this request will eventually fail. This means that we need to temporarily push all traffic through the VPN while we work with that AWS resource.

As a Mac user, using the excellent TunnelBlick OpenVPN client, this is easy for me, as it helpfully provides a ‘Route all IPv4 traffic through the VPN’ tick box. For my Windows-using colleagues, however, it’s not quite so simple. They must edit their OpenVPN config file and manually add the following line to the end, before restarting their VPN connection.

redirect-gateway def1

This file is often just called client.ovpn.
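For colleagues who switch back and forth, here is an added example (not from the original post, nor part of OpenVPN itself) that toggles the directive in client.ovpn idempotently; the file path, the function names and the sample config contents are assumptions. It also avoids the one trap of editing by hand: if the file has no trailing newline, appending glues the directive onto the last existing line.

```python
import re
import sys
from pathlib import Path

# Matches an active (uncommented) redirect-gateway line with any flags,
# e.g. "redirect-gateway def1" or "redirect-gateway def1 bypass-dhcp".
# Lines starting with "#" or ";" are comments in OpenVPN and are left alone.
_REDIRECT_RE = re.compile(r"^[ \t]*redirect-gateway\b[^\n]*\n?", re.MULTILINE)

# "def1" overrides the default route by adding 0.0.0.0/1 and 128.0.0.0/1
# instead of replacing 0.0.0.0/0, so the original route survives for when
# the tunnel goes down.
FULL_TUNNEL_LINE = "redirect-gateway def1"

# Constructed sample client config (not a real office config); deliberately
# has no trailing newline to exercise the append edge case.
SAMPLE_CONFIG = """client
dev tun
proto udp
remote vpn.example.invalid 1194
verb 3"""


def is_full_tunnel(config_text: str) -> bool:
    """True if an active redirect-gateway directive is present."""
    return _REDIRECT_RE.search(config_text) is not None


def set_full_tunnel(config_text: str, enabled: bool) -> str:
    """Return config_text with the full-tunnel directive present or absent.

    Every existing active redirect-gateway line is removed first, so the file
    never ends up with two conflicting directives, and the result is the same
    no matter how many times it is applied.
    """
    body = _REDIRECT_RE.sub("", config_text).rstrip("\n")
    if not enabled:
        return body + "\n" if body else ""
    # Always start the directive on its own line, then end with a newline.
    return (body + "\n" if body else "") + FULL_TUNNEL_LINE + "\n"


def toggle_file(path: Path) -> bool:
    """Flip the file between split- and full-tunnel mode; return the new state."""
    text = path.read_text()
    enable = not is_full_tunnel(text)
    path.write_text(set_full_tunnel(text, enable))
    return enable


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "client.ovpn")
    print("full tunnel:", toggle_file(target))
```

As with the manual edit, the VPN connection has to be restarted before the change takes effect.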

Hopefully this quick post makes this easier to find for me next time someone asks about it, as well as helping someone else facing the same issue in the future.