OpenVPN Split Tunnel
A VPN is often configured to route all client traffic through it. There are cases, however, where you only want specific traffic to go through the VPN, and in that scenario you need to set up split tunneling.
VPN split tunneling routes only selected traffic through the VPN. This makes efficient use of bandwidth and reduces the load on the VPN connection, and it lets users reach both local and VPN network resources while connected to the VPN.
Split tunneling can be configured on the OpenVPN server as well as the client. Let’s see how it can be achieved!
Server configuration
In an OpenVPN server configuration file (server.conf) you may see a line like this:

push "redirect-gateway def1 bypass-dhcp"
This directive sets up all clients to route their default network gateway via the VPN, causing all IP traffic, including web browsing and DNS lookups, to go through the VPN.
To enable split tunneling, remove the line above and add something like this:

push "route 10.3.0.0 255.255.240.0"

This instructs the clients to use the VPN only for traffic destined for the 10.3.0.0/20 CIDR range; OpenVPN writes the range as a network address followed by its netmask rather than in /prefix notation. You can add multiple push directives, one per network.
Make sure to restart the OpenVPN server every time you update the config file for the changes to take effect.
Client configuration
Here are two lines you can add to the client file (*.ovpn) to enable split tunneling:

route-nopull
route 10.8.0.0 255.255.0.0
The first line makes the client ignore the routing configuration the server pushes to it by default. The second line instructs the client to route only traffic destined for the 10.8.0.0/16 range through the VPN; all other traffic keeps using the client's normal gateway.
As long as the VPN server can reach the 10.8.0.0/16 network, the client will be able to reach it as well.
Don’t forget to reconnect to the VPN after you update your client file to enable the changes.
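As an added example that is not part of the original article, the Python script below applies both changes described above to constructed sample configs: it strips the server's push "redirect-gateway" line and pushes one route per network, and it adds route-nopull plus local routes to a client profile, converting CIDR notation into the network/netmask form OpenVPN expects. The sample server.conf and the vpn.example.com remote are constructed placeholders, not values from the article.

```python
import ipaddress
import re

# Constructed sample server.conf (not from the article): a full-tunnel server
# that pushes redirect-gateway, which we convert to a split-tunnel setup.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
"""

REDIRECT_GATEWAY = re.compile(r'^\s*push\s+"redirect-gateway\b')


def route_directive(cidr: str) -> str:
    """Render a CIDR as OpenVPN's 'route <network> <netmask>' form.

    strict=True rejects a prefix with host bits set (e.g. 10.3.0.1/20)
    instead of silently emitting a route that does not match the network.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return f"route {net.network_address} {net.netmask}"


def split_tunnel_server(conf: str, cidrs: list[str]) -> str:
    """Drop every push "redirect-gateway" line and push one route per CIDR."""
    kept = [ln for ln in conf.splitlines() if not REDIRECT_GATEWAY.match(ln)]
    kept += [f'push "{route_directive(c)}"' for c in cidrs]
    return "\n".join(kept) + "\n"


def split_tunnel_client(ovpn: str, cidrs: list[str]) -> str:
    """Add route-nopull (once) plus a local route per CIDR to a client profile.

    Note: route-nopull also discards pushed DNS/dhcp options, so a client
    that needs the VPN's DNS must set those options locally.
    """
    lines = ovpn.splitlines()
    if not any(ln.strip() == "route-nopull" for ln in lines):
        lines.append("route-nopull")
    lines += [route_directive(c) for c in cidrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(split_tunnel_server(SAMPLE_SERVER_CONF, ["10.3.0.0/20"]))
    print(split_tunnel_client("client\nremote vpn.example.com 1194\n", ["10.8.0.0/16"]))
```

Restart the server (or reconnect the client) after writing the converted file, as described above.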