My home router is a custom built Arch linux box. For some additional privacy/security I have it set up as an OpenVPN client to an OpenVPN server, running on a VPS I operate. All of my home traffic goes through this VPN tunnel 24/7. This setup works perfectly.

On occasion, I would like to have some traffic bypass the vpn tunnel and use my regular, un-VPN'd connection. The destination ip addresses are numerous and varied, so it's not feasible to simply hardcode static routes.

Instead, I thought I would set up an openvpn server instance on the router, available to clients on the LAN, and then use policy based routing to route all traffic from that vpn subnet (of connected clients) directly through my internet connection, bypassing the tunnel that all other internet traffic goes through. This way, clients on my home network could connect to this internal vpn and reach the internet without going through the router's vpn tunnel.

Does this sound feasible? Am I correct in thinking I could use source-based routing through a separate routing table to bypass the router's client VPN tunnel? Any pitfalls or details (related to iptables or routing tables) to be aware of to make this work?

Thanks in advance.

  • "On occasion, I would like to have some traffic bypass the vpn tunnel and use my regular, un-VPN'd connection. The destination ip addresses are numerous and varied, so it's not feasible to simply hardcode static routes." Sounds like either you need to look into split tunneling perhaps or else use the unfeasible static routes since that need is only on "occasion" and figure out a way to script so you can just plug in what changes per each occasion you have this need. Otherwise look into split tunneling with OpenVPN and do some research on that just in case.... Quick ideas only for you archie. Commented Feb 25, 2018 at 20:08
  • This is feasible, but not trivial to do.
    – davidgo
    Commented Feb 26, 2018 at 5:15

2 Answers


If I understand correctly, the normal operation of a host on your network is to just use the Internet with its DHCP, or similarly supplied, LAN configuration, and its default route is out through the VPN service, say interface tun0.

However, occasionally, you'd like to not use the default tun0 route for network activity on one or more hosts. Rather than turn off the VPN service for your entire network, you propose to instead establish a VPN tunnel from the LAN host to your linux server, say tun1, with its own subnet, say subnetB, different from the ordinary LAN host network, say subnetA. You'd like to have traffic from subnetA be default routed through tun0, but traffic from the local VPN's subnetB to not exit via the tunnel, but leave through eth0, untunnelled.

I suggest, rather than make a source-based policy route based on subnetA or subnetB, that you use the inbound interface to assign the policy: Traffic inbound on eth1 leaves on tun0. Traffic inbound on tun1 leaves on eth0.


So to follow up, I was successful following my initial plan.

I set up an openvpn server on the router, accessible only from the home LAN. If a client on my home LAN wants to access the internet and bypass the vpn'd connection that the router normally routes all internal traffic through out to the Internet, it connects to this internal VPN. This vpn server is set up to hand out static IP addresses based on the client certificate. Then, the cl-connect.sh script creates a separate routing table and routing rules so that the specific, predetermined IP addresses assigned to clients on the internal vpn are routed through an alternative routing table, which tells all those connections to go out to the Internet using not the router-wide tun0 interface but the un-VPN'd eth0 interface that connects directly to my ISP. When LAN clients disconnect, the cl-disconnect.sh script deletes the routes as well.

This way, all my home LAN traffic still goes out to the wider Internet through the router and its tun0 interface to the router-wide VPN, by default. But clients connecting to this new internal vpn server have their traffic routed out to the Internet, bypassing the router-wide VPN, and with the IP address assigned by my ISP.

I guess I wonder if somehow using openvpn is overkill, and a simple proxy server setup (squid?) might be less overhead for the router. But nevertheless, this is working. Thanks to all who chimed in.
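The mechanism both answers describe (a separate routing table consulted by a policy rule for the internal VPN's clients, torn down again on disconnect), written out as an added shell example that is not the asker's cl-connect.sh or any OpenVPN project code. It assumes placeholder values (ISP gateway 192.0.2.1 on eth0, table 100, rule priority 1000) and also covers the two details the question asks about, NAT on eth0 and reverse-path filtering, which the answers leave implicit.

```shell
#!/bin/sh
# Added example, not the asker's cl-connect.sh/cl-disconnect.sh: an OpenVPN
# client-connect / client-disconnect hook for the router's internal VPN that
# sends one client's traffic out eth0 instead of the router-wide tun0.
# Assumed placeholders (not from the page): ISP next-hop 192.0.2.1 on eth0,
# routing table 100, rule priority 1000. Clients get fixed VPN IPs, as on the
# page, so one source-based rule per client address is enough.
set -eu

BYPASS_TABLE=100
RULE_PRIO=1000
WAN_IF="${WAN_IF:-eth0}"          # interface that goes straight to the ISP
ISP_GW="${ISP_GW:-192.0.2.1}"     # assumed ISP gateway; replace with your own

# Run a command, or only print it when DRY_RUN=1 (lets the logic be checked
# without root or real interfaces).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# The alternative table: its only route is a default out the WAN interface.
# Strict reverse-path filtering would drop replies arriving on eth0, because
# the main table says those Internet sources live behind tun0, so eth0 is
# put in loose mode (2).
ensure_bypass_table() {
    run ip route replace default via "$ISP_GW" dev "$WAN_IF" table "$BYPASS_TABLE"
    run sysctl -qw "net.ipv4.conf.$WAN_IF.rp_filter=2"
}

# Source-based policy rule plus NAT for one client's fixed VPN address.
connect_client() {
    client_ip=$1
    ensure_bypass_table
    run ip rule add from "$client_ip" lookup "$BYPASS_TABLE" priority "$RULE_PRIO"
    run iptables -t nat -A POSTROUTING -s "$client_ip" -o "$WAN_IF" -j MASQUERADE
}

# Undo exactly what connect_client added for that client.
disconnect_client() {
    client_ip=$1
    run ip rule del from "$client_ip" lookup "$BYPASS_TABLE" priority "$RULE_PRIO"
    run iptables -t nat -D POSTROUTING -s "$client_ip" -o "$WAN_IF" -j MASQUERADE
}

# When OpenVPN (script-security 2) calls the hook, it exports the client's
# VPN address as ifconfig_pool_remote_ip and the hook name as script_type.
if [ -n "${script_type:-}" ]; then
    case "$script_type" in
        client-connect)    connect_client "$ifconfig_pool_remote_ip" ;;
        client-disconnect) disconnect_client "$ifconfig_pool_remote_ip" ;;
    esac
fi
```

Point the server config's `client-connect` and `client-disconnect` directives at this one file; the main-table default via tun0 stays untouched, so ordinary LAN hosts keep using the router-wide VPN.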
