Selected traffic which goes into the VPN

How to customize and extend your OpenVPN installation.
OpenVpn Newbie
Posts: 1
Joined: Fri Oct 08, 2010 3:57 am

Selected traffic which goes into the VPN

Post by glloq » Fri Oct 08, 2010 4:13 am

I'm a new OpenVPN user. I've just ordered a VPN service to
Then I downloaded the OpenVPN client and ran it properly. It works as expected.

I would like to choose which applications use the VPN to reach the Internet and which ones use the classic Ethernet connection to reach the Internet or local resources.

Example: my Internet browser using the VPN for privacy, and an FTP client using the default connection when I don't need privacy but high throughput.

Is it possible to configure the OpenVPN client for this type of usage?
I had already set up a configuration like that with an SSH server and PuTTY in SOCKS proxy mode.

Thanks in advance

My configuration:

; layer-2 (bridged) virtual interface, UDP transport
dev tap
proto udp
; Cert (Windows path: backslashes are doubled inside the config file)
ca ..\\keys\\ca.crt
; require the server certificate to carry the nsCertType=server extension
ns-cert-type server
; Blowfish-CBC data-channel cipher
cipher BF-CBC
; remote entries as posted (the directive's syntax is: remote <host> [port])
remote 1194
remote 10010
remote 10020

; keep retrying hostname resolution instead of giving up
resolv-retry infinite

; log verbosity
verb 2

Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Selected traffic which goes into the VPN

Post by krzee » Fri Oct 08, 2010 12:32 pm

OpenVPN does not work like that. Your system decides what to send over the VPN and what not to based on your routing tables. Routing tables work based on subnet, not application. If you controlled the server you could run a SOCKS daemon inside the VPN and use that to selectively route applications over the VPN... but since you don't, you can't.

Feel free to give us your thoughts on your new vpn provider here: viewforum.php?f=21

OpenVpn Newbie
Posts: 1
Joined: Tue Oct 19, 2010 4:27 am

Re: Selected traffic which goes into the VPN

Post by mark555 » Tue Oct 19, 2010 4:59 am

Hi, I'm in exactly the same situation as glloq and I'm desperate, because I have been trying for more than a week to find a solution without any result. I need my ISP connection and VPN connection available at the same time, depending on the kind of application. Once a VPN connection has been established my entire computer runs over the VPN and my ISP connection is no longer available.
For now the only solution I have found is to create a virtual machine, but is it possible that such a heavy approach is the only solution?
I started the first experiments with an application using the RAS API provided with the .NET framework. I can establish the connection and get all the required information about the interfaces programmatically using the System.Net.NetworkInformation namespace, but I still haven't found a way.
In the end I found OpenVPN and tried it, but the situation is the same as with the RAS API.
Can anyone give me at least directions on where I should focus to accomplish what I'm trying to do?

Many thanks

OpenVPN User
Posts: 24
Joined: Tue Oct 12, 2010 3:48 am

Re: Selected traffic which goes into the VPN

Post by libove » Tue Oct 26, 2010 5:20 am

As krzee said, OpenVPN - and most VPNs - do not work that way. Traffic is routed by the host (on which the OpenVPN client is running) based on routing tables.
If the OpenVPN configuration (which could be selected by the Client, or pushed by the Server) sets the OpenVPN connection as the Default route, then traffic will go through the OpenVPN connection. (The exception to this is the advanced "SSL VPNs" - misnomers, but that's how they were marketed six or so years ago, such as that offered by the F5 Firepass device - which set up shims in the network stack and typically don't work for all apps).

If the initial problem is that the OpenVPN Server is pushing the Default route to be through the VPN tunnel (and if you have admin rights on the Client), you could probably set up an after-connect script to UN-do the Default route setting. That's part-way to what you're looking for, maybe.

The big question you have to ask yourself is "Is it really the *application* which selects the way the traffic should route, or is it the *destination*?" It's most likely to be the destination. For example, your email program isn't what defines that that application's calls to the TCP/IP stack should go through the VPN tunnel - it's the fact that your email server is / is not only reachable through the VPN tunnel.

If it is the destination, and if you can set up specific routes to those few destinations which require going through the OpenVPN (or, conversely, those few destinations which require NOT going through the OpenVPN), then you can do this.
To reach only "mysmallcompany" through the VPN is easy.
To reach only "mymassivecompany" through the VPN may be very difficult. One way to do so is to add an after-connect script which resolves the set of destination addresses and creates custom routes for them at that time, and re-runs from time to time to re-adjust those routes as the dynamic addresses change over time.

A key problem you may encounter if you have a very large number of custom routes required is that many clients have a limit to the effective size of their routing table. (I think on Windows XP it was around 40 routes? My memory here is VERY rusty. Not sure what Vista and Windows 7 can do; UNIX clients can likely be configured to take a much larger number of static routes.)

Good luck, I hope this is helpful.
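As an added example (not code from any poster in this thread), here is a small planner in the spirit of libove's after-connect script: it resolves the destinations that must use the tunnel and emits the Windows `route` commands that reconcile the already-installed host routes with the current address set, leaving the default route on the ISP link. The hostnames and the 10.8.0.1 VPN gateway are constructed placeholders, and it is assumed the script would be invoked from an OpenVPN connect hook and re-run periodically, as the post describes.

```python
"""Plan per-destination routes so only chosen hosts go through the VPN.
Resolves the destination hostnames and emits Windows `route` commands that
reconcile the routes already installed with the new address set; the default
route is left alone, so all other traffic keeps using the ISP connection."""
import socket
from typing import Callable, Iterable, List, Set

# Resolver signature: hostname -> set of IPv4 strings.  Injectable so the
# planner can be exercised offline with constructed data.
Resolver = Callable[[str], Set[str]]


def dns_resolver(host: str) -> Set[str]:
    """Resolve a hostname to its current IPv4 addresses via the OS resolver."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def resolve_destinations(hosts: Iterable[str],
                         resolver: Resolver = dns_resolver) -> Set[str]:
    """Union of the addresses of every destination that must use the VPN."""
    addrs: Set[str] = set()
    for host in hosts:
        try:
            addrs |= resolver(host)
        except socket.gaierror:
            continue  # a name that fails to resolve gets no route this round
    return addrs


def reconcile_routes(current: Set[str], wanted: Set[str],
                     vpn_gateway: str) -> List[str]:
    """Return the `route` commands that turn `current` into `wanted`.
    `current` holds the /32 destinations already routed via the VPN (e.g.
    parsed from `route print`); stale ones are deleted, new ones added."""
    cmds: List[str] = []
    for ip in sorted(current - wanted):
        cmds.append(f"route delete {ip} mask 255.255.255.255 {vpn_gateway}")
    for ip in sorted(wanted - current):
        cmds.append(f"route add {ip} mask 255.255.255.255 {vpn_gateway}")
    return cmds


if __name__ == "__main__":
    # Constructed example: hypothetical hostnames and VPN gateway 10.8.0.1.
    wanted = resolve_destinations(["mail.example.com", "intranet.example.com"])
    for cmd in reconcile_routes(set(), wanted, "10.8.0.1"):
        print(cmd)
```

Each re-run only touches routes whose addresses actually changed, which keeps the installed route count at exactly the size of the resolved set and avoids the routing-table growth mentioned above.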
