Forcing OpenVPN Traffic for Clients through Server

This guide is intended as a framework for expanding the capability of OpenVPN and also as a method for manual settings which force VPN traffic through the ClearOS firewall. This is useful if you need to have road warrior traffic originate from the corporate site in order to use systems which require security related to remote access from specific IPs.

This can be useful if you need traffic to 'originate' from a different location for security reasons.

Configuration of OpenVPN files

The /etc/openvpn/clients.conf file should be modified to include the following line:

push "redirect-gateway def1"


push "redirect-gateway def1 bypass-dhcp"

The bypass-dhcp stops DHCP messages going through the VPN as the local DHCP server should be resolving them.

After you make the change to the openvpn clients.conf file, restart the OpenVPN service:

service openvpn restart                  # ClearOS 5.x or 6.x
systemctl restart openvp@clients.service # ClearOS 7.x

Configuration of the firewall

No particular firewall rules are needed for ClearOS 6.x or 7.x

ClearOS 5.x may need:

iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT # Allow VPN client traffic back in if established
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT # Allow VPN clients out
iptables -t nat -I POSTROUTING -s -o eth0 -j MASQUERADE # nat for VPN


content/en_us/kb_o_forcing_openvpn_traffic_for_clients_through_server.txt · Last modified: 2018/09/14 18:00 by NickH