By default, OpenVPN (and most other VPN clients) sends only traffic addressed to the overlay through the tunnel. All other traffic is routed according to the machine's local route table. This article will help you set up your VNS3 clients to direct all traffic through the overlay.

For the purposes of this article, we will assume that your VNS3 server is configured with the default overlay subnet of, and your client's local subnet is

If you'd like all traffic to be passed through VNS3, you'll need to add

redirect-gateway def1
route net_gateway

to the configuration file downloaded from the VNS3 Clientpacks page.  After doing so, all of the client's outbound traffic will be directed to VNS3 - except packets that are specifically addressed to the client's local subnet.

You'll also need to provide your client a DNS server to be used while the connection is active.  This can be any DNS server that is reachable by the client while connected.  For example, [dhcp-option DNS] can be added to the clientpack configuration file to direct that client to use Google's DNS.
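To confirm that an edited clientpack file carries all three client-side directives described above, a small check such as the following can be run against it. This is an added example, not part of the original article or of VNS3's tooling; the function names, the remote host name and every address in the sample are constructed for illustration.

```python
# Constructed sample clientpack fragment. The addresses are placeholders
# chosen for this example, not values from the article or VNS3 defaults.
SAMPLE_CONF = """\
client
dev tun
remote vns3.example.invalid 1194
redirect-gateway def1
route 192.168.1.0 255.255.255.0 net_gateway
dhcp-option DNS 192.0.2.53
"""


def parse_directives(text):
    """Split an OpenVPN config into token lists, dropping # and ; comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";"):
            continue
        tokens = line.split("#", 1)[0].split()
        if tokens:
            rows.append(tokens)
    return rows


def audit_full_tunnel(text):
    """Return a list of findings; an empty list means all checks passed."""
    rows = parse_directives(text)
    findings = []

    gateway = [r for r in rows if r[0] == "redirect-gateway"]
    if not gateway:
        findings.append("no redirect-gateway: only overlay traffic uses the tunnel")
    elif "def1" not in gateway[0][1:]:
        findings.append("redirect-gateway present but without def1")

    # Expected shape: route <network> <netmask> net_gateway
    local = [r for r in rows if r[0] == "route" and "net_gateway" in r]
    if not local:
        findings.append("no 'route ... net_gateway': local subnet not exempted")
    elif any(r.index("net_gateway") != 3 for r in local):
        findings.append("route net_gateway lacks a network and netmask")

    dns = [r for r in rows if r[:2] == ["dhcp-option", "DNS"] and len(r) == 3]
    if not dns:
        findings.append("no dhcp-option DNS: no DNS server set for the connection")
    return findings


if __name__ == "__main__":
    print(audit_full_tunnel(SAMPLE_CONF) or "full-tunnel directives present")
```
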

In VNS3, in order to give VPN clients access to, you'll need to add [MACRO_CUST -o eth0 -s ! -d -j MASQUERADE] to the firewall (again without brackets).


NOTE: This will not provide your VPN clients access to the AWS (underlay) subnet. They will be able to access their local subnet normally, the overlay network via the VPN, and the internet via the VPN. If you need your VNS3 clients to have access to the AWS subnet, add the following rules to the VNS3 firewall (assuming your AWS subnet is

FORWARD_CUST -i eth0 -s -d -j ACCEPT

FORWARD_CUST -i eth0 -s -d -j ACCEPT