By default, OpenVPN (and most other VPN clients) only direct traffic that is addressed to the overlay to the tunnel. All other traffic is routed according to the machine's local route table.  This article will help you set up your VNS3 clients to direct all traffic through the overlay.


For the purposes of this article, we will assume that your VNS3 server is configured with the default overlay subnet of 172.31.1.0/22, and your client's local subnet is 192.168.100.0/24:


If you'd like all traffic to be passed through VNS3, you'll need to add


redirect-gateway def1
route 192.168.100.0 255.255.255.0 net_gateway


NOTE: The config above will lock you out of the host UNLESS your are remoted into it from the 192.168.100.0/24 subnet.   IFF you have a "NOC" or wellknown public IP that you use to access hosts from - enter it as well - for example:


route 55.55.55.55 255.255.255.255 net_gateway


to the configuration file downloaded from the VNS3 Clientpacks page.  After doing so, all of the client's outbound traffic will be directed to VNS3 - except packets that are specifically addressed to the client's local subnet.


You'll also need to provide your client a DNS server to be used while the connection is active.  This can be any DNS server that is reachable by the client while connected.  For example, [dhcp-option DNS 8.8.8.8] can be added to the clientpack configuration file to direct that client to use Google's DNS.


In VNS3, in order to give VPN clients access to 0.0.0.0/0, you'll need to add [MACRO_CUST -o eth0 -s 172.31.1.0/22 ! -d 172.31.1.0/22 -j MASQUERADE] to the firewall (again without brackets).


 


NOTE: This will not provide your VPN clients access to the AWS (underlay) subnet. They will be able to access their local subnet normally, the overlay network via the VPN, and the internet via the VPN.  If you need your VNS3 clients to have access the AWS subnet, add the following rules to the VNS3 firewall (assuming your AWS subnet is 10.10.10.0/22):


FORWARD_CUST -i eth0 -s 172.31.1.0/22 -d 10.10.10.0/22 -j ACCEPT


FORWARD_CUST -i eth0 -s 10.10.10.0/22 -d 172.31.1.0/22 -j ACCEPT