This can be achieved with iptables, by blocking traffic forwarded from the OpenVPN network interface to the network interface with internet access. openvpn-install creates a few iptables configuration files that manage the rules for you.
The following instructions assume that:
tun0 is the network interface of OpenVPN
eth0 is the network interface with internet access
Cleaning Initial Rules
First, stop the iptables-openvpn service, which unloads the rules that openvpn-install currently has in place:
systemctl stop iptables-openvpn
Configuration Files
Note: using DROP instead of REJECT is also valid; the difference is that DROP silently discards the packet, whereas REJECT returns an error to the VPN client. See the iptables man page for more info.
add-openvpn-rules.sh
In /etc/iptables/add-openvpn-rules.sh, change the line from:
iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT
to:
iptables -I FORWARD 1 -i tun0 -o eth0 -j REJECT
rm-openvpn-rules.sh
In /etc/iptables/rm-openvpn-rules.sh, change the line from:
iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT
to:
iptables -D FORWARD -i tun0 -o eth0 -j REJECT
Applying The Changes
Start the service again; the rules from the edited scripts are loaded and take effect immediately:
systemctl start iptables-openvpn
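Because the first matching rule in the FORWARD chain decides the verdict (which is why the scripts insert at position 1), it is worth confirming that the REJECT rule really is the first tun0 to eth0 match after the restart. The following audit helper is an added example, not part of openvpn-install: it assumes the tun0/eth0 names from above and parses a constructed sample of `iptables -S FORWARD` output (replace it with the real command's output on the server).

```shell
#!/bin/sh
# Added example (not openvpn-install code): find the verdict of the first
# FORWARD rule matching traffic entering on IN_IF and leaving on OUT_IF.
# Only interface matches (-i/-o) are examined; a rule without them is treated
# as matching any interface, other match modules (-s, -m state) are ignored.

# Constructed sample of `iptables -S FORWARD` after the edit above.
# On a real server use: SAMPLE_RULES=$(iptables -S FORWARD)
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -i tun0 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# first_verdict RULES IN_IF OUT_IF -> target of the first matching rule,
# or the chain policy when no rule matches.
first_verdict() {
    rules=$1; in_if=$2; out_if=$3
    policy=$(printf '%s\n' "$rules" | awk '$1=="-P" && $2=="FORWARD" {print $3}')
    verdict=$(printf '%s\n' "$rules" | awk -v i="$in_if" -v o="$out_if" '
        $1=="-A" && $2=="FORWARD" {
            ii=""; oo=""; j="";
            for (k = 3; k <= NF; k++) {
                if ($k == "-i") ii = $(k+1);
                if ($k == "-o") oo = $(k+1);
                if ($k == "-j") j  = $(k+1);
            }
            # missing -i or -o means the rule applies to any interface
            if ((ii == "" || ii == i) && (oo == "" || oo == o)) { print j; exit }
        }')
    if [ -n "$verdict" ]; then printf '%s\n' "$verdict"; else printf '%s\n' "$policy"; fi
}

# vpn_internet_blocked RULES -> exit 0 if tun0->eth0 forwarding is denied
vpn_internet_blocked() {
    case "$(first_verdict "$1" tun0 eth0)" in
        REJECT|DROP) return 0 ;;
        *)           return 1 ;;
    esac
}

if vpn_internet_blocked "$SAMPLE_RULES"; then
    echo "OK: tun0 -> eth0 forwarding is denied for VPN clients"
else
    echo "WARNING: tun0 -> eth0 forwarding is still permitted"
fi
```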
Split Tunneling
Pushing routes to the VPN clients can then be used to request that they send internet traffic through their own network. Here are the lines I added to my OpenVPN server.conf file to achieve this (my VPN network is at 10.8.0.0/24):
push "route 10.8.0.0 255.255.255.0 vpn_gateway"
push "route 0.0.0.0 0.0.0.0 net_gateway"