This can be achieved through the use of iptables, by blocking traffic headed from the OpenVPN network interface to the network interface with internet access. openvpn-install creates a few iptables configuration files that manage the rules for you.

The following instructions assume that:

- `tun0` is the network interface of OpenVPN
- `eth0` is the network interface with internet access
## Cleaning Initial Rules

First, we need to disable the current rules loaded by openvpn-install by running the following command:

```sh
systemctl stop iptables-openvpn
```
Then, in `/etc/iptables/add-openvpn-rules.sh`, change the line from:

```sh
iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT
```

to:

```sh
iptables -I FORWARD 1 -i tun0 -o eth0 -j REJECT
```

And in `/etc/iptables/rm-openvpn-rules.sh`, change the line from:

```sh
iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT
```

to:

```sh
iptables -D FORWARD -i tun0 -o eth0 -j REJECT
```

Note: `DROP` instead of `REJECT` is also valid; it just doesn't return an error to the VPN client. See the iptables man page for more info.
## Applying The Changes

Run the following command and your changes should be saved and in effect:

```sh
systemctl start iptables-openvpn
```
Routes can then be pushed to the VPN clients to request that they send internet traffic through their own network. Here are the lines I added to my OpenVPN `server.conf` file to achieve this (my VPN network is at

```
push "route 10.8.0.0 255.255.255.0 vpn_gateway"
push "route 0.0.0.0 0.0.0.0 net_gateway"
```
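The two script edits and the `server.conf` lines above, as an added example that is not openvpn-install's own code: a POSIX shell script that rewrites only the `tun0` to `eth0` FORWARD rule in both iptables scripts (leaving the return-path and NAT rules alone), reads the rule's target back, and checks `server.conf` for the two pushed routes. It runs against constructed copies of the files; everything in those copies beyond the lines shown on the page, and the helper names, are assumptions. The `server.conf` check also fails if a `redirect-gateway` is still being pushed, since that directive tells clients to route all traffic through the tunnel and would defeat the `net_gateway` route.

```shell
#!/bin/sh
# Added example, not part of openvpn-install: apply the edits described above
# to copies of the two iptables scripts and server.conf, then verify them.
# Paths and interface names are parameters so it can be dry-run on copies.
set -eu

# harden_forward_rule FILE TUN_IF OUT_IF
# Rewrite the TUN_IF -> OUT_IF FORWARD rule in FILE from ACCEPT to REJECT.
# Only that line is touched, so the OUT_IF -> TUN_IF return rule and the NAT
# rules stay as they are. Returns 1 if FILE has no such ACCEPT line.
harden_forward_rule() {
  file=$1; tun_if=$2; out_if=$3
  grep -Eq "iptables -[ID] FORWARD.*-i $tun_if -o $out_if -j ACCEPT" "$file" || return 1
  sed -E -i "s|(iptables -[ID] FORWARD.*-i $tun_if -o $out_if -j )ACCEPT|\1REJECT|" "$file"
}

# forward_rule_target FILE TUN_IF OUT_IF
# Print the target (ACCEPT, REJECT or DROP) of the TUN_IF -> OUT_IF FORWARD rule.
forward_rule_target() {
  grep -E "FORWARD.*-i $2 -o $3 -j " "$1" | head -n 1 | sed -E 's/.*-j ([A-Z]+).*/\1/'
}

# check_server_conf FILE
# Both push routes must be present and no "redirect-gateway" may be pushed,
# otherwise clients still send all traffic through the tunnel.
# Prints "ok" on success, or the first problem found (and returns 1).
check_server_conf() {
  conf=$1
  grep -Fq 'push "route 0.0.0.0 0.0.0.0 net_gateway"' "$conf" || { echo "missing net_gateway route"; return 1; }
  grep -Eq 'push "route [0-9.]+ [0-9.]+ vpn_gateway"' "$conf" || { echo "missing vpn_gateway route"; return 1; }
  if grep -Eq '^push "redirect-gateway' "$conf"; then echo "redirect-gateway still pushed"; return 1; fi
  echo ok
}

# make_samples DIR
# Write constructed copies of the three files into DIR. Only the FORWARD and
# push lines come from the page; the remaining lines are assumed filler.
make_samples() {
  dir=$1
  cat > "$dir/add-openvpn-rules.sh" <<'EOF'
#!/bin/sh
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT
EOF
  cat > "$dir/rm-openvpn-rules.sh" <<'EOF'
#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT
EOF
  cat > "$dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0 vpn_gateway"
push "route 0.0.0.0 0.0.0.0 net_gateway"
EOF
}

# Demo on throwaway copies: harden both scripts and report what is in effect.
demo() {
  dir=$(mktemp -d)
  make_samples "$dir"
  harden_forward_rule "$dir/add-openvpn-rules.sh" tun0 eth0
  harden_forward_rule "$dir/rm-openvpn-rules.sh" tun0 eth0
  printf 'add script, tun0->eth0 FORWARD target: %s\n' "$(forward_rule_target "$dir/add-openvpn-rules.sh" tun0 eth0)"
  printf 'rm script,  tun0->eth0 FORWARD target: %s\n' "$(forward_rule_target "$dir/rm-openvpn-rules.sh" tun0 eth0)"
  printf 'server.conf: %s\n' "$(check_server_conf "$dir/server.conf")"
  rm -rf "$dir"
}
demo
```

To use it on a real host, point `harden_forward_rule` at the two files under `/etc/iptables/` while `iptables-openvpn` is stopped, then start the service again as described above; `forward_rule_target` on each file is a quick way to confirm the edit before restarting.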