Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Split Tunneling (site-to-site, client, server)

When the OpenVPN tunnel is established between the two endpoints, by default, only the VPN traffic is routed through the tunnel. Other traffic, such as packets going to other places on the Internet, is still routed using the normal default route, not through the VPN tunnel. This split tunneling occurs because two tunnels (are considered) to exist: the normal traffic route and the VPN tunnel.

On the one hand, split tunneling is very efficient because non-VPN traffic (for example, Internet traffic) travels through the normal route. In a remote access VPN setup, for example, split tunneling means that Internet traffic from a remote user travels to and from the user ISP directly without going to the VPN server, company network, firewall, and so on. On the other hand, bypassing these functions can be considered a security issue because, in such cases, the Internet traffic is not filtered or protected according to a company policy.

To disable split tunneling, use the configuration shown in the following example.

Configuration options related to split tunneling

interfaces {
    openvpn if_name {
        replace-default-route {
  • replace-default-route: This argument tells OpenVPN that the default route should be replaced by a route through the VPN tunnel, that is, split tunneling should be disabled. Note that, when set, this option has different effects depending on the OpenVPN mode in which the endpoint operates.
    • If the endpoint is in site-to-site mode or client mode, using replace-default-route replaces the default route on this endpoint with a route through VPN tunnel. In other words, it disables split tunneling on this endpoint.
    • If the endpoint is in server mode, using replace-default-route causes the clients connecting to this server to replace their default route. In other words, it disables split tunneling on the clients.
  • local: This keyword under replace-default-route must be set if and only if the two tunnel endpoints are directly connected, i.e., on the same subnet.

Of course, because the OpenVPN tunnel interface is routable, static routes can be added, with or without split tunneling, to override the default behavior.