OpenVPN Client pass all the VLAN10 traffic to the OpenVPN Tunnel

Hi guys!

Does anyone know how to route all traffic of the VLAN10 to the OpenVPN Client Tunnel ? I don’t know how to achieve that.

My tunnel is up, but I want to route everything from VLAN10 to the VPN.


Sure! It’s quite easy.

First you setup a policy.
This policy says "If I see any traffic with a source address of (your VLAN10 clients) then I am going to put that traffic into routing table 100. You can use any table ID, it doesn’t have to be 100.

me@vyos# show policy
     rule 10 {
         source {
             address <Subnet of VLAN10> (i.e.
         set {
             table 100

Next you setup routing table 100 so it says “My default route for all traffic is out the OpenVPN Interface”

me@vyos# show protocols static
 table 100 {
     interface-route {
         next-hop-interface vtunX { (change the X to your OpenVPN Tunnel ID)

Finally you need to apply the policy to your VLAN10 interface. This is so traffic coming into VLAN10 is pushed to be inspected by the policy. Without it, nothing above will work.

[edit interfaces ethernet eth1]
me@vyos# show
  vif 10
    address x.x.x.x/y
    description "XXX Network"
    policy {

So to summarise:
You apply a policy to your traffic leaving vif10 that’s a policy route.
You setup a policy route that says “all traffic from this source is sent to this routing table”
And then you setup a routing table that says “the default route for this routing table is out the OpenVPN Interface”

The only other thing to watch out for is you don’t have strict source-validation enabled - doing policy based routing will “break” the checks and traffic won’t flow.

1 Like

Thanks for the explaination!

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.