Routing All Traffic Through a VPN Gateway on Linux



When you connect to a VPN, the VPN gateway may not become the default gateway for all of your Internet traffic. Instead, your default gateway remains the gateway of your local LAN. The VPN gateway is used only for routing traffic through specific hosts.

If this happens, it’s probably because your VPN provider configured the default connection settings so that only certain traffic goes through the VPN. For example, if you have a company VPN, the default setting might be to route traffic through the VPN gateway only when connecting to your company’s apps or sites. This configuration dramatically reduces the amount of traffic that ends up going through the VPN. It keeps the load on the company’s VPN server light.

But sometimes, you want all of your traffic to go through the VPN, even if that is not how it is set up by default. Fortunately, it’s easy enough to change your default gateway on Linux by manually reconfiguring routing tables. Here’s how.


The steps below assume that you are already logged in to your VPN service. It doesn’t matter which client you use to connect, or which type of VPN server you’re connecting to.

For the record, I’ll also note that I only tested these steps on Ubuntu Linux. They should work on any other mainstream Linux distribution, too, since we are working from the command line and nothing in this guide is Ubuntu-specific. Still, I can’t guarantee that this will work for you if you run an obscure, ultra-customized distribution.

Find your VPN gateway

The first thing you need to do is identify the IP address of your VPN gateway. This involves a bit of guesswork. But that’s what makes things fun.

To get a list of IP addresses to guess from, run a command like the following while you are connected to your VPN:

sudo tcpdump -n -i tun0

(I assume your VPN interface is called tun0. If it’s different, adjust the command accordingly. Running ifconfig after logging in to the VPN will give you a list of all interfaces on your system.)

Wait a few seconds. If you don’t get any output, connect to an app or website that you know is routed through the VPN by default to generate some VPN traffic. After you get a little bit of output, press control-C to kill the program.

You should now have a fair amount of information in your terminal, which shows how packets are being routed on your VPN connection. The output will look something like this (though it may be much longer than this tiny snippet):

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:49:24.216553 IP > UDP, length 173
18:49:25.072940 IP > 17371+ A? (31)

Notice from the example that traffic going to the site was routed through a host with the IP address Since we know that gateways usually (though not necessarily) have IP addresses ending in 1, there’s a good chance that this is the VPN gateway. We’ll assume it is in the following steps.

If you’re not positive what the IP address of your gateway is, feel free to try the steps below with multiple candidates. The worst thing that could happen is that you will temporarily break your networking. In that case, simply rebooting the computer will set everything back to normal.

Delete your default gateway

Now comes the easier part. You want to delete your current default gateway so that you can set the VPN gateway in its place. This will tell your system to route all Internet traffic through the VPN gateway.

To identify your current default gateway, run:


The output will look something like:

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    600    0        0 eth0
link-local      *          U     1000   0        0 eth0     *        U     600    0        0 eth0

Notice the line that begins with the word “default.” The number in the Gateway column there is your current default gateway. In this case (and most cases when you’re dealing with a residential network), it’s

Now that we’ve found the default gateway, we tell the system to delete it with:

ip route del default via

Adding a new gateway

And now comes the easiest part of all. With the local default gateway deleted, set the VPN gateway (again, that’s in our example) as the new default with:

ip route add default via

That’s it. Now any websites, apps or other Internet-connected things you use on your system will route their traffic through your VPN service.

Fixing the routes after disconnecting the VPN

One last thing you should know is that if you disconnect from the VPN, your network connection will be broken (as in, you won’t be able to connect to anything) because the system will keep trying to route traffic through the VPN gateway, which will no longer be connected.

The fix is simple. Just reverse the two previous steps by deleting the VPN gateway as your default route and adding your local gateway in its place:

ip route del default via
ip route add default via

If your VPN client lets you configure post-session scripts, you can easily put these commands in so that they run automatically whenever you disconnect from the VPN.

Chris Tozzi has worked as a journalist and Linux systems administrator. He has particular interests in open source, agile infrastructure and networking. He is Senior Editor of content and a DevOps Analyst at Fixate IO.


Leave a Comment

Your email address will not be published. Required fields are marked *

Skip to toolbar