Implementation
Add the following directive to the server configuration file:
push "redirect-gateway def1"
If your VPN setup is over a wireless network, where all clients and the
server are on the same wireless subnet, add the local flag:
push "redirect-gateway local def1"
The local flag stops the client from adding a host route to the server via
its pre-existing default gateway; that route is only needed when the server
is reached through a gateway, not when it sits on the same subnet.
Pushing the redirect-gateway option to clients causes all IPv4 traffic
originating on client machines to pass through the OpenVPN server. The
server must then be configured to handle that traffic, for example by
NATing it to the internet or by routing it through the server site's HTTP
proxy. Note that the pushed routes cover IPv4 only: a client with native
IPv6 connectivity will keep sending IPv6 traffic outside the tunnel unless
that is also redirected (OpenVPN 2.4 and later accept an ipv6 flag on
redirect-gateway) or blocked on the client.
On Linux, a command such as the following NATs the VPN client traffic to
the internet:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
This command assumes that the VPN subnet is 10.8.0.0/24 (taken from the
server directive in the OpenVPN server configuration) and that the
internet-facing ethernet interface is eth0. The NAT rule alone is not
sufficient: IP forwarding must be enabled in the kernel
(net.ipv4.ip_forward=1), and if the FORWARD chain has a DROP policy,
traffic between the tun interface and eth0 must be explicitly allowed.
When redirect-gateway is used, OpenVPN clients will route DNS queries
through the VPN, and the VPN server will need to handle them. This can be
accomplished by pushing a DNS server address to connecting clients, which
replaces their normal DNS server settings for as long as the VPN is
active. For example:
push "dhcp-option DNS 10.8.0.1"
will configure Windows clients (or non-Windows clients with some extra
client-side scripting that applies the pushed option) to use 10.8.0.1 as
their DNS server. Any address that is reachable from clients once the
tunnel is up may be used as the DNS server address.
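The server-side steps above (push the redirect, enable forwarding and NAT, push a tunnel-side DNS server) collected into one script. This is an added example, not code from the OpenVPN HOWTO. The VPN subnet 10.8.0.0/24 and interface eth0 are carried over from the text; tun0 as the tunnel interface and 10.8.0.1 as the resolver address are assumptions, and all four can be overridden from the environment. The script also adds what the text leaves implicit: the ip_forward sysctl and explicit FORWARD rules, so the NAT still works on a host whose FORWARD policy is DROP. With "show" it prints the plan instead of executing it.

```sh
#!/bin/sh
# Added example (not from the OpenVPN HOWTO): server-side setup for pushing
# redirect-gateway to clients. Assumed values, overridable from the environment:
# VPN subnet 10.8.0.0/24 on tun0, internet-facing interface eth0, and a
# resolver listening on the server's tunnel address 10.8.0.1.
# With DRY_RUN set, every privileged command is printed instead of executed.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
DNS_ADDR="${DNS_ADDR:-10.8.0.1}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Directives to append to the OpenVPN server config. def1 adds 0.0.0.0/1 and
# 128.0.0.0/1 routes that override the client's default route without
# deleting it, so the original gateway comes back when the tunnel closes.
server_directives() {
    cat <<EOF
push "redirect-gateway def1"
push "dhcp-option DNS ${DNS_ADDR}"
EOF
}

# The kernel drops forwarded packets unless IP forwarding is enabled; the
# MASQUERADE rule alone does nothing for traffic that never reaches the
# POSTROUTING chain.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# NAT the VPN subnet out the WAN interface, and add explicit FORWARD rules so
# the setup also works when the FORWARD chain policy is DROP: new flows only
# from the tunnel towards the WAN, replies only back into the tunnel. The
# pushed DNS address lives on the server itself, so allow that on INPUT.
firewall_rules() {
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$VPN_NET" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -i "$VPN_IF" -s "$VPN_NET" -d "$DNS_ADDR" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$VPN_IF" -s "$VPN_NET" -d "$DNS_ADDR" -p tcp --dport 53 -j ACCEPT
}

main() {
    echo "# append to the OpenVPN server config:"
    server_directives
    echo "# run on the server as root:"
    enable_forwarding
    firewall_rules
}

# "show" prints the plan; "apply" executes the sysctl and iptables commands
# (as root). The config directives are always only printed, never installed.
case "${1:-}" in
    show)  DRY_RUN=1; main ;;
    apply) main ;;
esac
```

Run it with "show" first and compare the printed rules against the existing ruleset (iptables -S; iptables -t nat -S); the rules append rather than replace, so running "apply" twice leaves duplicates.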
Best Answer
This is a routing question, so using iptables may not be suitable. Here we will use iproute2, which, fortunately, is included with DD-WRT.
Suppose 1.1.1.1 is the IP address of the default gateway of the DD-WRT (you have to figure it out, maybe by disabling OpenVPN so that the default gateway is set back to normal, and issuing a route -n command to see the normal, before-OpenVPN-gets-connected default gateway).
Now set up another route table like this (we will use table 10):
And set up rules so that traffic from some IPs in the LAN will get routed using this new table:
Or from individual IPs:
You can verify with:
Read more here on startup scripts on DD-WRT if you want all of this to survive a reboot.
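The procedure the answer describes, as an added example that is not the answer's own code: a generator for the iproute2 commands that send selected LAN sources around the VPN through a separate table. The gateway 1.1.1.1 and table 10 are taken from the answer; the LAN addresses used in the comments and usage are made up. It is plain POSIX sh so the output can be pasted into the DD-WRT startup script, which BusyBox runs, and it validates every address first so a typo cannot become a malformed rule on the router.

```sh
#!/bin/sh
# Added example, not the answer's own code: generate the iproute2 commands
# that route chosen LAN sources around the VPN via a separate routing table.
# Assumptions: 1.1.1.1 is the pre-VPN default gateway and 10 the table
# number (both from the answer above); the LAN addresses are made up.
# Output is meant to be reviewed, then pasted into the DD-WRT startup script.
TABLE="${TABLE:-10}"

# a.b.c.d with every octet in 0-255; rejects anything else so that a typo
# cannot end up as a malformed rule in the startup script.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# A host address or a CIDR block with prefix length 0-32.
is_ipv4_or_cidr() {
    case $1 in
        */*)
            prefix=${1#*/}
            case $prefix in ''|*[!0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1
            ;;
    esac
    is_ipv4 "${1%%/*}"
}

# Emit the commands: one default route in the extra table pointing at the
# ISP gateway (the kernel resolves its interface from the WAN connected
# route, which stays in the main table while the VPN is up), then one rule
# per source. Rules added without an explicit preference land ahead of the
# main table, so matching traffic never sees the VPN default route.
bypass_commands() {
    gw=$1
    shift
    is_ipv4 "$gw" || { echo "bad gateway address: $gw" >&2; return 1; }
    [ $# -ge 1 ] || { echo "no source addresses given" >&2; return 1; }
    echo "ip route add default via $gw table $TABLE"
    for src in "$@"; do
        is_ipv4_or_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
        echo "ip rule add from $src table $TABLE"
    done
    # Harmless on kernels without an IPv4 route cache, required on older ones.
    echo "ip route flush cache"
}

# Commands that show the result; "ip route get" with a LAN source proves
# which gateway a given host actually ends up using.
verify_commands() {
    echo "ip rule show"
    echo "ip route show table $TABLE"
    echo "ip route get 8.8.8.8 from ${1%%/*}"
}

# usage: sh bypass.sh GATEWAY SOURCE [SOURCE...]  > startup-fragment.sh
# e.g.   sh bypass.sh 1.1.1.1 192.168.1.10 192.168.1.64/26
if [ $# -ge 2 ]; then
    bypass_commands "$@" && verify_commands "$2"
fi
```

Traffic from the listed sources leaves through the ISP gateway in the clear, so check the "ip route get" output for each host before relying on the split: it must name 1.1.1.1 as the gateway, not the tunnel interface.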