How to Ensure All Your Traffic Goes through a VPN on Linux

by Tracy Knauer •

Is your VPN protecting all of your online activity? Depending on how the software is configured, it may not be. But if you’re using Linux, it’s easy enough to force the VPN to encrypt all of your traffic. Here’s how.

Some VPN servers and clients are configured by default to route only certain traffic through the VPN server. That’s often the case if you’re using a company or university VPN that is intended to allow users to access internal apps and services from remote locations, rather than encrypt all of their online activity.

Using a VPN in such situations can provide a false sense of security. You think the VPN is encrypting all of your traffic, but it actually only protects information exchanged with certain sites.

With a little work, however, you can force your Linux system to route all of your Internet traffic through the VPN connection. That ensures that the sites you visit, as well as the data you upload and download, remain invisible to people who do not have access to your computer or to the VPN server you’re using.

Here are the steps for configuring complete VPN routing on a Linux system. These are tested on Ubuntu 14.04 but should apply to any modern Linux system.

Configuring Your VPN for Full-Traffic Encryption

First of all, of course, you need to have you VPN set up and be logged into it. The steps for installing VPN software on Linux will vary according to the VPN service you use.

Next, with the VPN up and running, follow these steps to route all traffic through it:

1. Determine your current default gateway IP address by running the command “netstat -r” You should see a table that contains a line similar to this:

default UG 0 0 0 wlan0

The IP address to the right of the word “default” is your default gateway. In this case, it’s

2. Delete the default gateway from your routing table with a command like this:

sudo ip route del default via

Replace “” in the example above with the IP address of your default gateway that you found in step 1.

3. Find the IP address of your VPN’s gateway. You may be able to look this up in your VPN provider’s documentation. If not, here are a couple of ways to try to figure it out on your own:

  • Run this command:
    sudo dhclient -v tun0

    You should get output containing a line that reads something like “DHCPOFFER of a.b.c.d from x.y.w.z.” “x.y.w.z” is the address of the VPN gateway. (You may need to reboot your computer after running this command, because it will have temporarily reconfigured your network connection in a way that prevents it from working.)

  • Run this command:
    sudo tcpdump -n -i tun0

    then immediately browse to a site that you can only reach while logged in to your VPN, such as a company Web portal. After the site loads, press Press control-C in the terminal to kill the command.

    A string of IP addresses and other information will have appeared in the terminal where you ran the command. One of those IP addresses — most likely one beginning with the number 128 or 10 — will be for your VPN’s gateway. Using informed trial and error, you should be able to figure out which one.

4. Once you have determined your VPN’s gateway, change the routing settings on your computer in a way that forces all traffic to route through the VPN gateway with a command like this:

sudo ip route add default via

“” is the VPN gateway in the example above. Replace that string with your VPN’s gateway.

That’s it. Now, all traffic will route through your VPN.

By the way, if you stop using the VPN, you will need to reverse the steps above in order to route traffic through your default gateway again. Refreshing your connection in Network Manager will probably also do this for you automatically.

Comments 3

  1. Hi. I am running linux in a virtualbox. But, I still need to stop regular traffic if the vpn is down. In Virtualbox the default gateways are, and they will not delete. How would I go about achieving this goal, in the virtualbox?


  2. Hello,
    here is the outpout of route under ubuntu :
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    default UG 600 0 0 wlp2s0
    link-local * U 1000 0 0 wlp2s0 * U 0 0 0 vmnet8 * U 0 0 0 vmnet1 * U 50 0 0 tun0 * U 600 0 0 wlp2s0
    host-196-47-189 UGH 600 0 0 wlp2s0

    After following your tutorial, i am still not able to access local lan
    I would like to know what does the last line show ?

Leave a Reply

Your email address will not be published.