Add Routes to OpenVPN Client Config

OpenVPN supports per-network route directives in the client config. NetRoute Pro generates these directives from any website's domains — add them to your .ovpn and you have split tunneling in minutes.

Command Syntax

Syntax:

route <NETWORK> <NETMASK>

Example:

route 1.1.1.0 255.255.255.0

Add the directives to your client .ovpn file. With route-nopull set, routes pushed by the server are ignored, so only these networks are routed through the VPN. See the OpenVPN 2.6 manual.

Prerequisites

Step 1. Generate route directives in NetRoute Pro

  1. Open the target website in Chrome
  2. Click the NetRoute Pro icon in your extensions
  3. Select the OpenVPN platform
  4. Choose aggregation mask (recommended /24)
  5. Click Analyze Website
  6. Copy the generated output — one directive per line:
    route 104.21.32.0 255.255.255.0
    route 172.67.182.0 255.255.255.0
    route 162.159.135.0 255.255.255.0
Tip: enable RIPE BGP optimization — it emits announced BGP prefixes that remain valid across CDN IP rotations. Caveat: RIPE BGP returns all prefixes announced by the destination AS — for multi-tenant CDNs (Cloudflare AS13335, AWS AS16509, DigitalOcean AS14061) that’s tens of thousands of IPs covering unrelated sites. Use BGP optimization for single-tenant ASes; keep plain /24 CIDR aggregation for shared CDNs.

Step 2. Edit your .ovpn config

  1. Open your .ovpn file in a text editor
  2. Remove any redirect-gateway def1 line — it routes everything through the VPN and defeats split tunneling
  3. Remove any push "redirect-gateway def1" line if present
  4. Paste the route directives at the end of the file, above any inline <cert>, <key>, <ca>, or <tls-auth> blocks
  5. Save the file

client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# Split tunneling — routes only specific subnets through the VPN
route 104.21.32.0 255.255.255.0
route 172.67.182.0 255.255.255.0
route 162.159.135.0 255.255.255.0

<ca>
...
</ca>

Step 3. Reconnect the VPN

Disconnect and reconnect the OpenVPN client so it reloads the config and applies the new routes.

Alternative: server-side routes

If you're the VPN administrator and want to push routes to all clients automatically, add this to the server config:

push "route 104.21.32.0 255.255.255.0"
push "route 172.67.182.0 255.255.255.0"

Clients receive the routes on connect — no client-side edits needed.

DNS leak — required reading

This guide routes traffic by IP. It does not route DNS. Your browser still asks the system resolver (usually your ISP’s) for example.com first — only the resulting IP traffic flows through the tunnel. With route-nopull the situation is worse: server-pushed DNS is also dropped, so all DNS goes via your default resolver.

Three options, by threat model:

  1. Hide DNS from ISP via VPN’s resolver. Use selective pull-filter instead of full route-nopull — drop only the all-traffic redirect, keep the DNS push:
    pull-filter ignore "redirect-gateway"
    pull-filter accept "dhcp-option DNS"
    On Windows, also add block-outside-dns to prevent the OS from querying DHCP-provided DNS in parallel.
  2. Reduce ISP visibility (public DoH/DoT). Configure a public encrypted resolver at the OS level (Cloudflare 1.1.1.1, AdGuard, Quad9). The ISP no longer sees domain queries; the public resolver does.
  3. Accept the leak. If your goal is content access, not surveillance avoidance, this is fine — the data path is still encrypted.

Verify with dnsleaktest.com or browserleaks.com/dns — the resolver shown should match what you configured, not your ISP.

IPv6 dual-stack bypass

The route directive is IPv4-only. If a destination has an AAAA record (most popular sites do), the OS prefers IPv6 over IPv4 per RFC 6724 — that traffic skips the tunnel and exits via your ISP’s default v6 route.

Two fixes:

Verify

After reconnecting, check that the routes are installed:

The added subnets should route via your OpenVPN adapter (typically tun0 or similar — use whatever interface your OpenVPN client creates).

Common issues

route directives ignored

Common causes:

Note: route-nopull does not cause local route directives to be ignored — it only drops routes pushed by the server. Local route lines in the client config still apply, which is exactly what you want for split tunneling.

DNS leaks on Windows

Windows can still query DNS outside the tunnel. Add this to the client config:

block-outside-dns

Routes added but traffic doesn't go through VPN

The routes are correct, but the VPN server isn't NAT-ing your traffic for those destinations. This is a server-side fix — the administrator needs to enable masquerade/NAT for the client subnet on the VPN interface.

Example Configuration File

Ready-to-edit template with inline comments. Replace the example routes with output from NetRoute Pro for your target sites.


# Example OpenVPN client config snippet for split tunneling.
# Generated by NetRoute Pro: https://alexander2k.github.io/netroute-site/
#
# Append these directives to your existing client .ovpn file. With route-nopull
# the server's pushed routes are ignored — only the explicit `route` lines below
# go through the VPN. Reconnect the client after editing.

route-nopull

# Format: route <NETWORK> <NETMASK>
# Replace these example networks with output from NetRoute Pro.
route 1.1.1.0   255.255.255.0
route 8.8.8.0   255.255.255.0
route 162.159.0.0 255.255.0.0

# Verify after reconnect: openvpn3 sessions-list  (or)  netstat -rn

Tip: Need a config without these comment lines? In NetRoute Pro options, uncheck “Include comments in exported files” — the extension will export only the route commands. Useful for routers that don’t tolerate comment lines.
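
A pre-connect check for the pitfalls described on this page (a leftover redirect-gateway, route-nopull dropping pushed DNS, malformed or very broad route lines, IPv4-only routes), added here as an example and not part of NetRoute Pro or OpenVPN. The function name, the finding codes, the /16 breadth threshold and both sample configs are assumptions made for illustration.

```python
import ipaddress

def audit_ovpn(text, min_prefix=16):
    """Return sorted finding codes; min_prefix is an assumed 'too broad' cut-off."""
    opts, inline = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):           # <ca> opens, </ca> closes an inline block
            inline = not line.startswith("</")
        elif line and not inline and line[0] not in "#;":
            opts.append(line.split())      # [directive, arg, ...]
    names, found = {o[0] for o in opts}, set()
    filtered = any(o[:2] == ["pull-filter", "ignore"]
                   and "redirect-gateway" in " ".join(o[2:]) for o in opts)
    if "redirect-gateway" in names:        # everything goes via the VPN
        found.add("FULL_TUNNEL")
    if "route-nopull" in names:            # pushed DNS is dropped with the routes
        found.add("PUSHED_DNS_DROPPED")
    elif not filtered:                     # a pushed redirect-gateway would apply
        found.add("SERVER_MAY_PUSH_REDIRECT")
    routes = [o for o in opts if o[0] == "route"]
    for o in routes:
        mask = o[2] if len(o) > 2 else "255.255.255.255"  # OpenVPN default netmask
        try:  # strict parse: bad masks, host bits set, hostnames all raise
            if ipaddress.IPv4Network(f"{o[1]}/{mask}").prefixlen < min_prefix:
                found.add("BROAD_ROUTE")
        except (ValueError, IndexError):
            found.add("BAD_ROUTE")
    if routes and "route-ipv6" not in names:  # route-ipv6 is the IPv6 form of route
        found.add("IPV6_BYPASS")
    return sorted(found)

# Constructed sample configs (not from the page).
RISKY = """client
redirect-gateway def1
route-nopull
route 104.21.32.7 255.255.255.0
route 162.0.0.0 255.0.0.0
<ca>
...
</ca>
"""
SELECTIVE = """client
pull-filter ignore "redirect-gateway"
pull-filter accept "dhcp-option DNS"
route 104.21.32.0 255.255.255.0
"""
print(audit_ovpn(RISKY), audit_ovpn(SELECTIVE), sep="\n")
```

Run against the template above, it reports PUSHED_DNS_DROPPED and IPV6_BYPASS, which are the two leaks that config leaves open.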
