Routing over VPN by using default gateway

1

I have a small Ubuntu box that runs some services used on my local network and on the internet. The default gateway on this box is clearly my cable modem and all works fine... the relevant port-forwarding entries are in the router for the external services.

However, I wish to use this box to also route some traffic via VPN to another country (like the Netflix-type scenario, but not in this case). I have set up OpenVPN and used --route-noexec as I don't want to route anything from the box through the VPN, so my VPN link is up and my routing table is unchanged.

All good so far. Now I wish to change the gateway address on other hosts on my network to be this host running OpenVPN and have them route over the VPN tunnel. I believe I need to have a separate routing table to make this work, so I set up a dummy virtual interface on the same NIC, with a different MAC address, and assigned a static IP, let's say 192.168.1.252 on eth0:1 (instead of 192.168.1.200 on eth0).

I set up a new routing table with the default gateway being the IP address of the VPN tun0 interface and I enabled IP masquerade.

If I add a rule (say I want 192.168.1.61) to route via VPN and not via my cable modem directly, it works when setting the rule on the source IP, but I don't want to do this:

ip rule add from 192.168.1.61 table 4 (where table 4 is the routing table to the VPN IP)

And changing the default gateway on 192.168.1.61 to 192.168.1.252.

I don't want to add this rule; I only want to change the device's gateway address to this virtual interface on my host.

So the question is: how, using iproute2 or iptables, do I detect packets that have been routed to this virtual interface? It feels like I've tried everything, but I'm sure there is a solution to this problem.

Dave Martin

Posted 2016-12-13T18:27:53.010

Reputation: 11
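The policy-routing setup described in the question, as an added example that is not the poster's configuration or an answer from the site. It assumes the tunnel is tun0 and that the 192.168.1.252 "gateway" is a macvlan child of eth0 named vpnlan0 (an assumed name) rather than an eth0:1 alias: an alias is only an address label on eth0, so the kernel cannot select a routing table by it, whereas a macvlan is a real interface that frames addressed to its MAC arrive on, which lets an `ip rule ... iif` rule pick table 4 without listing source addresses.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenVPN is already up
# on tun0 with --route-noexec, and vpnlan0 (assumed name) is a macvlan on
# eth0 standing in for the eth0:1 alias from the question.
set -eu

LAN_IF=eth0
VPN_GW_IF=vpnlan0            # assumed macvlan name (replaces eth0:1)
VPN_GW_ADDR=192.168.1.252/24 # the "gateway" address LAN hosts point at
TUN_IF=tun0
VPN_TABLE=4

# Run a command, or only print it when DRY_RUN=1 (used for testing).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_vpn_policy_routing() {
    # A separate gateway interface with its own MAC, as the question intends.
    run ip link add "$VPN_GW_IF" link "$LAN_IF" type macvlan mode bridge
    run ip addr add "$VPN_GW_ADDR" dev "$VPN_GW_IF"
    run ip link set "$VPN_GW_IF" up
    # Table 4: default route through the tunnel only; the main table is untouched.
    run ip route add default dev "$TUN_IF" table "$VPN_TABLE"
    # Select table 4 by ingress interface instead of by source address: any
    # LAN host (e.g. 192.168.1.61) that uses 192.168.1.252 as its gateway
    # delivers its frames to vpnlan0 and is therefore routed via the VPN.
    run ip rule add iif "$VPN_GW_IF" lookup "$VPN_TABLE"
    # Forward, and masquerade only what leaves through the tunnel.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$TUN_IF" -j MASQUERADE
    # Leak guard: if tun0 goes down its default route disappears, and this
    # lower-priority entry makes table 4 reject traffic instead of letting
    # it fall through to the main table and out via the cable modem.
    run ip route add unreachable default table "$VPN_TABLE" metric 100
}
```

Rules are consulted before the main table, so forwarded packets from eth0 itself (the box's own traffic, and hosts still using the cable modem as gateway) are unaffected.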

No answers