
I don't understand all the parameters of your problem.

If the application servers are all on a secure LAN, and the "proxy" machine is on that LAN, and it also has access to the internet, then it sounds like NAPTing ("masquerading" is the old Linux name) would do what you want. The "proxy" would then be the LAN's gateway (in a routing sense).

If the application servers are not on a LAN, it isn't clear what you want. In particular, why would you want *all their traffic* to go through the "proxy"? Or do you mean *all their traffic that reaches the proxy* to go through the proxy?

If the application servers are not on a LAN, how would the traffic be authenticated by the "proxy"? Without authentication, you are just destroying the (admittedly weak) security mechanism of the firewall and the servers behind it.

BTW, VPNs and routing are not opposites. FreeS/WAN IPSec actually used Linux routing to select packets for VPN processing. It turned out to be a reasonable choice.

Note: NAPTing is generally limited to protocols with ports: UDP and TCP essentially. It doesn't really handle "all traffic". You probably only care about those protocols.
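As an added illustration of the LAN-gateway setup described in the reply above (this is not part of the original message, and the poster's actual configuration is not known), here is a minimal nftables ruleset for the "proxy" host acting as the masquerading gateway. The interface names, the LAN prefix and the file path are assumptions for the example: eth0 faces the application servers, eth1 faces the internet, and the LAN is 192.168.10.0/24. The forward chain defaults to drop, so the gateway does not replace the firewall's protection with an open hole: hosts on the internet cannot open new connections to the servers, only replies to connections the servers opened are let back in.

```nft
# Assumed: /etc/nftables.conf on the gateway ("proxy") host.
# Assumed names: eth0 = LAN side, eth1 = internet side, LAN = 192.168.10.0/24.
flush ruleset

table inet filter {
    chain forward {
        # Nothing is forwarded unless a rule below says so.
        type filter hook forward priority filter; policy drop;

        # Replies to connections the LAN hosts opened may come back in.
        ct state established,related accept

        # LAN hosts may open new connections towards the internet.
        # Nothing coming in on eth1 matches this, so inbound connection
        # attempts from the internet still hit the drop policy.
        iifname "eth0" oifname "eth1" ip saddr 192.168.10.0/24 accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # NAPT ("masquerading"): rewrite the source address, and the source
        # port where the protocol has one, to the address of eth1 as the
        # packet leaves towards the internet. Return traffic is mapped back
        # by the connection-tracking table.
        oifname "eth1" ip saddr 192.168.10.0/24 masquerade
    }
}
```

Two things outside the ruleset are still needed for the gateway to route at all: IP forwarding must be enabled on the gateway (net.ipv4.ip_forward=1 via sysctl), and each application server's default route must point at the gateway's eth0 address. The masquerade rule only has something to rewrite for protocols the connection tracker can identify flows in, which is what the note at the end of the reply is about; TCP and UDP are tracked by their port numbers, and a protocol without ports needs a dedicated conntrack helper or cannot be shared by more than one LAN host behind a single public address.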