diff --git a/include/NetworkManagerVPN.h b/include/NetworkManagerVPN.h
index d792847d6a..f4ef93d3d4 100644
--- a/include/NetworkManagerVPN.h
+++ b/include/NetworkManagerVPN.h
@@ -166,6 +166,9 @@ typedef enum {
  */
 #define NM_VPN_PLUGIN_IP4_CONFIG_ROUTES      "routes"
 
+/* boolean: prevent this VPN connection from ever getting the default route */
+#define NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT "never-default"
+
 /* Deprecated */
 #define NM_VPN_PLUGIN_IP4_CONFIG_GATEWAY   NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY
 
diff --git a/src/nm-policy.c b/src/nm-policy.c
index ddf48ad877..a9b0eeaabb 100644
--- a/src/nm-policy.c
+++ b/src/nm-policy.c
@@ -138,7 +138,8 @@ get_best_ip4_device (NMManager *manager, NMActRequest **out_req)
 			continue;
 
 		/* 'never-default' devices can't ever be the default */
-		if (s_ip4 && nm_setting_ip4_config_get_never_default (s_ip4))
+		if (   (s_ip4 && nm_setting_ip4_config_get_never_default (s_ip4))
+		    || nm_ip4_config_get_never_default (ip4_config))
 			continue;
 
 		prio = nm_device_get_priority (dev);
@@ -482,6 +483,13 @@ update_ip4_routing_and_dns (NMPolicy *policy, gboolean force_update)
 		/* If it's marked 'never-default', don't make it default */
 		vpn_connection = nm_vpn_connection_get_connection (candidate);
 		g_assert (vpn_connection);
+
+		/* Check the active IP4 config from the VPN service daemon */
+		ip4_config = nm_vpn_connection_get_ip4_config (candidate);
+		if (ip4_config && nm_ip4_config_get_never_default (ip4_config))
+			can_default = FALSE;
+
+		/* Check the user's preference from the NMConnection */
 		s_ip4 = (NMSettingIP4Config *) nm_connection_get_setting (vpn_connection, NM_TYPE_SETTING_IP4_CONFIG);
 		if (s_ip4 && nm_setting_ip4_config_get_never_default (s_ip4))
 			can_default = FALSE;
@@ -493,7 +501,6 @@ update_ip4_routing_and_dns (NMPolicy *policy, gboolean force_update)
 
 			ip_iface = nm_vpn_connection_get_ip_iface (candidate);
 			connection = nm_vpn_connection_get_connection (candidate);
-			ip4_config = nm_vpn_connection_get_ip4_config (candidate);
 			addr = nm_ip4_config_get_address (ip4_config, 0);
 
 			parent = nm_vpn_connection_get_parent_device (candidate);
diff --git a/src/vpn-manager/nm-vpn-connection.c b/src/vpn-manager/nm-vpn-connection.c
index 16fa64d007..227932adc5 100644
--- a/src/vpn-manager/nm-vpn-connection.c
+++ b/src/vpn-manager/nm-vpn-connection.c
@@ -382,6 +382,9 @@ print_vpn_config (NMIP4Config *config,
 		             ip_address_to_string (nm_ip4_route_get_next_hop (route)));
 	}
 
+	nm_log_info (LOGD_VPN, "Forbid Default Route: %s",
+	             nm_ip4_config_get_never_default (config) ? "yes" : "no");
+
 	num = nm_ip4_config_get_num_nameservers (config);
 	for (i = 0; i < num; i++) {
 		nm_log_info (LOGD_VPN, "Internal IP4 DNS: %s",
@@ -527,6 +530,10 @@ nm_vpn_connection_ip4_config_get (DBusGProxy *proxy,
 		g_slist_free (routes);
 	}
 
+	val = (GValue *) g_hash_table_lookup (config_hash, NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT);
+	if (val && G_VALUE_HOLDS_BOOLEAN (val))
+		nm_ip4_config_set_never_default (config, g_value_get_boolean (val));
+
 	print_vpn_config (config, priv->ip4_internal_gw, priv->ip_iface, priv->banner);
 
 	/* Merge in user overrides from the NMConnection's IPv4 setting */