diff --git a/docs/debug.rst b/docs/debug.rst
index 49a2c03934109ca2b6d6fc3802f9dcfa67ba9a2c..21eca1e92b23c9e9a6135c6edf98485b768671b9 100644
--- a/docs/debug.rst
+++ b/docs/debug.rst
@@ -111,5 +111,13 @@ environment variable that contains the hostname of the gateway:
 
   LEAP_GW=hostname.riseup.net ./riseup.vpn
 
+Dry run
+-------
+
+To avoid setting up the routes, you can pass the LEAP_DRYRUN variable:
+
+.. code:: bash
 
+  LEAP_DRYRUN=1 ./riseup.vpn
 
+We should probably restrict this to non-release versions only.
diff --git a/pkg/pickle/helpers/bitmask-root b/pkg/pickle/helpers/bitmask-root
index e704bd9f8c7cfdccdb370ec1a9c68062e1024e3e..a0ae746ee1bb3fe6ce8b0489244a7acc5de8693e 100644
--- a/pkg/pickle/helpers/bitmask-root
+++ b/pkg/pickle/helpers/bitmask-root
@@ -89,7 +89,7 @@ def is_ipv6_disabled():
 def tostr(s):
     return s.decode('utf-8')
 
-VERSION = "17"
+VERSION = "18"
 SCRIPT = "bitmask-root"
 NAMESERVER_TCP = "10.41.0.1"
 NAMESERVER_UDP = "10.42.0.1"
@@ -151,6 +151,7 @@ if is_ipv6_disabled():
         "--pull-filter", "ignore", "ifconfig-ipv6",
         "--pull-filter", "ignore", "route-ipv6"])
 
+
 ALLOWED_FLAGS = {
     "--remote": ["IP", "NUMBER", "PROTO"],
     "--tls-cipher": ["CIPHER"],
@@ -168,6 +169,7 @@ ALLOWED_FLAGS = {
     "--management-client": [],
     "--tun-ipv6": [],
     "--log": ["LOGFILE"],
+    "--pull-filter": ["ignore", "route"],
 }
 
 PARAM_FORMATS = {
@@ -183,6 +185,8 @@ PARAM_FORMATS = {
     "NETGW": lambda s: s == "net_gateway",
     "UID": lambda s: re.match("^[a-zA-Z0-9]+$", s),
     "LOGFILE": lambda s: s == "/tmp/leap-vpn.log",
+    "ignore": lambda s: s == "ignore",
+    "route": lambda s: s == "route",
 }
 
 # Determine Qubes OS version, if any
diff --git a/pkg/vpn/launcher_linux.go b/pkg/vpn/launcher_linux.go
index 57bbe78be81c4dd76755fa00b859e5af7326d00c..1fbcd6fbe0321a4919fb7b8f318bb48971394f72 100644
--- a/pkg/vpn/launcher_linux.go
+++ b/pkg/vpn/launcher_linux.go
@@ -167,11 +167,16 @@ func (l *launcher) openvpnStop() error {
 }
 
 func (l *launcher) firewallStart(gateways []bonafide.Gateway) error {
+	if os.Getenv("LEAP_DRYRUN") == "1" {
+		log.Println("dry-run: skip firewall start")
+		return nil
+	}
 	log.Println("firewall start")
 	arg := []string{"firewall", "start"}
 	for _, gw := range gateways {
 		arg = append(arg, gw.IPAddress)
 	}
+
 	return runBitmaskRoot(arg...)
 }
 
@@ -214,8 +219,8 @@ func runBitmaskRoot(arg ...string) error {
 		return err
 	}
 	arg = append([]string{bitmaskRoot}, arg...)
-
 	cmd := exec.Command("pkexec", arg...)
+
 	out, err := cmd.Output()
 	if err != nil && arg[2] != "isup" {
 		log.Println("Error while running bitmask-root:")
diff --git a/pkg/vpn/openvpn.go b/pkg/vpn/openvpn.go
index 567b9121f2752bd5f7866839f5c743713454d45b..fcd4aee0798918db2514529b0dd611c040257222 100644
--- a/pkg/vpn/openvpn.go
+++ b/pkg/vpn/openvpn.go
@@ -180,6 +180,10 @@ func (b *Bitmask) startOpenVPN() error {
 	if err != nil || verb > 6 || verb < 3 {
 		openvpnVerb = "3"
 	}
+	// TODO we need to check if the openvpn options pushed by server are
+	// not overriding (or duplicating) some of the options we're adding here.
+	log.Println("VERB", verb)
+
 	arg = append(arg,
 		"--verb", openvpnVerb,
 		"--management-client",
@@ -190,7 +194,14 @@ func (b *Bitmask) startOpenVPN() error {
 		"--persist-tun",
 		"--float")
 	if verb > 3 {
-		arg = append(arg, "--log", "/tmp/leap-vpn.log")
+		arg = append(
+			arg,
+			"--log", "/tmp/leap-vpn.log")
+	}
+	if os.Getenv("LEAP_DRYRUN") == "1" {
+		arg = append(
+			arg,
+			"--pull-filter", "ignore", "route")
 	}
 	/* persist-tun is needed for reconnects */
 	return b.launch.openvpnStart(arg...)