Here's an interesting read: http://blogs.igalia.com/dpino/2016/04/10/network-namespaces/

With network namespaces you can completely isolate any program from the normal network stack, routing table etc. That is, no matter how much you mess with it, your original network settings stay intact while your network-"chrooted" application sees only what you want it to see. This Linux feature can be exploited to build a very rudimentary, native OpenVPN killswitch.

Here's what you need:

- Linux (obviously)
- OpenVPN client
- Some VPN target server to test this with
- My "fancy" openvpn-netns.sh script that basically just automates all the stuff mentioned in the above link (download from here: https://www.orwell1984.today/openvpn-netns.sh).
- down.sh script that handles the cleanup of the routing table in case OpenVPN dies (download from here: https://www.orwell1984.today/down.sh and put it into the /etc/openvpn directory).

Usage:

1) From a terminal, start openvpn inside the network namespace. Example:

./openvpn-netns.sh vpn eth0 v-eth1

Then open another terminal and do all the following stuff there:

2) Try to ping Google DNS:

ip netns exec vpn ping -c3 8.8.8.8

3) Check the routing table (you should see tun0 or something like that):

ip netns exec vpn ip route show

4) If it works, start firefox/midori/etc. in the shiny new network namespace named "vpn":

ip netns exec vpn firefox

5) Go to any number of "what is my ip" sites to confirm that OpenVPN works.

6) Now, kill the openvpn-netns.sh that you previously started in the first terminal with Ctrl + C.

7) Again in your second terminal, try to surf with your browser (you should not be able to). Also, giving the command "ip netns exec vpn ip route show" again should now give you a totally empty routing table.

So now your vpn namespace has no routing table and no network connection, and any browser/application/etc. that used that particular vpn network namespace is now completely isolated because OpenVPN was killed/terminated.

And all this while your normal network stack is completely intact. The reason we can't simply delete the above-mentioned vpn namespace and have to resort to cleaning the routing table inside the namespace is that the namespace will be completely removed only after the last application that uses it (in this example, the browser) exits.
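The setup and the kill-switch hook described in the steps above, written out as an added example (this is not the author's openvpn-netns.sh or down.sh; it assumes a constructed veth subnet 10.200.1.0/24, a client config at /etc/openvpn/client.conf, and that the generated down.sh has been installed at /etc/openvpn/down.sh). Set DRY_RUN=1 to print the commands instead of executing them, which is how the script can be inspected without root.

```shell
#!/bin/sh
# Added example of a namespace-based OpenVPN killswitch (not the post's script).
# Assumed: veth subnet 10.200.1.0/24 (constructed), OpenVPN config path given as $4.
# Usage as root: ./netns-killswitch.sh vpn eth0 v-eth1 [/etc/openvpn/client.conf]
# With DRY_RUN=1 set, every privileged command is printed instead of executed.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# netns_setup NAME PHYS_IF VETH_HOST: create namespace NAME, a veth pair whose host
# end VETH_HOST is NATed out through PHYS_IF, and a default route inside NAME.
netns_setup() {
    ns=$1; phys=$2; host_if=$3; peer_if="$3-peer"
    run ip netns add "$ns"
    run ip link add "$host_if" type veth peer name "$peer_if"
    run ip link set "$peer_if" netns "$ns"
    run ip addr add 10.200.1.1/24 dev "$host_if"
    run ip link set "$host_if" up
    run ip netns exec "$ns" ip addr add 10.200.1.2/24 dev "$peer_if"
    run ip netns exec "$ns" ip link set "$peer_if" up
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip route add default via 10.200.1.1
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o "$phys" -j MASQUERADE
}

# down_script_body: contents of the --down hook. OpenVPN runs it inside the same
# namespace it was started in, so flushing the routes there leaves every process
# still in the namespace with no path out, while the host routing table is untouched.
down_script_body() {
    printf '%s\n' '#!/bin/sh' 'ip route flush table main' \
        'ip -6 route flush table main 2>/dev/null || true'
}

# netns_openvpn NAME CONFIG: start the client inside NAME with the kill-switch hook.
netns_openvpn() {
    ns=$1; conf=$2
    run ip netns exec "$ns" openvpn --config "$conf" --script-security 2 \
        --down /etc/openvpn/down.sh
}

if [ $# -ge 3 ]; then
    netns_setup "$1" "$2" "$3"
    netns_openvpn "$1" "${4:-/etc/openvpn/client.conf}"
fi
```

The --down hook only fires when OpenVPN exits normally or on a catchable signal such as the Ctrl + C in step 6; a SIGKILL or hard crash leaves the namespace's routes in place until down.sh is run by hand with ip netns exec.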
If just using network namespaces, they are functionally pretty equivalent, except of course that with network namespaces you have a totally separate network stack. But if you add other namespaces that Linux offers, like the PID namespace (openvpn would see only its own process PID) and/or the mount namespace (equivalent to chroot filesystem isolation?), then what you have is a lightweight OS-level virtual machine for that application. I believe those Linux containers and applications that use them (Docker?) use namespaces as building blocks. Something like what Tor and Tor Browser are going to do with their coming sandbox Tor.
According to this post from December, there are no official binaries released yet(?): https://lists.torproject.org/pipermail/tor-dev/2016-December/011753.html But if you are in a real hurry and ready for pain (Captain Freedom from the Running Man movie) you can try to compile the alpha version of it and see if it works: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux

EDIT: sandbox Tor is still in alpha state, so use it only for testing purposes and helping the developers find bugs.
Here's also some interesting info about Linux namespaces, Linux containers (basically OS-level virtual machines that use namespaces and some other stuff like seccomp and capabilities) and also a little comparison of how an OS-level virtual machine compares against a full virtual machine: https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-10pdf/ One advantage that OS-level VMs have is performance and reduced bloat (you don't need virtualized hardware and don't need to install a full OS into the VM). For machines with low resources (like the Raspberry Pi) an OS-level VM is the only possible choice.