Here's an interesting read: http://blogs.igalia.com/dpino/2016/04/10/network-namespaces/

With network namespaces you can completely isolate any program from the normal network stack, routing table, etc. That is, no matter how much you mess with it, your original network settings stay intact, while your network-"chrooted" application sees only what you want it to see.

This Linux feature can be exploited to build a very rudimentary, native OpenVPN killswitch.

Here's what you need:

- Linux (obviously)
- OpenVPN client
- Some VPN target server to test this with
- My "fancy" openvpn-netns.sh script that basically just automates all the stuff mentioned in the above link (download from here: https://www.orwell1984.today/openvpn-netns.sh).
- down.sh script that handles the cleanup of the routing table in case OpenVPN dies (download from here: https://www.orwell1984.today/down.sh and put it into the /etc/openvpn directory).

Usage:

1) From a terminal, start openvpn inside the network namespace:

    Example: ./openvpn-netns.sh vpn eth0 v-eth1

Then open another terminal and do all of the following there:

2) Try to ping Google DNS:

    ip netns exec vpn ping -c3 126.96.36.199

3) Check the routing table (you should see tun0 or something like that):

    ip netns exec vpn ip route show

4) If it works, start firefox/midori/etc. in the shiny new network namespace named "vpn":

    ip netns exec vpn firefox

5) Go to any number of "what is my ip" sites to confirm that OpenVPN works.

6) Now kill the openvpn-netns.sh that you previously started in the first terminal with Ctrl + C.

7) Again in your second terminal, try to surf with your browser (you should not be able to). Also, running "ip netns exec vpn ip route show" again should now give you a totally empty routing table.

So now your vpn namespace has no routing table and no network connection, and any browser/application/etc. that used that particular vpn network namespace is completely isolated because OpenVPN was killed/terminated. And all this while your normal network stack is completely intact.

The reason we can't simply delete the above-mentioned vpn namespace, and have to resort to cleaning the routing table inside the namespace, is that the namespace will be completely removed only after the last application that uses it (in this example, the browser) exits.
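
Steps 3 and 7 can be turned into a scripted check. The following is an added example, not part of openvpn-netns.sh or down.sh: it classifies "ip route show" output from the namespace as tunnelled, empty, or leaking. It assumes the tunnel device is named tun* and that OpenVPN installs either a default route or the 0.0.0.0/1 + 128.0.0.0/1 pair through it; the function names and the 10.x sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the routing table of the "vpn" namespace.
# classify_routes reads `ip route show` output on stdin and prints one of:
#   isolated - no routes at all (the state expected after OpenVPN dies)
#   vpn      - Internet-bound traffic is covered by routes via tun*
#   leak     - routes exist, but traffic can leave outside the tunnel
classify_routes() {
    awk '
        # Return the word that follows "dev" on the current line.
        function devname(   i) {
            for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1)
            return ""
        }
        NF == 0 { next }                      # ignore blank lines
        { routes++; d = devname() }
        $1 == "default" { if (d ~ /^tun/) def_tun = 1; else def_other = 1 }
        $1 == "0.0.0.0/1"   && d ~ /^tun/ { low = 1 }
        $1 == "128.0.0.0/1" && d ~ /^tun/ { high = 1 }
        END {
            if (routes == 0)                print "isolated"
            else if (low && high)           print "vpn"   # /1 pair beats any default
            else if (def_tun && !def_other) print "vpn"
            else                            print "leak"
        }'
}

# Hypothetical wrapper for a live namespace (needs root), e.g. check_netns vpn
check_netns() {
    ip netns exec "$1" ip route show | classify_routes
}

# Constructed sample: tunnel up, routes over v-eth1 and tun0 coexist.
SAMPLE_UP='default via 10.200.1.1 dev v-eth1
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
10.200.1.0/24 dev v-eth1 proto kernel scope link src 10.200.1.2'

# Constructed sample: OpenVPN gone but the table was not cleaned up, so the
# default route over v-eth1 still carries traffic in the clear.
SAMPLE_STALE='default via 10.200.1.1 dev v-eth1
10.200.1.0/24 dev v-eth1 proto kernel scope link src 10.200.1.2'
```

After step 6, anything other than "isolated" means the cleanup did not run and applications in the namespace can still reach the network without the VPN.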