
dontdoxxme | 3 months ago

> And netns is for single-host isolation. This is a router forwarding LAN→WAN. Different problem

Not at all. Put the LAN interface in a network namespace that is different to the host (ip link set ... netns ...).

This gives you your "kill switch" without even needing firewall rules; it happens at a lower level.

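The namespace "kill switch" dontdoxxme describes, written out as an added shell example (not code from this thread). Interface names (eth1 for the LAN NIC, wg0 for a WireGuard tunnel), addresses, the namespace name `lan` and the config path are assumptions. The tunnel interface is created in the init namespace, so its encrypted UDP socket stays bound on the WAN side, and is then moved into the LAN namespace alongside the LAN NIC. Inside that namespace the only default route is via wg0 and there is no physical WAN interface at all, so if the tunnel is down LAN traffic has nowhere to go: no rule ordering can leak it. With `DRY_RUN=1` (the default) the script prints the plan instead of running it, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: LAN-side network namespace as a route-level "kill switch".
# Assumed names (not from the thread): LAN NIC eth1, tunnel wg0, namespace "lan".
# Needs root, iproute2, wireguard-tools and iptables when DRY_RUN=0.
set -eu

LAN_IF="${LAN_IF:-eth1}"
NS="${NS:-lan}"
WG_IF="${WG_IF:-wg0}"
LAN_ADDR="${LAN_ADDR:-192.168.50.1/24}"   # constructed sample address
WG_ADDR="${WG_ADDR:-10.8.0.2/24}"         # constructed sample address
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
DRY_RUN="${DRY_RUN:-1}"

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_lan_namespace: build the namespace, move wg0 and the LAN NIC into it,
# and leave wg0 as the only egress path.
setup_lan_namespace() {
    run ip netns add "$NS"

    # Create and configure wg0 in the init namespace first: WireGuard keeps its
    # UDP socket in the namespace the interface was created in (the WAN side),
    # even after the interface itself is moved.
    run ip link add "$WG_IF" type wireguard
    run wg setconf "$WG_IF" "$WG_CONF"
    run ip link set "$WG_IF" netns "$NS"
    run ip netns exec "$NS" ip addr add "$WG_ADDR" dev "$WG_IF"
    run ip netns exec "$NS" ip link set "$WG_IF" up

    # Move the LAN NIC into the namespace; its address must be (re)assigned there.
    run ip link set "$LAN_IF" netns "$NS"
    run ip netns exec "$NS" ip addr add "$LAN_ADDR" dev "$LAN_IF"
    run ip netns exec "$NS" ip link set "$LAN_IF" up
    run ip netns exec "$NS" ip link set lo up

    # Only default route in the namespace points into the tunnel. There is no
    # WAN NIC here, so with wg0 down the LAN has no path out at all.
    run ip netns exec "$NS" ip route add default dev "$WG_IF"
    run ip netns exec "$NS" sysctl -w net.ipv4.ip_forward=1
    run ip netns exec "$NS" iptables -t nat -A POSTROUTING -o "$WG_IF" -j MASQUERADE
}

# Print (or apply) the plan.
setup_lan_namespace
```

Checking the result from the host is a matter of `ip netns exec lan ip route` showing only the wg0 default and the LAN subnet, and `ip netns exec lan ip link` showing no WAN interface. The host namespace keeps the WAN NIC and only ever sees the encrypted wg0 socket traffic.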

yoloshii | 3 months ago

In this setup the "kill switch" works in tandem with the VPN server failover logic. Maybe a netns would be good for redundancy.