by jjnoakes 3597 days ago
There ought to be a way, at the OS level, to configure a machine so no network traffic goes in or out over an unsecured link except for the VPN application's traffic.

Then, if you configure secure links to be WPA at work, WPA at home, and your VPN, there should be little risk to joining an open network to bring up a VPN.

4 comments

In high-assurance security, they go further by putting that functionality into a dedicated device with minimal components, a separation kernel (or RTOS), and strong isolation of networking. The idea being that it always, by static design, forces networking traffic to go through the encryptor with almost no attack surface from the external network. The external network stack is usually in its own partition, too.

Examples:

http://www.friendsglobal.com/papers/High_Assurance_Wireless_...

http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=BF0...

You can do that with the routing table.

Interesting - links/details?
This is a must read if you're interested in non-standard Linux networking: http://lartc.org/lartc.html

Look for "Split access"; it's pretty similar to what you're talking about. Basically you'd just send all your traffic on your default routes table to 127.0.0.1 (nowhere), and all the traffic on your VPN routes table to the VPN. That way, when the VPN isn't active all your traffic gets blackholed, and when your VPN is active it'll all get sent over the encrypted tunnel.

Thanks

Have the default route point to your VPN client, and a static route for the VPN server pointing to the internet. Most VPN clients do this already.

I think OP means prior to connecting to the VPN, so you are minimally exposed during the interim VPN setup.

Same technique could work, just more annoying (static route for VPN provider IP to your LAN gateway, and static routes for your trusted DNS provider, then only allow a default route to be established once VPN is connected).

It's pretty easy (at least on Linux) to firewall all inbound/outbound traffic on your physical network interfaces, allowing only the bare minimum necessary to connect to the VPN server (DHCP to get a local IP + a UDP/TCP connection to a single ip:port).

Last I checked, it was a bit more difficult to do on Windows, because it didn't allow interface-specific rules, and because software installers had a habit of opening holes for themselves in the firewall without asking you.
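As an added illustration of the Linux firewall approach in the comment above (example code, not something posted in the thread): a POSIX shell function that prints the iptables rules for one physical interface, permitting only DHCP and a single VPN endpoint. The interface name, VPN address and port are caller-supplied placeholders, and the chain names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables "pre-VPN lockdown"
# for one physical interface that allows only DHCP and one VPN endpoint, the
# minimum the comment above describes. IPv4 only; IPv6 needs the same rules
# via ip6tables or the interface leaks over v6.

# Print the rules instead of applying them, so they can be reviewed first.
# Usage: vpn_lockdown_rules PHYS_IF VPN_IP VPN_PORT [udp|tcp]
vpn_lockdown_rules() {
    phys="$1"; vpn_ip="$2"; vpn_port="$3"; proto="${4:-udp}"
    cat <<EOF
# Fresh chains so the policy can be re-applied without duplicating rules
iptables -N VPNLOCK_OUT 2>/dev/null || iptables -F VPNLOCK_OUT
iptables -N VPNLOCK_IN 2>/dev/null || iptables -F VPNLOCK_IN
# Outbound on $phys: DHCP client traffic, the VPN endpoint, nothing else
iptables -A VPNLOCK_OUT -o $phys -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A VPNLOCK_OUT -o $phys -p $proto -d $vpn_ip --dport $vpn_port -j ACCEPT
iptables -A VPNLOCK_OUT -o $phys -j DROP
# Inbound on $phys: DHCP replies and answers to connections we opened
# (DHCP clients that use raw sockets bypass netfilter; the rule is then unused)
iptables -A VPNLOCK_IN -i $phys -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A VPNLOCK_IN -i $phys -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPNLOCK_IN -i $phys -j DROP
# Hook the chains in first. Loopback and the tunnel interface never enter
# them, because every rule above matches only $phys.
iptables -C OUTPUT -j VPNLOCK_OUT 2>/dev/null || iptables -I OUTPUT 1 -j VPNLOCK_OUT
iptables -C INPUT -j VPNLOCK_IN 2>/dev/null || iptables -I INPUT 1 -j VPNLOCK_IN
EOF
}

# Apply the reviewed rules (run as root), e.g.:
#   apply_vpn_lockdown wlan0 203.0.113.5 1194 udp
apply_vpn_lockdown() {
    vpn_lockdown_rules "$@" | sh
}
```

Once the tunnel is up, normal traffic flows through the tunnel interface untouched; if the VPN drops, the DROP rules keep the physical interface closed rather than letting traffic fall back to the open network.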

The OpenVPN client on Android has something like this. See "Seamless Tunnel" in the preferences. I've used it at DefCon on the secure network in the past.