Hacker News new | ask | show | jobs
by dontdoxxme 199 days ago
> And netns is for single-host isolation. This is a router forwarding LAN→WAN. Different problem

Not at all. Put the LAN interface in a network namespace that is different to the host (ip link set ... netns ...).

This gives you your "kill switch" without even needing firewall rules, it happens on a lower level.
1 comments
yoloshii 199 days ago
In this setup the "kill switch" works in tandem with the VPN server failover logic. Maybe a netns would be good for redundancy.
link