Are you saying that they are trying to use a kernel module to bypass the root user?
Because otherwise I don't understand the problem, because what I think you're talking about is
Say you're on a network 192.168.1.0 with a gateway 192.168.1.1 and you want to connect to a VPN
on a mystical internet address 10.1.1.2 with the VPN network being 172.16.23.0 and the gateway
on 172.16.23.1. So...
(this is with openvpn with its client-to-client and topology subnet)
> openvpn --config client.conf
> read -p 'press enter when connected'
> ip route del default dev eth0
> ip route del 192.168.1.0/24 dev eth0
> ip route add 192.168.1.1/32 dev eth0
> ip route add 10.1.1.2 via 192.168.1.1 dev eth0
> ip route add default via 172.16.23.1 dev tun0
Then set up a simple iptables firewall to block all traffic coming in and out of eth0, except
for the VPN traffic.
Then, voilà, no information going in or out into the local ethernet network.
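
The firewall step described above, as an added example that is not part of the original post: a script that prints iptables-restore rules allowing only the OpenVPN session on eth0, plus matching ip6tables rules, because iptables alone does not filter IPv6. The function names are hypothetical, and UDP port 1194 is an assumption; the post does not state the VPN port.

```shell
#!/bin/sh
# Added example (not from the post): print, without applying, rules that
# confine LAN_IF to the OpenVPN session. Assumed here: UDP port 1194.

valid_if() {   # interface name: alphanumeric first char, then [A-Za-z0-9_.-]
    case "$1" in ''|[!A-Za-z0-9]*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

is_ipv4() {    # dotted quad: exactly four octets, each 0-255
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    rest=$1.; count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# killswitch_rules LAN_IF SERVER PROTO PORT -> IPv4 ruleset on stdout
killswitch_rules() {
    valid_if "$1" || { echo "bad interface: $1" >&2; return 2; }
    is_ipv4 "$2" || { echo "bad server address: $2" >&2; return 2; }
    case "$3" in udp|tcp) ;; *) echo "bad protocol: $3" >&2; return 2 ;; esac
    case "$4" in ''|*[!0-9]*) echo "bad port: $4" >&2; return 2 ;; esac
    [ "$4" -ge 1 ] && [ "$4" -le 65535 ] || { echo "bad port: $4" >&2; return 2; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o $1 -d $2/32 -p $3 --dport $4 -j ACCEPT
-A INPUT -i $1 -s $2/32 -p $3 --sport $4 -j ACCEPT
-A OUTPUT -o $1 -j DROP
-A INPUT -i $1 -j DROP
-A FORWARD -i $1 -j DROP
-A FORWARD -o $1 -j DROP
COMMIT
EOF
}

# killswitch_rules_v6 LAN_IF -> ip6tables-restore rules: no IPv6 at all on
# LAN_IF, so nothing leaks around the IPv4-only rules above.
killswitch_rules_v6() {
    valid_if "$1" || { echo "bad interface: $1" >&2; return 2; }
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' "-A OUTPUT -o $1 -j DROP" "-A INPUT -i $1 -j DROP" \
        "-A FORWARD -i $1 -j DROP" "-A FORWARD -o $1 -j DROP" COMMIT
}
```

Review the output of `killswitch_rules eth0 10.1.1.2 udp 1194` and `killswitch_rules_v6 eth0` before piping them to `iptables-restore` and `ip6tables-restore`; by default both replace the existing filter table. DHCP renewals on eth0 are dropped by these rules as well.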