2026-09-12 –, D.0.03
A challenge when setting up VPNs is the proper modification of the routing table. This is needed, so that all traffic goes through the VPN interface and is encrypted, except the encrypted traffic generated by the VPN interface. Even so, this approach has its pitfalls, which can cause leaking unencrypted traffic[[1]].
Network namespaces offer a way to categorically solve this problem. Network namespaces partition the network interfaces present in a host. A process running in a given network namespace only sees the interfaces present within that network namespace. If only the VPN interface is present, traffic will have to go through this interface, making it impossible to send traffic through another interface by accident.
On OpenBSD network namespaces are called routing domains. Combine routing domains with Wireguard, which is routing domains aware out of the box, offer safer VPNs, while also simplifying configuration. A similar effect can be achieved for other VPNs by using virtual machines.
In this talk we go over the problems when just modifying the routing table, how routing domains work and can be used.
Martin is a PhD student at the University of Basel. He first came into contact with BSD when he wanted to build a firewall.