VPN kill switch with Linux network namespaces

openvpn-client.conf

# . . .
script-security 2
up '/etc/openvpn/vpn-init start'
down '/etc/openvpn/vpn-init stop'
down-pre

sysctl.conf

# . . .
net.ipv4.ip_forward=1

transmission-vpn

#!/bin/sh
gksudo "ip netns exec vpn sudo -u $(whoami) transmission-gtk"

vpn-init

#!/bin/sh
case "$1" in
	start)
		iptables -t nat -A POSTROUTING -o "$2" -j MASQUERADE
		iptables -P FORWARD DROP
		iptables -A FORWARD -i veth-vpn-ex -o "$2" -j ACCEPT
		iptables -A FORWARD -i "$2" -o veth-vpn-ex -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
		iptables -A FORWARD -i "$2" -o veth-vpn-ex -m conntrack --ctstate INVALID -j DROP
		;;
	stop)
		iptables -t nat -D POSTROUTING -o "$2" -j MASQUERADE
		iptables -D FORWARD -i veth-vpn-ex -o "$2" -j ACCEPT
		iptables -D FORWARD -i "$2" -o veth-vpn-ex -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
		iptables -D FORWARD -i "$2" -o veth-vpn-ex -m conntrack --ctstate INVALID -j DROP
		;;
esac

vpn-ns-start

#!/bin/sh
ip netns add vpn
ip netns exec vpn ip addr add 127.0.0.1/8 dev lo
ip netns exec vpn ip link set lo up
ip link add veth-vpn-ex type veth peer name veth-vpn
ip addr add 192.168.5.1/24 dev veth-vpn-ex
ip link set veth-vpn-ex up
ip link set veth-vpn netns vpn up
ip netns exec vpn ip addr add 192.168.5.2/24 dev veth-vpn
ip netns exec vpn ip route add default via 192.168.5.1 dev veth-vpn