Start a VPN when a connection comes up; if the VPN is meant to be the default gateway, allow no other connections until it is up. Save as /etc/NetworkManager/dispatcher.d/02vpn
#!/bin/sh -e
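# Shell options belong in `set`, not in the shebang: `#!/bin/sh -e` is lost
# when the file is run as `sh 02vpn`. The dispatcher calls this script with
# $1 = interface and $2 = action.
set -e
if [ -z "$1" ]; then
  printf '%s: called with no interface\n' "$0" >&2
  exit 1
fi
# Only an interface coming up is of interest; every other action is a no-op.
[ "$2" = "up" ] || exit 0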
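# Absolute paths of the tools used below. Marked readonly so an accidental
# reassignment later in the script is caught instead of silently changing
# which binary is run.
readonly NMCLI=/usr/bin/nmcli
readonly IP=/sbin/ip
# NetworkManager connection UUIDs of this machine (values are specific to
# this installation). On HOME_WIFI and WORK_WIFI the WORK_VPN is started;
# on any other network HOME_VPN is tried first, then BACKUP_VPN, then
# WORK_FULL_VPN.
readonly HOME_WIFI="1505b9bc-cece-4817-8957-6ac5b3a83ea8"
readonly WORK_WIFI="ddaa7836-90cd-48e0-8c11-d78b5557f1db"
readonly HOME_VPN="df0da633-b93e-4e48-9639-17dcdc043935"
readonly BACKUP_VPN="ae1711f2-0c12-4e7c-ae70-6400683c6eb8"
readonly WORK_VPN="2c36bcc5-82a8-4176-889c-af6677a5905f"
readonly WORK_FULL_VPN="15a487b5-ed71-43ea-9b57-604425299c37"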
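#######################################
# Write a message to syslog, tagged vpn-script.
# Arguments: $* - message text; joined with single spaces and passed as one
#            argument so that globs and runs of whitespace in it survive
#######################################
log() {
  /usr/bin/logger -t vpn-script "$*"
}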
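#######################################
# Print the ipv4.never-default setting of a connection as nmcli reports it
# ("no" means the connection takes over the default route when it comes up).
# Globals:   NMCLI (read)
# Arguments: $1 - connection UUID
# Outputs:   the setting on stdout; nothing if nmcli does not show it
# Returns:   status of the awk stage (nmcli failures are not propagated)
#######################################
no_default_gw() {
  $NMCLI con list uuid "$1" | awk '/ipv4\.never-default/ { print $2 }'
}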
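#######################################
# Bring up the VPN connection $1. When that connection is meant to become
# the default gateway (ipv4.never-default = no) the current default route
# is removed first, so that until the tunnel is up only DNS (if the remote
# end must be resolved) and the VPN remote end itself are reachable.
# The body is a subshell so that all variables stay local under /bin/sh.
# Globals:   NMCLI, IP (read); log, no_default_gw (called)
# Arguments: $1 - NetworkManager connection UUID of the VPN
# Outputs:   diagnostics via log
# Returns:   status of `nmcli con up`, or 1 when the default route or the
#            VPN remote end cannot be determined
#######################################
start_vpn() (
  vpn=$1
  if [ "$(no_default_gw "$vpn")" = "no" ]; then
    # network is not trusted: the VPN will carry all traffic
    # Keep only the first default route line. `ip ro sh` lists IPv4 routes
    # only, so an IPv6 default route, if this host has one, is left in
    # place (NOTE(review): confirm whether IPv6 needs the same treatment).
    gw=$($IP ro sh | awk '/default/ { print; exit }')
    if [ -z "$gw" ]; then
      log "No default route found, not starting VPN $vpn"
      return 1
    fi
    # prevent all outbound connections
    # NOTE(review): this removes a single default route; if several exist
    # (different metrics) the others remain — confirm on this host.
    log "Delete default gw '$gw'"
    $IP ro del default
    # From here on every early return leaves the machine without a default
    # route on purpose: nothing must go out before the VPN is up.
    remote_end=$($NMCLI con list uuid "$vpn" | grep vpn.data \
      | sed -e 's/.*\(gateway\|remote\) = \([^,]\+\).*/\2/g')
    if [ -z "$remote_end" ]; then
      log "Cannot determine remote end of VPN $vpn, not starting it"
      return 1
    fi
    # $gw looks like "default via A.B.C.D dev IFACE ..."; ${gw#default} is
    # the rest of that line and is left unquoted on purpose so that `ip`
    # receives each word as a separate argument.
    # ... except for DNS, if needed
    case $remote_end in
      *[!0-9.]*)
        log "Remote end '$remote_end' is not an IP, resolving"
        for addr in $(/usr/bin/awk '/^nameserver/ { print $2 }' /etc/resolv.conf); do
          log "Add route to DNS $addr"
          # shellcheck disable=SC2086
          $IP ro add "$addr" ${gw#default}
        done
        # A name may resolve to several addresses; keep them all, one per line.
        remote_end=$(/usr/bin/host -t a "$remote_end" | awk '/has address/ { print $4 }')
        if [ -z "$remote_end" ]; then
          log "Cannot resolve remote end of VPN $vpn, not starting it"
          return 1
        fi
        ;;
    esac
    # ... and our gateway: one host route per address of the remote end
    for addr in $remote_end; do
      log "Add route to gateway $addr"
      # shellcheck disable=SC2086
      $IP ro add "$addr" ${gw#default}
    done
  fi
  $NMCLI con up uuid "$vpn"
)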
# Pick the VPN for the connection that just came up (CONNECTION_UUID is
# exported by the NetworkManager dispatcher): the work VPN on the two known
# wireless networks, otherwise the home VPN with two fallbacks in turn.
case "$CONNECTION_UUID" in
  "$HOME_WIFI"|"$WORK_WIFI")
    start_vpn "$WORK_VPN"
    ;;
  *)
    start_vpn "$HOME_VPN" \
      || start_vpn "$BACKUP_VPN" \
      || start_vpn "$WORK_FULL_VPN"
    ;;
esac
exit 0