I'm in a kind of weird situation where I need to do the following:
Connect an OpenVPN tunnel with static RFC1918 IPs (think of 10.3.3.1 for the server end and 10.3.3.2 for the client end) and have it used by the KVM guest directly. What I'm trying to achieve is the KVM guest not knowing anything about the LAN and only the VPN tunnel.
EDIT: So that I don't need to mess with firewalls :-)
Normally I would try to bridge the tun-device with the interface for the KVM and assign the KVM a static IP (10.3.3.2). Is that wise or is there a better way?
Okay, this turned out to be pretty complicated to do. So I didn't. I opted for the firewall solution.
The KVM guest is now set up with a bridged connection and has a fixed MAC/IP. Using ebtables on the host I specified that the guest may only connect to the MAC of the router, and I also limited the guest MAC to use an IP I set up, or else get shut down automatically. That way I can use normal iptables on the router to allow only connections from the guest to the VPN server on the Internet. I'm done with five lines of well-thought-out ebtables/iptables rules. Everything else (intra-subnet ARP or IP communication, communication to other hosts on the Internet) gets silently dropped.
With this setup, the guest, when not online via VPN, cannot even find out that there are other hosts on the same subnet besides the router. The Internet also only consists of the VPN server. Looks good to me :-)
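The following is an added example of what the two rule sets described in that answer can look like; it is not the poster's actual rules. The guest's tap device (`vnet0`), the guest MAC/IP, the router MAC/IP, the VPN server address (`203.0.113.10`) and the OpenVPN port (UDP 1194) are all assumed values. The host-side rules pin the guest's tap to one MAC and one IP, let it ARP only for the router, and let only frames from the router's MAC reach it; the router-side rules put the guest into a dedicated chain that permits nothing but the OpenVPN flow. The script only prints the rules unless `APPLY=host` or `APPLY=router` is set, since executing them needs root and the respective box.

```bash
#!/bin/sh
# Added example, not the original poster's rules. All addresses below are
# assumptions for illustration; adjust them to the real guest and router.
GUEST_IF="vnet0"                # the guest's tap device on the host bridge (assumed)
GUEST_MAC="52:54:00:aa:bb:cc"   # fixed MAC from the guest's libvirt config (assumed)
GUEST_IP="192.168.1.50"         # the one LAN IP the guest may use (assumed)
ROUTER_MAC="00:11:22:33:44:55"  # LAN router's MAC (assumed)
ROUTER_IP="192.168.1.1"         # LAN router's IP (assumed)
VPN_SERVER="203.0.113.10"       # public address of the OpenVPN server (assumed)
VPN_PORT="1194"                 # OpenVPN's default UDP port

# Host side. Bridged frames traverse ebtables' FORWARD chain, so matching on
# the guest's tap (-i / -o) catches everything the guest sends or receives.
# Order matters: the ARP ACCEPT for the router must sit after the spoofing
# checks and before the MAC pinning, which would otherwise drop the broadcast.
host_ebtables_rules() {
    cat <<EOF
ebtables -A FORWARD -i $GUEST_IF -s ! $GUEST_MAC -j DROP
ebtables -A FORWARD -i $GUEST_IF -p IPv4 --ip-src ! $GUEST_IP -j DROP
ebtables -A FORWARD -i $GUEST_IF -p ARP --arp-ip-src ! $GUEST_IP -j DROP
ebtables -A FORWARD -i $GUEST_IF -p ARP --arp-opcode Request --arp-ip-dst $ROUTER_IP -j ACCEPT
ebtables -A FORWARD -i $GUEST_IF -d ! $ROUTER_MAC -j DROP
ebtables -A FORWARD -o $GUEST_IF -s ! $ROUTER_MAC -j DROP
EOF
}

# Router side. A dedicated chain is hooked at the top of FORWARD so that a
# pre-existing "LAN to WAN accept" rule cannot let the guest out first.
router_iptables_rules() {
    cat <<EOF
iptables -N GUEST_VPN_ONLY
iptables -A GUEST_VPN_ONLY -s $GUEST_IP -d $VPN_SERVER -p udp --dport $VPN_PORT -j ACCEPT
iptables -A GUEST_VPN_ONLY -s $VPN_SERVER -d $GUEST_IP -p udp --sport $VPN_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A GUEST_VPN_ONLY -j DROP
iptables -I FORWARD 1 -s $GUEST_IP -j GUEST_VPN_ONLY
iptables -I FORWARD 2 -d $GUEST_IP -j GUEST_VPN_ONLY
EOF
}

# Execute one rule set line by line, stopping at the first failure.
# $1 is "host" (run on the KVM host) or "router" (run on the router).
apply_rules() {
    case "$1" in
        host)   gen=host_ebtables_rules ;;
        router) gen=router_iptables_rules ;;
        *) echo "usage: apply_rules host|router" >&2; return 1 ;;
    esac
    "$gen" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

# Stand-alone: print both rule sets; APPLY=host or APPLY=router executes one.
case "${APPLY:-}" in
    host|router) apply_rules "$APPLY" ;;
    *) host_ebtables_rules; router_iptables_rules ;;
esac
```

Two caveats worth knowing before relying on this. The guest's outbound MAC pinning (rule 5) also drops IPv6 neighbour discovery and router advertisements, because their multicast destinations are not the router's MAC, so the guest ends up without any IPv6 path at all; that is the desired outcome here but is easy to forget when debugging. And the `-o vnet0` rule (rule 6) is what keeps broadcast ARP from other LAN hosts away from the guest; matching on `-d $GUEST_MAC` instead would let every broadcast through and the guest would still learn which neighbours exist.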