I do it like this, can provide scripts if you're interested.
One docker image with openvpn:
1. at startup erases all routes except to VPN gateway and 8.8.8.8.
2. before and after connect it only has routes through VPN (no default ones - if vpn goes down, network goes down until re-established)
Start it like:
# ... --name vpn ...
Another docker image with what I want VPNed gets started with the network of the first
# ... --net container:vpn ...
I keep a browser within the second docker image (firefox) and use my main machine to show it. Note: you want to pass '--no-remote' to it and likely split /dev/shm
It can't really leak since it doesn't have routes to do anything other than through VPN.
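To make the "no routes except the VPN" kill switch concrete, here is an added example (not the commenter's script) that models the route table the setup relies on. It assumes a placeholder VPN server address (203.0.113.10, configurable via VPN_GW), Docker's default bridge gateway 172.17.0.1, and OpenVPN's usual `--redirect-gateway def1` behaviour of installing 0.0.0.0/1 and 128.0.0.0/1 via tun0; the route listings are constructed samples of `ip route show` output, and the only thing taken from the comment is 8.8.8.8 as the second pinhole. The functions decide which routes the startup step should delete and check, before and after connecting, that nothing can leave the namespace except via a tun device.

```shell
#!/bin/sh
# Added example, not the commenter's script. Models the route "kill switch"
# described above: inside the VPN container only two pinhole host routes survive
# (the VPN server and the 8.8.8.8 resolver); everything else must ride tun0.
# VPN_GW is an assumed placeholder address; 8.8.8.8 is the resolver from the comment.
VPN_GW="${VPN_GW:-203.0.113.10}"
DNS_KEEP="8.8.8.8"

# Constructed sample of `ip route show` in a fresh container, before openvpn runs.
ROUTES_BEFORE='default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
203.0.113.10 via 172.17.0.1 dev eth0
8.8.8.8 via 172.17.0.1 dev eth0'

# Constructed sample after `openvpn --redirect-gateway def1` has connected:
# the two /1 routes via tun0 take over without a default route ever existing on eth0.
# If tun0 disappears, these routes go with it and nothing is left but the pinholes.
ROUTES_AFTER='0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.10 via 172.17.0.1 dev eth0
8.8.8.8 via 172.17.0.1 dev eth0'

# is_pinhole LINE: true when the route's destination is exactly VPN_GW or DNS_KEEP.
is_pinhole() {
  case "${1%% *}" in
    "$VPN_GW"|"$DNS_KEEP") return 0 ;;
    *) return 1 ;;
  esac
}

# routes_to_delete: read `ip route` lines on stdin, print every non-pinhole route.
# The startup step is: ip route show | routes_to_delete | while read -r r; do ip route del $r; done
routes_to_delete() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    is_pinhole "$line" || printf '%s\n' "$line"
  done
}

# check_no_leak: read `ip route` lines on stdin; succeed only if every route is a
# pinhole or goes out through a tun device. Any default or subnet route on eth0 is a leak.
check_no_leak() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    is_pinhole "$line" && continue
    case "$line" in
      *" dev tun"*) continue ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Stand-alone demonstration on the constructed samples.
echo "routes the startup step would delete:"
printf '%s\n' "$ROUTES_BEFORE" | routes_to_delete
if printf '%s\n' "$ROUTES_BEFORE" | check_no_leak; then
  echo "before cleanup: no leak"
else
  echo "before cleanup: LEAK (default route on eth0, as expected)"
fi
if printf '%s\n' "$ROUTES_AFTER" | check_no_leak; then
  echo "after connect: no leak"
else
  echo "after connect: LEAK"
fi
```

The same `check_no_leak` run against the live `ip route show` output from inside the `--net container:vpn` namespace is a cheap way to verify the browser container really has no path out other than tun0, which is the property the comment relies on.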