Don't run openvpn as root
Don't run openvpn as root. Instead, run a management/wrapper process as root, and have it set up the routes. It can also firewall off DNS and IPv6, as appropriate, to prevent leakage.
kali: running as root is a workaround for the (buggy) tearing down of the routes. but in general, and once that can be fixed, the approach of starting openvpn as root and let it drop privileges (using openvpn-down-root to call our wrapper maybe) should be the best approach.
elijah: the greenhost people said they wrote a housekeeper daemon with root priv that runs in the background all the time and is responsible for important stuff, like preventing ipv6 leakage by maintaining proper iptables rules. and then they just always run openvpn as unprivileged. i think this is the way to go, for a couple reasons. (1) it is better to not ever run any program that gets network input as root (2) a root housekeeper daemon could allow us to nicely "fail closed" meaning that it could set up iptables rules to block all traffic when the openvpn is down or we are restarting it.
(from redmine: created on 2013-09-30, closed on 2014-05-07, relates #3860 (closed), relates #5588 (closed), blocks #4035 (closed))