Let's set aside any solution where you bring a second piece of networking gear to the problem. Let's also let the problem of stopping traffic after the VPN fails to this related, but different question.
I look at this problem as a user centric solution and not something that's easily accomplished by modifying the OS X behavior.
Set up two accounts on your Mac (neither need be admin accounts, but if either is, you won't need a third account to change system settings).
- A shell account that exists to run nothing and only establish the VPN connection.
- A main account that will run the programs you wish to ensure only get access to the network once it has been properly secured with a VPN.
So, with fast user switching enabled, you can log out of the main account. This ensures that no programs or processes from that user will continue running in the background. Most OS X apps are well behaved, and suspend network access when they don't have an active window on-screen, but you'd have to monitor and test this forever to be sure nothing is happening - logging out is simpler to maintain.
Now, you could also replace "account" above with OS and run a virtualization system like Fusion (or Parallels or any other) and only start the guest OS once the host OS has secured everything on a VPN. Depending on the VM software you choose, you also may have control over the network and can turn on and off access even when the guest OS (or OSes) are running. This is basically simulating the extra hardware I initially said I wouldn't consider.
I hope this shows one way you could be more secure while traveling and using a network that you don't trust while minimizing the risk that this will always entail. If someone else owns the network - they own DNS, can log packets, can try man-in-the-middle (MITM) attacks as well as inspect all of your packets deeply to try to determine what is flowing inside the VPN tunnel.
Best Answer
In general, the network settings are global, and apply to the whole machine, including all applications.
VPNs will work great to access machines on a known network (eg: 192.168.1.x = home, 10.1.1.x = work via VPN)
What kind of VPN is it? It's possible that the VPN has grabbed the default route, meaning that all network traffic that isn't on your local network will go via the VPN.
You can run
netstat -nr
in Terminal to see your routing table.You can use
sudo route change default 10.1.1.1
to change the default route to your local network's router (eg 10.1.1.1 for me) so that it will route external connections. Connections to your VPN network should still go through the VPN.Hopefully this helps!