OpenVPN future design

[dma]

This may be generalized to any VPN/tunnel support in Oz:

Oz should support OpenVPN in two ways:

1. OpenVPN connection created at oz-daemon start time (or optionally startable at any time, or at first sandbox creation) that is wired to a bridge intended to be shared among many sandboxes. Something like the existing policy route configuration would be setup at this time to forward the traffic from the bridge to/from the OpenVPN connection. This VPN connection gets its own dedicated config apart from sandboxes.

2. OpenVPN per-sandbox, where the tun interface exists inside the sandbox netns. This is closer to how it works now, but that code should be rewritten entirely to not rely on iproute or any modification of the host routing tables.