There's no good reason why a web browser would make its own network layer connection to support non-HTTP sessions. Session layer proxies have forever been how this is done.
(I ended up setting up a VM and routing everything through Tor, which worked but was complete overkill. It would be great if you could force an application (and all subprocess) to use a certain connection. Put a control in the titlebar/system menu that lets me select interfaces. Please, desktop developers, steal this idea!)
How would you get a non-privileged executable to take control of full network?
While that's the most common way to run a VPN, it's not the only way. You use TUN/TAP devices because you want arbitrary programs to use them. In this case, you only want Opera to use the VPN connection. You don't need a TUN device for that.
This sounds perfect to me. A custom corporate wrapper for a web browser that lives in its own silo. Workers who are working from home for the day can use that app for work while keeping everything else like Spotify or YouTube or Netflix from going on a long roundabout trip through the VPN. Sounds perfect if you ask me.
The term "proxy" immediately brings me back to the days of trying to bypass the high school content filters using sketchy foreign proxies…
Or is the problem just that they're using the wrong terminology?
They clarify it here: https://www.opera.com/blogs/news/2016/04/opera-doubling-serv...
"Our VPN feature is still in development. We are currently working hard to implement support for proxying even more of the browser traffic, including WebRTC and plug-ins. Having this functionality built into the browser, instead of as an extension, allows us to catch more situations, such as certificate revocation checks made by the system.
Yes, the VPN feature is free, and we do not plan to charge for it.
Our VPN is something we call a browser VPN. Under the hood it works by routing all the browser traffic properly encrypted via our secure proxies in various parts of the world. It will not route the traffic from other applications – as a system wide VPN would do – it’s a browser VPN after all."
For instance, when using untrusted WiFi networks I'll connect to my VPS VPN hosted in the US or my UK RasPI VPN.
But when I want to circumvent a geo-block to watch some sports on Al Jazeera Sport (now BeIn Sport), I don't want all of my traffic going through the public VPN provider in Saudia Arabia. I don't really trust public VPN providers.
Normally I'd run a dedicated local VM which I'd connect to a public VM just to watch geo-blocked streaming media.
Proxies, though. Per-application proxies. Or even better - per tab/window/browser profile proxies. This would solve my problem more elegantly.
http://pastie.org/private/fzx7btxmvxbnftgkx31k8g is what I use as openvpn up/down script. Feel free to study/reuse.
 If anyone doesn't know how, here's a good resource (actually not specific to OS or linode vps):
The target market is companies whose employees require secure remote access to internal apps, but IT does not want to give a broad network access via VPN. So, marketing/sales like employees who simply want to access internal portals, etc. without the hassle of dialing into a VPN.
I imagine that you mean the proxy takes care of resolving hosts. For example, requesting https://google.com doesn't resolve google.com. on the client, rather it sends a request for https://google.com to the proxy server and the proxy server resolves google.com.
Attacking the DNS lookup for the proxy itself won't work because the attacker would need the SSL certificate for the proxy. Hopefully Opera has pinned that certificate (or better, its signer), which prevents a rogue CA attack.
"Browser VPN" is another misleading made-up term.
Similarly (unlike poorly setup proxies like Lenovo's Superfish) it also prevents connection to sites with invalid certificates.
(I wrote the same comment in the gist)
I could stick a gateway on my network, but frankly I just don't want to spend any more money and OS X should do fine for what I want.
There is surprisingly little documentation on how to setup OpenVPN on OS X. However, in my travails through OS X I've had to learn a whole bunch of tools I've never used before, the main ones are how to create launcher files, how to setup OpenVPN and how to use pf - in the way OS X wants me to.
I'm think of uploading the setup onto GitHub - would anyone be interested?
The purpose was of course different. Opera Mini added value by optimising the pages for your device (tiny screens, underpowered CPUs, insufficient RAM, small batteries), while the added value of the current proposal is actually defeated when it's offered only for free (meaning they get something out of it - not just marketing for a paid offering).