Tor does this the right way on Linux. You make a separate user namespace with access only to the WireGuard network adapter and run the program inside of that. You want the kernel involved if you want any sort of guarantee:

https://blog.torproject.org/introducing-oniux-tor-isolation-...

Can you use user namespaces to create a network namespace with the VPN active and stick applications in that namespace?

From a quick search, https://blog.thea.codes/nordvpn-wireguard-namespaces/ sees to have at least the bones of a decent solution, though I've not had a chance to dig very far. A lot of results use root to set up the namespace, but I was pretty sure that shouldn't be needed with a new kernel and user namespaces enabled

It would be a non-trivial amount of work but syscall user dispatch lets you intercept syscalls on modern linux if you really want to.

https://docs.kernel.org/admin-guide/syscall-user-dispatch.ht...

ptrace: https://github.com/hmgle/graftcp

I have no idea. I’ve never messed with it, but maybe something like eBPF to intercept network syscalls? Not sure if that’s a thing—especially without root access? Mostly I was just thinking the project page could use a disclaimer since, in Go, it is common to bypass libc. :shrug:

This seems like a very cool, useful project though!