First, kill dhclient, vpnc, openvpn. Leave eth0 up.

Then, in order, run:

# First layer: DHCP. Does not use --gw or --dns since the DHCP-Client sets
# these.
# BEWARE: Not using --dns will lead to using/modifying the host’s
# /etc/resolv.conf. In this case, we want this.
$ spawn-ns \
	--name dhcp \
	--ip 10.0.1.1 \
	--donate-dev eth0 \
	--command "spawn-ns-outer-watchdog \"dhclient -d eth0\" '--ping-ip=8.8.8.8 --wait=10'"

# Second layer: VPNC. Does not use --dns since we want to use the
# /etc/resolv.conf which was generated by the DHCP-Client to reach the
# whitelisted nameservers.
$ spawn-ns \
	--name vpnc \
	--ip 10.0.2.1 \
	--gw 10.0.1.1 \
	--command "spawn-ns-outer-watchdog 'vpnc' '--ping-ip=8.8.8.8 --wait=10'"

# Third layer: OpenVPN. Also does not use --dns, mainly because it doesn’t need
# it and external DNS servers might not (yet) work in the Cisco VPN.
$ spawn-ns \
	--name ovpn \
	--ip 10.0.3.1 \
	--gw 10.0.2.1 \
	--command "spawn-ns-outer-watchdog 'openvpn' '--ping-ip=8.8.8.8 --wait=10'"

# Host routes through highest layer:
$ ip route add default via 10.0.3.1

Fix any iptables NAT rules which use a specific interface, so that they use the
interface 'vbr'.