Oh, I haven't reverse engineered the application or network protocol as of yet and really don't have any intention to do so - just trying to make sure it fits our security requirements prior to using it for anything of value. Dumping the strings from the binary to see if there are hidden/undocumented configuration file parameters is far from reverse engineering (I'll break out either GDB or IdaPro if I'm going to do that....which I'm not . Thanks for the pointer, I'll make the suggestion on the Wishlist though. As for disabling the network interfaces, that is not a viable option if you are talking about VPNs where you want the application to use the VPN tunnel, but not the native interface (ie, tunnel over ppp0 rather than talking out eth0). Lastly, the "specific IPs" option does seem like it may do the trick if there are no DHCP addresses involved (although one could have a central server on a static IP that everyone else knows how to get to via "specific IPs" if the clients coming in over VPN are DHCP'ed). In testing that, I have seen other troubling network traffic (like, who/what is "usyncapp.com" and why is traffic transiting there even when all relay/tracker/dht/search-lan options are turned off??!?)