VPN as Gateway in Rancher Network

I’m trying to find the best way to guarantee that all traffic that is routed from a given container goes through a given VPN. It’s difficult to use network_mode: container for this purpose as that means all of the containers that need to do this would have to be on the same host. I’ve also failed to make network_mode: container work when the OpenVPN Gateway is an infrastructure stack (or just not in the same stack?). It just says I have an invalid reference.

I could force the containers to route through the gateway by manually changing the default route in each container but that could break if the IP of the gateway changes and it causes a problem if I also want to run UPnP port mapping on the gateway. I don’t particularly want all containers to be able to map ports.

To me, it seems like the cleanest approach would be to setup a new environment with a network configuration that sends all traffic through that gateway by default. It looks like, according to https://github.com/rancher/rancher-net/blob/6d7440f0be11563b0d4ec7a33f5ed1012d613d79/package/start.sh#L40, that the gateway is selected on startup of the network container by checking for the route to 8.8.8.8. Is that correct? If we make the GATEWAY variable settable, could we force it to use another container as the gateway? Would this break Cattle?