If you're using a VPN, you probably already know that disconnections can happen for whatever reason, and the last thing you want is your Internet traffic leaking outside of the VPN tunnel.
Fortunately, on Linux (and BSD/macOS too, but that's gonna be for another time) a kill switch in its simplest form is relatively easy to set up. Here's how:
You have to restrict all traffic to your VPN interface (here tun0), then allow DNS queries (UDP 53) and the VPN traffic itself (UDP 1194/TCP 1194) so the tunnel can be brought up, and finally deny (DROP) all output not matching the previous rules.
# Start from an empty OUTPUT chain
iptables -F OUTPUT
# Loopback and the tunnel interface may carry anything
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
# Bootstrap exceptions: DNS (to resolve the VPN server) and the VPN connection itself.
# These are not bound to tun0, so they are also allowed on the physical interface;
# DNS in particular can still leave outside the tunnel unless you add -o tun0 or -d <resolver>.
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
# Replies on existing connections through the tunnel (already covered by the -o tun0 rule above)
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -o tun0 -j ACCEPT
# Everything else is dropped, both as an explicit last rule and as the chain policy
iptables -A OUTPUT -j DROP
iptables --policy OUTPUT DROP
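As a check to go with the rules above (added here, not part of the original post), here is a small Python audit of an `iptables -S OUTPUT` dump: it verifies that the chain defaults to DROP, that tun0 is allowed, and that the only ACCEPT rules not bound to lo/tun0 are the VPN-port bootstrap ones. The embedded dump is a constructed sample of what `iptables -S OUTPUT` prints after the rules above (the exact option order is an assumption), and the audit flags its port 53 rule as reachable outside the tunnel.

```python
import re

# Constructed sample of `iptables -S OUTPUT` as it would look after the rules above;
# the exact option order iptables prints is an assumption.
KILLSWITCH_DUMP = """\
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
"""

def _opt(line, flag):
    """Value following `flag` in one iptables-save style line, or None."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", line)
    return m.group(1) if m else None

def audit_killswitch(dump, vpn_iface="tun0", vpn_port="1194"):
    """Return findings for an OUTPUT chain dump; an empty list means the kill switch holds."""
    findings = []
    lines = [l.strip() for l in dump.splitlines() if l.strip()]
    policy = next((l.split()[2] for l in lines if l.startswith("-P OUTPUT")), None)
    rules = [l for l in lines if l.startswith("-A OUTPUT")]
    # The default must be DROP: either the chain policy or an unconditional last rule.
    if policy != "DROP" and (not rules or rules[-1] != "-A OUTPUT -j DROP"):
        findings.append("default is not DROP: traffic leaks as soon as the tunnel goes away")
    if not any(_opt(r, "-o") == vpn_iface and _opt(r, "-j") == "ACCEPT" for r in rules):
        findings.append(f"no ACCEPT on -o {vpn_iface}: the tunnel itself is blocked")
    for r in rules:
        if _opt(r, "-j") != "ACCEPT" or _opt(r, "-o") in ("lo", vpn_iface):
            continue  # loopback and tunnel traffic are exactly what we want to allow
        dport = _opt(r, "--dport")
        if dport == vpn_port:
            continue  # needed on the physical interface to bring the tunnel up
        if dport == "53":
            findings.append("DNS (dport 53) accepted on every interface: resolver queries "
                            f"can leave outside the tunnel; bind it to -o {vpn_iface} or -d <resolver>")
        else:
            findings.append(f"ACCEPT not limited to lo/{vpn_iface}/port {vpn_port}: {r}")
    return findings

if __name__ == "__main__":
    for finding in audit_killswitch(KILLSWITCH_DUMP):
        print("WARNING:", finding)
```

To check a live box, replace KILLSWITCH_DUMP with the output of `sudo iptables -S OUTPUT`.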