UFW: force traffic thru OpenVPN tunnel / do not leak any traffic

Posted by hotzen on Server Fault See other posts from Server Fault or by hotzen
Published on 2012-12-19T21:51:46Z Indexed on 2012/12/19 23:04 UTC

I have VPN access using OpenVPN and try to create a safe machine that does not leak traffic over non-VPN interfaces. Using the firewall UFW I try to achieve the following:

  • Allow access from the LAN to the machine's web interface
  • Otherwise only allow traffic on tun0 (the OpenVPN tunnel interface, once established)
  • Reject (or forward?) any traffic over other interfaces

Currently I am using the following rules (sudo ufw status):

To                         Action      From
--                         ------      ----
192.168.42.11 9999/tcp     ALLOW       Anywhere           # allow web-interface
Anywhere on tun0           ALLOW       Anywhere           # out only thru tun0
Anywhere                   ALLOW OUT   Anywhere on tun0   # in only thru tun0

My problem is that the machine is initially not able to establish the OpenVPN connection, since only tun0 is allowed, which is not yet established (chicken-and-egg problem).

How do I allow creating the OpenVPN connection and from this point onward force every single packet to go thru the VPN-tunnel?

© Server Fault or respective owner
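No answer is recorded on this page. The script below is an added example, not the poster's or Server Fault's own, showing one way to break the chicken-and-egg problem: punch exactly one hole on the physical interface for the OpenVPN handshake itself, keep the LAN exception for the web interface, and bind everything else to tun0. The interface name eth0, the server address 203.0.113.10, port 1194/udp and the LAN range 192.168.42.0/24 are assumptions or constructed placeholders; the rules print for review unless `--apply` is given.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) a UFW rule set that allows
# the OpenVPN handshake before the tunnel exists, then forces all other
# traffic through tun0. Interface, server and LAN values are assumptions.
set -eu

LAN_IF="eth0"               # assumed physical interface
VPN_IF="tun0"               # from the question
VPN_SERVER="203.0.113.10"   # constructed placeholder; use an IP, not a hostname
VPN_PORT="1194"             # assumed: OpenVPN default port
VPN_PROTO="udp"             # assumed: OpenVPN default protocol
LAN_NET="192.168.42.0/24"   # assumed LAN containing the web-interface address
WEB_ADDR="192.168.42.11"    # from the question
WEB_PORT="9999"             # from the question

# Print the rules in the order they should be applied: deny-by-default in
# both directions, the single pre-tunnel hole for the handshake, the LAN
# exception for the web interface, and finally the tunnel interface itself.
ufw_rules() {
    cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw allow out on $LAN_IF to $VPN_SERVER port $VPN_PORT proto $VPN_PROTO
ufw allow in on $LAN_IF from $LAN_NET to $WEB_ADDR port $WEB_PORT proto tcp
ufw allow out on $VPN_IF
ufw allow in on $VPN_IF
EOF
}

# Leak check: only two rules may ever name the physical interface (the
# handshake and the LAN exception); anything more is a potential leak path.
count_lan_if_rules() {
    ufw_rules | grep -c "on $LAN_IF"
}

# Apply only when explicitly asked; otherwise print the rules for review.
if [ "${1:-}" = "--apply" ]; then
    ufw_rules | while read -r cmd; do eval "$cmd"; done
    ufw --force enable
else
    ufw_rules
fi
```

Because DNS is not allowed out on eth0, the OpenVPN `remote` must be an IP address (or a narrow rule for the resolver must be added), and the client config needs `redirect-gateway def1` so the default route moves onto tun0 once the tunnel is up.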
