Firewall Settings & Internet Kill Switch / Auto-Force VPN

We had the Force VPN option (firmware v2), replaced by Auto-Force in firmware v3. The latter has suffered many problems (i.e. leaks), so I attempted to implement my own Internet Kill Switch (i.e. force VPN).

When I ran DD-WRT on my previous router, this little firewall trick did the job:

iptables -I FORWARD ! -o tun+ -j DROP

However, this appears to block all traffic on OpenWRT (I added it in Luci > Network > Firewall > Custom Rules).

I tried to limit forwarding from the LAN > VPN interface only. I did this by deleting the forwarding rule (LAN > WAN) in LUCI (Network > Firewall) but it is reinstated after reboot. However, I did notice that it was disabled in my config files (/etc/config/firewall):

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '0'

So, it appears that the current auto-force simply checks to see if the VPN is enabled and then sets the above to “0” (disabled) if VPN Enabled = “1”.

I also had a play with the firewall settings (Luci > Network > Firewall).
The first thing I noticed is that disabling Masquerading on the WAN interface (recommended by Air VPN) appears to fix the IP leaks on boot (i.e. before the VPN connects).
Changing ACCEPT > REJECT under LAN > Forward and ovpn > Input (recommended by some VPN providers) did not interfere with the connection while obviously (presumably?) adding an extra layer of security.
These changes hold on reboot except the ovpn > Input > REJECT (which reverts to ACCEPT).
To fix this I edited /etc/init.d/startvpn and changed ACCEPT to REJECT under the relevant setting in set_ovpn_config.

Hopefully the developers will implement these changes as defaults (unless I am missing some reason why not?)

So, I think I have plugged the final IP leak and also tightened up the Force VPN / leak protection - comments and suggestions welcome!

EDIT: attached pic. of my firewall settings.
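
A way to re-check, after a reboot, that the forwarding state described in the post above still holds. This is an added example, not part of the original post or of the router firmware. The function name `leaky_forwardings` and the sample config are constructed, and `ovpn` is assumed to be the VPN zone name, taken from the zone mentioned in the post.

```shell
#!/bin/sh
# Added example, not from the original post or the firmware.
# Reads an OpenWrt firewall config on stdin and lists every enabled
# forwarding out of the 'lan' zone whose destination is not the VPN zone.
# Exit status: 0 = no bypass path, 1 = at least one bypass path.
# Usage on a router: leaky_forwardings ovpn < /etc/config/firewall
leaky_forwardings() {
    awk -v vpn="${1:-ovpn}" -v q="'" '
        function unquote(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
        function report() {
            # A forwarding with no "enabled" option counts as enabled.
            if (insec && src == "lan" && dest != vpn &&
                enabled !~ /^(0|no|off|false|disabled)$/) {
                print src "->" dest
                leaks++
            }
            insec = 0; src = ""; dest = ""; enabled = "1"
        }
        $1 == "config" { report(); insec = (unquote($2) == "forwarding"); next }
        insec && $1 == "option" {
            v = unquote($3)
            if ($2 == "src") src = v
            else if ($2 == "dest") dest = v
            else if ($2 == "enabled") enabled = v
        }
        END { report(); exit (leaks > 0) }
    '
}

# Constructed sample: lan->wan disabled as in the post, lan->ovpn allowed.
sample_config() {
    cat <<'EOF'
config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '0'

config forwarding
	option src 'lan'
	option dest 'ovpn'
EOF
}

if sample_config | leaky_forwardings ovpn; then
    echo "no LAN forwarding bypasses the VPN zone"
else
    echo "LAN traffic can be forwarded outside the VPN zone"
fi
```

This inspects only the `config forwarding` sections; it does not cover masquerading or the zone Input/Forward policies discussed in the post.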

Thanks! Fixing it. Will send for testing.