Personnaly I don't clearly understand in how a killswitch is different than the firewall rules as :
- deny outgoing all
- deny incoming all
- allow out anywhere on tun0
rules for ufw on Linux Mint
In addition I have some local DNS resolver (Unbound) so that if the firewall was bypassed, anyway Unbound is disabled by my vpnstart script after the tun0 connection is on. Perhaps I could call this a double killswitch.