To ensure that the traffic from your local network will only be forwarded through the VPN interface and dropped if the VPN is disconnected, you need to add a simple firewall rule.
In Administration > Scripts > Firewall tab, add the following rule:iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP
Save rule and reboot router. the rule above stops forwarding packets for all IPs in the LAN if the VPN isn't active. Forwarding traffic only works with the VPN connection active. To add a drop rule for a specific IP that is using the VPN, in case you use Policy Based Routing for OpenVPN:iptables -I FORWARD -i br0 -s <ip address> -o `nvram get wan_iface` -j DROP
where in the above example, the <ip address> is the local IP of the machine/device added in Policy Routing to use the VPN. Also consider using a static IP address for that machine so it doesn't get changed through DHCP. We recommend to set up the static IP on the computer/device directly, but you can also do so in the Tomato's Status > Device List using the Static button below the connected device details.
To set up a "kill switch", see this guide