How can I configure a killswitch for OpenVPN using firewalld?

In the general case, some prerequisites must be considered when implementing a kill switch:

  • DHCP/DHCPv6/ICMPv6 to configure and update IPv4/IPv6/SLAAC when necessary.
  • NTP to sync time to properly establish secure connections.
  • DNS to resolve NTP servers and VPN endpoints.

Otherwise the relevant system services may become deadlocked due to race conditions.
This can happen upon system reboot, temporary loss of connectivity, DHCP lease timeout, etc.

A firewall-based kill switch should work for OpenVPN.
But NetworkManager provides a built-in PBR-based kill switch for WireGuard.
It does not require any extra actions and is much easier to operate.
Besides better performance, this is another reason to use WireGuard if possible.
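
The prerequisites listed above, written out as firewalld direct rules on the OUTPUT chain; this is an added example, not part of the original answer. The endpoint address, port, protocol and tunnel device name (`VPN_IP`, `VPN_PORT`, `VPN_PROTO`, `TUN_DEV`) are assumed values to replace with your own, and the script only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Dry-run generator for an OpenVPN kill switch built from firewalld direct rules.
# Assumed values (not from the original answer); override via the environment.
VPN_IP="${VPN_IP:-203.0.113.10}"   # constructed documentation address
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
TUN_DEV="${TUN_DEV:-tun+}"         # matches tun0, tun1, ...

# emit FAMILY PRIORITY ARGS... -> one firewall-cmd line for the OUTPUT chain.
# Lower priority numbers are evaluated first, so the DROP goes in at 99.
emit() {
    _fam=$1; _prio=$2; shift 2
    echo "firewall-cmd --permanent --direct --add-rule $_fam filter OUTPUT $_prio $*"
}

killswitch_rules() {
    for fam in ipv4 ipv6; do
        emit "$fam" 0 -o lo -j ACCEPT
        emit "$fam" 0 -o "$TUN_DEV" -j ACCEPT        # anything inside the tunnel
        emit "$fam" 1 -p udp --dport 123 -j ACCEPT   # NTP
        emit "$fam" 1 -p udp --dport 53 -j ACCEPT    # DNS
        emit "$fam" 1 -p tcp --dport 53 -j ACCEPT    # DNS over TCP
    done
    # The OpenVPN endpoint itself must stay reachable outside the tunnel.
    emit ipv4 1 -d "$VPN_IP" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    emit ipv4 1 -p udp --sport 68 --dport 67 -j ACCEPT     # DHCP
    emit ipv6 1 -p ipv6-icmp -j ACCEPT                     # ICMPv6 (ND/RA, SLAAC)
    emit ipv6 1 -p udp --sport 546 --dport 547 -j ACCEPT   # DHCPv6
    # Everything else leaving the host is dropped when the tunnel is down.
    emit ipv4 99 -j DROP
    emit ipv6 99 -j DROP
}

killswitch_rules
```

After review, the output can be piped to `sh` as root and activated with `firewall-cmd --reload`. DNS and NTP are permitted outside the tunnel here because the prerequisites call for them, so DNS queries are visible on the local network.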