Force all traffic through VPN tun, drop any traffic not headed through VPN to prevent DNS leaks. Assuming use of TUN-based routing and redirect-gateway OpenVPN client options.

iptables.openvpn

# https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/
# Force all traffic through VPN tun
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

# Set a default DROP policy
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow basic INPUT traffic
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# Allow basic OUTPUT traffic
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Allow traffic to the OpenVPN server and via the tunnel
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -p udp -m udp -d 55.555.555.55 --dport 1194 -j ACCEPT

# Log dropped and rejected
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "IPTables:INPUT-INVALID-DROPPED -" --log-level 4
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables:INPUT-REJECTED -" --log-level 4
-A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables:FORWARD-REJECTED -" --log-level 4
-A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables:OUTPUT-REJECTED -" --log-level 4

# Reject everything else
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

Is there an undo?