@passwd - it is generally preferred for files to be attached directly to the post rather than via pastebin or other sites. Please do this in the future (@golialive already mentioned this, too).
If I understood your desired operating mode, you want the RPi to serve 2 purposes:
1. Set up a VPN tunnel that is transparent to the PC (RPi is the VPN client, sets up the tunnel, PC traffic is all routed through the VPN transparently).
2. If the VPN tunnel is not active, block all traffic PC <-> internet. Essentially this 'turns off' (or unplugs) the internet for that PC if the VPN is not running.
Is this correct?
#1 is achieved by setting up the VPN (network interface: providervpn) and the firewall (zone: vpn), and having the firewall set to allow forwarding lan > vpn. #2 should happen because you had previously deleted the firewall forwarding from lan > wan. This basically cuts the connection to the internet if the VPN is not available.
If so, you're most of the way there, but you should try changing a few things:
- There is no need for the Block_Zone firewall zone. It is not doing anything useful and will likely only complicate your configuration and troubleshooting. I'd recommend removing it entirely.
- Change the subnet mask back to 255.255.255.0 -- this will help ensure that the RPi has the ability to properly control your PC's internet connection and guarantee that you don't have any overlapping network ranges.
- Remove the option type bridge from the lan section in the network config file.
With those changes in place, log on to your RPi and start the VPN. Test your internet. It should be working. Checking your IP should result in something from the VPN provider (a traceroute will also show that your traffic is routing through the VPN tunnel).
Then stop the VPN (you may need to use the command line to get it to stop properly: /etc/init.d/openvpn stop).
Test your internet connection again. It should not work. You should have no outside access. And if this is what you want, everything is working as expected. Start the VPN again to get internet again.
Please also post the results of the ifconfig command from the RPi (ssh session into the RPi, type ifconfig on the command line).
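An added example, not part of the original posts: a small audit of the firewall forwardings that give the kill-switch behaviour described above (lan > vpn present, lan > wan absent). The zone names follow the thread; the function names and the sample configs are constructed for illustration, and only `config forwarding` sections are inspected.

```shell
#!/bin/sh
# Added example, not from the thread: audit firewall forwardings for the kill switch.
# Zone names lan/wan/vpn follow the thread; function names are hypothetical.

# Print "src>dest" for each 'config forwarding' section of UCI text on stdin.
list_forwardings() {
    awk -v q="'" '
        function unquote(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
        function emit() {
            if (in_fwd && src != "" && dest != "") print src ">" dest
            in_fwd = 0; src = ""; dest = ""
        }
        $1 == "config" { emit(); in_fwd = (unquote($2) == "forwarding"); next }
        in_fwd && $1 == "option" && $2 == "src"  { src  = unquote($3) }
        in_fwd && $1 == "option" && $2 == "dest" { dest = unquote($3) }
        END { emit() }
    '
}

# Return 0 only if lan>vpn is forwarded and lan>wan is not.
check_killswitch() {
    fwds=$(list_forwardings)
    status=0
    if printf '%s\n' "$fwds" | grep -qx 'lan>wan'; then
        echo "FAIL: lan>wan forwarding present; PC traffic can bypass the VPN"
        status=1
    fi
    if ! printf '%s\n' "$fwds" | grep -qx 'lan>vpn'; then
        echo "FAIL: no lan>vpn forwarding; PC traffic cannot reach the tunnel"
        status=1
    fi
    if [ "$status" -eq 0 ]; then echo "OK: lan is forwarded to vpn only"; fi
    return "$status"
}

# Constructed sample configs (not the poster's actual files).
GOOD_CFG="config zone
	option name 'vpn'
	option network 'providervpn'

config forwarding
	option src 'lan'
	option dest 'vpn'
"
LEAKY_CFG="$GOOD_CFG
config forwarding
	option src 'lan'
	option dest 'wan'
"
printf '%s' "$LEAKY_CFG" | check_killswitch || true
```

On the router itself the same check would be run as `check_killswitch < /etc/config/firewall`.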
I confirm 100% that's what I asked for,
and with your steps it works better (before it was kind of buggy).
I deleted block_zone and changed the subnet mask back to 255.255.255.0 and it works perfectly. I don't know why it didn't work before! And I removed option type bridge.
Everything works 100%,
and I turned the VPN OFF and there is no access at all to the internet.
One more thing: when I turn the VPN OFF and do a traceroute, it gives me this result. Is it normal?
traceroute to lede-project.org (139.59.209.225), 30 hops max, 38 byte packets
1 192.168.1.1 5.113 ms
2 84.235.124.8 18.053 ms
3 84.235.124.69 20.842 ms
4 84.235.94.135 19.921 ms
5 84.235.94.9 99.684 ms
6 80.81.193.141 99.451 ms
7 138.197.250.151 99.650 ms
8 139.59.209.225 100.866 ms
Did you do the traceroute from the RPi (either on the LuCI page or within an SSH session)? If so, this is normal, as the RPi device (with LEDE) must be able to reach the internet in general in order to establish a VPN connection in the first place.
However, if you ran that traceroute on your PC directly (i.e. not through the RPi) it is not normal.