If you go to the tun0 interface (under Network > Interfaces), click Edit and then go to the Firewall tab, you can create a new zone (vpn).
Then, return to the Network > Firewall configuration, and you'll see the new vpn zone listed with the lan and wan zones. Edit the vpn zone, and configure it the same as the wan (typically input=reject, output=accept, forward=reject, enable masquerading). Allow forward from the LAN zone (and nothing in the "allow forward to destination zones" field).
Now, you can remove the LAN > WAN forwarding, and as long as the tunnel is running, you'll have internet access (and when it is down, the internet is blocked).
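A way to verify the resulting layout from the command line, as an added example that is not part of the original post: it assumes the router is OpenWrt and stores its firewall configuration in UCI format (normally `/etc/config/firewall`), and the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a UCI firewall config for the kill-switch layout.
# Zone names lan/wan/vpn follow the post; the config format is an assumption.

audit_killswitch() {   # $1 = path to firewall config, $2 = VPN zone name
    awk -v q="['\"]" -v vpn="$2" '
        function bad(msg) { print "FAIL: " msg; rc = 1 }
        function close_section() {
            if (type == "forwarding") fwd[o["src"] ">" o["dest"]] = 1
            if (type == "zone" && o["name"] == vpn) {
                seen = 1
                if (toupper(o["input"]) != "REJECT")   bad(vpn " zone input is not REJECT")
                if (toupper(o["forward"]) != "REJECT") bad(vpn " zone forward is not REJECT")
                if (o["masq"] != "1")                  bad(vpn " zone has masquerading off")
            }
            split("", o)   # portable way to clear the option array
        }
        $1 == "config" { close_section(); type = $2; next }
        $1 == "option" { gsub(q, "", $3); o[$2] = $3 }
        END {
            close_section()
            if (!seen) bad("no zone named " vpn)
            if (!(("lan>" vpn) in fwd)) bad("missing lan -> " vpn " forwarding")
            if ("lan>wan" in fwd) bad("lan -> wan forwarding present: LAN traffic bypasses the tunnel")
            for (k in fwd) if (index(k, vpn ">") == 1) bad(vpn " zone forwards onward: " k)
            exit rc + 0
        }
    ' "$1"
}

# Constructed sample config; pass "leaky" to keep the lan -> wan forwarding.
sample_config() {
    printf "config zone\n\toption name 'lan'\n\toption forward 'ACCEPT'\n\n"
    printf "config zone\n\toption name 'wan'\n\toption forward 'REJECT'\n\toption masq '1'\n\n"
    printf "config zone\n\toption name 'vpn'\n\toption input 'REJECT'\n"
    printf "\toption output 'ACCEPT'\n\toption forward 'REJECT'\n\toption masq '1'\n\n"
    printf "config forwarding\n\toption src 'lan'\n\toption dest 'vpn'\n\n"
    [ "$1" = leaky ] && printf "config forwarding\n\toption src 'lan'\n\toption dest 'wan'\n"
    return 0
}

# Demo on the constructed leaky config: reports the leftover lan -> wan forwarding.
tmp=$(mktemp) && sample_config leaky > "$tmp"
audit_killswitch "$tmp" vpn || echo "kill switch NOT effective"
rm -f "$tmp"
```

On a router, run `audit_killswitch /etc/config/firewall vpn`; no output and exit status 0 means LAN traffic can only leave through the vpn zone.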