Need help to configure an OpenVPN kill switch with nftables on a dumb access point

Hello together,
I need the help of you experts. I am currently running my TP-Link Archer C7 v5 with OpenWrt 21.02.3 as a dumb access point and VPN gateway at the same time. The access point has been assigned the IP 192.168.1.4 and receives the Internet from the main router with the IP 192.168.1.1 on LAN port 1. The WAN port is not in use.
I proceeded according to the following instructions:

without deactivating the firewall.

The devices on LAN port 2-4 are also accessible and can connect to the Internet.

At the same time, the access point functions as a VPN gateway. For this I proceeded partially according to the following instructions:

Additionally, I added a kill switch in firewall.user like this:

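# Kill switch for the VPN gateway role, run from /etc/firewall.user (fw3):
# while the OpenVPN interface tun0 is not up, put a catch-all REJECT at the
# head of the user forwarding chain so that traffic of clients which use this
# box as their gateway is not forwarded at all. (With `option gateway
# '192.168.1.1'` on the lan interface and lan forward set to ACCEPT, a down
# tunnel would presumably let that traffic be forwarded out via br-lan
# instead — verify on the device.)
# The rule is inserted only once: `iptables -C` reports whether it is already
# present. Both probes are silenced so a missing interface or rule does not
# fill the log on every firewall reload.
# NOTE(review): `ip a s tun0 up` exits 0 as soon as tun0 exists, even when the
# interface is administratively down, so the original test treated an existing
# but down tun0 as "up". Testing for non-empty output of the `up` filter closes
# that gap.
# NOTE(review): on 22.03 (fw4/nftables) /etc/firewall.user is no longer run by
# default and the forwarding_rule chain is gone; the same check has to be
# re-expressed as an nftables include.
if [ -z "$(ip a s tun0 up 2>/dev/null)" ] && ! iptables -C forwarding_rule -j REJECT 2>/dev/null; then
       iptables -I forwarding_rule -j REJECT
fi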

Currently everything works: on the devices in the network that must communicate exclusively via the VPN, I have entered the access point as the gateway. So far everything works fine with OpenWrt 21.02.3.
My problem is that with the current version 22.03, iptables scripts no longer work, so my kill switch no longer functions.

My question therefore to you:

How can I implement this custom rule with nftables? Maybe there are other possibilities? I absolutely need communication with the Internet to go exclusively via the VPN.

Here are my Configs:

/etc/config/network

# /etc/config/network as pasted: the Archer C7 is a dumb AP on br-lan (switch
# VLAN 1) with the upstream router 192.168.1.1 as its gateway, plus a tun0
# interface used by OpenVPN.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8d:f860:99b0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

# Static address on the upstream LAN. The default route points at the main
# router on the same bridge, so forwarded client traffic leaves via br-lan
# whenever OpenVPN has not installed its own routes (presumably — confirm with
# `ip route` while the tunnel is down).
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.4'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'

config device
        option name 'eth0.2'
        option macaddr 'd8:47:32:3c:f4:02'

# WAN interfaces exist on eth0.2 but are not brought up (auto '0'), matching
# the statement that the WAN port is unused.
config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option auto '0'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (eth0.1, bridged into br-lan) and VLAN 2 (eth0.2, the unused WAN).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# OpenVPN tunnel; proto 'none' because OpenVPN itself configures tun0.
# Referenced by the 'vpnfirewall' zone in /etc/config/firewall.
config interface 'surfshark'
        option proto 'none'
        option device 'tun0'

/etc/config/firewall

# /etc/config/firewall as pasted. Forwarding is rejected by default and only
# opened per zone/forwarding section below.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# NOTE(review): forward 'ACCEPT' on the lan zone also allows lan -> lan
# forwarding. Since the upstream router 192.168.1.1 is on this same zone, this
# is the path a VPN client's traffic can take when tun0 is down — which is what
# the firewall.user kill switch was blocking.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# 'wan' and 'wan6' are auto '0' in /etc/config/network, so this zone currently
# has no active interface; the lan -> wan forwarding and the wan rules below
# are therefore inert on this box.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

# fw3-style script include that carries the kill switch. On 22.03 (fw4) a shell
# include is only executed when it also carries option type 'script' and
# option fw4_compatible '1'; the nftables-native alternative is an include of
# type 'nftables'.
config include
        option path '/etc/firewall.user'
        option reload '1'

# Zone for the OpenVPN tunnel: client traffic forwarded from lan is
# masqueraded behind the tunnel address, nothing may enter from the tunnel.
config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'surfshark'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

The devices connected to LAN ports 2-4 are allowed to access the Internet without the VPN. Only for the end devices that have the access point entered as their gateway should everything run via the VPN.

Thanks already for the help

What do you want to accomplish? Internet only via VPN?

A more conventional setup would be to segregate VPN users into their own network, with a separate wifi SSID and/or Ethernet VLAN. Then a "kill switch" functionality is inherent by only allowing vpnuser to forward to vpntunnel. If the tunnel is down they will have no Internet at all.

Hi mk24. Thanks for your feedback. Could you help me with a detailed setup for that approach? I think I need your help for such a config.

Many thanks
Michael