This guide configures Kali so that all network traffic is routed only over an OpenVPN connection. If the VPN drops for any reason, traffic is blocked rather than sent unencrypted.
Install Required Packages
Install the following packages.
apt-get install network-manager-openvpn network-manager-openvpn-gnome iptables-persistent
Import your OpenVPN config
It’s best to do this via nmcli rather than the GUI, as you get detailed error messages:
nmcli connection import type openvpn file yourprofile.ovpn
If it fails to connect, watch the system log:
tail -f /var/log/syslog
If you see an error similar to the one below:
kali gnome-shell[1030]: Invalid VPN service type (cannot find authentication binary)
This is a known bug. To fix this issue, go to:
Settings > Network > YourProfile, then click the box next to password, and select all users.

Configuring the Firewall
Paste the commands below into a terminal. Note that the port and protocol may need changing to match your VPN provider.
iptables -F
iptables -X
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#Allow VPN traffic
iptables -A OUTPUT -o tun+ -j ACCEPT
#Ensure the below is the same port and protocol as your VPN provider
iptables -A OUTPUT -p udp --dport 1198 -j ACCEPT
#Allow DNS (if your provider uses DNS for round robin between server IP addresses)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#Allow DHCP
iptables -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
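Added example (not part of the original guide): a shell audit that reads `iptables -S` output and lists every OUTPUT ACCEPT rule that still passes traffic when the tunnel is down, which for the rules above are the VPN port rule and the DNS rule. The function name audit_killswitch, both sample rule sets and the address 203.0.113.10 are constructed for illustration, and treating any -d destination as sufficient scoping is an assumption of this check.

```shell
#!/bin/sh
# Constructed sample: `iptables -S` output after loading the rules from this guide.
PAGE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -j DROP'

# Constructed variant: VPN port pinned to one server (203.0.113.10 is a
# documentation placeholder, not a real endpoint) and no off-tunnel DNS rule.
PINNED_RULES=$(printf '%s\n' "$PAGE_RULES" | sed \
    -e '/--dport 53 /d' \
    -e 's|^-A OUTPUT -p udp -m udp --dport 1198|-A OUTPUT -d 203.0.113.10/32 -p udp -m udp --dport 1198|')

# audit_killswitch: read `iptables -S` text on stdin, print one line per finding.
# Returns 1 if a chain policy is not DROP, or if an OUTPUT ACCEPT rule is not
# bound to lo/tun*, has no -d destination and is not a conntrack reply rule.
audit_killswitch() {
    awk '
        $1 == "-P" && $3 != "DROP" { print "POLICY " $2 " is " $3; bad++ }
        $1 == "-A" && $2 == "OUTPUT" && $NF == "ACCEPT" {
            scoped = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-o" && ($(i+1) == "lo" || $(i+1) ~ /^tun/)) scoped = 1
                if ($i == "-d" || $i == "--ctstate") scoped = 1
            }
            if (!scoped) { print "UNSCOPED " $0; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# Audit the sample; on a live system run: iptables -S | audit_killswitch
printf '%s\n' "$PAGE_RULES" | audit_killswitch || echo "off-tunnel paths remain"
```

The commands in this guide only load the IPv4 tables, so run the same audit against `ip6tables -S` as well.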
Save the rules to run on reboot
netfilter-persistent save
update-rc.d netfilter-persistent enable