Implementing an OpenVPN "kill switch" with iptables
Future readers, be aware that the rules presented here "will allow deanonymization because it allows any connection over port 1194, not just traffic originating from OpenVPN". This answer presents a much simpler set of rules which do not require hardcoding any IPs or ports.