Networking is hard. Easy to make stupid mistakes.
Another thing you can do on Linux is to only allow outside traffic to and from your VPN adapter. For instance, I have rules in ufw that deny all incoming and outgoing traffic outside of my local subnet except if it is on tun0.
So if my VPN connection goes down, absolutely no traffic goes anywhere because then tun0 doesn’t even exist.
And my firewall is set to deny/deny so only traffic that is explicitly allowed traverses any interface. Nothing is perfectly secure, but that is about as close as you can get.