iptables - вызовите весь трафик по VPN (и отбросьте весь трафик когда никакое соединение VPN),

I wouldn't use conntrack in this scenario but a much simpler set

iptables -A INPUT  -i tun0 -j ACCEPT
iptables -A INPUT  -s 10.10.10.10 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -d 10.10.10.10 -j ACCEPT

No need for any connection tracking. You also don't need the DROP rules at the end, by the way, the -P ... DROP takes care of that.

You'll also want to make sure that you use the IP of the VPN server in your config, otherwise, you'll have to whitelist DNS too:

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT  -p udp --sport 53 -j ACCEPT