You really haven't clearly specified what you actually want to do when the VPN is UP.
1. No traffic to use the VPN
2. ALL traffic/devices to use VPN
3. Selectively route only some devices through the VPN (leave dest I/P blank for ALL destinations)
4. Block use of WAN access if VPN is DOWN i.e. force VPN
If you use IPVanish then there is a bug that has been identified (and fixed by RMerlin in the next release) where OpenVPN crashes when it tries to terminate and does not correctly tidy up the /etc/resolve entries.
I suggest you check the log to see if there is an error message when the VPN connection is lost.
Apologies for this.
When the VPN is UP, all traffic to use VPN connection. If I want some devices to use standard ISP connection, they connect to the router which is in between the Asus Merlin router and the modem. If the VPN goes DOWN on the Asus Merlin router, then any device which is connected to it, block the use of WAN (force VPN). And, if it needs to be known, I'm using ExpressVPN.
Here is a copy of the section of the log just before the connection drops. Please note, I have replaced the vpn url with *** as this information is only available to customers of the VPN service.
openvpn[1208]: TLS: tls_process: killed expiring key
May 11 20:01:16 openvpn[1208]: TLS: soft reset sec=0 bytes=6145531/0 pkts=15486/0
May 11 20:01:18 openvpn[1208]: VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
May 11 20:01:18 openvpn[1208]: VERIFY OK: nsCertType=SERVER
May 11 20:01:18 openvpn[1208]: VERIFY X509NAME OK: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
May 11 20:01:18 openvpn[1208]: VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
May 11 20:01:23 openvpn[1208]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 11 20:01:23 openvpn[1208]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 11 20:01:23 openvpn[1208]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 11 20:01:23 openvpn[1208]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 11 20:01:23 openvpn[1208]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
May 11 21:01:16 openvpn[1208]: TLS: tls_process: killed expiring key
May 11 21:01:23 openvpn[1208]: TLS: soft reset sec=0 bytes=710836/0 pkts=1869/0
May 11 21:01:37 openvpn[1208]: [server] Inactivity timeout (--ping-restart), restarting
May 11 21:01:37 openvpn[1208]: SIGUSR1[soft,ping-restart] received, process restarting
May 11 21:01:37 openvpn[1208]: Restart pause, 2 second(s)
May 11 21:01:39 openvpn[1208]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 11 21:01:39 openvpn[1208]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 11 21:02:10 openvpn[1208]: RESOLVE: Cannot resolve host address: ***.***.***: Name or service not known
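
The log check suggested earlier in the thread can be scripted; the following is an added example, not part of either post and not code from the firmware. It reads syslog-style OpenVPN client lines and reports when the tunnel dropped, whether the reconnect failed on name resolution, and the final state. The sample lines are constructed from the message types in the posted log, with a placeholder hostname; "Initialization Sequence Completed" is OpenVPN's standard success message and does not appear in the posted excerpt. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise OpenVPN client drop events from syslog-style lines.
# sample_log holds constructed lines; vpn.example.invalid is a placeholder host.
sample_log() {
cat <<'EOF'
May 11 21:01:16 openvpn[1208]: TLS: tls_process: killed expiring key
May 11 21:01:23 openvpn[1208]: TLS: soft reset sec=0 bytes=710836/0 pkts=1869/0
May 11 21:01:37 openvpn[1208]: [server] Inactivity timeout (--ping-restart), restarting
May 11 21:01:37 openvpn[1208]: SIGUSR1[soft,ping-restart] received, process restarting
May 11 21:01:39 openvpn[1208]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 11 21:02:10 openvpn[1208]: RESOLVE: Cannot resolve host address: vpn.example.invalid: Name or service not known
EOF
}

# Reads log lines on stdin and prints one line per event:
#   DROP <time> ping-restart        keepalive timeout, tunnel restarting
#   DNSFAIL <time> down_for=<n>s    reconnect could not resolve the server name
#   UP <time>                       tunnel re-established
# followed by STATE=up|down|unknown. Lines without a timestamp are skipped.
vpn_events() {
  awk '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ openvpn\[[0-9]+\]: / {
      ts = $1 " " $2 " " $3
      if ($0 ~ /Inactivity timeout \(--ping-restart\)/) {
        state = "down"; down_at = secs($3)
        print "DROP " ts " ping-restart"
      } else if ($0 ~ /RESOLVE: Cannot resolve host address/) {
        state = "down"
        # Seconds since the drop; the modulo covers a gap that crosses midnight.
        gap = (down_at == "" ? "?" : (secs($3) - down_at + 86400) % 86400)
        print "DNSFAIL " ts " down_for=" gap "s"
      } else if ($0 ~ /Initialization Sequence Completed/) {
        state = "up"; down_at = ""
        print "UP " ts
      }
    }
    END { print "STATE=" (state == "" ? "unknown" : state) }
  '
}

sample_log | vpn_events
```

A final STATE=down with a DNSFAIL entry means the client is stuck retrying name resolution, which is the window in which the force-VPN (block WAN) option matters.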