Well, you can beat the default route and instead add a route for vpn, then when it falls, there will simply be no route

Alternatively, you can raise the vmware virtual machine, for example, and assign it a tap network interface from openvpn.
There will be a 100% guarantee that nothing will leak out.

Apparently one I realized what he wants TC.
Imagine the situation - the Internet is connected via a 3G / 4G modem (settings come via DHCP), openvpn is launched on top of it with the default GW replaced. Programs that actively use the Internet connection are working.
The user leaves the computer to smoke / drink_tea / etc, at this time the Internet connection through the modem is interrupted, openvpn also drops, the modem reconnects the Internet, but openvpn has not yet been raised (this takes from 10 seconds to several minutes depending on the settings) and this the very period of time to “fire” the user's IP. Openvpn rises, the Internet starts to "go as it should", the user comes and sees that everything is ok, and does not know that he has already "burned out".
This is the kind of situation TS is afraid of.

It is most reliable to use an additional machine, including a virtual one.
You can either create traffic on a virtual machine by passing it through Windows, or, conversely, pass Windows traffic only through a virtual machine.
In order for Windows traffic to go only to the virtual machine, despite the fact that it is Windows that has physical access to the Internet in the first place, it is necessary to uncheck IPv4 and IPv6 in the settings for the physical connection to the Internet. Then a virtual machine clings to this connection at one end, and the same virtual machine clings to the Host only network interface at the other end, and it is through this Host only interface that the main wheelbarrow should work.
3G in the connection scheme complicates the task. 3G may not connect to the virtual machine. Virtual machines have USB forwarding, but in case it doesn’t work out, I would fork out for a 3G router connected via Ethernet.

Let's say I have 3G and the provider forcibly assigns the settings every time, i.e. the Internet works for me in any case, the main gateway is registered or not registered.

Can you give more details? How will the Internet work for you without the main gateway? I wrote route del default
in my Linux down script and that's it. In case of VPN failure, the main gateway is removed from me and the Internet does not work until I set the default gateway again

And you do not do anything for which you will be ashamed later, and the problem will disappear by itself.