What kind of firewall do you have? (Not on the VM, though something similar might work there also)
I use OPNsense and have an allow rule for the specific IP and port my VPN uses from that VM’s IP. Then a block-everything rule from the VM IP after the allow.
I can connect to the VPN no problem; updates and everything work through the VPN. When it goes down, it tries to connect normally and fails.
DNS can be a problem when trying to connect to the VPN, so make sure to use the IP.
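
The rule order described in this post, modeled as first-match evaluation (an added example, not part of the original post and not OPNsense's own code). All addresses, UDP port 1194, the resolver on the firewall's LAN address, and the default LAN allow rule are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values (documentation ranges), not taken from the post.
VM_IP = "192.168.1.50"
VPN_SERVER_IP = "203.0.113.10"
VPN_PORT = 1194               # assumed UDP VPN port
LAN_RESOLVER = "192.168.1.1"  # assumed: DNS resolver on the firewall itself

def _in(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # address, CIDR, or "any"
    dst: str
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (_in(src, self.src) and _in(dst, self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

# Order from the post: allow the VPN endpoint, then block everything else from the VM.
KILL_SWITCH = [
    Rule("pass", VM_IP, VPN_SERVER_IP, "udp", VPN_PORT),
    Rule("block", VM_IP, "any"),
    Rule("pass", "192.168.1.0/24", "any"),  # assumed default allow for other LAN hosts
]

def evaluate(rules, src, dst, proto, dport) -> str:
    """First matching rule wins; traffic matching no rule is blocked."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "block"

if __name__ == "__main__":
    flows = {
        "VPN tunnel": (VM_IP, VPN_SERVER_IP, "udp", VPN_PORT),
        "direct HTTPS while VPN is down": (VM_IP, "198.51.100.7", "tcp", 443),
        "DNS lookup of a VPN hostname": (VM_IP, LAN_RESOLVER, "udp", 53),
        "another LAN host": ("192.168.1.60", "198.51.100.7", "tcp", 443),
    }
    for name, flow in flows.items():
        print(f"{name:32} -> {evaluate(KILL_SWITCH, *flow)}")
```

The blocked DNS flow is the reason the VPN client needs the server's IP rather than a hostname, and swapping the first two rules blocks the tunnel itself.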