It's pretty easy (at least on Linux) to firewall all inbound/outbound traffic on your physical network interfaces, allowing only the bare minimum necessary to connect to the VPN server (DHCP to get a local ip + an udp/tcp connection to a single ip:port).
Last I checked, it was a bit more difficult to do on Windows, because it didn't allow interface-specific rules, and because software installers had a habit of opening holes for themselves in the firewall without asking you.
Last I checked, it was a bit more difficult to do on Windows, because it didn't allow interface-specific rules, and because software installers had a habit of opening holes for themselves in the firewall without asking you.