In case anyone is interested in the changes needed for Qubes OS 4.2 (iptables → nftables), the following did work for me:

# /rw/config/vpn/qubes-vpn-handler.sh
#...
nft flush chain ip qubes dnat-dns
if [[ -n "$vpn_dns" ]] ; then
    # Set DNS address translation in firewall:
    for addr in $vpn_dns; do
        nft add rule qubes dnat-dns iifname == "vif*" tcp dport 53 dnat "$addr"
        nft add rule qubes dnat-dns iifname == "vif*" udp dport 53 dnat "$addr"
    done
fi

# /rw/config/qubes-firewall-user-script
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
nft add rule qubes custom-forward iifname eth0 counter drop
nft add rule ip6 qubes custom-forward iifname eth0 counter drop
# Accept traffic to VPN
nft 'add chain qubes output { type filter hook output priority 0; policy accept; }'
# ...
# Block non-VPN traffic to clearnet
nft insert rule ip qubes output oifname eth0 counter drop
# Allow traffic from the `qvpn` group to the uplink interface (eth0);
# Our VPN client will run with group `qvpn`.
nft insert rule ip qubes output oifname eth0 skgid qvpn accept

You can also use iptables-translate to try out translation from one to the other.

Also, to disable OpenVPN in Debian:
systemctl disable --now openvpn.service
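
Added example, not part of the post above: the two `nft insert` lines in the firewall user script only work as a kill switch because `insert` puts the qvpn accept rule above the eth0 drop rule; if the accept is added with `nft add` instead, it lands below the drop and the VPN client itself is cut off. The function below checks that ordering in the text of `nft list chain ip qubes output`. The sample chain listings are constructed, and the exact quoting nft prints for the group name is an assumption.

```shell
#!/bin/sh
# Check the kill-switch rule order in the ip qubes output chain.
# Reads the output of `nft list chain ip qubes output` on stdin.
# Exit status: 0 = "skgid qvpn accept" comes before "oifname eth0 drop",
#              1 = wrong order, or one of the two rules is missing.
check_vpn_killswitch_order() {
    awk '
        /oifname "eth0"/ && /skgid/ && /accept/ { if (!accept_at) accept_at = NR }
        /oifname "eth0"/ && /drop/              { if (!drop_at)   drop_at   = NR }
        END {
            if (!accept_at || !drop_at) exit 1      # a rule is missing
            exit ((accept_at < drop_at) ? 0 : 1)    # accept must be above drop
        }'
}

# Constructed sample in the shape of `nft list chain ip qubes output`
# after the two `nft insert` commands from the firewall user script.
GOOD_CHAIN='table ip qubes {
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "eth0" meta skgid "qvpn" accept
        oifname "eth0" counter packets 0 bytes 0 drop
    }
}'

# Same rules in the wrong order (what `nft add` for the accept rule gives).
BAD_CHAIN='table ip qubes {
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "eth0" counter packets 0 bytes 0 drop
        oifname "eth0" meta skgid "qvpn" accept
    }
}'

# In the VPN qube (as root): nft list chain ip qubes output | check_vpn_killswitch_order
if printf '%s\n' "$GOOD_CHAIN" | check_vpn_killswitch_order; then
    echo "kill switch order OK"
fi
if ! printf '%s\n' "$BAD_CHAIN" | check_vpn_killswitch_order; then
    echo "accept rule sits below the drop rule: VPN client would be blocked"
fi
```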