openVPN fails on 4.1

There was a similar topic, but none helped.
sys-net–> sys-firewall----> Some AppVMs
|----> sys-vpn-Work —> some AppVMs
|----> sys-vpn-Home —> some AppVMs

Connect to the Work-VPN with sys-vpn-Work no problem, because it uses a static IP.
Connect to the Home-VPN with sys-vpn-Home doesnt work, because it uses a dynamic IP (DynDNS).

To clear out some things:
-VPN @ home works
-sys-net/sys-firewall can resolve the hostname
-Worked on 4.0 without problems
-I reinstalled it step by step fresh QubesOS vpn config
-Used my fedora-34-minimal config as sys-net,sys-firewall,sys-vpn-Home (worked on 4.0!) && tried with the preinstalled fedora-34 (with openvpn etc)
-sys-net && sys-firewall are dispVMs

The Error:
RESOLVE: Cannot resolve host address: (Name or service not known)

The Problem:
qubes-firewall-user-script - without it - it works, but leaks data, with it - nothing is working. No ping, nslookup, blah


iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP

#    Accept traffic to VPN
iptables -F OUTPUT

#    Add the `qvpn` group to system, if it doesn't already exist
if ! grep -q "^qvpn:" /etc/group ; then
     groupadd -rf qvpn
sleep 2s

#    Block non-VPN traffic to clearnet
iptables -I OUTPUT -o eth0 -j DROP
#    Allow traffic from the `qvpn` group to the uplink interface (eth0);
#    Our VPN client will run with group `qvpn`.
iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT


VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
su - -c '/rw/config/' user #cause also using otp

groupadd -rf qvpn ; sleep 2s
su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user

Can someone help me with it? I dont get it why qubes-firewall-user-script is invoking before the tunnel is up.