I guess you’re talking about firewall rules? If so, adding the VPN server entry IP in sys-firewall will ensure that only this IP can receive network packets from your system.
Try it, use an AppVM attached to your VPN VM and turn the VPN off. Then use the AppVM to access a website and see if it works or not. If the firewall and the iptables rules are correct, you won’t be able to access anything without the VPN being active.
It depends if you decided to use OpenVPN or Wireguard. OpenVPN don’t really have any multihop beside the “bridge” with ssh which involve more steps. If you use Wireguard, then you can use the multihop port they provide for each servers and use it in your wireguard configuration.
Ignore the outdated UI elements; it’s written for an older version of Qubes but it still works like a charm and addresses your first two points.
I don’t know about multi-hop but I’ve had success chaining different VPN VMs in the past with and without Whonix/Tor in between (hint: if it doesn’t work, make sure the first VPN is using TCP port 443)