Just to be clear, this is a killswitch; that's what you want, right? So that it's only possible to connect through the VPN (tun0), and if the VPN goes down your internet gets "killed" so you don't leak your IP.
In that case you want to start ufw when your system starts, so you would need to whitelist your VPN. But if your VPN is already connected it should work without whitelisting the IP, I guess, but I never tried it since that's not recommended.
sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out on tun0 from any to any
sudo ufw allow out to VPN_IP_ADDRESS proto udp
You have to do the last line for all your VPN server IPs or the initial DNS request will not go through (if you connect through UDP).
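An added example (not the commenter's own script) that generates the rule set above for several VPN server IPs at once, so none of them is missed; the interface, protocol, port and server IPs are assumed inputs, and the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: build (and optionally apply) a ufw VPN killswitch rule set
# for several VPN server IPs. Not the commenter's script; names are assumptions.
# Usage: killswitch_rules IFACE PROTO "IP1 IP2 ..." [PORT]
# With APPLY=1 in the environment the rules are executed via sudo; otherwise
# they are only printed (dry run) so they can be reviewed before applying.

killswitch_rules() {
    iface="$1"; proto="$2"; servers="$3"; port="${4:-}"
    # Everything is denied unless explicitly allowed below.
    run ufw default deny outgoing
    run ufw default deny incoming
    # Traffic may only leave through the tunnel interface.
    run ufw allow out on "$iface" from any to any
    # The VPN connection itself has to bypass the tunnel, so every server
    # endpoint needs its own rule; a missing IP means that server cannot
    # connect (and the initial DNS lookup through it fails).
    for ip in $servers; do
        if [ -n "$port" ]; then
            run ufw allow out to "$ip" port "$port" proto "$proto"
        else
            run ufw allow out to "$ip" proto "$proto"
        fi
    done
}

# Dry run by default: print the exact ufw command instead of running it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        sudo "$@"
    else
        echo "$*"
    fi
}
```

Run `killswitch_rules tun0 udp "IP1 IP2" 1194` first to review the output, then re-run with `APPLY=1` and check the result with `sudo ufw status verbose`.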
I just realized this is not the exact setup I use. I use Radicale on the desktop but additionally Decsync. So I don't need Radicale on my other devices, just a Decsync client.
With "mostly" in my case I was referring to the Radicale-Decsync plugin, which works great but doesn't seem to be actively maintained anymore. So there was an instance where Radicale changed something and the Decsync plugin didn't work anymore. It was an easy fix, but sadly that fix is still not available in the "official" Radicale-Decsync plugin, which makes it hard for non-technical users to use it currently.
Yeah, I get that as well when I don't use uBlock's medium mode. The crucial part here is the medium mode, since that blocks youtube.com and google.com domains by default.
https://github.com/kando-menu/kando
This should be what you are looking for? It has controller support.