Look for "Split access", it's pretty similar to what you're talking about. Basically you'd just send all your traffic on your default routes table to 127.0.0.1 (nowhere), and all the traffic on your VPN routes table to the VPN. That way, when the VPN isn't active all your traffic gets blackhole'd; when your VPN is active it'll all get sent over the encrypted tunnel though.
I think OP means prior to connecting to VPN so you are minimally exposed during the interim VPN setup.
Same technique could work, just more annoying (static route for VPN provider IP to your LAN gateway, and static routes for your trusted DNS provider, then only allow a default route to be established once VPN is connected).
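The routing setup described in the comment above, sketched as an added example (not code posted by anyone in the thread). It assumes Linux with iproute2; the interface names, the LAN gateway and the documentation-range addresses for the VPN endpoint and DNS resolver are constructed placeholders. The functions print the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Constructed placeholder values; replace with your own before applying.
LAN_GW="${LAN_GW:-192.168.1.1}"            # LAN gateway (assumed)
LAN_IF="${LAN_IF:-eth0}"                   # physical interface (assumed)
VPN_IF="${VPN_IF:-tun0}"                   # tunnel interface (assumed)
VPN_SERVER="${VPN_SERVER:-198.51.100.10}"  # VPN provider endpoint (placeholder)
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53}"   # trusted resolver(s), space separated

# Print each command by default; execute only when APPLY=1 (requires root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Before the VPN is connected: remove the default route and pin host routes,
# so only the VPN endpoint and the trusted DNS resolver are reachable off-LAN.
killswitch_pre() {
    run ip route del default
    run ip route add "$VPN_SERVER/32" via "$LAN_GW" dev "$LAN_IF"
    for dns in $DNS_SERVERS; do
        run ip route add "$dns/32" via "$LAN_GW" dev "$LAN_IF"
    done
}

# After the tunnel is up: the only default route points into the tunnel.
# If the tunnel device later goes away, the kernel drops this route and
# nothing replaces it, so other traffic has no route and fails closed.
killswitch_up() {
    if [ "${APPLY:-0}" = "1" ] && ! ip link show "$VPN_IF" >/dev/null 2>&1; then
        echo "refusing: $VPN_IF is not present" >&2
        return 1
    fi
    run ip route add default dev "$VPN_IF"
}

# Optional command-line use: ./killswitch.sh pre | up
case "${1:-}" in
    pre) killswitch_pre ;;
    up)  killswitch_up ;;
esac
```

A DHCP client or network manager that re-installs a default route on lease renewal would undo the first step, so check `ip route show` after a renewal.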