Under IP > Firewall > Filter, add a rule: Chain=Forward, Out Interface=WAN, Action=Drop.
Then drag and drop the rule to the top of the list.
When traffic originates from the router, the firewall rules in the OUTPUT chain are applied. When traffic is destined to the router (meaning its destination is the WAN interface's IP, and there is no matching NAT rule to forward the traffic to a private IP), the INPUT chain is applied. When traffic passes through the router, such as internet traffic from PCs inside your LAN, the FORWARD chain is applied. The rule we just created drops all traffic passing through the router that is going out the WAN interface. So now traffic can either go out the VPN client via routing rules, or it gets dropped.
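A simplified model of the chain selection and top-down rule matching described above, added here as an illustration and not taken from RouterOS: it shows why the drop rule has to sit at the top of the list, and that the router's own VPN client traffic (OUTPUT chain) is not affected by it. The addresses, the "VPN" interface name and the broad accept rule are constructed assumptions, and connection tracking and NAT are left out.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses: the router's WAN and LAN IPs.
ROUTER_IPS = {"203.0.113.2", "192.168.88.1"}

@dataclass
class Packet:
    src: str
    dst: str
    out_if: Optional[str]  # interface picked by routing; None if delivered locally

@dataclass
class Rule:
    chain: str
    action: str                   # "accept" or "drop"
    out_if: Optional[str] = None  # None matches any out interface

def chain_for(pkt: Packet) -> str:
    """Pick the filter chain the way the text describes it."""
    if pkt.src in ROUTER_IPS:
        return "output"   # traffic originated by the router
    if pkt.dst in ROUTER_IPS:
        return "input"    # traffic destined to the router itself
    return "forward"      # traffic passing through the router

def verdict(rules: list, pkt: Packet) -> str:
    """First matching rule in the packet's chain wins; no match means accept."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.chain == chain and rule.out_if in (None, pkt.out_if):
            return rule.action
    return "accept"

KILL = Rule("forward", "drop", out_if="WAN")  # the rule from the text
ALLOW_FWD = Rule("forward", "accept")         # hypothetical existing broad accept

lan_to_wan = Packet("192.168.88.10", "198.51.100.7", "WAN")  # LAN PC, direct route
lan_to_vpn = Packet("192.168.88.10", "198.51.100.7", "VPN")  # LAN PC, routed via VPN
tunnel = Packet("203.0.113.2", "198.51.100.50", "WAN")       # router's VPN client

def demo() -> dict:
    top = [KILL, ALLOW_FWD]      # drop rule dragged to the top
    bottom = [ALLOW_FWD, KILL]   # drop rule left below the accept
    return {
        "top": [verdict(top, p) for p in (lan_to_wan, lan_to_vpn, tunnel)],
        "bottom_lan_to_wan": verdict(bottom, lan_to_wan),
    }
```

With the drop rule below a broader accept in the same chain, LAN traffic still leaves through the WAN, which is the leak that moving the rule to the top prevents.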