My solution is to use Wireguard "Always on VPN" and to block or create rules on the router (based on the network layer and DNS)
Pi-Hole for DNS
RouterOS appliance for Wireguard and firewall
Disadvantages: you will not be able to do it per application, like in RethinkDNS
p.s. RethinkDNS also have the ability to be a firewall (creates the local loopback VPN connection) but it works buggy as for me