openvpn Issues setting up openvpn with a killswitch in a freebsd jail

[n.pubblic 0]

I'm trying to setup a kill switch so that if OpenVPN goes down all other connections are automatically locked. I adapted this config as it follows:
 

### EDITED
group openvpn
################
client
dev tun
remote XXXXXX 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
rcvbuf 262144
sndbuf 262144
push-peer-info
setenv UV_IPV6 yes
ca "/opt/openvpn/keys/ca.crt"
cert "/opt/openvpn/keys/user.crt"
key "/opt/openvpn/keys/user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
tls-auth "/opt/openvpn/keys/ta.key" 1

and this is my ipfw config

#!/bin/bash
ipfw -q -f flush
cmd="ipfw -q add"
vpn="tun2"
$cmd 00001 allow all from any to any via lo0
$cmd 00010 allow all from any to any via tun0 
$cmd 00101 allow all from me to 192.168.0.0/16
$cmd 00102 allow all from 192.168.0.0/16 to me
###############################
# it should allow openvpn to establish the connection
$cmd 00103 allow all from any to any gid openvpn 
###############################
$cmd 00104 allow all from any to any established
$cmd 00110 allow tcp from any to any dst-port 53 out setup keep-state
$cmd 00111 allow udp from any to any dst-port 53 out keep-state
$cmd 00201 deny all from any to any

when i try to start openvpn it won't work e.g. 
 

Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/user.key' is group or others accessible
Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/ta.key' is group or others accessible
Mon Jul 20 22:13:17 2020 OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 12 2020
Mon Jul 20 22:13:17 2020 library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10
Mon Jul 20 22:13:17 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 20 22:13:17 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 20 22:13:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.221.34:443
Mon Jul 20 22:13:17 2020 Socket Buffers: R=[42080->262144] S=[9216->262144]
Mon Jul 20 22:13:17 2020 UDP link local: (not bound)
Mon Jul 20 22:13:17 2020 UDP link remote: [AF_INET]184.75.221.34:443
Mon Jul 20 22:13:17 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Jul 20 22:13:17 2020 write UDP: Permission denied (code=13)
Mon Jul 20 22:13:19 2020 write UDP: Permission denied (code=13)
Mon Jul 20 22:13:23 2020 write UDP: Permission denied (code=13)

it looks like that in freebsd openvpn wants to start as root/wheel no matter what ad it will downgrade to a custom group only once the first connection has been successfully established. Is there a way around that? Else, is there another way to allow only openvpn to connect to the internet? I'm not married to this solution, i just want to setup a killswitch and avoid iptables.