I know this has gotta be pretty simple, but my firewall-fu is poor.
I’m just trying to give my phone access to a single server on my LAN when away. I have OpenVPN set up and can connect to my home network while away, but I’ve set it up on a different subnet. I want to allow access to one machine on the LAN.
Specifically, 10.0.0.36 should be visible to VPN connections (10.0.2.0).
Specifying a single machine should be possible by using a /32 prefix, e.g. 10.0.0.36/32.
I might be wrong on this, but I believe the “IPv4 Local network(s)” input is simply a GUI wrapper for the push route option. So it makes the client add a route, but you still need a firewall rule on the OpenVPN interface to allow the traffic.
For the VPN interface rules (source), first have a pass rule to a specific IP address (destination). Be sure to specify the needed traffic type (TCP, UDP, etc.). Then, below the pass rule, block access to all of your local networks.
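As an added example (not from this thread or any firewall vendor), a small first-match rule evaluator that encodes the two rules suggested above and shows why their order matters; it assumes a tunnel network of 10.0.2.0/24 (the thread only says 10.0.2.0), a LAN of 10.0.0.0/24, SSH (22/tcp) as the service the phone needs, and `ovpns1` as the OpenVPN interface name.

```python
from ipaddress import ip_address, ip_network

# Constructed values: tunnel net 10.0.2.0/24, LAN 10.0.0.0/24, the single
# allowed host as a /32, and 22/tcp as the needed service. Rules are checked
# first match wins, as the pfSense/OPNsense GUI evaluates interface rules.
VPN_NET = ip_network("10.0.2.0/24")
LAN_NET = ip_network("10.0.0.0/24")
ALLOWED_HOST = ip_network("10.0.0.36/32")

# (action, proto, source, destination, destination port or None for any)
RULES = [
    ("pass", "tcp", VPN_NET, ALLOWED_HOST, 22),  # narrow pass rule first
    ("block", "any", VPN_NET, LAN_NET, None),    # then block the rest of the LAN
]

def evaluate(rules, proto, src, dst, dport=None, default="block"):
    """Return the action of the first matching rule, or the interface default.
    Default is 'block': an OpenVPN interface with no matching rule drops
    traffic, which is why a pass rule is needed at all."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto != "any" and r_proto != proto:
            continue
        if src_ip not in r_src or dst_ip not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return default

def to_pf(rules, iface="ovpns1"):
    """Render the table as pf.conf lines with 'quick', so pf also stops at the
    first match (pfSense writes its GUI rules this way). Interface name assumed."""
    lines = []
    for action, proto, src, dst, port in rules:
        line = f"{action} in quick on {iface}"
        if proto != "any":
            line += f" proto {proto}"
        line += f" from {src} to {dst}"
        if port is not None:
            line += f" port {port}"
        lines.append(line)
    return lines

if __name__ == "__main__":
    print("\n".join(to_pf(RULES)))
    print(evaluate(RULES, "tcp", "10.0.2.6", "10.0.0.36", 22))       # pass
    print(evaluate(RULES, "tcp", "10.0.2.6", "10.0.0.10", 22))       # block
    # Same two rules in the wrong order: the block now shadows the pass.
    print(evaluate(RULES[::-1], "tcp", "10.0.2.6", "10.0.0.36", 22))  # block
```

Any VPN traffic that matches neither rule (for example to a host outside the LAN) falls through to the interface default and is blocked.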