IP Whitelist in K3S does not see VPN IPs

I'm trying to IP whitelist some services in K3S. Restricting to LAN addresses works fine after setting externalTrafficPolicy to local in the Traefik service. However, when traffic comes in over VPN, the whitelisting doesn't work and the connecting client's WAN address is shown in the access logs. VPN is set to send all traffic.

I'm thinking this could be something to do with depth, but I can't find any annotations for that...