IP Whitelist in K3S does not see VPN IPs

I'm trying to IP whitelist some services in K3S. Restricting to LAN addresses works fine after setting externalTrafficPolicy to local in the Traefik service. However, when traffic comes in over VPN, the whitelisting doesn't work and the connecting client's WAN address is shown in the access logs. VPN is set to send all traffic.

I'm thinking this could be something to do with depth, but I can't find any annotations for that...

I'm having the same issue when using OpenVPN (using TUN - clients are mobile devices so TAP is not an option). Found this other post but it doesn't seem like they found a solution.