Restricting traefik to listen on specif network interface


I've been struggling for 2 weeks now to do something that should be easy in principle, and perhaps is and I just keep missing it, and I'd love if somebody could point me in the right direction.

I tried setting up a k3s node in a VPS connected to my private VPN. Everything works fine except that when I create an Ingress I cannot seem to configure the cluster in a way that I can only access the Ingress pages from my VPN network. I don't know how to tell Traefik to only accept incoming comunications on the VPN network interface.

When I disconnect from my VPN, if I change my /etc/hosts file to go through the VPS external IP I manage to go through and hit my Service.

I tried using the externalTrafficPolicy: Local and set a IPWhitelist Middleware with a rule to allow only the IP range of the VPN network. Problem is when containers try to reach other containers through the Ingress they get Forbidden. (for example when the gitlab runner tried to reach the gitlab registry it does so by the Ingress) When I add the pods CIDR to the whitelist all of a sudden I can access the services again from the VPS external IP I assume because klipper reroutes if I hit the wrong node (not the node that's running the service I want) and then the IP that Traefik sees is a Pod IP.

Is it possible to add iptables rules for incoming comunications on a specific network adapter on each k3s node without messing with the cluster own configurations?

Is there a way to tell traefik to only accept incoming comunications from the VPN network adapter?

How do people usually deal with this. I'd like to be able to add VPS to my home internal cluster without exposing my services on the Internet. Any tips?

Thanks in advance for all the advice and hope I'm not cluttering this forum with stupid and recurrent questions but I scoured the web and couldn't find anything that works.

Best regards,
André Santos