@steveomitchell I know you posted your comment a couple of months ago but just ran across it. You should be able to still do the "No direct access to local network" and do exclusions. The No direct access just adds a route in the client route table for the local subnet and points it to the tunnel with a lower metric. The exclusions also add a route in the table but points it to the local interface. We are using both so you should be fine.
... View more