Overly complicated but in summary. My VPN termination is a virtual interface on a router that sits at the edge of my network. After authentication, the VPN allocates me an address within the network range of that interface. At that point, my device looks like any other connected device to that router. I can route / firewall traffic to any private area within the network as well as allow / deny access to any Internet egress on my network. I can modify these policies per login if needed. Again, overly complicated.
Here’s a much easier way:
Search Tailscale on the community. Lots of good success using this kind of VPN.