OK, my apologies … :(. I thought I had this working, but not quite. I was fooled by being on my local LAN (for debugging, it's easier), and some traffic "bypassed" the VPN connection. Not working as well once remote.
Trying to debug it, but having a heck of a time with the Firewall Rules. I have added a floating rule (which should be applied first), passing and logging all DHCP traffic between / on LAN and OpenVPN (TAP) ... but it's not catching anything - even though I see the traffic in the DHCP log, and also using tcpdump on the server (LAN interface). Very frustrating ... :(.
Any suggestions on the firewall would be greatly appreciated, as it's hard to debug this blind.
Thanks!!!