I am trying to do some best-practises firewalling between me and my friends site-to-site openVPN tunnel.
Lets say the network looks like this:

Local(My) network: 192.168.1.0/24
Remote site-to-site network: 192.168.2.0/24
Local tunnel endpoint 192.168.10.1
Remote tunnel endpoint: 192.168.10.2

I have no idea what kind of people that might connect on his network, so I will try to be alittle strict with that I will let pass through the tunnel.
So I guess the best way to go, is probably to specify what IS allowed through, instead of specifying everything that is NOT allowed.

Now my question is about how to specify the source when filtering the traffic. If I understand correctly, the filtering is happening on the OpenVPN-tab. Can I set the source to be that whole subnet on his end (192.168.2.0/24) and thats good? Or can I specify the tunnel-IP as a source, and in that way block/allow from that particular tunnel to him, no matter what subnet he has? (I have more VPN tunnels to other people). In other words, can I use source 192.168.10.2?

He may have other VPN-tunnels on his end to other people, and I would like to restrict access for them (but maybe still allow him(his subnet) access, so they don't just "bridge" theire way onto my home network. How can this be avoided?

Regards