I would like to create 3 types of access to my LAN behind my router:
1) powerful access: it means the user can access the LAN over IP and can surf the Internet (even if not secure);
2) powerful access to the LAN: it means the user cannot surf the Internet but can communicate with any PC on the LAN on every port and IP (everything over the IP protocol is allowed);
3) restricted access to the LAN: it means the user cannot surf the Internet and his/her access to the LAN must be subject to constraints.
Using the "acl" option in the client's section is not a good idea as it marks traffic to be protected. So I cannot use it for people belonging to the 1st group, otherwise they will be permitted to surf the Internet.
I ought to apply the rules concerning VPN clients directly to the outside interface, but they will be mixed with the other rules applied to that interface.
Is there a prettier way? Should I use route maps? And how?
Moreover, given that the LAN beyond the router is 192.168.20.0/24, do you think it is a good idea to reserve a subnet (e.g. 192.168.20.128/28) for VPN clients? Doing that also requires specifying a route towards that range pointing to the outside interface.
Sorry for the long post.
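As an added configuration sketch, not taken from the original post or any reply to it, here is one way to lay out the three access levels on a Cisco IOS router acting as an Easy VPN server, using one address pool per level so that the restricted level can be filtered by source address. The group names, pool ranges (carved out of the 192.168.20.128/28 reservation the post proposes), the server address 192.168.20.10, the transform set name and the interface ACL name are all constructed for the example; the LAN 192.168.20.0/24 comes from the post. It assumes, as the post itself does, that decrypted client traffic is re-evaluated against the inbound ACL of the outside interface.

```cisco
! Added example (not from the original post). All names, pool ranges and
! the server 192.168.20.10 are constructed; adapt them to the real network.

! One address pool per access level, all inside the reserved
! 192.168.20.128/28. Each /30 holds only two clients here; widen as needed.
ip local pool POOL-FULL       192.168.20.129 192.168.20.130
ip local pool POOL-LAN        192.168.20.133 192.168.20.134
ip local pool POOL-RESTRICTED 192.168.20.137 192.168.20.138

! Split-tunnel ACL: only traffic destined to the LAN enters the tunnel,
! so Internet traffic stays on the client's own uplink (no surfing via us).
ip access-list extended SPLIT-LAN
 permit ip 192.168.20.0 0.0.0.255 any

! Level 1: no "acl" line, therefore the client tunnels everything,
! including Internet traffic (the router must NAT the pool for that).
crypto isakmp client configuration group FULL
 key CHANGE-ME-FULL
 pool POOL-FULL

! Level 2: split tunnel, full LAN reachability, no Internet via the router.
crypto isakmp client configuration group LAN-ONLY
 key CHANGE-ME-LAN
 pool POOL-LAN
 acl SPLIT-LAN

! Level 3: same split tunnel, but its pool is filtered after decryption.
crypto isakmp client configuration group RESTRICTED
 key CHANGE-ME-RESTRICTED
 pool POOL-RESTRICTED
 acl SPLIT-LAN

! Reverse Route Injection installs a /32 route per connected client, which
! is more specific than the connected /24 on the inside interface and so
! replaces the manual route towards the pool that the post asks about.
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route

! Inbound ACL on the outside interface. Keeping all VPN-client rules in one
! contiguous, remarked block is the practical answer to the "mixed with
! other rules" concern: the block is easy to audit and to move as a unit.
ip access-list extended OUTSIDE-IN
 remark --- IPsec control and data plane ---
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 remark --- VPN clients (decrypted traffic, matched by pool) ---
 permit ip  192.168.20.128 0.0.0.3 any
 permit ip  192.168.20.132 0.0.0.3 192.168.20.0 0.0.0.255
 permit tcp 192.168.20.136 0.0.0.3 host 192.168.20.10 eq 443
 deny   ip  192.168.20.128 0.0.0.15 any log
 remark --- other outside rules follow ---
 deny   ip any any
```

The "deny ... log" line for the whole /28 is the useful check: any hit on it means a client reached for something its level does not allow, which is exactly the event worth seeing in the router's logs while the policy is being tuned.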