OpenVPN Restrict tun0 from internet access for local system

Goal is to provide VPN access only to wireless connected clients, not to the local system. The problem is that all internet access on the local system goes to the VPN.
Also would like to be able to start and stop OpenVPN service without affecting local system internet access via eth0.
This system is also the DNSmasq server to the clients via eth0 and wlan0.

Is there a way to do this? eth0 and wlan0 both have static addresses set in dhcpcd.conf.

wlan0 is connected to tun0 with:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

$ route -v WITHOUT TUN0

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     303    0        0 wlan0

$ route -v WITH TUN0

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.1.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
10.8.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.1.1        128.0.0.0       UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     303    0        0 wlan0
217.138.203.211 192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
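
Why the local system's traffic follows the VPN once tun0 is up, as an added example that is not part of the original post: it replays longest-prefix route selection over the "WITH TUN0" table above, and shows where traffic falls back to when tun0 is removed. The function names are illustrative, and the metric is assumed to matter only as a tie-breaker between equal-length prefixes.

```python
import ipaddress

# Routing table "WITH TUN0" as posted in the question (route -v rows).
WITH_TUN0 = """\
0.0.0.0         10.8.1.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
10.8.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.1.1        128.0.0.0       UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     303    0        0 wlan0
217.138.203.211 192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
"""

def parse_routes(text):
    """Turn route(8) rows into (network, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue  # skip headers or malformed rows
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        # Convert the dotted Genmask into a prefix length by counting set bits.
        prefix = bin(int(ipaddress.ip_address(f[2]))).count("1")
        routes.append((ipaddress.ip_network(f"{dest}/{prefix}"), int(f[4]), f[7]))
    return routes

def egress_iface(routes, dst):
    """Pick the route the kernel would: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[1]))[2]

def without_iface(routes, iface):
    """Routes that remain once an interface (here tun0) goes away."""
    return [r for r in routes if r[2] != iface]

if __name__ == "__main__":
    routes = parse_routes(WITH_TUN0)
    no_vpn = without_iface(routes, "tun0")
    # Two public addresses (one per /1 half), the VPN server, a wlan0 client.
    for dst in ("8.8.8.8", "200.1.2.3", "217.138.203.211", "192.168.1.50"):
        print(f"{dst:16} tun0 up -> {egress_iface(routes, dst):6}"
              f" tun0 down -> {egress_iface(no_vpn, dst)}")
```

The two /1 routes via 10.8.1.1 are more specific than the eth0 default route, so they win for every public destination regardless of the default route's metric; only the /32 host route to the VPN server still leaves through eth0.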

A block from LAN to all but WAN can work, but may need another tunnel for lan0 to wan0; then you lock wlan0 to tun0.

This can be helpful:
https://www.thegeekdiary.com/centos-rhel-iptables-troubleshooting-guide/

Decided to run the VPN in a namespace that requires a tunnel out to the WAN and a tunnel bridging wlan0 to tun0 inside the namespace.

I am working on this and it will be the answer to my question above.