I don't know if this is what you're looking for, but if you configure the OpenVPN server to assign specific IPs on the tunnel to specific OpenVPN clients, you could then uniquely identify those clients and create firewall rules that limit access to specific target resources.
For example, if the OpenVPN server is using 10.8.0.0/24, and a client has been assigned 10.8.0.2, and the remote network is 192.168.1.0/24, and that client should only have access to 192.168.1.100 …
Code:
iptables -I FORWARD -s 10.8.0.2 ! -d 192.168.1.100 -j REJECT
Assigning specific IPs on the tunnel requires using a CCD (client-config-dir) directive that points to a folder containing files based on the common-name of the cert used by the given client. Within those files you would specify the ifconfig-push directive to assign the preferred IP. But that assumes every client is being assigned its own unique certs and keys, which isn't the case by default. Alternatively, you can require usernames/passwords (which most ppl do anyway) and use the username-as-common-name directive, which tells the OpenVPN server to use the username instead to distinguish clients.
P.S. I just realized you're using OEM/stock firmware, which will probably make the above impossible to implement, particularly the firewall rules. But at least w/ the right router and firmware (e.g., Merlin), it is possible.
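The setup described in the post above, as an added sketch that is not part of the original post: it writes one CCD file per common name with ifconfig-push and prints the matching FORWARD rule for review. The client names, the second client, the netmask form of ifconfig-push (assumes `topology subnet`), the server sitting at .1, and the restriction on common-name characters are assumptions; the server config is assumed to have client-config-dir pointing at the output folder.

```shell
#!/bin/sh
# Constructed mapping: <common-name> <tunnel IP> <only destination allowed>
CLIENTS='alice 10.8.0.2 192.168.1.100
bob 10.8.0.3 192.168.1.50'
TUNNEL_PREFIX=10.8.0   # tunnel network 10.8.0.0/24, as in the post
MASK=255.255.255.0     # assumption: server uses "topology subnet"

# Accept only file-safe common names and host addresses .2-.254 of the tunnel.
# The name check keeps a crafted name such as "../x" from escaping the CCD folder.
valid_entry() {  # $1 = common name, $2 = tunnel IP
  case $1 in ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
  host=${2#"$TUNNEL_PREFIX".}
  case $host in ''|*[!0-9]*|????*) return 1 ;; esac
  [ "$host" -ge 2 ] && [ "$host" -le 254 ]   # .1 assumed to be the server
}

# Tunnel IPs given to more than one client; a shared IP would make the
# per-client firewall rule apply to both of them.
duplicate_ips() {
  printf '%s\n' "$CLIENTS" | awk '{print $2}' | sort | uniq -d
}

# Write one CCD file per client into directory $1 and print the firewall rules.
build() {
  [ -z "$(duplicate_ips)" ] || { echo "duplicate tunnel IP" >&2; return 1; }
  printf '%s\n' "$CLIENTS" | while read -r cn ip dest; do
    valid_entry "$cn" "$ip" || { echo "rejected: $cn $ip" >&2; exit 1; }
    printf 'ifconfig-push %s %s\n' "$ip" "$MASK" > "$1/$cn"
    printf 'iptables -I FORWARD -s %s ! -d %s -j REJECT\n' "$ip" "$dest"
  done
}

# Demo run into a scratch folder: shows the rules, then the CCD file contents.
tmp=$(mktemp -d) && build "$tmp" && grep -r . "$tmp"; rm -rf "$tmp"
```

Nothing is applied to the firewall; the rules are only printed.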