local.m4: Boundary network addresses can legitimately transit the VPN.

This is IPv6-specific. Suppose an internal host on one end of a VPN
connection sends a packet to a host on the boundary network at the
other end. This packet will go via the public Internet -- fine. But
the other end will reply, and route the packet through the VPN because
it's an internal address. So we should allow it or we break
connectivity.

The right answer is probably to arrange for the routing to be
symmetrical, either by forcing the original packet to go through the
VPN or the reply to go around it, but both of these would seem to
involve messing with policy routing in a complicated way. The current
situation seems weird but not especially harmful.
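
The asymmetric path this commit message describes, modelled as an added example (not part of the commit or the project's code). The prefixes, the routing rule that only remote internal destinations enter the VPN, and the tunnel-side source filter are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed addressing plan using the IPv6 documentation prefix.
NETS = {
    ("A", "internal"): ip.ip_network("2001:db8:a:1::/64"),
    ("A", "boundary"): ip.ip_network("2001:db8:a:ff::/64"),
    ("B", "internal"): ip.ip_network("2001:db8:b:1::/64"),
    ("B", "boundary"): ip.ip_network("2001:db8:b:ff::/64"),
}

def classify(addr):
    """Return (site, zone) for an address, or None for the wider Internet."""
    a = ip.ip_address(addr)
    for key, net in NETS.items():
        if a in net:
            return key
    return None

def egress_path(src, dst):
    """Assumed routing: only remote *internal* destinations go into the VPN."""
    s, d = classify(src), classify(dst)
    if s and d and s[0] != d[0] and d[1] == "internal":
        return "vpn"
    return "internet"

def vpn_ingress_ok(src, dst, allow_boundary):
    """Assumed filter on packets arriving from the tunnel at dst's site."""
    s, d = classify(src), classify(dst)
    if s is None or d is None or s[0] == d[0]:
        return False  # source is not at the remote site: never valid here
    return s[1] == "internal" or (allow_boundary and s[1] == "boundary")

def round_trip(client, server, allow_boundary):
    """Return (forward path, reply path, whether the reply is delivered)."""
    fwd = egress_path(client, server)
    rev = egress_path(server, client)
    delivered = rev != "vpn" or vpn_ingress_ok(server, client, allow_boundary)
    return fwd, rev, delivered

if __name__ == "__main__":
    # Internal host at site A talks to a boundary host at site B.
    client, server = "2001:db8:a:1::10", "2001:db8:b:ff::80"
    for allow in (False, True):
        print("allow_boundary =", allow, "->", round_trip(client, server, allow))
```

With the strict filter the reply is dropped at the tunnel even though the request arrived over the Internet; accepting boundary sources on the tunnel restores the connection while still rejecting sources outside the remote site.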