Simple Rules don’t provide an obvious way to block traffic from the VPN to LAN clients. This trick gets the job done.
Background
Simple Rules with an IP Address as the Destination create firewall rules that drop all network traffic from the source to the destination.
While Simple Rules cannot block traffic from the VPN to the LAN, an IP Address rule can block the response from the LAN to the VPN, preventing a connection from being established.
Putting it into practice
First, determine the address range used by the Teleport and/or WireGuard VPN server.
For Teleport this is easier said than done. The least painful way is to connect a client, then check its IP address in the Client Devices listing.
Then create a Simple Rule:
Name: VPN <-> Internal Access Policy
Action: Block
Source: All Devices
Destination: IP Address
Address Range: VPN network address - VPN broadcast address
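As an added example (not from the original post), this Python helper turns observed VPN client IPs into the "network address - broadcast address" value for the rule and flags any range that overlaps a LAN subnet, since the rule drops traffic to every address in the range. The function name, the prefix length and all addresses are assumptions made for illustration; take the real prefix length from your VPN server settings.

```python
import ipaddress


def vpn_rule_ranges(client_ips, prefix_len, lan_cidrs):
    """Map observed VPN client IPs to Simple Rule address ranges.

    client_ips: IPv4 addresses seen in the Client Devices listing.
    prefix_len: VPN subnet prefix length (assumption: read from VPN settings).
    lan_cidrs:  LAN subnets that must stay reachable from other devices.

    Returns a list of (range_string, overlapping_lans), one entry per
    distinct VPN subnet, sorted by network address.
    """
    lans = [ipaddress.ip_network(cidr) for cidr in lan_cidrs]

    # Several clients usually share one VPN subnet, so deduplicate.
    subnets = {
        ipaddress.ip_interface(f"{ip}/{prefix_len}").network for ip in client_ips
    }

    results = []
    for net in sorted(subnets):
        rng = f"{net.network_address} - {net.broadcast_address}"
        # A Block rule on this range also drops traffic routed to any LAN
        # subnet that shares addresses with it.
        clashes = [str(lan) for lan in lans if lan.overlaps(net)]
        results.append((rng, clashes))
    return results


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    observed = ["192.168.2.2", "192.168.2.7", "192.168.3.4"]
    lans = ["192.168.1.0/24", "192.168.3.0/24"]
    for rng, clashes in vpn_rule_ranges(observed, 24, lans):
        note = f"  WARNING: overlaps LAN {', '.join(clashes)}" if clashes else ""
        print(f"Address Range: {rng}{note}")
```
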