Deny ACL?

I was lucky to be a part of the network team in several corporate and cloud environments, and having a default route which is then filtered through proxies was our typical scenario. These deny ACLs are very typical for Cisco AnyConnect or OpenConnect VPNs.
With an AWS cloud environment where you don’t have a transit gateway setup, you have to deal with SNAT because of non-transitive VPC peerings, and this makes writing ACLs at the destination end impossible.
Given the fact that Pritunl creates iptables rules to only allow access to subnets advertised to clients, what is the significant challenge in adding an extra statement denying a specific destination?
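The ordering question behind this post, as an added example that is not part of the original post and not Pritunl's own code: iptables evaluates a chain top-down and the first match wins, so a deny for a specific destination only works if it sits before the broad ACCEPT for the advertised subnet. The script emits the rule commands (rather than applying them) so the ordering can be checked first; the chain name `VPN_FWD`, the interface names, the client pool and the addresses are all constructed assumptions, not values from the post or from Pritunl. The final MASQUERADE rule shows the SNAT step that hides individual VPN clients from the destination side, which is why the deny has to live on the VPN server.

```shell
#!/bin/sh
# Added example (not from the original post or from Pritunl): emits iptables
# commands for a VPN forward chain where a deny for one destination is placed
# BEFORE the broad "allow advertised subnet" rule. A deny appended after the
# ACCEPT would never be reached. All names and addresses below are constructed.

VPN_IF="tun0"              # assumed VPN interface name
WAN_IF="eth0"              # assumed egress interface (SNAT side)
CHAIN="VPN_FWD"            # hypothetical chain; Pritunl's real chain names are not on the page
CLIENT_NET="10.8.0.0/24"   # constructed VPN client pool
ADVERTISED="10.20.0.0/16"  # constructed subnet advertised to clients
DENY_DEST="10.20.5.10/32"  # constructed host inside the advertised subnet to block

# Print the rule set instead of applying it; pipe the output into sh to apply.
gen_vpn_rules() {
  # 1. Dedicated chain hooked from FORWARD for traffic arriving from the VPN.
  echo "iptables -N $CHAIN"
  echo "iptables -A FORWARD -i $VPN_IF -s $CLIENT_NET -j $CHAIN"
  # 2. Specific deny first: it must precede the broad allow to ever match.
  echo "iptables -A $CHAIN -d $DENY_DEST -j REJECT --reject-with icmp-admin-prohibited"
  # 3. Broad allow for the advertised subnet (what a "subnets only" policy gives).
  echo "iptables -A $CHAIN -d $ADVERTISED -j ACCEPT"
  # 4. Anything else from clients is dropped.
  echo "iptables -A $CHAIN -j DROP"
  # 5. SNAT on egress: after this the destination only sees the server's
  #    address, so destination-side ACLs cannot distinguish VPN clients.
  echo "iptables -t nat -A POSTROUTING -s $CLIENT_NET -o $WAN_IF -j MASQUERADE"
}

# Returns 0 if the deny for DENY_DEST appears before the ACCEPT for ADVERTISED
# in the generated list, 1 otherwise. Run this before applying the rules.
deny_precedes_allow() {
  rules=$(gen_vpn_rules)
  deny_line=$(printf '%s\n' "$rules" | grep -n -- "-d $DENY_DEST" | cut -d: -f1)
  allow_line=$(printf '%s\n' "$rules" | grep -n -- "-d $ADVERTISED -j ACCEPT" | cut -d: -f1)
  [ -n "$deny_line" ] && [ -n "$allow_line" ] && [ "$deny_line" -lt "$allow_line" ]
}

# Number of generated rule commands.
rule_count() {
  gen_vpn_rules | wc -l | tr -d ' '
}

# Usage: print the rules only when the ordering check passes.
deny_precedes_allow && gen_vpn_rules
```

The same pattern applies to any extra deny: insert it above the subnet ACCEPT (with `iptables -I CHAIN 1 ...` on a live chain) rather than appending it, and verify with `iptables -L CHAIN -n --line-numbers` that the deny carries the lower rule number.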