I’m wondering if you inadvertently have a VPN policy set to block client devices from using the VPN and, if so, the 'net in general (aka ‘Kill-Switch’ functionality).
(Another place to check is that devices aren’t toggled to be blocked in general: GL GUI → Clients → $device → Block WAN.)