GL GUI → VPN → VPN Dashboard → Global Proxy → VPN Policy Base On The Target Domain Or IP → Accessing Following Domain/IP → Not Use VPN/Use VPN sounds about right.
Well, yeah. If you’re blocking everything non-VPN, there’s no need to explicitly set a set of firewall rules to allow a bypass to another subnet.
… so you want to block non-VPN traffic but also allow WAN traffic to your upper ring (let’s call it ‘Ring 0’) subnet to this one, Ring 1? That might be something possible via Customize Routing Rules but I’ve got no insight for ya there.
It could probably be done. This is, after all, OpenWrt ‘under the hood’. You might need to employ LuCI (GL GUI → System → Advanced Settings). My firewall skills are less than stellar.
… but be sure to make periodic backups throughout your progress.