You can use a firewall on TRB140 to restrict internet access.
When you configure OpenVPN, there should be another firewall zone added. So, there should be LAN, WAN, and OpenVPN firewall zones in Network -> Firewall -> General. Also, a firewall traffic rule in Network -> Firewall -> Traffic rules is automatically created when you configure OpenVPN. This rule serves the purpose of opening a port from the WAN side to the OpenVPN instance, enabling the establishment of the VPN connection.
By default, all traffic from LAN is allowed to WAN. What you can do is block all traffic from LAN -> WAN. To do this, edit LAN => WAN zone and remove 'wan' from 'allow forward to destination zones'. This will drop all packets going from LAN to WAN. Then, you can manually add traffic rules to allow only necessary traffic from LAN to WAN. You can find more information about traffic rules here.
You can leave the WAN and OpenVPN zone as they are.