@JJBAU 

What do you want to achieve by creating an ACL? You have just created a block of everything from the internet? Why do you have it?
Can you explain a little bit what end result you wan

  @MR.S 

Thanks, to answer your question basically i deny everything and only allow the traffic I want on the network.  Given that all LAN initiated internet traffic is fine I am ok with this setup.

Having said that I believe I have solved the problem, basically from thinking about your question!

I needed to add the LAN IP Subnet of OpenVPN to the rule - once I had done that it operates as expected.   For some reason I thought that the traffic would hit the ACL with the WAN IP and not the private IP address of the OpenVPN client.

Cheers.

  @GRL 

Valid point and interesting suggestion.

I only need to enable the rule when I am traveling so depending on location (country) that could open up some exposure too.  

Either way a consideration none the less.

  @JJBAU 

Not really, the stateful firewall doesnt work like that

Adding an explicit allow - bad idea in general

Not adding countries in a location list - traffic will still be dropped by the firewall form the countries you allow other than hosted services on the gateway like VPNs/  Stateful firewall track traffic patters, if the VPN is established to the gateway, it will allow it without you having to "allow it"

By default, everything is blocked incoming anyway

  @GRL 

Apologies, I was agreeing that the explicit IP Allow was a bad approach.

Thanks for the clarification on the preferred rule as I misunderstood the first time it was mentioned (been a long year for a tired old brain).

Appreciate the time to respond by both of you and have made the appropriate changes.

Cheers.