Tailscale working well, but how do I set a rule to force clients thru VPN?

Started by spants, January 31, 2023, 11:00:07 AM

Great work on this release!

I have been using Tailscale as an exit point on a machine inside the firewall, but have now switched to using the OPNsense instructions on tailscale.com. It is working well - I can manage systems inside the firewall and get internet access.
However, I would like to set up a rule that forces any external clients to exit via my WireGuard (Mullvad) VPN rather than via the WAN. The clients seem to have my external IP address from what I can see.
I know it's a basic question but I am going around in circles!

tl;dr - need any client that has come in via the TLSCL interface to be able to see internal systems (working) and exit the firewall only via the VPN.

Many thanks!

You would need to set a routing rule to forward traffic not through the WAN but through the VPN for the TLSCL interface.