You never know what staff may have on their home network or whether they connect to open WiFi at the coffee shop. Because of this, all the tablet PC devices are configured with an always-on OpenVPN service. The default gateway is the remote OpenVPN server so that ALL traffic goes over the VPN at all times.

Well, almost all times. When staff bring their tablet PC back to the office, the Windows apps they need work without the VPN. The problem is that Windows works when internal, but not other devices such as an iPhone. The VPN encrypted layer would make the local WiFi more secure as well.

Adding the internal IP addresses to the openvpn-client.conf has not worked because the OpenVPN IP addresses do not work.

The tunnel still does not connect when internal to Untangle. So I assume I need to add the other internal Untangle IP addresses on the server-side configuration and/or hairpin loopback is needed.

I have definitely done this before with tinc, other firewalls, and most likely Untangle as well.

What do I need to configure on Untangle to make OpenVPN or WireGuard or another VPN work even when guests are on an internal-to-Untangle network such as WiFi?

Yes, I understand that VPNs are normally for remote access only, but for many years we had VPN tunnels up at all times even for subnets on the inside of the firewall.