Hello Stuart,
You could use Reverse Path Check and take those ACL lines (RFC 1918 addresses.)
Now regarding ACL for vpn traffic, by default vpn traffic will not be inspected over the interface ACL's but you can restrict it with any of the interfaces ( remove the syspot permit vpn and that will start inspecting VPN traffic with ACL's)
Remember to rate all of the helpful posts
Julio
Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC