The rule I was making wasn't for the VPN service itself; you should probably already have rules to allow Internet (maybe limit by countries or something) to SRM for VPN Plus applications. My rule was for allowing the tunnelled connections that are coming out of the VPN service from the remote site. These tunnelled connections are still detected on the receiving router's Internet interface and they then have to be allowed into the LAN.