Tapo C200 - fw rules for blocking and allowing WireGuard (Home Assistant)

I'm running WireGuard on my Home Assistant instance.
Everything is taking place on
I've added a Tapo camera called C200 on my Wi-Fi, on
My WireGuard instance lets my phone connect back home with IP
What rules should I use to block my camera from the internet, but still be able to talk to my LAN devices?

I've made a block traffic rule to keep the camera from reaching the internet

config rule
        option target 'REJECT'
        list proto 'tcp'
        list proto 'udp'
        option name 'cameratowan'
        option src 'lan'
        list src_ip ''
        option dest 'wan'

and my camera now only works when I'm connected to my home Wi-Fi. Which is cool, but now I need to make it work with WireGuard enabled on my iPhone as well.
I would assume that when enabled, my phone is in the lan zone, and there's no need for any rules, but so far that's not the case.

It's working on my laptop with WireGuard enabled (on my LTE/4G shared from iPhone). Tested with VLC.
It might be that the Tapo app doesn't like it.
Maybe I need another app.