One thing I've dabbled with[1] is using pfSense to set up a VM with a management 'interface' that only routes to my local network and drops any packets not on the web UI port[2], and an Internet 'interface' that pfSense routes over a VPN (I can't remember if I ended up actually using two separate interfaces, or a set of firewall rules to allow the LAN traffic access). AFAICT, it seemed to work reasonably for the brief period I used it - the VM could only see the pfSense gateway, and all of the Internet traffic from the VM went over the VPN, whilst the traffic from the rest of my network was unaffected, but I could access a few services locally on a 10.x.x.x IP (different subnet to my main network).

[1] Actually to setup a Pi-Hole instance that bypassed my ISP's DNS hijacking, but the principle seems similar

[2] And DNS in this case