DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Blocking access to the Vigor 2765 management interface from VPN addresses ?
30 Jan 2025 12:48 #104513
by ian_m
Blocking access to the Vigor 2765 management interface from VPN addresses ? was created by ian_m
I have a LAN-to-LAN VPN (Vigor 2765 at home & Vigor 2860 at work) set up and it works fine. The VPN stays up for months. I can manage work devices from home.
At the Vigor 2765 home end, I have firewall rules to allow only one work IP address, my work PC, to access my home intranet addresses. This works fine: devices at work other than my work PC cannot access devices at home, this being blocked by the Vigor firewall.
However, any IP address at work can access the management interface of my home Vigor 2765 via the VPN!!!!
Is it possible to block VPN access to the Vigor 2765 management interface from a range of IP addresses at the work end of the VPN?
30 Jan 2025 19:00 #104515
by m_d
Replied by m_d on topic Blocking access to the Vigor 2765 management interface from VPN addresses ?
I have run into this exact situation, except my 'home end' is a 2865. So far, I don't know of a way to fix this. I think I even opened a support case about it some time ago, and DrayTek did not give a super helpful response. [I think in the end I dropped the ticket by never getting back to them due to lack of time.]
The firewall recently (ish) had the WAN -> Localhost option added, now we need a LAN/VPN -> Localhost option too. Hopefully will come sooner or later.
Agrees: HodgesanDY
31 Jan 2025 08:52 #104519
by ian_m
Replied by ian_m on topic Blocking access to the Vigor 2765 management interface from VPN addresses ?
Real pain, a "device" appearing on our work network that work is not really in control of.
I moved the management port of my home DrayTek from the standard port 80 to another value, but when doing deep network scans of our work network it detected the "home 2765" router management port. Due to the firewall rules "at home", no other device on my home network was accessible/visible.
Might not be too much of an issue as it requires knowledge of the IP subnet "at home", i.e. 192.168.nnn.xxx, to scan. But if you did a complete scan of 64k of subnet addresses and 64k of ports for each subnet, the "home" management port would be detected.
A fix/firewall needs to be possible at the "home" end so as to not require changes to the "work" DrayTek router.
I have tried adding rules "WAN -> local host" & "LAN/RT/VPN -> LAN/RT/VPN" to block access, but these have no effect on traffic emerging from the VPN.
Moderators: Chris