Network Policy not applied to OpenVPN Container?

  podSelector: {}
  - Egress
  - to:
    - ipBlock:

This is a snippet from a network policy applied to a namespace, which contains an OpenVPN deployment.

The container has the NET_ADMIN capability available.

For the OpenVPN setup to work, an iptables rule is created inside the container (not on the node), which looks like the following.

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Now, the NetworkPolicy works as expected on everything, all deployments and containers, as necessary, however the OpenVPN server is reachable through the internet and can communicate with clients over IPs like

How can the OpenVPN server communicate through that IP, when a range including this IP is explicitly blocked for access by a NetworkPolicy applied to the namespace containing the Deployment with the OpenVPN Container?

The MASQUERADE changes the IP address of the packets to a benign internal Kubernetes IP address, which is not caught by the except block in the NetworkPolicy.