networking – Routing VPN-Client to specific LAN-Device

I’m trying to allow a friend of mine direct access to a local device in my home network. I’ve set up a Raspberry with Ubuntu and an OpenVPN server and created the certificates. This part is working.

Since he does not need access to the whole network, my idea was to restrict anything unnecessary. (More a practice for me than a security issue.)

But I’m not sure where to start. My idea was to set up some user-specific routing. But that part is fairly new to me. Can someone give me some advice on how to achieve this?

Best regards