A VPN set to 0.0.0.0/0 swallows all traffic, including access to the local network. The right AllowedIPs keeps the tunnel up and hands the LAN back.
The VPN comes up, the tunnel is active, and suddenly the printer, the NAS and the router stop answering. The machine routes everything to the VPN, including what should stay local.
Why 0.0.0.0/0 swallows the LAN
An AllowedIPs of 0.0.0.0/0 tells the client to route all IPv4 traffic into the tunnel. That is exactly what a full outbound tunnel wants. But that route also covers 192.168.0.0/16 and 10.0.0.0/8, so the local network too.
The result: a packet to the LAN printer goes into the tunnel, exits at the far end, and never comes back. The LAN is not cut off, it is misrouted.
Split AllowedIPs instead of taking everything
The fix is not to disable the tunnel. It is to remove the LAN prefix from the VPN route. You replace 0.0.0.0/0 with the list of subnets to route minus the LAN, or you add a more specific route to the LAN via the local gateway.
A more specific route always wins over a broader one. A /24 to the LAN beats the VPN /0. The tunnel stays active for everything else.
The principle to keep: AllowedIPs is not a security filter, it is a routing table. You choose what enters the tunnel, and you leave the local to the local.