I needed to exclude a local WiFi subnet from the VPN. I used an approach with adding multiple routes instead of 0.0.0.0 / 0. For example, if you need to exclude subnet 192.168.240.90 / 21 (binary representation is 11000000.10101000.11110000.01011010), then you should add following 21 routes to your VpnService (binary representation):
00000000.00000000.00000000.00000000 / 1
10000000.00000000.00000000.00000000 / 2
11100000.00000000.00000000.00000000 / 3
11010000.00000000.00000000.00000000 / 4
11001000.00000000.00000000.00000000 / 5
11000100.00000000.00000000.00000000 / 6
11000010.00000000.00000000.00000000 / 7
11000001.00000000.00000000.00000000 / 8
11000000.00000000.00000000.00000000 / 9
11000000.11000000.00000000.00000000 / 10
11000000.10000000.00000000.00000000 / 11
11000000.10110000.00000000.00000000 / 12
11000000.10100000.00000000.00000000 / 13
11000000.10101100.00000000.00000000 / 14
11000000.10101010.00000000.00000000 / 15
11000000.10101001.00000000.00000000 / 16
11000000.10101000.00000000.00000000 / 17
11000000.10101000.10000000.00000000 / 18
11000000.10101000.11000000.00000000 / 19
11000000.10101000.11100000.00000000 / 20
11000000.10101000.11111000.00000000 / 21
The idea is to invert the bit at the position of prefix (from the right) and make zeros all bits after the position of prefix. As a result, all packages except those that go to the local subnet will match one or another route