Unfortunately, per-tunnel IP filtering is not currently supported.
Fortunately, Windows are able to override built-in service installer using the sc command. This command worked for me (run as Admin):
sc create RebexTlsProxy2 obj="NT AUTHORITY\Network Service" DisplayName="Rebex Tls Proxy 2" binpath="\"c:\proxies\tlsp2\tlsproxy.exe\" run --run-as-service"
Please note that the path to executable is c:\proxies\tlsp2\tlsproxy.exe but the service must be run with run --run-as-service arguments. Therefore you have to build the binpath parameter like shown: binpath="\"c:\proxies\tlsp2\tlsproxy.exe\" run --run-as-service" (with escaped quotes around the path to executable).
I had to set correct permissions for Network Service account to c:\proxies\tlsp2\ folder. Also please make sure that the service can write to logging location (configured in config.yaml).