On the datacenter side, you could terminate the VPN into a separate virtual router with its own routing table, which would have routes like this:
172.29.0.0/21 -> 2.2.2.2 via st0.x
0.0.0.0/0 -> 10.30.0.5 (EX4200) via ge-something/something.something
On the EX4200 you'd need a route to 172.29.0.0/21 going to 10.30.0.8 (?) instead of 10.30.0.4, and treat that second (sub-)interface as just another internal network that needs to get to the internet via your inline web filter.
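What that design looks like as Junos configuration, written as an added example (not from the original post or the poster). It assumes the datacenter VPN endpoint is an SRX, that the tunnel is a route-based IPsec VPN already defined as `branch-vpn`, that the tunnel interface is st0.0, that ge-0/0/1.0 is the link toward the EX4200 with 10.30.0.8/24 on the SRX side and 10.30.0.5 on the EX side, and that the virtual router is named `vpn-vr`. The tunnel address 10.255.0.1/30 is also assumed; 172.29.0.0/21, 2.2.2.2, 10.30.0.5 and 10.30.0.8 are the values from the post.

```junos
## SRX (datacenter VPN endpoint) -- added example, names and addresses assumed as noted above

# Tunnel interface for the route-based VPN to 2.2.2.2 (remote peer from the post).
# The IKE gateway's external interface stays in the main instance (inet.0);
# only st0.0 is moved into the virtual router.
set interfaces st0 unit 0 description "VPN to 2.2.2.2"
set interfaces st0 unit 0 family inet address 10.255.0.1/30
set security ipsec vpn branch-vpn bind-interface st0.0

# Second L3 link toward the EX4200, separate from whatever inet.0 already uses
set interfaces ge-0/0/1 unit 0 description "to EX4200 for VPN VR"
set interfaces ge-0/0/1 unit 0 family inet address 10.30.0.8/24

# Separate virtual router with its own routing table (vpn-vr.inet.0)
set routing-instances vpn-vr instance-type virtual-router
set routing-instances vpn-vr interface st0.0
set routing-instances vpn-vr interface ge-0/0/1.0
# 172.29.0.0/21 -> remote site via the tunnel
set routing-instances vpn-vr routing-options static route 172.29.0.0/21 next-hop st0.0
# everything else -> EX4200, which sends it through the inline web filter
set routing-instances vpn-vr routing-options static route 0.0.0.0/0 next-hop 10.30.0.5

# Zones and policies so traffic is allowed in both directions between
# the tunnel and the EX link (tighten "any" to the real prefixes/apps in production)
set security zones security-zone vpn-zone interfaces st0.0
set security zones security-zone vpn-inside interfaces ge-0/0/1.0
set security policies from-zone vpn-zone to-zone vpn-inside policy branch-to-internet match source-address any
set security policies from-zone vpn-zone to-zone vpn-inside policy branch-to-internet match destination-address any
set security policies from-zone vpn-zone to-zone vpn-inside policy branch-to-internet match application any
set security policies from-zone vpn-zone to-zone vpn-inside policy branch-to-internet then permit
set security policies from-zone vpn-inside to-zone vpn-zone policy internet-to-branch match source-address any
set security policies from-zone vpn-inside to-zone vpn-zone policy internet-to-branch match destination-address any
set security policies from-zone vpn-inside to-zone vpn-zone policy internet-to-branch match application any
set security policies from-zone vpn-inside to-zone vpn-zone policy internet-to-branch then permit

## EX4200 -- added example; assumes 10.30.0.8 is reachable on an existing L3 (vlan) interface
# Send the remote site's prefix to the SRX virtual router's link instead of 10.30.0.4;
# the EX's existing default route already carries return/internet traffic via the web filter.
set routing-options static route 172.29.0.0/21 next-hop 10.30.0.8
```

To check the result on the SRX, `show route table vpn-vr.inet.0` should list 172.29.0.0/21 via st0.0 and 0.0.0.0/0 via 10.30.0.5, and `show security ipsec security-associations` should show the tunnel up. The point of the separate virtual router is that the remote site's default route lives in vpn-vr.inet.0 rather than inet.0, so its internet-bound traffic cannot short-cut through the datacenter's own default route and bypass the web filter.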