Private network for devices connected to VPN Server on the Beryl AX

I have set up a WireGuard VPN server on my Beryl AX so I can connect to my home network while away. This is working without an issue, but I would like to share this with some of my friends. The issue here is that with my current setup a connected device can see the entire network and all attached devices.

I want to configure it so that devices connected via the VPN are on a separate network and therefore unable to see anything. There will be exceptions to this, as I may want to allow access to my DLNA or Home Assistant server, but I want everything else inaccessible.

I also have PIA configured on the Beryl so that I have a VPN connection readily available via Wi-Fi. I want to make sure these devices can still see the network, so it can't be a blanket rule applied to all connections.

My network comprises a main router running OpenWrt (Linksys WRT3200ACM) and the Beryl AX, which connects to it via Ethernet. The former is in the 192.168.1.X range, the latter is 192.168.8.X, and the VPN server assigns 10.0.0.X. I hoped that if I changed the subnet it would ring-fence the devices, but no luck.

I know there is a GUI for advanced settings in the Beryl, so I have a feeling it will be a combination of tinkering there as well as creating a new network interface on my WRT3200.

Could someone point me in the right direction for how I would set this up please? Any help on this is greatly appreciated!

A small gripe I have is with the config file created for the VPN server. I have a DDNS, but it's on my main router; as I haven't got it set up on the Beryl, the config defaults to my ISP IP and I have to edit the file each time I create a new one. It would be good if we could hard-code this.

Add a firewall rule like this in LuCI: is the WireGuard client, is the target IP which is not allowed for the client.
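The same idea expressed as an OpenWrt `/etc/config/firewall` fragment, added here as an illustration rather than taken from the thread or from GL.iNet's firmware: it keeps the WireGuard server zone away from both LANs while punching through only the Home Assistant exception, and leaves PIA Wi-Fi clients untouched because they never enter the `wgserver` zone. Assumptions: the WireGuard server interface sits in a zone named `wgserver`, the Beryl's own LAN is the `lan` zone (192.168.8.0/24), the upstream 192.168.1.0/24 network is reached through `wan`, and the host addresses and ports are placeholders.

```uci
# Added example (not from the thread). Rules are evaluated in order,
# so the ACCEPT exceptions must come before the REJECT catch-alls.

config rule
        option name 'wg-allow-home-assistant'
        option src 'wgserver'
        option dest 'lan'
        option dest_ip '192.168.8.50'      # placeholder: Home Assistant host
        option dest_port '8123'            # Home Assistant web UI
        option proto 'tcp'
        option target 'ACCEPT'

config rule
        option name 'wg-allow-dlna'
        option src 'wgserver'
        option dest 'lan'
        option dest_ip '192.168.8.60'      # placeholder: DLNA media server
        option dest_port '8200'            # placeholder: media server HTTP port
        option proto 'tcp'
        option target 'ACCEPT'

# Everything else on the Beryl's own LAN is off limits to VPN clients.
config rule
        option name 'wg-block-beryl-lan'
        option src 'wgserver'
        option dest 'lan'
        option target 'REJECT'

# The WRT3200 network (192.168.1.0/24) is reached via the Beryl's wan
# zone, so block it explicitly while still letting Internet traffic out.
config rule
        option name 'wg-block-upstream-lan'
        option src 'wgserver'
        option dest 'wan'
        option dest_ip '192.168.1.0/24'
        option target 'REJECT'
```

After `/etc/init.d/firewall reload`, a VPN client should still reach the Internet and the two listed hosts but get connection refused elsewhere on either LAN. Note that DLNA discovery relies on SSDP multicast (UDP 1900), which does not cross a routed WireGuard link, so the media server may need to be addressed directly by IP.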