Multiple WiFi VLANs, VPN, Split Horizon and DNS-over-TLS

Afternoon all,

I have a standard OpenWRT build set up... all users on a flat VLAN (PCs, consoles, mobiles, TV, etc. in the same subnet). I am currently using the DNS-over-TLS configuration that's found on this site and I have a VPN provider for SmartDNS, etc.

What I would like to achieve though is to have all "user devices" on one WiFi VLAN and all TVs in another; TVs in a VLAN that will be behind the VPN and user devices in the VPNBypass subnet (using the VPNBypass app).

Is there a way I can do this without breaking the config too much (DNS-over-TLS remains, so I am not DNS leaking for region ID)?

Thanks in advance. Can provide any current network config as required.

You can search for threads requesting help for guest VLANs routing them over VPN. The principle is the same.
New SSID bridged to a new subinterface, then PBR to route these hosts via the VPN to the internet.
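A concrete version of that recipe, as an added example rather than anything posted in the thread: UCI fragments for a second SSID on its own VLAN, with the existing user LAN listed in VPNBypass so only the TV VLAN is routed through the tunnel, and with both VLANs handed the router as their resolver so the existing DNS-over-TLS forwarding still applies. The names and addresses (VLAN 20 on `eth0.20`, interface `tv`, `192.168.20.0/24`, user LAN `192.168.1.0/24`, `radio0`, firewall zone `vpn`) are assumptions; adjust them to the existing build.

```uci
# /etc/config/network  (assumed: user LAN is 192.168.1.0/24, tunnel zone is 'vpn')
config interface 'tv'
	option type 'bridge'
	option ifname 'eth0.20'          # tagged subinterface for wired TVs; the SSID joins below
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/wireless  - second SSID bridged into the 'tv' network
config wifi-iface 'tv_ssid'
	option device 'radio0'
	option network 'tv'
	option mode 'ap'
	option ssid 'TV'
	option encryption 'psk2'
	option key 'CHANGE_ME'           # placeholder
	option isolate '1'               # TVs need not talk to each other

# /etc/config/dhcp  - hand out the router itself as DNS so queries still
# go through the local DNS-over-TLS forwarder instead of a plain resolver
config dhcp 'tv'
	option interface 'tv'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.20.1'

# /etc/config/firewall  - 'tv' may only forward into the VPN zone; no
# forwarding to 'wan' is defined, so if the tunnel drops the TVs lose
# connectivity rather than falling back to the unencrypted uplink
config zone
	option name 'tv'
	list network 'tv'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'tv'
	option dest 'vpn'

# /etc/config/vpnbypass  - subnets listed here bypass the tunnel; the TV
# subnet is deliberately absent, so it keeps the VPN as its default route
config vpnbypass 'config'
	option enabled '1'
	list localsubnet '192.168.1.0/24'
```

TVs that hard-code a public resolver will ignore the DHCP option, so a DNAT of outbound port 53 from the `tv` zone to the router is the usual companion rule if the region check must hold for every device.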

That there is... but would love a straight-up recipe that considers all the other factors of DNS-over-TLS and the like... I know it's not an easy challenge (may actually be) but it would also be a nice tutorial for people going forward as it's a likely scenario these days!!!