Thanks again @egc. I followed that suggestion and the steps in the link.
I want the primary wifi to go via the VPN and the guest wifi as the failsafe, so after setting up the guest network I set up specific clients to route to the VPN (adding the DNS tag as well), recognising that they have a different IP in the guest wifi.
That all seemed to work, although there still seemed to be a DNS leak.
What I didn’t realise initially is that I’d somehow managed to turn off the lan dhcp server, so while playing around and changing networks I lost the ability to connect to the lan!
Luckily my wife’s iMac still had a lease and I’d backed up my previous configs to text so I was able to reset things. Was pretty worried for a while there as I couldn’t connect back in to try to fix the problem.
Will have another look at this on the weekend when I have more time. I think this is the best approach but I’ve obviously screwed something up somewhere.