Hi again mk24,
Instead of making a new thread I thought I'd reply in here. Your help is greatly appreciated. Here's what I did.
I made a new interface called VPNNET - a static address of 192.168.99.1, enabled DHCP server with DHCP options at 6,10.64.0.1 and 10.64.0.1 as my custom DNS server. Interface is ticked as a 'bridge'.
/etc/config/network
config interface 'vpnnet'
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.99.1'
	list dns '10.64.0.1'
I selected the wireless network from before to attach to this newly created 'vpnnet'.
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option country 'GB'
	option htmode 'VHT40'
	option channel '36'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'ap101'
	option encryption 'psk2'
	option key 'hardtoguesspassword'
	option network 'vpnnet'
I've set up a new interface as per the Mullvad WireGuard instructions. Generated a private + public key, used the Mullvad API and my account number to get the IP address of the WireGuard interface. Enabled force link, added a peer with the public key of the peer, an endpoint host and an endpoint port. Set the allowed IPs field to 0.0.0.0/0.
config wireguard_WGINTERFACE
	option description 'gb29 mullvad'
	option public_key 'uaBPua4Tnbluy51WbNOahHx77RGJFGRr/MAqWFILJhI='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'gb29-wireguard.mullvad.net'
	option endpoint_port '51820'
Went to firewall; created a "vpntun" zone for tunnelling - covered network is "vpnnet" - which is what my WiFi AP is attached to. Accept on input, output and forward. Masquerading enabled.
config zone
	option name 'vpntun'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'vpnnet'
	option forward 'ACCEPT'
Another zone "vpnusr". This time the covered network is "WGINTERFACE" which is the wireguard interface with mullvad settings. Allowed forwards to destination zone "vpntun" (and on the receiving end allow from source from this new zone as well). Accept on everything.
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'vpnusr'
	option network 'WGINTERFACE'
This made me lose my LAN to WAN connection - when I SSH into the Pi there is no internet. The WiFi network still exists. I see packets on all three interfaces (lan, vpnnet, wginterface) - but no connection.
Any advice appreciated guys.
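Added example, not from the post above and not OpenWrt's own tooling: a POSIX sh/awk checker that reads a UCI firewall file and reports whether the zones and forwardings are laid out for sending one network's traffic out through a tunnel. It assumes the usual OpenWrt VPN layout, in which the zone covering the client network (vpnnet here) has a forwarding to the zone covering the tunnel interface (WGINTERFACE here) and that tunnel zone carries the masquerade. The two embedded configs are constructed samples, not the poster's files: one mirrors the layout the post describes (masquerade on the client-side zone, forwarding from the tunnel zone towards it), the other has the direction and the masquerade the way the assumption requires.

```shell
#!/bin/sh
# Added example (not from the post, not OpenWrt code): audit a UCI firewall
# file for the usual VPN-out layout. Assumption: the zone covering the client
# network must forward to the zone covering the tunnel interface, and that
# tunnel zone must masquerade (option masq '1').

# check_vpn_fw FILE CLIENT_IFACE TUNNEL_IFACE
# Prints findings; exit status 0 when the layout is complete, 1 otherwise.
check_vpn_fw() {
	awk -v client="$2" -v tunnel="$3" -v q="'" '
	# Store the section that just ended, then reset per-section state.
	function flush() {
		if (type == "zone") { zname[zn] = name; znet[zn] = nets; zmasq[zn] = masq; zn++ }
		if (type == "forwarding") { fsrc[fn] = src; fdst[fn] = dst; fn++ }
		type = ""; name = ""; nets = ""; masq = ""; src = ""; dst = ""
	}
	BEGIN { zn = 0; fn = 0 }
	# "config <type> [name]" opens a section; option/list lines belong to it.
	$1 == "config" { flush(); type = $2; next }
	$1 == "option" || $1 == "list" {
		val = $3; gsub(q, "", val)              # drop the UCI single quotes
		if ($2 == "name") name = val
		if ($2 == "network") nets = nets " " val # a zone may list several networks
		if ($2 == "masq") masq = val
		if ($2 == "src") src = val
		if ($2 == "dest") dst = val
	}
	END {
		flush()
		# Which zone covers the client network, which covers the tunnel?
		for (i = 0; i < zn; i++) {
			if (index(" " znet[i] " ", " " client " ")) czone = zname[i]
			if (index(" " znet[i] " ", " " tunnel " ")) { tzone = zname[i]; tmasq = zmasq[i] }
		}
		bad = 0
		if (czone == "") { print "no zone covers " client; bad = 1 }
		if (tzone == "") { print "no zone covers " tunnel; bad = 1 }
		if (tzone != "" && tmasq != "1") { print "zone " tzone " (tunnel side) lacks masq 1"; bad = 1 }
		found = 0
		for (i = 0; i < fn; i++) if (fsrc[i] == czone && fdst[i] == tzone) found = 1
		if (czone != "" && tzone != "" && !found) { print "no forwarding " czone " -> " tzone; bad = 1 }
		if (!bad) print "OK: " czone " forwards to " tzone " and " tzone " masquerades"
		exit bad
	}' "$1"
}

# Constructed sample laid out as the post describes: masquerade on the
# client-side zone and a forwarding from the tunnel zone towards it.
posted_layout() {
cat <<'EOF'
config zone
	option name 'vpntun'
	option network 'vpnnet'
	option masq '1'
	option forward 'ACCEPT'

config zone
	option name 'vpnusr'
	option network 'WGINTERFACE'
	option forward 'ACCEPT'

config forwarding
	option src 'vpnusr'
	option dest 'vpntun'
EOF
}

# Constructed sample with the direction reversed (client zone -> tunnel zone)
# and the masquerade moved onto the tunnel zone.
fixed_layout() {
cat <<'EOF'
config zone
	option name 'vpntun'
	option network 'vpnnet'
	option forward 'ACCEPT'

config zone
	option name 'vpnusr'
	option network 'WGINTERFACE'
	option masq '1'
	option forward 'ACCEPT'

config forwarding
	option src 'vpntun'
	option dest 'vpnusr'
EOF
}

# Run the checker over both constructed samples.
tmp=${TMPDIR:-/tmp}/fwcheck.$$
posted_layout > "$tmp.posted"
fixed_layout > "$tmp.fixed"
for f in posted fixed; do
	echo "== $f layout =="
	if check_vpn_fw "$tmp.$f" vpnnet WGINTERFACE; then :; fi
done
rm -f "$tmp.posted" "$tmp.fixed"
```

On a router the same function can be pointed at the live file with `check_vpn_fw /etc/config/firewall vpnnet WGINTERFACE`; it only reads zone and forwarding sections, so rules, redirects and the interface definitions in /etc/config/network are left alone.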