Openwrt as an AP for Wireguard

Hi everyone, I have installed Openwrt on a Netgear ex3700 device with only one ethernet port.
I would like to use it exclusively connected to an external VPN server.
All my devices connect via Wi-Fi to OpenWrt and reach the internet over wired Ethernet to the gateway (primary router).
I would like all devices that connect via Wi-Fi to be able to reach the internet only through the VPN; in no way should they be able to reach the primary router (gateway), and the reverse as well: no device connected to the primary router should be able to reach the OpenWrt web interface (this is only to increase security; I accept other, better solutions).

So I have to configure:
1. access point client
2. WireGuard VPN client

  1. Access point

The first step is to make it work as an Access Point client.
So far I can get it to work because a static IP is set on the LAN interface, on the same subnet as the gateway.

For this, it must first serve the web interface on the static WLAN address (192.168.2.1), so that if I have problems on the LAN interface (DHCP client) I can always connect via WLAN.

I still have 3 devices set:
br-lan: type = bridge | ports = eth0
eth0: type: network | existing = eth0
wlan: type: network | existing = wlan0

3 interfaces:
Lan (br-lan)
lan0 (eth0)
Wlan (eth0)

Once the network is set up, I should have:
wlan (dhcp client)> nat >eth0|wan (dhcp client)> primary router
so:
wlan> vpn

wlan = 192.168.2.1
eth0 = 192.168.1.2
wan = 192.168.1.1

a. For security (but I accept better solutions — VLAN?), the router's web interface should be accessible only from the WLAN, at IP 192.168.2.1.

b. All traffic to the internet (192.168.1.1) must go through the VPN.


root@OpenWrt:~# cat /etc/config/network
 
 config interface 'loopback'
         option device 'lo'
         option proto 'static'
         option ipaddr '127.0.0.1'
         option netmask '255.0.0.0'
 
 config globals 'globals'
         option ula_prefix 'fd04:da03:70c3::/48'
 
 config device
         option name 'br-lan'
         option type 'bridge'
         list ports 'eth0'
 
 config interface 'lan'
         option device 'br-lan'
         option proto 'static'
         option netmask '255.255.255.0'
         option ip6assign '60'
         option ipaddr '192.168.1.111'
 
 config switch
         option name 'switch0'
         option reset '1'
         option enable_vlan '0'
 
 config interface 'lan0'
         option proto 'dhcp'
         option device 'eth0'
         option delegate '0'
 
 config interface 'wlan0'
         option proto 'static'
 root@OpenWrt:~# cat /etc/config/network
 
 config interface 'loopback'
         option device 'lo'
         option proto 'static'
         option ipaddr '127.0.0.1'
         option netmask '255.0.0.0'
 
 config globals 'globals'
         option ula_prefix 'fd04:da03:70c3::/48'
 
 config device
         option name 'br-lan'
         option type 'bridge'
         list ports 'eth0'
 
 config interface 'lan'
         option device 'br-lan'
         option proto 'static'
         option netmask '255.255.255.0'
         option ip6assign '60'
         option ipaddr '192.168.1.111'
 
 config switch
         option name 'switch0'
         option reset '1'
         option enable_vlan '0'
 
 config interface 'lan0'
         option proto 'dhcp'
         option device 'eth0'
         option delegate '0'
 
 config interface 'wlan0'
         option proto 'static'
         list ipaddr '192.168.2.1'
         list dns '1.1.1.1'
         option device 'eth0'
 
 config device
         option name 'eth0'
         option ipv6 '0'
 
 config device
         option name 'wlan0'
         option ipv6 '0'
 
 config switch_vlan
         option device 'switch0'
         option description 'vlan0'
         option ports '0t'
         option vlan '1'
 
 config device
         option type '8021q'
         option ifname 'br-lan'
         option vid '1'
         option name 'br-lan.1'
         option ipv6 '0'
 
 root@OpenWrt:~# cat /etc/config/wireless
 
 config wifi-device 'radio0'
         option type 'mac80211'
         option channel '36'
         option hwmode '11a'
         option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
         option htmode 'VHT80'
         option cell_density '0'
 
 config wifi-iface 'default_radio0'
         option device 'radio0'
         option network 'lan'
         option mode 'ap'
         option ssid 'OpenWrt'
         option encryption 'psk2'
         option key '12345678'
 
 config wifi-device 'radio1'
         option type 'mac80211'
         option channel '11'
         option hwmode '11g'
         option path 'platform/10180000.wmac'
         option htmode 'HT20'
         option disabled '1'
 
 config wifi-iface 'default_radio1'
         option device 'radio1'
         option mode 'ap'
         option ssid 'OpenWrt'
         option encryption 'none'
         option network 'lan wlan0'
  1. Configure WireGuard
    ...

I welcome advice for greater security, whether using NAT, static routes, VLANs, etc.

Thanks to everyone who wants to help me!