What I want to do is make a public hotspot, but I don't want a bunch of randos doing sketchy stuff on my main internet connection. So, I'd like to get a VPN subscription, from NordVPN, ExpressVPN etc., and set that up as an OpenVPN profile on the Wrt router, create an AP and separate subnet for the hotspot and route all of that through the VPN connection. This will result in a double NAT, one at Wrt and the other at the VPN provider, but that's okay. I need this to be totally detached from my main WAN and LAN. So far I've been unsuccessful in getting this to work.
I made an interface attached to wlan1-1 (the public AP) with a static IP of 10.100.1.1/24 and enabled DHCP. Connecting clients do get assigned an IP in that range and are given 10.100.1.1 as the default gateway/DNS.
What's stumping me is how I get that subnet to NAT from a different gateway, bearing in mind that the IP/subnet and gateway from the VPN provider are not always the same, so I cannot hard-code them. I tried making a 'vpnwan' interface attached to tun0 as unmanaged and then creating the two firewall zones and forwarding rules, but that gives clients "Destination port unavailable". I'm thinking I may need to use MWAN3 or something, as it is technically a multi-WAN setup.
With unmanaged devices this would be easy. I'd shunt OpenVPN's route directives to a second routing table, use iptables to mark incoming packets on wlanx-x then use ip rule to redirect them to the second routing table. Just can't quite get my head around how to do this with the UCI stuff.
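One way to do the second-routing-table part described above with OpenWrt's OpenVPN client, as an added example that is not from the original post: an OpenVPN route-up hook reads the gateway OpenVPN hands it on every connect, so the provider's changing address is never hard-coded, and the guest subnet gets a table whose only usable default route is the tunnel. Assumed names: table 100, the hook path /etc/openvpn/guest-route-up.sh, and the route-noexec / script-security 2 / route-up lines in the client config.

```shell
#!/bin/sh
# Added example, not the poster's configuration: an OpenVPN route-up hook
# that sends the guest subnet (10.100.1.0/24 on wlan1-1) through a dedicated
# routing table whose only usable default route is the tunnel.
# Assumptions: the OpenVPN client config carries "route-noexec",
# "script-security 2" and "route-up /etc/openvpn/guest-route-up.sh";
# table 100 and rule priority 1000 are arbitrary choices.

GUEST_NET="${GUEST_NET:-10.100.1.0/24}"
GUEST_IF="${GUEST_IF:-wlan1-1}"
GUEST_TABLE="${GUEST_TABLE:-100}"

# Emit the ip(8) commands for one tunnel state. OpenVPN sets $dev (tun0)
# and $route_vpn_gateway (the provider's gateway, different on every
# connect) in the hook's environment, so nothing is hard-coded.
# Printing instead of executing keeps the logic testable offline.
build_guest_routes() {
    dev="$1"; gw="$2"; net="$3"; gif="$4"; table="$5"
    [ -n "$dev" ] && [ -n "$gw" ] || return 1
    cat <<EOF
ip route flush table $table
ip route add $net dev $gif table $table
ip route add default via $gw dev $dev table $table
ip route add unreachable default metric 1000 table $table
ip rule del from $net lookup $table 2>/dev/null || true
ip rule add from $net lookup $table priority 1000
EOF
}
# Why the table looks like this: the connected route keeps router-to-client
# replies (DHCP and DNS answers from 10.100.1.1) off the tunnel; the
# "unreachable" default fails closed, so if the tunnel disappears the guest
# subnet has no path to the main WAN instead of silently falling back to it.

# Apply only when invoked by OpenVPN; sourcing or testing the file is a no-op.
if [ "${script_type:-}" = "route-up" ]; then
    build_guest_routes "$dev" "$route_vpn_gateway" "$GUEST_NET" "$GUEST_IF" "$GUEST_TABLE" | sh -e
fi
```

The hook only handles routing: OpenWrt's firewall still needs a zone covering tun0 with masquerading on, forwarding from the guest zone to that zone only (not to wan or lan), and guest DNS pointed at a resolver reached through the tunnel, otherwise queries still leave via the main WAN.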