Security problem in official instructions

Hi there.
There's a problem in the pages of the OpenWrt documentation and how-tos.
This should be fixed because you give users potentially dangerous instructions.

When you specify how to configure the wireguard client (to have a VPN tunnel to another part of your network)

you suggest assigning the VPN (out) interface to the wan zone "to minimize firewall setup". In theory this makes sense; however, by doing this you allow all the clients of the guest network to access your VPN tunnel (if the users also follow the procedures on how to create a guest network).

The purpose of a guest network is to isolate potentially unsafe devices from your safe ones.
Allowing them to route traffic to your VPN tunnel (to avoid creating another zone for the VPN) can be catastrophic.

Hope this gets fixed for the safety of everyone.

1 Like

Have you got an example situation where this would be an issue?

When you have a guest wifi (maybe open) and a VPN to another part of your network,
you are basically exposing your whole network connected to the WireGuard server to the guests (the public).

The WireGuard information doesn't talk about guest networks at all, nor do the guides for setting up additional AP interfaces talk about VPNs - and neither of them should. How the routing between those is supposed to happen is a policy decision; there is no one-size-fits-all solution to this - the admin needs to know what they want to end up with (there is something to be said for offloading the risks of guest networks to a commercial VPN - something that obviously shouldn't happen with your company's internal VPN).

While the wiki pages are open for improvements from anyone who cares, adding all kinds of intertwined topics would make them pretty much unreadable - at the end of the day, someone will have to make the policy decisions themselves (and as mentioned before, those may go either way - depending on the kind of VPN you're setting up).
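As an added illustration of the point argued in this thread (not code from the thread or from the OpenWrt project), the following Python script parses two constructed `/etc/config/firewall` fragments in OpenWrt's UCI syntax and works out which networks a guest client can reach through zone forwarding. The first fragment puts the WireGuard interface into the `wan` zone, as the wiki text discussed above does; the second gives it its own `vpn` zone that only `lan` may forward to. The network names `wg0` and `guest`, and the shape of the configs, are assumptions for the example. The script models only `config zone` / `config forwarding` policy, not `config rule` entries or the resulting nftables ruleset, so it is a quick audit of the zone layout rather than a full firewall analysis.

```python
import re
from typing import Dict, List, Set, Tuple

# (section type, options, lists) for each "config ..." block in a UCI file
Section = Tuple[str, Dict[str, str], Dict[str, List[str]]]

# Constructed example: WireGuard interface placed in the wan zone.
# Any zone allowed to forward to wan can then also forward into wg0.
WEAK_CONFIG = """
config zone
    option name 'lan'
    list network 'lan'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    list network 'wan'
    list network 'wg0'
    option forward 'REJECT'
config zone
    option name 'guest'
    list network 'guest'
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'guest'
    option dest 'wan'
"""

# Constructed example: WireGuard interface in a dedicated 'vpn' zone,
# with only lan -> vpn forwarding; guest keeps plain Internet access.
HARDENED_CONFIG = WEAK_CONFIG.replace("    list network 'wg0'\n", "") + """
config zone
    option name 'vpn'
    list network 'wg0'
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'vpn'
"""


def parse_uci(text: str) -> List[Section]:
    """Minimal parser for UCI 'config'/'option'/'list' lines."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}, {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'?([^']*)'?$", line)
        if not m or not sections:
            raise ValueError(f"unexpected UCI line: {raw!r}")
        kind, key, value = m.groups()
        _, options, lists = sections[-1]
        if kind == "option":
            options[key] = value
        else:
            lists.setdefault(key, []).append(value)
    return sections


def zone_networks(sections: List[Section]) -> Dict[str, List[str]]:
    """Map each zone name to the networks it covers."""
    return {o["name"]: l.get("network", []) for t, o, l in sections if t == "zone"}


def zone_of(sections: List[Section], network: str):
    for name, nets in zone_networks(sections).items():
        if network in nets:
            return name
    return None


def reachable_networks(sections: List[Section], src_network: str) -> Set[str]:
    """Networks that src_network may forward to, per zone policy."""
    zones = zone_networks(sections)
    src_zone = zone_of(sections, src_network)
    if src_zone is None:
        return set()
    reach: Set[str] = set()
    # Traffic between networks of the same zone follows the zone's own
    # 'forward' option (OpenWrt defaults to REJECT when it is unset).
    policy = {o["name"]: o.get("forward", "REJECT") for t, o, _ in sections if t == "zone"}
    if policy[src_zone] == "ACCEPT":
        reach.update(n for n in zones[src_zone] if n != src_network)
    # Inter-zone traffic needs an explicit 'config forwarding' src -> dest.
    for t, o, _ in sections:
        if t == "forwarding" and o.get("src") == src_zone:
            reach.update(zones.get(o.get("dest", ""), []))
    return reach


def guest_can_reach_tunnel(config: str, guest: str = "guest", tunnel: str = "wg0") -> bool:
    """True if the guest network can forward traffic into the WireGuard interface."""
    return tunnel in reachable_networks(parse_uci(config), guest)


if __name__ == "__main__":
    for label, cfg in (("wg0 in wan zone", WEAK_CONFIG), ("wg0 in own vpn zone", HARDENED_CONFIG)):
        print(f"{label}: guest -> tunnel allowed = {guest_can_reach_tunnel(cfg)}")
```

Running the script shows the guest zone reaching `wg0` in the first layout and only `wan` in the second, while `lan` still reaches both; the dedicated zone costs one extra `config zone` and one `config forwarding` entry.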