The OpenWRT router (TL-WR740N) is a wireless client.
The wireless network has a subnet of 192.168.0.x
The router has the address 192.168.2.1, because it is connected to the local network 192.168.2.x (DHCP is disabled, each has its own address statically registered: 192.168.2.101, 192.168.2.102 and so on)
It is necessary that access to the 192.168.0.x subnet (including the Internet) is available only to those who have either a VPN client or some other proxy client installed on their PC (192.168.2.101, 192.168.2.102, etc.)
Maybe someone has a similar ready-made configuration?
You could block all access to 192.168.0.x in the 192.168.2.1's firewall, leaving only ports used by the
VPN and/or proxy to pass, going to the IP(s) of the proxy host and/or VPN server.