Wifi for VPN. Ethernet for direct internet & local access

Installing and Using OpenWrt
2

Remove masquerade.

Remove this forwarding, you have the wifi->vpnfirewall already.
MS-V is the only one that works because the default gateway in the routing table is from the vpn, but you don't allow (and don't want) that in firewall.

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.