Comment by hexmiles

16 hours ago

In my case I simply create two WireGuard tunnels (one called "vpn", the other called "guest") and use firewall rules to block all traffic from the "guest" tunnel to all services except the one that should be "public" (in my case a Minecraft server).

I think you could technically do it with a single tunnel by using firewall rules that refer to the IP address of the single peer but it's less convenient.

NOTE: I also added a dedicated dnsmasq instance only for the "guest" tunnel so that they have DNS working and can use hostnames instead of IP addresses.

This setup is trivial with both OpenWrt and OPNsense, but it should also be doable with a manual setup.
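As an added example (not part of hexmiles' comment or any project's own configuration), here is what the "guest" tunnel restriction described above could look like as a manual nftables ruleset on a Linux router. The interface names "vpn" and "guest" come from the comment; the guest subnet, the guest-side gateway address, the Minecraft server address and the port 25565 are assumptions chosen for illustration.

```nft
# Added example, not the commenter's configuration.
# Assumed values: WireGuard interfaces "vpn" and "guest", guest tunnel subnet
# 10.9.0.0/24, router address on the guest tunnel 10.9.0.1 (where the dedicated
# dnsmasq listens), Minecraft server 10.0.0.5 on TCP 25565 (Minecraft's default).
define GUEST_NET = 10.9.0.0/24
define GUEST_GW  = 10.9.0.1
define MC_SERVER = 10.0.0.5
define MC_PORT   = 25565

# A separate table with "policy accept" composes with the router's existing
# firewall: a drop here is final, an accept here still has to pass the other
# tables, so this only ever narrows what the guest tunnel may reach.
table inet guestvpn {
    chain input {
        type filter hook input priority 0; policy accept;
        # Guest peers may talk to the router only for DNS on the guest-side
        # address, served by the dnsmasq instance bound to "guest".
        iifname "guest" ip daddr $GUEST_GW udp dport 53 accept
        iifname "guest" ip daddr $GUEST_GW tcp dport 53 accept
        # Anything else aimed at the router itself from the guest tunnel is dropped.
        iifname "guest" drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # Replies to flows the guest legitimately opened.
        ct state established,related accept
        # The single "public" service: new connections to the Minecraft server only.
        iifname "guest" ip saddr $GUEST_NET ip daddr $MC_SERVER tcp dport $MC_PORT ct state new accept
        # Everything else from "guest" (LAN, other services, the "vpn" tunnel,
        # the internet) is dropped; the "vpn" tunnel is untouched by this table.
        iifname "guest" drop
    }
}
```

Load it with `nft -f <file>` alongside the normal ruleset, and run the guest resolver as a second dnsmasq process bound to that tunnel only (for example `dnsmasq --conf-file=/dev/null --interface=guest --bind-interfaces`) so the main resolver stays unreachable from guest peers.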