Couldn't make OpenVPN operate with my desired restrictions in place (likely an user error), so dove into Wireguard. The supporting help docs are garbage to the uninitiated. Have pasted my personal notes below to hopefully help others. This has all been tested on a separate network with an LTE gateway. Note - I use the terms server/client because that's easier for me to grasp; I know it isn't correct.

PS: sorry for the photo uploads but I wasn't going to fix nuanced syntax just to make this post pass the forum's external link checker.