I believe the YazFi script supports this capability, although it could be done by yourself w/ some basic networking knowledge.
Just beware, this usually requires removing the wireless clients (or more specifically, their network interfaces) from the default bridge (br0), so wired and wireless clients are now using different IP networks, and all communications between the wireless and wired users is now routed. Besides the normal hassle of having different clients on different networks (particularly if *only* for the purposes of segregating VPN users), it also means that network discovery doesn't work between them, not unless you restore that capability w/ an mDNS proxy (e.g., Avahi). Here again, YazFi may already enable that capability (I'm a bit unsure because I don't use YazFi personally but I know others do).
IOW, you can do it, w/ some effort, but it comes at a price. A price that some may not be willing to pay.
