This all depends on how much throughput your desire. You
might be able to get away with an RT-AX88U if all you need in the foreseeable future is 200-300 Mb/s of VPN, but beyond than that, I'd just bite the bullet and run an x86-based firewall with separate, discrete wifi (either a Wifi 6 consumer all-in-one in AP mode, or an SMB-grade product if you want something more mature and/or scalable).
For a pre-built x86 solution, I would checkout Netgate's
pfsense appliances, specifically the SG-5100 ($699), or for more CPU for way lower cost, build your own appliance with an embedded Qotom/Protectli box off Amazon (Intel i3 or i5 models can be had
with an SSD and RAM for ~$300).
For a Wifi 6 solution, I'd do a purpose-built AP, such as the
EnGenius EWS377AP, which is a 4x4 radio and one of the best values out there.
Put something like that together, and you'll have a rock-solid network that will absolutely destroy a consumer setup in nearly every way except for lower single-array wifi amplification.