Sorry, I don’t know of any.

IMO not a good idea to use any VPN on LAN, except for remote access into it.

Any VPN will increase your latency. Playing thru remote access will kill your latency.

I would create another VLAN just for cameras with appropriate firewall rules. Allow Trusted into this “no-internet” VLAN but nothing to the internet. One way would be to figure out which ports the cameras use so you can add a firewall rule to allow communication to the NVR’s IP. Another way would be to set the NVR on a static IP in the IOT and allow all traffic to it from this camera VLAN, (this is probably the easiest but not the most secure).

As a side note, I try to set as many things that I can on a static IP, it enables the use of firewall rules, also helps with normal monitoring.

As another side note - The Unifi APs support up to 4 VLANs (1 per SSID) - they also support the use of a SSID with multiple passwords which will allow connection to a VLAN depending on which password is used. It’s a new feature and I haven’t used it, so idk how well it works or other issues.

I would set up Trusted, IOT and Guest VLANs. Put all PC’s, servers and NAS in it, all else goes to IOT (Phones, Tablets, streamers, cameras and NVR, etc). Create firewall rules to allow internet for all and let anything from the Trusted network to get to IOT and Guest, but block everything from IOT and Guest to Trusted (except for a couple exceptions). One exception is I don’t see a printer but if you had one I’d assign it a static in the Trusted and allow all VLANs to get to it’s IP. Another exception is I use PiHole (lives on Trusted) and I allow only port 53 (DNS) to those IPs, (I have 2 Piholes).

Your Unifi APs are VLAN aware but I have no idea on your router/switches (I assume at least the router is).