Two questions upfront.
- Does your Netgear router support being a VPN client?
- Does it have a guest mode?

If the answer to both of those is yes, then you could consider using the guest mode as your VPN network.
If not, then your best option is probably 2. You could get a router which supports OpenWrt or use a different enterprise-style router like pfSense.
I did the same thing you're asking about in pfSense, where I routed one VLAN over a VPN while leaving my main LAN completely normal.
Why not just use the Cloudflare Tunnels command line binary?
It can automatically create the CNAMEs.