Tunnel to a different country

We have a guest staying here (US) from France for a few months and they’d like to be able to access some of their country-specific things (streaming sites, applications, etc.). I was wondering if there was a way to set up some sort of tunnel to their host country, assign it to a specific VLAN, then just set up a new SSID tagged to that VLAN so all their devices could just connect to that and route to France instead of the normal WAN.

Yep, easy to do. Here’s a script repo for PIA: https://github.com/FingerlessGlov3s/OPNsensePIAWireguard

You’d need a VPN device on the other side: either a commercial VPN server, a VPS, or some VPN-capable host with routing.

On your OPNsense, you would not even need a VLAN or SSID, just use DHCP reservations and set up some FW rules to route their devices to the VPN.

If they know someone in France who has a Freebox (ISP box), WireGuard is part of the box and you just need to use the interface to create an account and then you can tunnel with WG in 2 seconds tops.

Or allow them to use a VPN themselves? NordVPN works here very well but I wouldn’t get it just for my guests :sweat_smile:

As everyone has stated already, this is easy to do with a VPN. The guest can either run the VPN on their client or, if it’s for something like a Roku, I’d suggest using policy-based routing to do it. For policy-based:

  1. Set up the VPN client “to be in France”
  2. Assign the device a static IP
  3. Set up a policy to route the static IP out the VPN gateway

Here’s a tutorial from Lawrence Systems for pfSense, but it works exactly the same in OPNsense. https://www.youtube.com/watch?v=HMWRCXSFVjU
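An added example, not part of the original post or any project's code: a small first-match model of the three policy-routing steps above, showing where a guest device's traffic goes when the France tunnel drops. The addresses, the `WG_FR` gateway name and the two gateway-down behaviours (rule kept with its gateway dropped, or rule skipped entirely) are assumptions for illustration.

```python
import ipaddress

# Constructed sample data: addresses and gateway names are hypothetical.
GUESTS = {ipaddress.ip_address(a) for a in ("192.168.1.50", "192.168.1.51")}

# Rules are evaluated top-down, first match wins.
# (description, source set or None for any, action, gateway or None for default route)
RULES_WITH_KILL_SWITCH = [
    ("guest static IPs out the France tunnel", GUESTS, "pass", "WG_FR"),
    ("guest kill switch", GUESTS, "block", None),
    ("default allow LAN to any", None, "pass", None),
]
RULES_NO_KILL_SWITCH = [r for r in RULES_WITH_KILL_SWITCH if r[2] != "block"]


def egress(src, rules, tunnel_up, skip_rule_when_gw_down):
    """Return the path a new connection from src takes: 'WG_FR', 'WAN' or 'BLOCKED'."""
    src = ipaddress.ip_address(src)
    for _desc, sources, action, gateway in rules:
        if sources is not None and src not in sources:
            continue
        if action == "block":
            return "BLOCKED"
        if gateway is None:
            return "WAN"          # no policy gateway: normal default route
        if tunnel_up:
            return gateway        # policy route out the VPN gateway
        if not skip_rule_when_gw_down:
            return "WAN"          # assumed: rule kept but gateway dropped -> leak
        # assumed: rule skipped entirely, keep evaluating the rules below it
    return "BLOCKED"              # implicit default deny


if __name__ == "__main__":
    for label, rules, skip in (
        ("no kill switch, gateway dropped", RULES_NO_KILL_SWITCH, False),
        ("no kill switch, rule skipped", RULES_NO_KILL_SWITCH, True),
        ("kill switch, rule skipped", RULES_WITH_KILL_SWITCH, True),
    ):
        print(label, "->", egress("192.168.1.50", rules, False, skip))
```

In this model the guest devices only fail closed when the policy rule is skipped on gateway failure and a block rule for the same static IPs sits directly below it.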

I use GeoIP and a NordVPN to a US-based destination to gain access to local (US) news sources. I have different (static) rules for those that use CDNs and try to route me to ‘local’ versions.

Certainly doable, see below comments. They can also use, for example, a VPN provider like NordVPN or Surfshark and use that over your WAN and set their exit in France. Or, better yet, dump a Raspberry Pi in their house, install WireGuard on it and use that, as a lot of streaming providers block known IP ranges of commercial VPNs nowadays. Of course the RPi option depends on how technical they are and if their home connection has a public IP (some providers use CGNAT and then this would not work).