Apple Configurator

After spending a fair few hours on this - and being told it wasn't possible - I wanted to share the process for getting an Apple AirPrint Printer working over a WireGuard VPN on an iOS device. If I explain the process, then it should be printer agnostic; for info., my router is an ASUS XT12, printer is a Canon MG3200 series.
With 18 Steps, it's not for the feint-hearted, but here are the basic steps:

1. use your router's LAN Settings to assign a Local LAN Static IP to your Printer. This is best practice anyway but is needed in this case; as you can manually (by IP, not via Bonjour autodiscovery) add a printer to an iOS Configuration Profile
2. download the iOS WireGuard client to a device e.g. your mobile
3. also download an iOS-based network management tool to the device. I used the free 'iNetTools' from the App Store
4. use your router's (or separate e.g. Raspberry Pi) WireGuard Server to set-up the server-side Local LAN Tunnel IP v4 eg 172.16.10.0/27 depending on the scale of your LAN. Make sure the 'Access Intranet' & 'DNS' options are enabled and the Server switched 'on'
5. then configure an iOS Client; use a single WireGuard 'virtual IP' per client eg 10.0.01/32 then 10.0.0.2/32; and also include the LAN Gateway IP (in 3. above) for the Gateway & DNS
6. switch on the Printer - which is connected by WiFi to your LAN router
7. from the LAN and no VPN, from any device on the same WiFi LAN, use your browser to connect to the Printer's web interface by using only the Printer's assigned Static IP Address
8. take the device in 2. above, switch-off WiFi and use 3/4/5G data connection and use the WireGuard Client to VPN back to your internet-facing WAN/LAN Router. [Note: you will need to configure your router's DDNS service if your ISP doesn't give you (or you don't pay for) a Static Public IP address]
9. assuming the VPN tunnel works, the issue is that when you try a 'test' print from your iOS device e.g. mobile, the AirPrint option will result in 'AirPrint Printer Not Found'. This is what I've been stuck on trying to fix for some time.
10. with the VPN running, use the iOS iNetTools to try to ping the Printer's IP address; check to see if you get a reply
11. again with the VPN running, use the same Tool to do a Port Scan on the Printer's static IP address. This is really important as it will confirm which Ports your specific Printer is using to communicate on your LAN. For example, my Canon was using Ports 80, 535/TCP (Printer Spooler Port) & 631/TCP (CUPS)
12. now go to your Router and add Ports 535/TCP & 631/TCP to your Router's Virtual Port Forwarding rules. Add the Source IP to be 10.0.0.0/29 ,for example, if you've under 8 concurrent VPN clients connected. This is so that these Ports are available to all the concurrent VPN virtual IP addresses. No need to add Port 80
13. next is customising how the AirPrint is found on the LAN (over the VPN); the next step needs a MacOS device - the software is not available on Windows
14. go to the MacOS App Store and download/install the Apple Configurator. Make sure you're logged-on to your Apple Account
15. turn-off the WireGuard VPN Client. Connect the Mobile in 2./3. above via USB; you should see your Device in the App. First, do a Local Backup of the iOS device!
16. then use the Configurator 'File' option to create a 'New Profile' and use the left-hand navigation to go to (only) the AirPrint Section. Add the Static IP address of the LAN WiFi Printer then 'Save'
17. use the Apple Configurator to 'Add' this Configuration Profile to your iOS device. Once added you will see this on your mobile under 'Settings->General->VPN & Device Management' - where you will also see the WireGuard VPN Profile
18. With the iOS WiFi 'off', the Device VPN 'on' and Printer 'on' (obv) this new, additional Profile will mean the LAN Printer is now Discoverable. Try a Test Print; the printer should be available and the printer kick into life
    It was also interesting to see how the Apple Configurator can be used to create additional customised iOS configuration options, particularly under a 'Supervised' mode on a personal (not business owned) device.
    Hope that helps?!