mikrobee
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2017 1:47 pm

Open VPN on a Wireless VLAN for Accessing Geo-blocked Content

Sat Aug 10, 2019 2:24 pm

I'm trying to figure out if I can use VPN Express's OpenVPN usernames and passwords to do the following... (I realise I can use the VPN Express app instead, but I want to learn and play around with the router).
1. Firstly, can I bypass VPN Express and roll my own somehow for less than $6.67 US p/m?
2. Can I create an Open VPN client on my HAP AC 2, run it permanently on a wireless VLAN, create an SSID like "UK" and "US" and connect a client direct to a US/UK VPN?
3. Are there any other considerations? Security issues? Placing a load on the router? It has IPsec hardware encryption.
 
sindy
Forum Guru
Posts: 11301
Joined: Mon Dec 04, 2017 9:19 pm

Re: Open VPN on a Wireless VLAN for Accessing Geo-blocked Content

Sat Aug 10, 2019 4:16 pm

1. Firstly, can I bypass VPN Express and roll my own somehow for less than $6.67 US p/m?
If you can place your own router in each country of interest, and at least one of them will have a public IP address (or all of them will have IPv6 addresses which are all public), then yes. Whether the total expenses will be less than US $6.67 monthly is another question.

2. Can I create an Open VPN client on my HAP AC 2, run it permanently on a wireless VLAN, create an SSID like "UK" and "US" and connect a client direct to a US/UK VPN?
You can create one or more OpenVPN clients, and use policy routing to route traffic from clients associated to each SSID either via a gateway representing each destination country within the same OpenVPN connection, if that's how VPN Express works, or via a distinct OpenVPN connection as a whole, if a dedicated one per destination country is needed.

3. Are there any other considerations? Security issues? Placing a load on the router? It has IPsec hardware encryption.
Many:
  • MikroTik's in-house implementation of OpenVPN is seriously limited as compared to the genuine one. For client mode, what limits you most is that it supports only TCP as transport and doesn't support compression, so if VPN Express insists on UDP transport or compression, you cannot use MikroTik to connect.
  • With any public "VPN" where you don't control both the client and the server, you never know who actually controls the business, what information about your traffic they collect, and for what purpose (where targeted advertising for expats is one of the least harmful ones).
  • Hardware encryption, on all MikroTik routers that support it, is used only for IPsec, not for OpenVPN, nor even for SSTP. So you have to see whether your uplink bandwidth or the throughput of your hAP ac² will be the limiting factor.
  • Be careful regarding DNS: the clients will likely have to access it via the VPN as well, because the response to the same query may differ depending on the source address of the query. As the clients cache the DNS answers, you have to use the proper SSID right from starting the machine; otherwise you may end up with the IP of a server for international users, so you won't see the contents available to UK users even if accessing it from a UK address.
Last edited by sindy on Mon Aug 12, 2019 6:31 am, edited 1 time in total.
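
Added example (not part of sindy's post and not MikroTik or provider code): a small Python check that reads an OpenVPN client profile and flags the two things the reply says the RouterOS client cannot do, UDP transport and compression. The profile text, hostnames and function names are constructed for illustration; the limits are taken as stated in the post.

```python
# Constructed sample profile; hostnames and ports are placeholders.
SAMPLE_PROFILE = """\
# sample client profile (constructed for this example)
client
dev tun
proto udp
remote uk.vpn.example 1195
remote us.vpn.example 443 tcp
comp-lzo
auth-user-pass
"""

def _directives(profile_text):
    """Yield (line_no, keyword, args) for each directive, skipping comments."""
    for no, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        yield no, parts[0].lower(), parts[1:]

def check_profile(profile_text):
    """Return sorted (line_no, issue) pairs; an empty list means no conflict
    with the limits described in the post (TCP only, no compression)."""
    issues = []
    default_proto = "udp"  # OpenVPN falls back to UDP when no proto is given
    remotes = []
    for no, key, args in _directives(profile_text):
        if key == "proto" and args:
            default_proto = args[0].lower()
        elif key == "remote":
            # 'remote host [port] [proto]' may override the profile-wide proto
            remotes.append((no, args[2].lower() if len(args) >= 3 else None))
        elif key in ("comp-lzo", "compress"):
            issues.append((no, f"'{key}' asks for compression framing"))
    for no, proto in remotes:
        effective = proto or default_proto
        if not effective.startswith("tcp"):
            issues.append((no, f"remote uses {effective} transport, not TCP"))
    return sorted(issues)

if __name__ == "__main__":
    for line_no, issue in check_profile(SAMPLE_PROFILE):
        print(f"line {line_no}: {issue}")
```

A profile that passes this check can still be rejected by the server for other reasons, such as cipher or authentication settings, which the post does not cover.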
 
mikrobee
just joined
Topic Author
Posts: 11
Joined: Mon Feb 20, 2017 1:47 pm

Re: Open VPN on a Wireless VLAN for Accessing Geo-blocked Content

Mon Aug 12, 2019 4:24 am

Thank you Sindy,
I'll absorb this and add to the post shortly.