If you make a VPN connection, e.g. via Wireguard, to your router and then have "Allowed IPs" set to 0.0.0.0/0, ::/0 on the client, then all traffic from the client goes to the router. If you put the wireguard interface in a firewall zone that allows it to be forwarded to wan, then all the traffic from the client can go to the internet. I can make some screenshots from my config if needed.
You can run your own. I am doing pretty much the exact same thing.
I have wireguard on my openwrt at home. With my phone I connect to the openwrt router and from there I access the internet. I mainly do this for privacy and security reasons, e.g. if I use a public WiFi then everything I send is secure, also people cannot detect what sites/IPs I'm using. Of course my ISP at home can detect. There is always somebody you need to trust.
On the client (= phone):
  DNS server: 192.168.8.1 (= router main IP address on the "lan" interface)
  Define a peer:
    Public Key: fill in the router's public key
    Allowed IPs: 0.0.0.0/0, ::/0
    Endpoint: Router public IP:43648
    Preshared key: xxxxxxxxxxxxxxx
The preshared key is not really needed btw, but you can use it for extra security. Guest interface is also not needed. Do make sure that the wireguard port is accessible from the internet. My main lan is 192.168.8.1/21
I put both of them in the "lan" firewall zone and set "forward" to accept (= allow forwarding between different interfaces in the zone).
If you want broadcast to also get through then you may want to install avahi-dbus-daemon
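A small checker for the phone-side config described in this post, as an added example that is not from the thread: it parses a wg-quick style client config and flags the things the post relies on (catch-all AllowedIPs for both v4 and v6, a DNS server that is actually routed through the tunnel, an Endpoint with an explicit port, and the optional PresharedKey). The embedded sample config, its placeholder keys, the hostname and the 192.168.9.2 tunnel address are constructed assumptions, not values from the post.

```python
import ipaddress
import re

# Constructed sample mirroring the phone config in the post; keys/host are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.9.2/32
DNS = 192.168.8.1

[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = router.example.net:43648
"""

def parse_wg(text):
    """Parse wg-quick INI text into ({interface keys}, [{peer keys}, ...]); keys lowercased."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))  # keys end in '=' padding
            cur[key.lower()] = val
    return iface, peers

def lint(text):
    """Return findings for a full-tunnel-via-home-router config; [] means it matches the post."""
    iface, peers = parse_wg(text)
    findings = []
    allowed = [ipaddress.ip_network(n.strip(), strict=False)
               for p in peers for n in p.get("allowedips", "").split(",") if n.strip()]
    if not any(n.version == 4 and n.prefixlen == 0 for n in allowed):
        findings.append("no IPv4 catch-all route: not a full tunnel, IPv4 traffic bypasses the router")
    if not any(n.version == 6 and n.prefixlen == 0 for n in allowed):
        findings.append("no ::/0 in AllowedIPs: IPv6 traffic can bypass the tunnel")
    if not iface.get("dns"):
        findings.append("no DNS set: the local network's resolver is used (DNS leak)")
    for dns in (d.strip() for d in iface.get("dns", "").split(",") if d.strip()):
        try:
            addr = ipaddress.ip_address(dns)      # search domains in DNS= are skipped
        except ValueError:
            continue
        if not any(addr in n for n in allowed):   # resolver must be reachable via the tunnel
            findings.append(f"DNS {dns} is not routed through the tunnel (DNS leak)")
    for i, p in enumerate(peers):
        if not re.search(r":\d+$", p.get("endpoint", "")):
            findings.append(f"peer {i}: Endpoint lacks an explicit port")
        if "presharedkey" not in p:
            findings.append(f"peer {i}: no PresharedKey (optional, adds a symmetric layer)")
    return findings
```

Run `lint(SAMPLE_CONF)` to see an empty list; swapping the catch-all routes for the LAN prefix and the DNS for a public resolver shows how a split-tunnel config leaks.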
When I attempted to use my mobile phone as a hotspot, the connection didn't establish.
The firewall rules had been added via the CLI, but I'd fiddled with the settings in an attempt to get it working - I had changed the 'destination zone' to 'WAN'. I've now changed that back to 'Device (input)' and everything appears to be working correctly.
I agree, wireguard is relatively easy to set up, has a small attack surface, and is fast. Especially if you add the preshared key it is secure. Of course the weak point here is not the protocol, it is the endpoint. If that gets compromised then you are out of luck. If you do not care about accessing your home network, but still want your traffic to go via your router, you can consider adding it to the "guest" network; then you can keep it separated.
Would you recommend changing the default IP addresses and subnets to provide additional security? I've used the IPs in the guide which, I presume, would be the ones targeted if Wireguard were to become compromised?
In general, if a certain device does not need access to a certain resource it is better to not give it access. E.g. if you have visitors, don't give them access to your secure WiFi, make a guest net. Or if you have IoT devices that do not need access to your file server, then separate them. Or your new fridge needs internet, why allow it to talk to anything else. Ideally separate the traffic with VLANs if you have multiple switches/routers.
What I did was make a guest network with a separate SSID and use VLAN tagging to keep it separated (I have an r7800 which is AP & router, an r7800 which is just an AP, and also an e4200V2 which I use as a switch). Things like an internet radio also only get access to the guest net. I did set it up so that I can operate the internet radio via my RPi which is on my secure net.