Well, for egress there exists a solution, in that wireguard can/will set the flow-id in the fwmarks and cake can actually consume this, so that it will recognize the VPNd flows individually (but IIRC, this only works in besteffort mode, so not in conjunction with dual-dsthost or dual-srchost or triple-isolate, and it requires that wireguard-encryption/decryption runs on the same router, and finally this will only work for egress traffic).
Regarding your proposals:
ad 1) why bother with a virtual interface, just instantiate SQM/cake on the wan device (preferably the L2-device as reported by ifstatus wan), the problem here is that even with dual-dsthost your VPN traffic will get at best 1/N of the capacity, with N-1 the number of concurrently bypassing internal IP addresses... for ingress that should work better than besteffort, as all wireguard traffic should look like belonging to a single flow so pure per-flow fairness is going to throttle the VPN even more than per-IP fairness.
(For egress just try the flows nonat keywords instead of dual-dsthost so that you get at least per flow fairness).
ad 2) This by itself is problematic as in each priority tier cake will still apply its normal fairness mode, and all the VPN flows look like a single flow... (but it is possible to combine this approach with the flows nonat trick from above). And the typical problem is that for ingress traffic you can not really mark your VPN traffic well, since you have no working iptables/nftables available. If the external port of wireguard stays constant, you could try to use a tc filter to set DSCPs according to the port-number, but since anybody can send you packets with any port number that is not super robust.
ad 3) Doable, but unless the VPN sqm instance is set to considerably lower speed than the WAN sqm instance, the VPN sqm instance will rarely trigger (at least for ingress).
As I tried to illustrate, for egress things are not that bad, but for ingress the picture is considerably bleaker (unless you are happy with only guaranteeing the combined VPN traffic as much capacity as a single IP address in per-IP fairness).
Hope that helps....