UPD:
here's the running config on the router and VPS.
should give you a good idea how to do this
https://gist.github.com/SirToffski/5502cd558d855cc36e9dfb00628b708d
Yes I've got a similar setup! Here's a diagram.
Your solution is:
Let's say wg0 subnet (for remote server) is 10.100.200.0/28. Put this range for the allowed IPs on your router wg0 interface and check "Create routes for allowed IPs". Create a separate FW zone for wg0 interface - and make it similar to the WAN zone, including MASQUERADING. This way all our outbound traffic to the server will have the source IP of the router's wg0 interface.
Then another network/interface wg1 10.200.200.0/28 is where your phone will connect to. Also make a separate FW zone for it and configure that zone similar to your LAN zone.
Also - if you use remote server for outbound and pihole - I found it's actually easier to make that remote server a peer of the WG server hosted on the router. In that case the wg config on your remote server would be like this:
[Interface]
# the remote server's own address inside the wg1 (phone) subnet
Address = 10.200.200.12
PrivateKey = key_goes_here
DNS = whatever_DNS_you_want
[Peer]
# the router's wg1 public key; Endpoint needs host and port
PublicKey = Key_goes_here
Endpoint = your_routers_public_ip:router_wg_listen_port
# tunnel subnet plus both LAN subnets behind the router
AllowedIPs = 10.200.200.0/28,192.168.2.0/24,192.168.1.0/24
PersistentKeepalive = 21
and on your router the peer for the remote server can be like this:
config wireguard_wg0
	option persistent_keepalive '21'
	option public_key 'key_goes_here'
	option route_allowed_ips '1'
	list allowed_ips '10.200.200.12/32'
My setup: [EDIT... this was my setup about 4 days ago. Now the VPS is a part of wg0 (yellow) zone. I find it’s easier because you don’t have to open any ports to the internet on the VPS that way. And the setup is simpler too]
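As an added example (not the poster's gist or their config), here is the two-interface layout described above written out as OpenWrt UCI fragments: wg0 to the remote server in a WAN-like masquerading zone, wg1 for the phone in a LAN-like zone. The key placeholders, the endpoint hostname, the listen port and the peer addresses are assumptions.

```uci
# /etc/config/network  (hypothetical excerpt; keys and addresses are assumptions)
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ROUTER_WG0_PRIVATE_KEY_PLACEHOLDER'
	list addresses '10.100.200.2/28'
# remote server as a peer of wg0; only the tunnel subnet is routed through it
config wireguard_wg0
	option public_key 'REMOTE_SERVER_PUBLIC_KEY_PLACEHOLDER'
	option endpoint_host 'vps.example.invalid'
	option endpoint_port '51820'
	option persistent_keepalive '21'
	option route_allowed_ips '1'
	list allowed_ips '10.100.200.0/28'
config interface 'wg1'
	option proto 'wireguard'
	option private_key 'ROUTER_WG1_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51821'
	list addresses '10.200.200.1/28'
# phone as a peer of wg1: only its own /32 is accepted as a source inside the tunnel
config wireguard_wg1
	option public_key 'PHONE_PUBLIC_KEY_PLACEHOLDER'
	option route_allowed_ips '1'
	list allowed_ips '10.200.200.2/32'

# /etc/config/firewall  (hypothetical excerpt)
# wg0 behaves like WAN: the remote end cannot initiate into the router or the LAN,
# and everything leaving towards it is masqueraded to the router's wg0 address
config zone
	option name 'wg0'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
# wg1 behaves like LAN: the phone may reach the router itself (e.g. DNS)
# and is explicitly forwarded to wg0 and to the LAN, nothing else
config zone
	option name 'wg1'
	list network 'wg1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'wg1'
	option dest 'wg0'
config forwarding
	option src 'wg1'
	option dest 'lan'
```

Keeping wg0's input and forward at REJECT is what makes the VPS-as-peer layout safe to run without opening any inbound port on the VPS: the router initiates, and nothing behind the tunnel can start a connection back.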