I was thinking about this further and for my use case (remote access to my tvheadend server), I have created a short systemd service script that just configures Wireguard directly. This leaves the DNS resolution to Wireguard entirely and adds routes as directed by the allowed-ips setting.
One of Wireguard's features is the way it handles roaming. This means that (supposedly) either endpoint can change IP addresses and it all just works because of its Cryptokey Routing, meaning it uses the cryptographic keys to get the packets where they need to be. There's a section on the website about it here: Built-in Roaming
I'm not 100% sure this would work through NAT though. I tried adding a listen-port to line 3 below and it just broke everything.
#!/bin/bash
ip link add dev wg0 type wireguard
wg set wg0 private-key /storage/.config/my_wireguard/private_key peer SERVER_PUBLIC_KEY endpoint SERVER_DNS_ADDRESS:SERVER_LISTEN_PORT allowed-ips 192.168.5.0/24 persistent-keepalive 25
ip addr add dev wg0 192.168.5.6/24
ip link set up dev wg0
The systemd service file is one I copied from the wireguard.service.sample.
[Unit]
Description=WireGuard VPN Service
After=network-online.target nss-lookup.target connman-vpn.service time-sync.target
Wants=network-online.target nss-lookup.target connman-vpn.service time-sync.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/storage/.config/my_wireguard/wg0_up
ExecStop=ip link del wg0
[Install]
WantedBy=multi-user.target
I also configured connman to ignore the wg0 interface in its blacklist:
# List of blacklisted network interfaces separated by ",".
# Found interfaces will be compared to the list and will
# not be handled by ConnMan, if their first characters
# match any of the list entries. Default value is
# vmnet,vboxnet,virbr,ifb,ve-,vb-.
NetworkInterfaceBlacklist = vmnet,vboxnet,virbr,ifb,docker,veth,zt,ve-,vb-,wg0
Anyway I hope this helps someone.
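As an added check (example code, not from the original post): a small POSIX sh helper that parses the output of `wg show wg0 latest-handshakes` and flags a peer whose last handshake is stale, which is how you would notice the tunnel silently dying behind NAT even with persistent-keepalive 25. SERVER_PUBLIC_KEY is the post's placeholder; the sample handshake lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: detect a dead WireGuard tunnel
# by the age of the last handshake with the configured peer.

# With persistent-keepalive 25 there is always traffic, so WireGuard rekeys
# roughly every 2 minutes; WireGuard itself discards a session after 180 s
# (REJECT_AFTER_TIME). A handshake older than that means nothing is flowing.
STALE_AFTER=180

# handshake_age LINES NOW PEER
# LINES is the text of `wg show wg0 latest-handshakes`, one peer per line as
# "<public key><TAB><unix timestamp>" (0 = never handshaked).
# Prints the age in seconds for PEER, or -1 if PEER is absent or never handshaked.
handshake_age() {
    lines=$1; now=$2; peer=$3
    ts=$(printf '%s\n' "$lines" | awk -v p="$peer" '$1 == p { print $2 }')
    if [ -z "$ts" ] || [ "$ts" -eq 0 ]; then
        echo -1
        return
    fi
    echo $((now - ts))
}

# tunnel_ok LINES NOW PEER
# Exit status 0 if the peer's handshake is fresh, 1 if stale or never completed.
tunnel_ok() {
    age=$(handshake_age "$1" "$2" "$3")
    [ "$age" -ge 0 ] && [ "$age" -le "$STALE_AFTER" ]
}

# Live use on the box (needs root and the wg0 interface from the post):
#   tunnel_ok "$(wg show wg0 latest-handshakes)" "$(date +%s)" SERVER_PUBLIC_KEY \
#       || echo "wg0: no recent handshake with peer, tunnel is down" >&2
```

Run it from cron or a systemd timer and restart the service when it exits non-zero; the roaming logic only recovers once a new handshake actually gets through.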