Just for completeness I’ll mention that I’ve abandoned the attempts to make a selective proxy to VPN on my router.
I have many self-hosted apps I want to exclusively use the VPN, and not all of them natively support running through a proxy. So instead I created a separate VM, installed Mullvad CLI and put all the apps there. And for things like VPN for private browsing in Firefox I set up the simplest possible Dante (sockd) service on this VM:
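```
logoutput: /var/log/sockd.log
# Listen on the VM's LAN address
internal: 10.0.0.5 port = 8888
# Send outbound traffic through the Mullvad WireGuard interface
external: wg0-mullvad
# No authentication; access is limited only by the from: ranges below
method: none
user.privileged: root
user.notprivileged: sockd
client pass {
    from: 10.0.0.0/16 to: 0.0.0.0/0
    log: connect disconnect error
}
socks pass {
    from: 10.0.0.0/16 to: 0.0.0.0/0
    log: connect disconnect error
}
```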
This approach has some benefits, like simpler setup than running a gluetun container and VPN management. The only drawback is that it’s more resource intensive, but I can live with that.
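A small audit for a config like the one above, added here as an example and not part of the original post: it flags the settings that decide who can reach the proxy and whether traffic leaves through the VPN. The names `audit` and `is_lan`, the `vpn_iface` parameter and the simplified line-based parsing are this example's own assumptions, not Dante's full grammar.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The sockd.conf from the post, embedded so the check runs offline.
POST_CONF = """logoutput: /var/log/sockd.log
internal: 10.0.0.5 port = 8888
external: wg0-mullvad
method: none
user.privileged: root
user.notprivileged: sockd
client pass {
from: 10.0.0.0/16 to: 0.0.0.0/0
log: connect disconnect error
}
socks pass {
from: 10.0.0.0/16 to: 0.0.0.0/0
log: connect disconnect error
}
"""

def is_lan(net):
    """True if net (address or CIDR) parses and lies inside RFC 1918 space."""
    try:
        parsed = ipaddress.ip_network(net, strict=False)
    except ValueError:
        return False  # interface names and hostnames land here: review by hand
    return any(parsed.version == 4 and parsed.subnet_of(r) for r in RFC1918)

def audit(conf, vpn_iface="wg0-mullvad"):
    """Return findings for a sockd.conf ('key: value' lines and { } rules only)."""
    findings, rule = [], None
    for line in (l.split("#")[0].strip() for l in conf.splitlines()):
        if line.endswith("{"):
            rule = line[:-1].strip()  # e.g. "client pass"
        elif line == "}":
            rule = None
        elif rule and rule.endswith("pass") and line.startswith("from:"):
            if not is_lan(line.split()[1]):
                findings.append(f"{rule}: source {line.split()[1]} is not a private range")
        elif rule is None and ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            if key in ("method", "socksmethod") and "none" in value.split():
                findings.append("no authentication: the from: ranges are the only access control")
            elif key == "external" and value != vpn_iface:
                findings.append(f"external is {value}, not {vpn_iface}: traffic would bypass the VPN")
            elif key == "internal" and not is_lan(value.split()[0]):
                findings.append(f"listener {value.split()[0]} is not a literal private address")
    return findings
```

For the posted config the only finding is the missing authentication, which is acceptable only while the listener and the `from:` ranges stay confined to the trusted LAN.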