I’ll start. Did you know you can run a headless version of JD2 on a Raspberry Pi? It’s not the greatest thing in the world, but sometimes it’s nice to throw a bunch of links in there and go to sleep.
WireGuard creates a new network interface that accepts, encrypts, wraps, and ships packets out your typical network interface.
If you were to create a kernel network namespace and move the WireGuard interface into that new namespace, the connection to your existing NIC is not broken.
You can then use some custom systemd units to start your *rr software of choice in said namespace, rendering you immune to DNS leaks, and any other such VPN failures.
If you throw bridge interfaces into the mix, you can create gateways to Tor / I2P / IPFS / Yggdrasil / etc as desired. You’ll need a bridge anyway to get your requester software interface exposed to your reverse proxy.
WireGuard also allows multiple peers, so you could multi-NIC a portable personal device, and access all your admin interfaces while traveling, with the same VPN-failure-free peace of mind.
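
The namespace setup described in the comment above, sketched as an added example that is not part of the original thread. The namespace name `vpn`, interface `wg0`, address `10.0.0.2/32`, config path and all function names are assumptions; the bridge to a reverse proxy is left out.

```shell
# Added example: confine a service to a WireGuard-only network namespace.
# Assumed names (not from the thread): namespace "vpn", interface "wg0",
# address 10.0.0.2/32, config /etc/wireguard/wg0.conf in `wg setconf` format.

# run CMD...: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# setup_vpn_netns NS IFACE ADDR CONF
# The interface is created in the init namespace, so its encrypted UDP socket
# stays there and keeps using the physical NIC after the move.
setup_vpn_netns() {
    ns=$1 ifc=$2 addr=$3 conf=$4
    run ip netns add "$ns"
    run ip link add "$ifc" type wireguard
    run ip link set "$ifc" netns "$ns"
    run ip netns exec "$ns" wg setconf "$ifc" "$conf"
    run ip -n "$ns" addr add "$addr" dev "$ifc"
    run ip -n "$ns" link set lo up
    run ip -n "$ns" link set "$ifc" up
    run ip -n "$ns" route add default dev "$ifc"
}

# only_default_via IFACE: reads `ip route show` output on stdin and succeeds
# only if at least one default route exists and every one of them uses IFACE.
only_default_via() {
    awk -v ifc="$1" '
        $1 == "default" {
            n++; ok = 0
            for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) == ifc) ok = 1
            if (!ok) bad = 1
        }
        END { if (n > 0 && !bad) exit 0; exit 1 }'
}

# systemd_dropin NS: drop-in text that starts a unit inside the namespace.
systemd_dropin() {
    printf '[Service]\nNetworkNamespacePath=/run/netns/%s\n' "$1"
}

# Apply for real only when asked (needs root): sh netns-vpn.sh apply
if [ "${1:-}" = apply ]; then
    setup_vpn_netns vpn wg0 10.0.0.2/32 /etc/wireguard/wg0.conf
    ip -n vpn route show | only_default_via wg0 || { echo "leak risk" >&2; exit 1; }
    systemd_dropin vpn
fi
```

If the host's resolv.conf points at a loopback stub such as 127.0.0.53, name resolution inside the namespace fails rather than leaks, so the service needs a resolver reachable through the tunnel.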