To avoid some bugs in wg-quick and/or iptables on my Synology:
- I set up the wireguard device manually.
- I used network namespaces to create an explicit tunnel namespace. I then specified DNS for this namespace only.
Credit where credit is due. I got this idea from the Wireguard website. https://www.wireguard.com/netns/#the-new-namespace-solution