I would say there are better methods to solve this problem these days than a script. Check out Ansible or NixOS.

Put your external facing services behind the VPN, or at least put them in a separate VLAN that's firewalled in such a way that they can't reach the rest of the network if they become compromised.

For the last question I welcome you to !skincareaddiction@sh.itjust.works where's there's a lot of helpful people that can help you with that! 😊

I would advise that you instead also connect the Windows machine to the VPS with WireGuard as 10.1.0.3, basically mirroring what you've done on the Ubuntu server. The routing will be a mess otherwise. Another option is running the WireGuard tunnel on your gateway with something like OPNsense.

Does the machine running the WireGuard tunnel to the VPS acts as a "router" aka gateway for the network? Otherwise the windows machine doesn't have a return path for the connection.

I would assume no since Valetudo has its own API.

S920

I'm running this as my router. It handles a 500/500mbit connection over WireGuard for me without a problem. CPU usage can spike up to 80% when I push it as much as I can, so depending on how it scales I'm not 100% sure how it would handle 1gbit routing+vpn for example.

Make sure mDNS is working properly in your network.

Same! Which version do you use? Small or big?

You probably need to enable some power saving features that Windows does by default but Linux may not. Run something like https://wiki.archlinux.org/title/TLP just to see if it helps, and then do some tuning because it might be too aggressive.

Backup your data regularly and the risk should be very small.

It's a good way to see if someone has cracked your WiFi password for example so why not. Doesn't add much security but better than nothing.