WireGuard use-case: route all traffic through a WireGuard tunnel

[stapelberg]

Raw WireGuard support was added in #14, this issue covers a specific use-case.

At a high level: when running an event, we might want to not use the uplink directly, but rather use the uplink to establish a WireGuard tunnel and then route all outgoing traffic through the WireGuard tunnel instead. Semantically, this means uplink0 should be a WireGuard tunnel, and the network interface that’s currently uplink0 should be transit0 and only allow WireGuard traffic.

Side note: this would also be beneficial for https://gokrazy.org/ when using unencrypted WiFi networks. Depending on how the implementation goes, we should probably file a separate issue over there to make the result work on gokrazy, too, not just router7.