Comment on My Unifi Dream Machine Pro's ad-blocking was doing more than I expected

chagall@lemmy.world 1 week ago

I can’t even specify the allowed IPs for a connection

Funny. This was the exact use case which cemented my pf/OPNsense decision. I used to use pf, now use OPNsense. And as you probably know, the IP specificity issue is not just regarding WireGuard, it’s also regarding your reverse proxy, if you’re running one.

As an aside (and I may be showing my lack of knowledge here), I have OPNsense handling DHCP which broadcasts two PiHoles (redundancy) as the DNS to my networked machines/devices. Then for upstream DNS, I have those two PiHoles pointed at a dedicated Technitium DNS box – it’s an authoritative DNS server, not just a recursive one like Unbound. As I said in my previous comment, there are probably better or fancier setups but this one, for my needs, is sufficient.
