I am out of the loop and I’m surprised suddenly people care about VPN. Why did Wireguard require so much of its code to be put into the Linux kernel? What’s stopping something from doing the same or better in userspace? Does Wireguard work poorly on other OSs w/o its code embedded?
You need to do all the same rigamarole with routes/firewalls when you use the kernel Wireguard implementation. That's why scripts like wg-quick exist (https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash …). This is no different from a userspace TUN/TAP VPN.