@Rico_Lino @DL6ER
Easiest solution is to place an override config that makes pihole-FTL wait for WireGuard:
mkdir -p /etc/systemd/system/pihole-FTL.service.d
echo -e '[Unit]\nAfter=wg-quick@wg0.service' > /etc/systemd/system/pihole-FTL.service.d/wait_for_wireguard.conf
But the current Pi-hole v5 installer errors out when it finds any override config, hence this will break pihole -up for now... I hope I can convince everyone to drop that behaviour, as we have an exact fine reason here to use them.
EDIT: Ah nope sorry, this has not been merged: Full systemd support by Kiskae · Pull Request #2900 · pi-hole/pi-hole · GitHub. So no issue at all with the above override config.
And the iptables forwarding rules are required for VPN clients to access anything else than the VPN server itself (local network or internet). If indeed the VPN is only to enable Pi-hole for mobile clients, then indeed those rules can and should be dropped, same for sysctl net.ipv4.ip_forward which is as well not required then.
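A check to go with the last paragraph, as an added example that is not part of the original post: it reports whether a host meant to serve only Pi-hole DNS over WireGuard still has forwarding switched on. The function name, the default interface wg0 and both sample rule sets are assumptions, and the samples are constructed.

```shell
#!/bin/sh
# Added example: audit leftover forwarding on a Pi-hole-only WireGuard host.
# On a real host, pass "$(sysctl -n net.ipv4.ip_forward)" and "$(iptables-save)".

# wg_forward_findings IP_FORWARD_VALUE IPTABLES_SAVE_TEXT [IFACE]
# Prints one finding per line; prints nothing when forwarding is fully off.
wg_forward_findings() {
    ip_forward=$1
    rules=$2
    iface=${3:-wg0}

    if [ "$ip_forward" = "1" ]; then
        echo "sysctl: net.ipv4.ip_forward=1 (kernel routes between interfaces)"
    fi

    # FORWARD rules that accept traffic entering or leaving the VPN interface.
    printf '%s\n' "$rules" | awk -v ifc="$iface" '
        $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
            for (i = 3; i < NF; i++)
                if (($i == "-i" || $i == "-o") && $(i + 1) == ifc) {
                    print "iptables: " $0
                    break
                }
        }'
}

# Constructed iptables-save excerpt: VPN clients may reach LAN and internet.
SAMPLE_FORWARDING='*filter
:FORWARD DROP [0:0]
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wg0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# Constructed excerpt: VPN clients can only reach DNS on the server itself.
SAMPLE_DNS_ONLY='*filter
:FORWARD DROP [0:0]
-A INPUT -i wg0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# Demo run on the constructed forwarding sample.
wg_forward_findings 1 "$SAMPLE_FORWARDING"
```

Empty output means neither the sysctl nor any FORWARD accept rule for the interface is in place, which matches the Pi-hole-only setup described above.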