Thank you for taking the time to reply, I really appreciate it.
Please note that for Pi-hole to provide DNS via VPN, it would suffice to use your Pi-hole's Wireguard IP for DNS (in your phone.conf,
DNS = 10.100.0.1), while only routing traffic to that DNS server via Wireguard (in your phone.conf,AllowedIPs = 10.100.0.1/32, fd08:4711::1/128).
In that config, only your phone's DNS request to 10.100.0.1 (or fd08:4711::1) would be sent into the VPN tunnel.
All other traffic would be routed through your phone's normal current connection (wifi or mobile).
This would allow your phone to benefit from Pi-hole's filtering while still enjoying the download speeds of your phone's connection (e.g. 150Mbit /s of mobile download speed).
Thank you for this, I have created two configs so I can switch between if I need.
I'd recommend to have a read of aforementioned guide, or at least follow above links from the quote.
You're absolutely right - I did the IP forwarding, but somehow missed the section on enabling NAT. I followed that article and added the nftables config. The VPN tunnel is now behaving as expected!
Thank you so much for your help, the extra detail you included has cleared up a whole bunch of things for me.
If anyone else reading this is having issues with the PostUp/PostDown rules, the given example didn't work for me, due to the word srncat not being recognised. As per the docs this can be substitued with 100, and it now works. Snippet below:
PostUp = nft add table ip wireguard; nft add chain ip wireguard wireguard_chain {type nat hook postrouting priority 100\; policy accept\;}; nft add rule ip wireguard wireguard_chain counter packets 0 bytes 0 masquerade; nft add table ip6 wireguard; nft add chain ip6 wireguard wireguard_chain {type nat hook postrouting priority 100\; policy accept\;}; nft add rule ip6 wireguard wireguard_chain counter packets 0 bytes 0 masquerade
PostDown = nft delete table ip wireguard; nft delete table ip6 wireguard
Additionally, in my phone.conf I changed DNS from 192.168.1.2 to 10.100.0.1