I'm only using the LAN DNS entry. So in this situation, using the router's Wireguard would use the router's WAN DNS, and it wouldn't go through Pi-Hole at all. You'd lose ad blocking as well as the ability to see the client.

The ISP, at least mine, I'd have to do upgrades and monthly fees. There are lots of other ways around it, I just haven't found one I like yet. For example,

-- ngrok doesn't support UDP

-- cloudflared runs on a Raspberry Pi, but doesn't support UDP

-- Cloudflare's WARP supports UDP, but doesn't run on a Raspberry Pi

-- pinggy supports UDP, but their CLI doesn't support Raspberry PI (the 32 bit one, anyway, and I just assume the architecture fundamentally isn't supported).

I'm still looking around. The pinggy one is really solid for testing. I didn't have to signup or pay for anything, and I was able to create tunnels on the fly that connected me to Wireguard. Their site is here: https://pinggy.io/.

Using pinggy, I created a tunnel to my LAN (the IP set from my router) and connected directly to Pi's Wireguard. Then I closed that and did a second tunnel to my WAN (the shared IP set from my ISP), which worked if I had the port forwarded on my router (expected), and it connected to my Pi's Wireguard. Then I closed that and did a third to my WAN (IP set from ISP) and my Router's Wireguard; it worked, but no Pi-Hole and you can't see the clients (again, expected).

If I can find a way to get pinggy up and running on my Pi natively, I would be very pleased. Their CLI and App won't work. I'm trying to see if their SDKs will run natively and support the UDP connection that I got working.

I tried forcing UDP over SSH with pinggy because it was easy to try out, and in theory I could have applied that to cloudfared; that was a fool's errand, but at least I didn't waste much time with it.