Put your external-facing services behind the VPN, or at least put them in a separate VLAN that's firewalled in such a way that they can't reach the rest of the network if they become compromised.
bookworm
For the last question I welcome you to !skincareaddiction@sh.itjust.works, where there are a lot of helpful people who can help you with that! 😊
It's something I noticed going from the AirPods to the AirPods Pro and I hated it at first, but I never think about it anymore, so I guess most people just get used to it.
I would advise that you instead also connect the Windows machine to the VPS with WireGuard as 10.1.0.3, basically mirroring what you've done on the Ubuntu server. The routing will be a mess otherwise. Another option is running the WireGuard tunnel on your gateway with something like OPNsense.
Does the machine running the WireGuard tunnel to the VPS act as a "router", aka gateway, for the network? Otherwise the Windows machine doesn't have a return path for the connection.
S920
I'm running this as my router. It handles a 500/500 Mbit connection over WireGuard for me without a problem. CPU usage can spike up to 80% when I push it as much as I can, so depending on how it scales I'm not 100% sure how it would handle 1 Gbit routing + VPN, for example.
Same! Which version do you use? Small or big?
You probably need to enable some power saving features that Windows does by default but Linux may not. Run something like https://wiki.archlinux.org/title/TLP just to see if it helps, and then do some tuning because it might be too aggressive.
Back up your data regularly and the risk should be very small.
It's a good way to see if someone has cracked your WiFi password, for example, so why not. Doesn't add much security, but better than nothing.
ClamAV is anti-virus software that you would run on end devices to scan files; an intrusion detection system scans network traffic to detect anything potentially malicious. I don't know your exact router model, but I suspect it's way too weak to run intrusion detection. If you have a switch that's capable of port mirroring, you could use that to let a more powerful machine scan the network traffic.
I would say there are better methods to solve this problem these days than a script. Check out Ansible or NixOS.