Question / planning about WireGuard in my network

Hello Forum,

I would like to test WireGuard in my network as a possible replacement for my OpenVPN. Currently I use OpenVPN over my IPFire.

My network consists of a DMZ (orange) and a green network.

I would like your input on how to do this, as I would like to use the WireGuard connections with my Pi-hole, which is in green.

Procedure one would be to install WireGuard in the DMZ and create a port forwarding for the WireGuard IP from the DMZ to the “green” IP address of the Pi-hole.
Option two would be to install WireGuard on the “green” network and open the firewall for the WireGuard port to “green”.

What is the most secure solution from a security perspective?

Another question: I also want the WireGuard clients to use the web proxy (WPAD) of my IPFire. What is the correct procedure here?
Do I also need to open port 800 to the IP of the IPFire?

I would be really grateful for any tips and tricks from the professionals here and I say thank you in advance. 🙂