[hannibalhorn]

I have a Unifi USG, which has a third party wireguard addon, though of course OpenWRT could work just fine. You setup a wireguard tunnel normally, but disable the default routing (on a Unifi, set route-allowed-ip false), and then explicitly add a route for 10.124.0.0/16 through the wireguard interface. The mullvad servers page[1] has socks 5 proxy addresses for all of their servers - assign one to a firefox container and you're all set. No reason you couldn't have a container for each geographic region you want.

1. https://mullvad.net/en/servers/

On a USG the config looks like this:

    wireguard wg0 {
        address ***/32
        mtu 1420
        peer *** {
            allowed-ips 0.0.0.0/0
            endpoint ***:51820
        }
        private-key ***
        route-allowed-ips false
        up-command "ip route add 10.64.0.1/32 dev wg0 && ip route add 10.124.0.0/16 dev wg0"
    }

[angrais]

I'm curious to learn more why you have gone this route compared with the default settings of a standard router?

I'm uncertain of the benefit for everyday people.