but without nix it’s a pita to maintain through restores/rebuilds.

No it isn’t. You can even define those routing polices in your systemd network unit alongside the network interface config and it will manage it all for you.

If you aren’t comfortable with systemd, you can also use simple “ip” and “route” commands to accomplish that, add everything to a startup script and done.

major benefit to using a contained VPN or gluetun is that you can be selective on what apps use the VPN.

Systemd can do that for you as well, you can tell that a certain service only has access to the wg network interface while others can use eth0 or wtv.