I done goofed … a little bit, from my own and the self-hosting perspective.
I’m running and paying for the Mozilla VPN and it did kinda suit my needs until now.
But since I discovered, installed and fell in love with Jellyfin (and cruising the Caribbean shores more for that matter … *Arrr and wink wink*), the lack of features in Mozilla VPN has become apparent:
It’s based on Mullvad, but there is only an Ubuntu app. No RPM, no Fedora and no Debian(!). It would be fine if you could configure it headless on an Ubuntu server, but there is no possibility to do that with OpenVPN or WireGuard, nor to use transmission-daemon and/or Deluge with a proxy VPN and/or split tunneling.
ATM I set up a Proxmox-Ubuntu-MATE VM. XFCE doesn’t have all features, like split application tunneling, activated in the app, because Mozilla relies on clean GTK desktop environments. Yes, you heard that right. MATE is OK for that matter, but I have to relearn setting up RDP access. It’s a hassle! Mozilla, boo!
But I’m crying when I see the RAM and the CPU usage! I don’t want to run a complete desktop VM for a mere “background” task.
Any ideas how to get the best out of that situation? Am I missing something here?
Or is the only way: wait till November, when my yearly subscription runs out *whimper*, and change to the real original deal (Mullvad)?
Wait for your subscription to run out and change to the real deal. AFAIK you have to have a Mozilla account to use the VPN. With Mullvad you’re just a number, no more, no less. If you don’t want to wait, try googling for a WireGuard solution for Mozilla VPN. To make split tunneling work you’d probably have to work with iptables.
Thank you very much! I’ll give it a shot! 
I spun a new container to test it out.
Just one question: is it possible to set it up headless?
Connected via SSH, copied the URL to my main machine’s browser; it connected successfully to Mozilla and said “please return to your VPN”, but in my terminal nothing happens.
You’re not the first one to ask that question.
Currently the best way to go about that is to get the token on your main machine and copy it over to wherever you want to use it. You can also do everything on your main machine and just copy the WireGuard configuration files over. (By main machine I mean “machine with a browser”.)
It works great right now and I was able to export all of Europe on my main machine with a killswitch. But local LAN access is blocked.
I don’t know if it’s easy for you to point me to a tutorial to allow local access or perhaps, if I don’t ask too much, where to put it in the config:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
Only if it isn’t too much hassle. Your tool helped me a lot already!
Edit: helped myself with ufw. Found out that the interface is the name of the server and not wg0.
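As an added example (not from this thread or from the tool's author), here is the killswitch from the post above rewritten as a complete wg-quick interface section with a LAN exception: the extra `! -d 192.168.1.0/24` match before `-j REJECT` keeps traffic to the local subnet from being rejected, while everything else that does not leave through the tunnel is still dropped. The LAN subnet, the server name used as the interface, and all key/address/endpoint values are placeholders to be taken from the exported configuration.

```ini
# Example: /etc/wireguard/<server-name>.conf
# The interface name (%i) is the file name, e.g. the Mozilla server name, not wg0.
[Interface]
PrivateKey = <PrivateKey from the exported config>
Address = <Address from the exported config>
DNS = <DNS from the exported config>

# Killswitch: reject outgoing packets that are not leaving via the tunnel (%i),
# are not marked with the tunnel's fwmark, and are not addressed to this host.
# The "! -d 192.168.1.0/24" match (assumed LAN subnet) exempts local network traffic.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT
# IPv6 rule kept as in the original; add "! -d <your IPv6 prefix>" here if the LAN uses IPv6.
PostUp = ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

# Remove the same rules (identical match options) when the tunnel goes down.
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT
PreDown = ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <PublicKey from the exported config>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <Endpoint from the exported config>
```

The PreDown lines must repeat the PostUp match options exactly, otherwise `iptables -D` will not find the rule to delete.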
After a long night of fighting with permissions and Transmission and Deluge and and and, I finally gamed the system.
Got your tool working! And it works great with deluge.
Just disabled xorg and am running headless right now. 