What's the Unix way of handling split-tunnels
2 votes, 1 answer, 2989 views
I want to be able to control in my servers which programs are connected to the regular internet and the ones which are only able to communicate through a VPN, in the most minimal, versatile and secure way.
## Current Setup
I have a server, a Raspberry Pi 4B with 1 Gb RAM, connected to my router. The ports I have forwarded to my RPI are for a Wireguard interface, *wg0*, which I use for all of my personal devices, and for Transmission peers.
I'm running a few services on my RPI, some of which I would like to be routed through a VPN (e.g.: Searx, Transmission), others to be kept bound to the *wg0* interface (e.g.: Jellyfin), and in the future some which I would like to be public by exposing the ports on my RPI (e.g.: Minecraft server).
Currently I'm using *UFW* as my firewall, which doesn't block anything coming from *wg0*, the port for that same Wireguard interface, or the peer port for Transmission.
## My Goal
I would like to find an elegant solution that would allow me to configure which programs go which way, so that I could connect to my server from my *wg0* interface anywhere I am, but some programs would then communicate with the outside using the VPN.
## Research Done
So far I know that Mullvad VPN can be used as a simple Wireguard interface - [source from Archwiki](https://wiki.archlinux.org/title/Mullvad) - and I would imagine that the same would hold true for any other VPN provider.
I also know that some programs, such as Searx, offer the possibility of binding the outgoing requests to a given interface - by configuring `source_ips` - but also of binding the address to listen on to a different interface - by configuring `bind_address` - which means that I could redirect the outgoing requests through the VPN and access it from my *wg0* network.
It seems that most VPN clients already support this split-tunnel feature for an arbitrary program, which means that they can do something of this sort somehow (taking a given program off of the VPN connection)! And because they are open source, the solution should be known.
## My Questions/Concerns
Now let's say that I would do exactly that, binding outbound Searx to the VPN and the web interface to *wg0*. This leads me to question 1: how would DNS work in this situation? Would all the DNS requests done by Searx be routed through the VPN? Would that be something automatic, manually configured, or even not supported?
I also know that Docker is the cool kid in town, which allows users to sandbox applications in a pre-configured environment, which would allow me to force the network connection for a given container. This leads me to question 2: should I be using Docker in this situation even though I have a RPI?
Due to performance, and out of minimalism, I would like to keep Docker out of the question, unless I really have to, which leads me to question 3: if the program doesn't allow any configuration, is it still possible to route that program to a given interface? This seems like something that Linux does behind the scenes; if we have multiple interfaces that connect to the internet, I would imagine that it's the OS that decides which interface the program uses, not the program itself. Who's responsible for that?
Obviously, knowing that the VPN clients do this, question 3 doesn't make that much sense; it does seem to be possible, I'm just not sure how.
Finally, a more generic concern as question 4: does the program have to be aware of its IP address? Because Searx asks you to specify an outgoing IP, not an outgoing interface. I would imagine that most VPNs have fixed IPs and as such this wouldn't be a problem anyway, right?
## Small Notes
As I said I have heard of Docker, but I'm trying to avoid it.
I also heard about iptables, but I don't know how to use it, and I know that it conflicts with UFW.
Asked by José Ferreira
(63 rep)
Jun 13, 2021, 11:29 PM
Last activity: Apr 2, 2024, 02:07 PM
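Questions 3 and 4 above ask who picks the egress interface for a program that cannot be configured, and question 1 asks what happens to its DNS. On Linux the answer is the kernel's policy routing, keyed by a firewall mark: the script below is an added example (not part of the original question or its answer) that routes everything one system user originates through a WireGuard VPN interface, while replies to inbound connections on *wg0* keep using the main routing table. The interface name `wgvpn`, the table number, the mark, the addresses and the `searx` user are assumptions; the technique (fwmark plus a dedicated routing table, SNAT to the tunnel address, DNS DNAT and a kill switch) is the same one VPN clients' split-tunnel features build on.

```shell
#!/bin/sh
# Added example, not from the original post. Sends everything that one system
# user originates through a WireGuard VPN interface, using Linux policy routing
# plus iptables marks. Interface name, table number, mark value, addresses and
# the user name are assumptions; adjust them to your own setup.
#
# Assumed layout:
#   wgvpn      the provider's WireGuard interface, brought up with wg-quick and
#              "Table = off" so it does not replace the system default route
#   VPN_IP     the address the provider assigned to wgvpn
#   VPN_DNS    a resolver reachable only inside the tunnel
#   searx      the unprivileged user the split-tunnelled service runs as
set -eu

VPN_IF=${VPN_IF:-wgvpn}
VPN_IP=${VPN_IP:-10.64.0.2}     # constructed sample address
VPN_DNS=${VPN_DNS:-10.64.0.1}   # constructed sample address
TABLE=${TABLE:-100}             # routing table reserved for the VPN
MARK=${MARK:-0x64}              # fwmark that selects that table
DRY_RUN=${DRY_RUN:-}            # set to 1 to print the commands instead of running them

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit (or apply) the rules that push one user's outbound connections
# through the VPN. Must run as root when DRY_RUN is empty.
split_tunnel_rules() {
    user=$1

    # 1. A second routing table whose only default route is the tunnel.
    #    Choosing the egress interface is the kernel's job, not the program's.
    run ip route replace default dev "$VPN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE" priority 100

    # 2. Mark only connections this user originates (ctstate NEW) and remember
    #    the mark on the conntrack entry. Marking every packet from the uid would
    #    also catch replies to inbound connections, e.g. the web UI answering a
    #    client on wg0, and send those through the VPN by mistake.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$user" -m conntrack --ctstate NEW -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -m mark --mark "$MARK" -j CONNMARK --save-mark

    # 3. The kernel picked the source address before the mark existed (the LAN
    #    address), so rewrite it to the VPN address or replies never return.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j SNAT --to-source "$VPN_IP"

    # 4. DNS: redirect this user's port-53 lookups to the tunnel's resolver so
    #    they are not answered (and seen) by the ISP's nameserver. Lookups that
    #    reach systemd-resolved through its glibc NSS module instead of port 53
    #    are made by resolved under its own uid and are not covered here.
    run iptables -t nat -A OUTPUT -m owner --uid-owner "$user" -p udp --dport 53 -j DNAT --to-destination "$VPN_DNS"
    run iptables -t nat -A OUTPUT -m owner --uid-owner "$user" -p tcp --dport 53 -j DNAT --to-destination "$VPN_DNS"

    # 5. Kill switch: a new connection from this user that is not leaving via
    #    the tunnel or loopback is refused rather than falling back to the
    #    regular uplink. Inserted at position 1 because UFW's own chains accept
    #    outgoing traffic before an appended rule would be reached.
    run iptables -I OUTPUT 1 -m owner --uid-owner "$user" -m conntrack --ctstate NEW ! -o "$VPN_IF" ! -o lo -j REJECT

    # 6. Replies arrive on wgvpn for an address the main table would route
    #    elsewhere; loose reverse-path filtering keeps them from being dropped.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

case ${1:-} in
    apply) split_tunnel_rules "${2:-searx}" ;;
    show)  DRY_RUN=1; split_tunnel_rules "${2:-searx}" ;;
esac
```

Run `sh split-tunnel.sh show searx` to print the rules, and `sudo sh split-tunnel.sh apply searx` to install them. Because the selector is the uid, each service you want tunnelled simply needs its own system user (a cgroup match, `-m cgroup`, is the per-process alternative used by some VPN clients). A program such as Searx that binds `source_ips` to the VPN address gets the same result without any marking, since the `ip rule` could equally be keyed on `from 10.64.0.2`; the mark approach is what covers programs with no such setting.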