and how is it possible to completely wrap all traffic from the local network into this tunnel?
That is a loaded question; it depends WHERE you mean.
For example I have a router acting as a client and I have a router acting as a server.
Case 1: To ensure a subnet on the client router is used for all traffic, I create a route rule.
/ip/route/add dst-address=0.0.0.0/0 gateway=<wg interface> routing-table=vpntunnel
where the route rule establishes the source subnet, the action (lookup only in table), and the table selected (vpntunnel).
Case 2: Now that traffic has reached the server router's wg interface.
What you do depends on the firewall rule set.
If you have the default rule, only WAN non-dst traffic is blocked, and the router will move the tunnel traffic to the internet.
If you have a block all rule then you have some choices to make.
a. add the WG interface to the LAN interface list as a member; a typical LAN-to-WAN rule will then include/allow such traffic.
b. create another firewall forward chain rule: in-interface=<wg interface> out-interface-list=WAN
Note: the same thinking applies if, for example, the WG tunnel is coming from a smartphone!
Case 3: This time let's say you want to be able to use WireGuard from your smartphone to manage the router.
Well, with the default rule on the input chain stating block all not from LAN, you have to make adjustments:
a. add the wg interface to the LAN interface list to gain access on the input chain
b. add the wg interface to the MANAGEMENT or BASE interface list if no specific LAN rule exists (LAN users should only get DNS access anyway).
c. create a specific rule on the input chain: in-interface=<wg interface> action=accept, etc.
@sob As I stated, LOOK MA NO HANDS - no IP addresses (for wg) were harmed or used in this config
(KISS)
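The three cases above, written out as RouterOS v7 commands. This is an added example, not the poster's own configuration. Assumed names: the WireGuard interface is "wireguard1", the client LAN is 192.168.88.0/24, and the interface lists are the default LAN and WAN; the table name vpntunnel and the interface-list approach come from the post. The key and endpoint values are placeholders. The peer allowed-address lines are a caveat the post does not spell out: WireGuard's cryptokey routing drops any packet whose source or destination is not covered by the peer's allowed-address, so the route and firewall rules alone are not enough.

```routeros
# Added example (not the poster's config). Assumed names: interface
# "wireguard1", client LAN 192.168.88.0/24, interface lists LAN and WAN.
# Placeholders in <angle brackets> must be replaced with your own values.

# --- Case 1: client router, send the whole LAN subnet into the tunnel ---
/routing/table/add name=vpntunnel fib
/ip/route/add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=vpntunnel \
    comment="default route for tunnelled LAN"
/routing/rule/add src-address=192.168.88.0/24 action=lookup-only-in-table \
    table=vpntunnel comment="LAN looks up routes only in vpntunnel"
# The server peer on the client must accept every destination, otherwise
# WireGuard itself discards the traffic before it reaches the tunnel.
/interface/wireguard/peers/add interface=wireguard1 \
    public-key="<server-public-key>" endpoint-address=<server-ip> \
    endpoint-port=13231 allowed-address=0.0.0.0/0 persistent-keepalive=25s

# --- Case 2: server router, forward chain ---
# The client peer on the server must list the client LAN, or inbound packets
# with a 192.168.88.x source are dropped by WireGuard (assumption: one client).
/interface/wireguard/peers/add interface=wireguard1 \
    public-key="<client-public-key>" allowed-address=192.168.88.0/24
# Option a: make the tunnel a LAN member so the existing LAN->WAN rule and the
# default masquerade (out-interface-list=WAN) already cover it.
/interface/list/member/add list=LAN interface=wireguard1
# Option b (instead of a): explicit forward rule, placed above the default
# "drop all from WAN not DSTNATed" rule so it is evaluated first.
/ip/firewall/filter/add chain=forward action=accept in-interface=wireguard1 \
    out-interface-list=WAN comment="wg tunnel to internet" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# --- Case 3: manage the router over the tunnel (smartphone peer) ---
# Option c from the post: a dedicated input rule, placed above the default
# "drop all not coming from LAN" rule.
/ip/firewall/filter/add chain=input action=accept in-interface=wireguard1 \
    comment="manage router over wg" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
```

After applying, check `/ip/firewall/filter/print` to confirm the accept rules sit above the drop rules (a rule added without place-before lands at the bottom, after the drops, and never matches), and `/routing/rule/print` plus `/ip/route/print where routing-table=vpntunnel` to confirm the LAN subnet is steered into the tunnel table. Pick either option a or option b for the forward chain, not both; adding the tunnel to the LAN list also exposes every other LAN-scoped rule (DNS, input accept) to tunnel peers, which is exactly the trade-off the post describes for Case 3.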