Replace the single VPN container (veth pair, host-side auth scripts) with a
multi-container setup on a shared bridge network:
- Dedicated VPN container handles all PIA auth, WireGuard config, NAT, and
optional port forwarding DNAT
- Service containers default-route through VPN container (leak-proof by topology)
- Host runs tinyproxy on bridge for PIA API bootstrap before WG is up
- WG interface is still created in host netns and moved into VPN container
namespace
- Monthly renewal to ensure that connection stays up (PIA allows connections to
last up to 2 months)
- Drop OpenVPN support entirely
