@nprofile1q... I do the opposite; I leave the wireguard interface in the default namespace, and move the physical device interface to a special "physical" namespace. So, by default, all my applications use my self-hosted VPN. I also have multiple namespaces for multiple VPNs, for example, I only run my torrents through one specific VPN, so I have a script ~/.local/share/bin/rtorrent that runs su -c to first prompt me for password and then run rtorrent proper inside the appropriate namespace. That way, I can never run rtorrent in the wrong namespace by mistake, as the name is overridden. I also do the same for a firefox instance that runs with a different --profile to access my bank and such through the physical network. Having to write the password makes it abundantly clear that I'm now switching to the physical network, and can never happen by mistake.