Is your friends client config setup for split tunneling?

If the client config installs a default route to the VPN you will get all their traffic.

The server config can refuse to forward traffic to the internet, but then your friends will be effectively on your LAN but otherwise appear to have no internet access.

Its a good idea to restrict which IPs on your LAN they can access, but the client config also needs route only those IPs over the VPN.

https://www.privateproxyguide.com/how-to-set-up-split-tunneling-with-wireguard/

Yeah it makes you stand out as a fingerprint data point. I generally thought it was recommended to not enable since privacy violators won’t respect it anyways.

YAML is (mostly) a superset of JSON. Is the face hugger any less evil than the alien bursting out of your chest?

Getting deep into tech privacy has solved this for me. My browser essentially resets itself to factory defaults every time it opens. No more purple links!

Good luck if you run a de-googled ROM. I can’t install sandboxed Google Play Services inside the profile because its not approved. I could try and sideload it in, but I’d rather just go without.