Since direct inbound is neither necessary nor desirable, I’ve spun up a new firewall VM in Qubes with my WireGuard interface. Now the AppVMs are using that VM instead of their own individual tunnels. I didn’t need to free up allocated IPs in my VPN, but now there’s one available for another device if needed. When I am back stateside I will reconfigure my US home network (as it’s needlessly complicated today), and add a peer for my Qubes VM so I can always reach local home assets directly.