Add support to Oz for WireGuard VPN exits

[dma]

One way to do it is similar to how we do it w/OpenVPN:

• wg interface traffic gets clearnet in ferm.conf config, as with tun devices

• oz launches wg at sandbox creation time, bridge created at sandbox creation time

• specialized oz route-up gets invoked that creates routing table, routes, & policy rules that forward traffic to/from wg interface to bridge

• openvpn client has options to reconnect on timeout and on SIGUSR1, route down is run, then route up is run again .. this would maybe need to be implemented for wireguard

• need to deal with possibility of 1918 CIDR address space collisions

• there may be a right way to do it: https://www.wireguard.com/netns/