IMO this is the best OS way, but without nix it’s a pita to maintain through restores/rebuilds. personally I never fully comprehended how to properly configure iptables/routes (I did try though, so nobody can blame me lol).
however, a major benefit to using a contained VPN or gluetun is that you can be selective on what apps use the VPN.
I host 12 other containers (with nas mounts) on the same host outside of the three that need to use a VPN, so this is why the solution I described works for me. and should I ever need to use routes for more advanced network filtering I still have it available without adding the complexity of splitting normal traffic vs VPN traffic.
I would recommend it. Speaking from personal experience, I trusted my VPN connection to remain on and self-heal. Thinking that cost me a strike against my ISP.
Now I know for a fact that if anything goes wrong with the VPN connection, all the containers that need it will need to restart before they have connectivity again and that can only happen after the VPN container restarts and passes healthcheck.