feat: local Mullvad WireGuard + policy routing for guest traffic

- parahub-mullvad script: setup/status/remove for owner's Mullvad key
- WireGuard packages: kmod-wireguard, wireguard-tools, luci-proto-wireguard
- Policy routing: ip4table='100' + guest subnet rule (fixes guest→VPN flow)
- setup: auto-detects country, registers key, creates WG interface, switches firewall
- remove: reverts to GRE6→VPS gateway

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/build.sh

@@ -64,6 +64,11 @@ PACKAGES_CORE=(
     # GRE6 tunnel (guest traffic → VPS gateway)
     kmod-gre6
 
+    # WireGuard (optional local Mullvad via parahub-mullvad script)
+    kmod-wireguard
+    wireguard-tools
+    luci-proto-wireguard
+
     # DNS-over-HTTPS for guest privacy
     https-dns-proxy