PiHole is a big part of how I do exactly those things.

• Router acts as a wireguard client (for external VPN) and server (for home VPN).
• LAN and home VPN DHCP services push pihole DNS server so client devices use it by default
• I can change DNS servers temporarily on any given device if needed
• Phone uses “always on VPN” feature on Android to connect to home VPN; computers can connect easily as well from anywhere
• Router routes all LAN and home VPN non-local traffic across external VPN provider
• PiHole uses external VPN provider’s DNS server for upstream DNS to prevent DNS leaks

Granted it was difficult to get it all working. But really no maintenance since then.