I leave
option route_allowed_ips '1'
list allowed_ips '10.0.10.2/32'
on server side, and when I finally managed connection from TunSafe client @ Windows, it seems
AllowedIPs = 0.0.0.0/0
on client side does the work right. All traffic is routed through WG, no DNS leakage. Without any further PostUp / PostDown commands, or special postrouting/MASQ on server side firewall…
The same seems to be working also for Linux client.
Performance looks VERY good, in full throughput (30/30 Mbit) my CPU in Omnia is in percents… It's very different from ssh/rsync/sftp solutions. Now I understand the fuss about it.
It even looks like devices on LAN are also reachable! Hmm. Don't see much difference from yesterday, but it seems to be working all out of the box.
Now the only downside of wireguard for me is lack of:
- support Android 2.3.6, 4.0, and 4.4,
- support LibreElec
- official Windows client
- support in sslh
When I have some time, I will write an article for the Turris user documentation. I think this is really useful and wg deserves that (after all the Turris team's efforts to keep this package up to date), especially when the step-by-step docs (related to TurrisOS) are not so easy to find.
P.S.:
Does anyone also experience errors at runtime?:
wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.10.1 P-t-P:10.0.10.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:54512 errors:30 dropped:0 overruns:0 frame:30
TX packets:63661 errors:4 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:45990896 (43.8 MiB) TX bytes:53491784 (51.0 MiB)