New update. According to the author it fails closed.
Also regarding fail safe, it actually handles this as long as it is only used for network provider qubes as documented in the readme, and not as an app qube. If you look closely at the firewall forward rules it only allows traffic from the lan interface flowing to the wireguard interface. That means that if the wireguard interface is down, the traffic flowing from the lan is dropped. This can be verified with tools like tcpdump by taking down the wg tunnel. If you see that this is not the case it is a bug and I will fix it.
There is nothing preventing the VPN qube itself from talking to the WAN if the wireguard tunnel is down, but this is by design and intended from my side. The intention is to make sure the clients behind the VPN qube stays protected even if the tunnel is down
The author has updated the github repo page with a better explanation. It fails closed. I wish i could correct the first post.