WireGuard working with IPv6 to bypass CGNAT - hhaim/hass GitHub Wiki
The problem
Some ISPs use CGNAT (double NAT) because of the IPv4 shortage. This blocks WireGuard over a public IPv4 address.
IPv6 can help here, but a few (simple) issues need to be solved first:
- The DuckDNS hass component sends only the external IPv4 address to the cloud by default (behind CGNAT this address is wrong and will not help). On an IPv6 network with a firewall, the IPv6 address of the host running hass has to be sent instead (remember there is no NAT with IPv6). Luckily, this problem was already solved; see https://github.com/lfhohmann/ha-duckdns_ipv4_ipv6
- Now that DuckDNS carries both the IPv6 and the IPv4 address (behind CGNAT it is better to disable IPv4), the WireGuard client can connect using only the domain name; it prefers IPv6.
These are the lines in configuration.yaml:
```yaml
# the stock duckdns integration is replaced by the ipv4/ipv6 fork
#duckdns:
#  domain: !secret duckdns_domain
#  access_token: !secret duckdns_tocken
duckdns_ipv4_ipv6:
  access_token: !secret duckdns_tocken
  domain: !secret duckdns_domain
  ipv4_mode: duckdns
  ipv6_mode: nameserver
```
- A rule in the router that allows forwarding udp/ipv6:51820 traffic through the firewall to the hass server (again, this is not NAT port forwarding).
With OpenWrt it looks like this (replace xxxx with the static dnsmasq IPv6 host suffix of the hass server; the upper /64 prefix is dynamic, so it cannot be used in the rule):
```
config rule
    option src 'wan'
    option name 'wireguardv6'
    option proto 'udp'
    option dest 'lan'
    option dest_ip '::xxxx/-64'
    option dest_port '51820'
    option family 'ipv6'
    option target 'ACCEPT'
```
- Docker IPv6: there is no need to enable IPv6 in Docker. The port is published for both IPv4 (native) and IPv6 (v6-to-v4 translation done by the host). Behind the bridge the container works with IPv4 only and the host performs the translation.
`docker inspect wiregaud` (the container name used here) shows the port-forwarding rules; the binding whose host IP is `::` is the IPv6 one.
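Two checks for the steps above, as an added example (not from this wiki or the hhaim/hass repository): a helper that derives the `::xxxx/-64` dest_ip suffix for the OpenWrt rule from the server's current IPv6 address and confirms it still matches after the ISP prefix changes, and a parser over a constructed `docker inspect` excerpt that reports whether 51820/udp is published on `::` as well as `0.0.0.0`. The addresses and the inspect output are constructed sample data.

```python
import ipaddress
import json


def host_suffix(addr: str) -> str:
    """Lower 64 bits of a global IPv6 address in OpenWrt's '::xxxx/-64' form.
    The ISP-delegated upper /64 changes over time, so only the interface
    identifier (which dnsmasq keeps stable) is pinned in the firewall rule."""
    ip = ipaddress.IPv6Address(addr)
    iid = int(ip) & ((1 << 64) - 1)
    return f"{ipaddress.IPv6Address(iid)}/-64"


def suffix_matches(rule: str, addr: str) -> bool:
    """True if addr carries the interface identifier pinned by a '::xxxx/-64'
    rule, whatever prefix is currently in front of it (assumes a /64 LAN)."""
    suffix, sep, bits = rule.partition("/-")
    if sep != "/-" or int(bits) != 64:
        raise ValueError("only the ::xxxx/-64 suffix form is handled")
    low = (1 << 64) - 1
    return (int(ipaddress.IPv6Address(suffix)) & low) == (int(ipaddress.IPv6Address(addr)) & low)


# Constructed, trimmed `docker inspect` output for a container publishing
# 51820/udp; real output contains many more fields.
DOCKER_INSPECT = json.loads("""[
  {"NetworkSettings": {"Ports": {"51820/udp": [
     {"HostIp": "0.0.0.0", "HostPort": "51820"},
     {"HostIp": "::",      "HostPort": "51820"}]}}}
]""")


def published_families(inspect_out, port="51820/udp"):
    """Address families the host publishes `port` on: '0.0.0.0' is the IPv4
    binding, '::' the IPv6 one the host translates to the v4-only container."""
    fams = set()
    for b in inspect_out[0]["NetworkSettings"]["Ports"].get(port) or []:
        if b["HostIp"] == "::":
            fams.add("ipv6")
        elif b["HostIp"] == "0.0.0.0":
            fams.add("ipv4")
    return fams


if __name__ == "__main__":
    # constructed hass server address; current prefix 2001:db8:abcd:1234::/64
    rule = host_suffix("2001:db8:abcd:1234:1a2b:3c4d:5e6f:7a8b")
    print("option dest_ip", repr(rule))
    print("still matches after a prefix change:",
          suffix_matches(rule, "2001:db8:ffff:1:1a2b:3c4d:5e6f:7a8b"))
    print("published families:", sorted(published_families(DOCKER_INSPECT)))
```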