Basically yes the masg_src is the WireGuard IPv6 subnet
But you do not appear to have that yet.
Probably make a new config on Mullvads website specify both IPv4 and IPv6 and you should get not only an IPv4 but also an IPv6 list address see:
Note that you should use a /64 netmask for the subnet so that you will have something like:
option masq6 '1'
list masq_src 'fc00:bbbb:bbbb:bb01::6:4edd/64'
Mullvad is hijacking your DNS there is a paragraph about it at the end
Mullvad is hijacking your DNS there is a paragraph about it at the end
Ah I missed that, well guess that's ok really.
Note that you should use a /64 netmask for the subnet so that you will have something like:
I noticed that mullvad will only give me /128.
Ok, got new configs from mullvad, made all the changes. Still leaking starlinks ipv6 address 
EDIT:
Maybe have figured something out.
Mullvad VPN does not provide a /64 subnet prefix. You can use our SOCKS5 proxy on the clients to get an IPv6 exit IP.
Can you show the current configs, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show
That should not matter, but you use the /64 for the firewall masq_src but not for the list addresses in the WireGuard interface
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc9:fcdb:2690::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.99.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '9.9.9.9'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'WGINTERFACE'
option proto 'wireguard'
option private_key 'xxx'
option force_link '1'
list addresses 'xxx'
config wireguard_WGINTERFACE
option public_key 'xxx'
option endpoint_host 'xxx.xxx.xxx.xx'
option endpoint_port '51820'
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
list allowed_ips '::/1'
list allowed_ips '8000::/0'
config route
option interface 'WGINTERFACE'
option target '100.64.0.7/23'
option disabled '1'
cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option masq6 '1'
list masq_src 'fc00:bbbb:bbbb:bb01::6:5845/64'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'WGZONE'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'WGINTERFACE'
config forwarding
option src 'lan'
option dest 'WGZONE'
config forwarding
option src 'lan'
option dest 'wan'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
ip route show
default dev WGINTERFACE proto static scope link
100.64.0.0/10 dev wan proto kernel scope link src 100.71.122.211
185.xxx.xxx.xx via 100.64.0.1 dev wan proto static
192.168.99.0/24 dev br-lan proto kernel scope link src 192.168.99.1
ip -6 route show
default from 2a0d:3344:100:18e5::/64 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
default from 2a0d:3344:183:7000::/56 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
2a0d:3xxxxxxxxx8e5::/64 dev wan proto static metric 256 pref medium
unreachable 2a0xxxxxxxxxx:18e5::/64 dev lo proto static metric 2147483647 pref medium
2a0dxxxxxxxxx83:7000::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a0d:3344:183:7000::/56 dev lo proto static metric 2147483647 pref medium
fdxxxxxxxxx:2690::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdxxxxxxxx690::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
default dev WGINTERFACE proto static metric 1024 pref medium
root@OpenWrt:~#
ip route show table all
default via 100.64.0.1 dev wan table pbr_wan
192.168.99.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.99.1
default via 10.zxxxx0 dev WGINTERFACE table pbr_WGINTERFACE
default dev WGINTERFACE proto static scope link
100.64.0.0/10 dev wan proto kernel scope link src 100.71.122.211
185.195.232.70 via 100.64.0.1 dev wan proto static
192.168.99.0/24 dev br-lan proto kernel scope link src 192.168.99.1
local 10.xxxxx dev WGINTERFACE table local proto kernel scope host src 10.69.88.70
local 100.71.122.211 dev wan table local proto kernel scope host src 100.71.122.211
broadcast 100.127.255.255 dev wan table local proto kernel scope link src 100.71.122.211
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.99.1 dev br-lan table local proto kernel scope host src 192.168.99.1
broadcast 192.168.99.255 dev br-lan table local proto kernel scope link src 192.168.99.1
default from 2xxxxx:100:18e5::/64 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
default from 2xxxxx4:183:7000::/56 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
2axxxxx44:100:18e5::/64 dev wan proto static metric 256 pref medium
unreachable 2axxxx4:100:18e5::/64 dev lo proto static metric 2147483647 pref medium
2axxxxxx0::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2xxxxx0::/56 dev lo proto static metric 2147483647 pref medium
fdxxxxxx90::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdxxxx90::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
default dev WGINTERFACE proto static metric 1024 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2xxxxxx5:: dev wan table local proto kernel metric 0 pref medium
local 2axxxxx1:1eff:fef8:98ae dev wan table local proto kernel metric 0 pref medium
anycast 2xxxxxx3:7000:: dev br-lan table local proto kernel metric 0 pref medium
local 2axxxx3:7000::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fdcxxxxx0:: dev br-lan table local proto kernel metric 0 pref medium
local fdxxxxx90::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
local fe8xxxxxx8ae dev wan table local proto kernel metric 0 pref medium
local fexxxxxxxxx98af dev eth0 table local proto kernel metric 0 pref medium
local fe8xxxxaf dev br-lan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev WGINTERFACE table local proto kernel metric 256 pref medium
ip rule show
0: from all lookup local
29998: from all fwmark 0x20000/0xff0000 lookup pbr_WGINTERFACE
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766: from all lookup main
32767: from all lookup default
wg show
interface: WGINTERFACE
public key: xxxxx
private key: (hidden)
listening port: 55020
peer: xxxxx
endpoint: xxx.xxx.xxx.70:51820
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 42 seconds ago
transfer: 460.86 MiB received, 108.98 MiB sent
Ok great, /64 is set 
The WireGuard interface must have both an IPv4 and IPv6 address that is what you should have gotten from Mullvad when making the config on their website.
Those are private addresses so no need to redact those, to be sure pleas show it.
The IPv6 address you have gotten from Mullvad is what you have to fill in (with a /64 netmask) in
It looks OK but the important IPv6 routes are missing ::/1 and 8000::/1
There is a typo which might cause this you have set:
Your WG show also does not show this as allowed IPs:
So correct the typo, then reboot the router and check again with
ip -6 route
wg show
Do'h!
Corrected
wg show
interface: WGINTERFACE
public key: xxx
private key: (hidden)
listening port: 44939
peer:xxxx
endpoint: 185.xxx.xxx.xx:51820 <<<<<< is endpoint sensitive?
allowed ips: 0.0.0.0/0, ::/0, ::/1, 8000::/1
latest handshake: 14 seconds ago
transfer: 3.60 MiB received, 1.93 MiB sent
ip -6 route
default from 2a0d:3344:100:18e5::/64 via fe8xxxxx0:101 dev wan proto static metric 512 pref medium
default from 2a0d:3344:183:7000::/56 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
2a0d:3344:100:18e5::/64 dev wan proto static metric 256 pref medium
unreachable 2a0d:3344:100:18e5::/64 dev lo proto static metric 2147483647 pref medium
2a0d:3344:183:7000::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a0d:3344:183:7000::/56 dev lo proto static metric 2147483647 pref medium
::/1 dev WGINTERFACE proto static metric 1024 pref medium
fc00:bbbb:bbbb:bb01::6:5845 dev WGINTERFACE proto kernel metric 256 pref medium
fdc9xxxxx::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdxxxx0::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
8000::/1 dev WGINTERFACE proto static metric 1024 pref medium
default dev WGINTERFACE proto static metric 1024 pref medium
Any of these sensitive?
config interface 'WGINTERFACE'
option proto 'wireguard'
option private_key 'xxxxx='
option force_link '1'
list addresses '10.69.88.70/32'
list addresses 'fc00:bbbb:bbbb:bb01::6:5845/128'
ipv6 not reachable according to ipleak.net
We are nearly there, the firewall settings are mixed up 
The above is when you have added the WG interface to the WAN zone but you have used a separate zone so remove the two last lines.
Enable masq6 on the WGZONE:
Reboot and test again
Either there seems to be some kind of discrepancy between half editing files with vim and using luci or maybe I followed the wrong tutorial in your docs, because there was a few. Whatever happened, it is working!
I have an ipv6 address 
Eth clients appear to only have ipv4
wireless clients have both
pbr clients appear to show ipv4 from ISP (starlink) but show ipv6 from mullvad.
Am I there?
Great to hear
For PBR using IPv4 and IPv6 you also have to route both IPv4 and IPv6, if you use an IPv4 address then only IPv4 is routed so you have to make a rule for the IPv4 client address and a rule for the IPv6 client address.
But and that is a big BUT many clients use their frequently changing IPv6 temporary address although this can be disabled on the client this is not very practical so the solution for dual stack IPv4 and IPv6 address:
Use the MAC address of the client, this will route both IPv4 and IPv6 or use the whole interface in case you want a whole subnet routed e.g. make a rule with @br-lan see the PBR read.me
Make sure the clients are not using private MAC addresses other wise the MAC also changes frequently.
Have you rebooted the clients?
Is IPv6 enabled on the clients?
On first glance I do not see anything out of the ordinary on your DHCP or LAN IPv6 settings and seeing that some clients have working IPv6, it could be something on the client but I am not the leading authority on IPv6 
I have an arch build that I had not setup systemd fully yet, and forgot. So, all is well!
The others are apple, and appear to be using some kind of mac switching, which confused me at first.
egc you have been invaluable, many many thanks Sir!
I hope you find a 50euro -or whatever denomination- on your travels! wouldn't it be funny if you did now
Finally setup my network how I wanted it!
Great it is solved, glad I could help 
I wonder if this is similar to my issue. I have wireguard working with PBR over wifi testing it from my laptop and I have ipv6 disabled in br-lan. But when I try to access the sites I have listed in my PBR from my cell phone(oneplus 13) they don't route over pbr. I know because I am abroad and I get the sites geoblock error.
I ran tracert as well and indeed my cell doesn't hit the wireguard 10 interface after the 1st hop
I added MAC addresses to the clients for ipv4 and 6 however, I discovered that the scum Disney+ and prime etc started blocking them again. The reason is, the ipv6 address the clients gets is from wireguard.
I think the scum streaming services are also blocking VPN ipv6 addresses.
I've set the clients back to an IP address for now so they don't get an ipv6.
Really hate Disney, prime, netflix.
EDIT: scratch that, the clients are getting ipv6 addresses from wireguard. So off to read the pbr docs :[
Streaming service are actively blocking VPN use.
In your case default routing is via the VPN and if you try to use streaming services via the VPN and it does not work then you might be out of luck.
IF you use PBR to route e.g. your TV via the WAN and streaming services are blocked then that might be caused by a DNS leak, as default routing is via the VPN, all your DNS is going via the VPN also for clients e.g. your T.V. using the WAN.
If this is the case you need Split DNS, meaning lan clients using the WAN must use DNS via the WAN.
There are several ways to do it but the PBR app also has DNS policy routing.
See also:
For some background reading:
https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak.
Would this be true all of the time? DNS queries originate from cloudfare on the client, I already setup DNS to 1.1.1.1 via pbr. It seems to be working but Disney still rejects the TV.
Would streaming services not block ipv6 addresses as well as ipv4 from VPN's?
Thanks for the doc referrals, as I do not just want to fix the problem, but learn
I also get something to read whilst slacking at work haha
I am starting to consider an inversion and making the WAN default and VPN not. Not sure if this is giving up, not sure if many people do this... I do really hate these out of control corps stealing data though.
The default setup is that your lan clients use the router's DNSMasq as DNS server , DNSMasq then uses the default route which is the VPN in your case to resolve DNS.