So I opened a similar post months ago, and it worked when WireGuard was hosted on my router: using my public IPv6 address, it connected just fine.
But now that I moved one of my VPN services from my router to a Proxmox server, I seem to have trouble with forwarding IPv6 to port 443 UDP.
Currently this is what my Traffic Rule for my VPN service looks like.
I can confirm that if I use the GUA IPv6 address locally as shown in the image it connects just fine. But when on another network it does not.
When looking through WireGuard I can see ICMPv6 messages saying Destination Unreachable (Port unreachable) when my client tries connecting to the VPN hosted in my house but fails instead.
You do not forward an IPv6 address; you just open up the firewall for the IPv6 address with a traffic rule.
You can use a negative netmask to only set the suffix.
In IPv6, a block of GUAs is routed to your house, and each device in the house will have a unique GUA within that block. The DDNS should point to the VPN server's GUA, not the router. This usually means running a DDNS client on the VPN server.
As a separate issue from addressing and routing, the firewall prevents incoming connections from passing from wan to lan by default. You will need to make an exception for a machine that offers a service to the outside.
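The suffix-only match suggested in the replies above, modelled as an added example (not code from any poster or from OpenWrt itself). It assumes a negative prefix length `/-N` means "compare only the low N bits"; the interface ID and the `2001:db8::` prefixes are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def parse_suffix_rule(spec):
    """Split 'addr/-N' into (value, mask) integers covering the low N bits."""
    addr, _, bits = spec.partition("/")
    n = int(bits)
    if not -128 <= n < 0:
        raise ValueError("expected a negative prefix length such as /-64")
    mask = (1 << -n) - 1                      # low N bits set
    value = int(ipaddress.IPv6Address(addr)) & mask
    return value, mask

def mask_notation(spec):
    """Render the same rule in explicit address/mask form."""
    value, mask = parse_suffix_rule(spec)
    return f"{ipaddress.IPv6Address(value)}/{ipaddress.IPv6Address(mask)}"

def rule_allows(spec, dest_ip, proto, dest_port, rule_proto="udp", rule_port=443):
    """True if a wan-to-lan packet matches the suffix rule for UDP 443."""
    value, mask = parse_suffix_rule(spec)
    same_host = (int(ipaddress.IPv6Address(dest_ip)) & mask) == value
    return same_host and proto == rule_proto and dest_port == rule_port

# Constructed sample: interface ID of the VPN server, two delegated prefixes.
RULE = "::be24:11ff:fe12:3456/-64"
OLD_GUA = "2001:db8:aaaa:10:be24:11ff:fe12:3456"
NEW_GUA = "2001:db8:bbbb:20:be24:11ff:fe12:3456"   # after the ISP changes the prefix
ROUTER = "2001:db8:aaaa:10::1"                     # router's own GUA, not the server

if __name__ == "__main__":
    print(mask_notation(RULE))
    for dst in (OLD_GUA, NEW_GUA, ROUTER):
        print(dst, rule_allows(RULE, dst, "udp", 443))
```

The rule keeps matching the VPN server after a prefix change, while a DDNS record that points at the router's GUA sends clients to an address the rule never covers.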
So let's say I have a separate device doing nginx/caddy, then another for VPN. The best approach here will be to have sub-domains which point to my device's IPv6 GUA address?