VPN with Unbound Recursive Resolution - Proper settings?

Having some difficulties getting Unbound to cooperate without ServFail-ing while running behind a VPN.

WAN is PPPoE, therefore MTU is 1492. WireGuard MTU is set to 1420. Both WireGuard and WAN have MSS clamping enabled - presumably therefore WAN MSS is 1452 and WireGuard's is 1380. Additionally, the DNS Reply Size Test: https://www.dns-oarc.net/oarc/services/replysizetest has consistent problems with ServFailing or fragmentation. Occasionally it will report an EDNS size of 4050-4068, occasionally it'll be entirely fragmented (<512), and sometimes partially (4050, 450, etc.). My problem right now as I see it is that I'm uncertain how to calculate all these things with MSS, EDNS size, UDP, etc. with all the headers and such. Although there's likely more to it than that.

OK, so I fixed it. The settings in question are tcp-mss, outgoing-tcp-mss, max-udp-size and edns-buffer-size. The TCP MSS settings were straightforward, right? Since the MTU set for WireGuard is 1420, just set them to 1380. Max-UDP-Size took some toying with to determine that the default, 4096, delivered the most optimal consistent results. The crux of this, all of this, was EDNS though. It seems that setting it to 512 is the magic bullet to fix the myriad of problems that were cropping up. Additionally, testing against the OARC Reply Size Test server tells me that my EDNS responses are in line with appropriately set EDNS - rather than a truly hobbled 512. Don't know why this is, but I can now do local recursive resolution behind WireGuard with all the bells and whistles (qname minimisation, DNSSEC, various hardening options, etc.).

Edit: Issues where random domains would randomly NXDOMAIN on me started to crop up; I ended up having to disable qname minimisation to resolve it. Everything else is fine, though.

Edit 2: An issue would crop up wherein, after a period of time/queries, Unbound would refuse to query things any longer, returning only SERVFAIL until the service was restarted entirely. This appears to have been resolved by disabling multithreading and setting "disable-dnssec-lame-check: yes". I've also disabled harden-glue for the time being. Now the occasional SERVFAIL will eventually resolve correctly, after a few minutes.


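The settings the post arrives at, collected into one Unbound `server:` block as an added example; this is not the poster's actual configuration file. The MSS values follow from the post's MTUs minus 20 bytes of IPv4 header and 20 bytes of TCP header, and the trust-anchor path is an assumption.

```conf
server:
    # MSS = tunnel MTU minus IPv4 header (20) and TCP header (20):
    # WireGuard 1420 - 40 = 1380. The PPPoE WAN path would be 1492 - 40 = 1452,
    # but the tunnel is the narrower hop, so its value is the one that matters.
    # An IPv6-only tunnel carries 20 more bytes of header and would need 1360.
    tcp-mss: 1380
    outgoing-tcp-mss: 1380

    # Largest UDP reply Unbound sends to its own clients. The post settled on
    # the default, 4096, as the most consistent.
    max-udp-size: 4096

    # EDNS buffer size advertised to upstream servers. Advertising 512 makes
    # any larger answer come back truncated and retried over TCP (at the MSS
    # above), which avoids fragmented UDP inside the tunnel.
    edns-buffer-size: 512

    # First edit: turned off after random NXDOMAIN answers.
    qname-minimisation: no

    # Second edit: single thread, lame check and glue hardening disabled, after
    # Unbound stuck on SERVFAIL until restarted.
    num-threads: 1
    disable-dnssec-lame-check: yes
    harden-glue: no

    # DNSSEC validation stays on. Path is an assumption for this example;
    # use the location your distribution's unbound-anchor writes to.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
```

Run `unbound-checkconf` after editing; tcp-mss and outgoing-tcp-mss are only honoured on systems where Unbound was built with TCP_MAXSEG support.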