Webserver and DNS/Pi-Hole access after installing VPN

Help, I am new to OpenWRT and networking, feeling overwhelmed... I managed to set up a simple home network that worked until installing Mullvad VPN: I have my router 192.168.1.1 (with wireguard for VPN), a webserver 192.168.1.180 and some laptop/desktop computers and android phones connected through LAN and Wifi. I then installed Mullvad VPN through Wireguard installed on OpenWRT which generally works (I can access the internet through VPN with the router) but I am looking for guidance how I can do the following

1. My webserver is no longer available on the internet -- I would like to allow 192.168.1.180 to directly access the internet outside the VPN and be accessible but I am struggling how to achieve this.. this is the most important

2. I had been using Pi-Hole on 192.168.1.180 to filter ads/spam but this somehow stopped working. From my research it seems to have to do with hijacking by Mullvad VPN -- I found the following website and created a token that should disable hijacking: https://schnerring.net/blog/use-custom-dns-servers-with-mullvad-and-any-wireguard-client/ I'd ideally like to have DNS through Pi-Hole on 192.168.1.180 through Unbound while the traffic goes through the Wireguard VPN

These are my config files:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:d76e:762a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config device
        option name 'lan1'
        option macaddr 

config device
        option name 'lan2'
        option macaddr 

config device
        option name 'lan3'
        option macaddr 

config device
        option name 'lan4'
        option macaddr

config device
        option name 'lan5'
        option macaddr 

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
        option macaddr

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option private_key
        option force_link '1'
        list addresses '10.131.141.81/32'
        list dns '192.168.1.180'

config wireguard_WGINTERFACE
        option description ' us-nyc-wg-301 '
        option public_key 
        option route_allowed_ips '1'
        option endpoint_host '
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid ''
        option encryption 'psk2'
        option key '

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid ''
        option encryption 'psk2'
        option key 

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTP'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.180'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPS'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.180'
        option dest_port '443'

config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WGINTERFACE'
        option name 'WGZONE'

config forwarding
        option src 'lan'
        option dest 'WGZONE'

config forwarding
        option src 'lan'
        option dest 'wan'
````root@OpenWrt:~# wg show
interface: WGINTERFACE
  public key: 
  private key: (hidden)
  listening port: 51654

peer: 
  endpoint: 
  allowed ips: 0.0.0.0/0, 192.168.1.180/32
  latest handshake: 28 seconds ago
  transfer: 53.36 MiB received, 3.25 MiB sent`

This is expected since you setup an outbound VPN. All of the traffic that comes in via the normal wan is being routed out via the VPN.

To fix this, you need Policy Based Routing.

Set DHCP option 6 to point to your Pihole (192.168.1.180). This will advertise the Pihole as the DNS server to all client devices.

You should also consider upgrading to 24.10.

Thank you very much psherman. After reading the PBR link, I tend to believe that I would want to go for the "PBR with netifd" option, and here with "Route LAN to VPN by IP set" - do I get that right?

I am having difficulty understanding the example syntax:

for IPV in 4 6
do
uci -q delete firewall.wan_set${IPV%4}
uci set firewall.wan_set${IPV%4}="ipset"
uci set firewall.wan_set${IPV%4}.name="wan${IPV%4}"
uci set firewall.wan_set${IPV%4}.family="ipv${IPV}"
uci set firewall.wan_set${IPV%4}.match="net"
uci -q delete firewall.lan_mark${IPV%4}
uci set firewall.lan_mark${IPV%4}="rule"
uci set firewall.lan_mark${IPV%4}.name="Mark-LAN-VPN"
uci set firewall.lan_mark${IPV%4}.src="lan"
uci set firewall.lan_mark${IPV%4}.dest="*"
uci set firewall.lan_mark${IPV%4}.ipset="!wan${IPV%4} dest"
uci set firewall.lan_mark${IPV%4}.proto="all"
uci set firewall.lan_mark${IPV%4}.family="ipv${IPV}"
uci set firewall.lan_mark${IPV%4}.set_mark="0x1"
uci set firewall.lan_mark${IPV%4}.target="MARK"
uci set network.lan.ip${IPV}table="1"
uci set network.vpn.ip${IPV}table="2"
uci -q delete network.lan_vpn${IPV%4}
uci set network.lan_vpn${IPV%4}="rule${IPV%4}"
uci set network.lan_vpn${IPV%4}.in="lan"
uci set network.lan_vpn${IPV%4}.mark="1"
uci set network.lan_vpn${IPV%4}.lookup="2"
uci set network.lan_vpn${IPV%4}.priority="30000"
done
uci commit firewall
uci commit network
service firewall restart
service network restart

What do I need to edit to have traffic to/from 192.168.1.180 go through my "regular IP" and everything else through the Wireguard VPN interface?

Often when users discover the wonderful world of PBR they want more than just one LAN client e.g. DNS or Domain based routing so in the end installing the full PBR app might be useful
But until then here you go:
First disable default routing via the VPN by removing/disabling route_allowed_ips on the WireGuard peer:

Second make a routing table with number 100 with a default route via the VPN, add in /etc/config/network:

config route
	option interface 'WGINTERFACE'
	option table '100'
	option target '0.0.0.0/0'

Third make an ip rule to let your lan client use table 100, add in /etc/config/network:

config rule
	# for ip source:
	option src '192.168.1.180/32'
	option lookup '100'
	# destination e.g. from all to dest
	#option dest '25.52.71.40/32'
	# for interface
	#option in 'lan'
	# for proto
	#option ipproto 'icmp`
	# for source port
	#option sport '116'
	# for destination port
	#option dport '116'
	#table number to use for lookup
	#option priority '2000'

For the record I also posted the instructions for other rules but those are commented out

Reboot and test your lan client by browsing to: ipleak.net

Does that include remote VPN clients or is that only devices on the Home Network that would have access to the Pihole?

Define the remote VPN clients? If they're inbound, you can optionally allow them to reach the pihole.

Can the Pihole be accessed from anywhere as per this Tailscale article?