If the delegated prefix changes then you have to change the static Wireguard addresses when you want ipv6 through the tunnel.
The approach from the OPNsense guide is to give an ULA address to peer and client, but then test at https://test-ipv6.com/ (https://test-ipv6.com/) say that my browsers prefer an ipv4 connection.
Then I thought about giving random GUA addresses outside my delegated prefix to peer and client and make use of the outbound NAT.
This works well and the above test says 10/10 for ipv6.
Are there any gurus that say that this is bad practice and that there will be problems that I overlooked?
That is exactly the way I do. Due to ULAs there is NAT between client and Internet, thats not what we want to achieve with v6, but there is no way until we get a fixed prefix. :'(
I guess the threshold question is why do you care about what the IPv6 website tells you? The only reason they give for being "concerned" about v4 being favoured is where the user is behind CGNAT and therefore potentially has a "polluted" v4 public IP. Otherwise in both cases you are NATing the outbound traffic
Give out a GUA prefix that you know is not used elsewere. Borrow a single /64 from someone with a larger assignment. Register a tunnel account with Hurricane Electric ... there are possibilities with this giant address space.
Thank you for your answers, it seems to me that the consensus is that I do no harm and there will be peace in my mind ;)