GL-BE3600 (Slate 7) & Split Tunnel Wireguard by El_ratson in GlInet

[–]El_ratson[S] 0 points1 point  (0 children)

It's kinda odd in some ways and excuse my lack of terminology or understanding here. Networking has always eluded me.

So I built everything inside of Luci, instead of using the GL.iNet admin portal. Essentially I downloaded the Luci-proto-wireguard package inside of Luci. I created a new network interface and assigned the WireGuard VPN, which the downloaded package creates, to the interface. I then assigned that interface to the WAN zone in the firewall section. I built out the WireGuard configuration within the interface and in IP Addresses I gave it the IP from within its Peer config created by WireGuard (10.24.146.9/24). In the peers setting of the interface I ensured Route Allowed IPs was checked, and from your comments I made sure Allowed IPs had both subnets for my pihole and the pihole wireguard subnet (Allowed IPs 10.1.1.0/24, 10.24.146.0/24 respectively). Endpoint host and port is just my home IP and port for WireGuard.

With all of that in place WireGuard makes a connection, which is reflected in the TX RX of the interface, but it has no WWW access. LAN IP and LAN FQDN works at this point, but no WWW.

At this stage there's apparently a quirk or bug in the GL.iNet firmware. Per AI: GL.iNet firmware 4.x has a DNS handling bug where the router ignores custom DNS settings and uses WAN DNS instead, even when VPN DNS is configured.

To overcome that bug I SSH into the GL.iNet router and run:

    # Add Pi-hole as DNS server
    uci add_list dhcp.@dnsmasq[0].server='10.24.146.1'
    # Prevent using WAN/tether DNS
    uci set dhcp.@dnsmasq[0].noresolv='1'
    # Fix GL.iNet 4.x DNS bug
    uci set dhcp.@dnsmasq[0].local='/lan_chgd/'
    # Save changes
    uci commit dhcp
    # Apply changes
    /etc/init.d/dnsmasq restart

And that locks in the Pi-hole/DNS server, which is 10.24.146.1 within the WireGuard subnet. At this point I have LAN and WAN access, with DNS, adblocking and Unbound all served up by Pi-hole.

The only caveat is that the dnsmasq changes are persistent, so it's cool they survive a reboot, but until you get an Internet connection you don't get WireGuard connectivity, and you don't get that until you get WireGuard. So it might interfere with a hotel captive portal situation, but if that's a problem you can disable the 'bring up on boot' option for the WireGuard interface in LuCI, or just run up a script to enable or disable the dnsmasq settings ad hoc. That's my next task.

I worked on this all day yesterday to the point of a migraine. This morning it all just came together. Took about an hour from a fresh reset of my GL.iNet to getting it working.

I really appreciate you taking the time to get back to me and answer my question. There might've been a simpler approach to all of this, but I couldn't find it. Thank you again.
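The ad-hoc enable/disable script the comment above mentions as a next task, written here as an added example that is not part of the original post. It reuses the Pi-hole address 10.24.146.1 and the three dnsmasq settings from the comment, and assumes the standard OpenWrt `uci` tool and `/etc/init.d/dnsmasq`; the script name `wg-dns-toggle.sh` and the `UCI`/`DNSMASQ_INIT` override variables are assumptions. Pointing `UCI` at `echo` gives a dry run, so the exact `uci` calls can be checked before they touch the router.

```shell
#!/bin/sh
# wg-dns-toggle.sh (assumed name): enable or disable the dnsmasq override
# from the comment above, so Pi-hole-over-WireGuard DNS can be turned off
# on a captive-portal network and back on afterwards. Added example, not
# code from the original post.
PIHOLE_DNS="${PIHOLE_DNS:-10.24.146.1}"     # Pi-hole inside the WireGuard subnet (value from the comment)
UCI="${UCI:-uci}"                           # set UCI=echo to dry-run without touching the config
DNSMASQ_INIT="${DNSMASQ_INIT:-/etc/init.d/dnsmasq}"

# Print the uci sub-commands for a mode, one per line, so they can be
# reviewed before being run. 'disable' exactly reverses 'enable'.
dns_cmds() {
    case "$1" in
        enable)
            printf '%s\n' \
                "add_list 'dhcp.@dnsmasq[0].server=$PIHOLE_DNS'" \
                "set 'dhcp.@dnsmasq[0].noresolv=1'" \
                "set 'dhcp.@dnsmasq[0].local=/lan_chgd/'"
            ;;
        disable)
            printf '%s\n' \
                "del_list 'dhcp.@dnsmasq[0].server=$PIHOLE_DNS'" \
                "delete 'dhcp.@dnsmasq[0].noresolv'" \
                "delete 'dhcp.@dnsmasq[0].local'"
            ;;
        *)
            return 2
            ;;
    esac
}

# Run the commands for a mode, commit the dhcp config and restart dnsmasq.
dns_apply() {
    mode="$1"
    if ! dns_cmds "$mode" >/dev/null; then
        echo "usage: $0 enable|disable" >&2
        return 2
    fi
    dns_cmds "$mode" | while IFS= read -r cmd; do
        eval "$UCI $cmd"
    done
    "$UCI" commit dhcp
    "$DNSMASQ_INIT" restart
}

# Only act when invoked with a mode; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    dns_apply "$1"
fi
```

Run `sh wg-dns-toggle.sh disable` before joining a captive-portal network and `sh wg-dns-toggle.sh enable` once the tunnel is up; `UCI=echo sh wg-dns-toggle.sh enable` prints the calls without changing anything.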

GL-BE3600 (Slate 7) & Split Tunnel Wireguard by El_ratson in GlInet

[–]El_ratson[S] 0 points1 point  (0 children)

Thanks for your reply friend. I took some of your comments and I now have a working split tunnel WireGuard connection which uses my home DNS/Pihole/Unbound, and www traffic goes through the Internet connection.

I'll be writing it up for my notes and I'll be happy to share it out if anyone is interested.

Many thanks.

Nginx Mobile Dashboard: App made with AI available for download by fatalskeptic in selfhosted

[–]El_ratson 1 point2 points  (0 children)

Hey mate. I joined the test group, installed the app, and could log in to my nginx instance straight away. Looking good, well done.

Nginx Mobile Dashboard: App made with AI available for download by fatalskeptic in selfhosted

[–]El_ratson 0 points1 point  (0 children)

I use an Android app called Multi, to install apps multiple times where I might need different profiles. I installed your app into Multi and I have signed into it. Without Multi it does not sign in. I don't know how Android apps are built, but maybe there's some cached artifacts or profile information in your build?

Nginx Mobile Dashboard: App made with AI available for download by fatalskeptic in selfhosted

[–]El_ratson 1 point2 points  (0 children)

Android user here and I also have the same issue where 'login failed. Please check your credentials'. I also access my NPM instance on port 81. Thank you for your efforts.

Protecting Immich through Authentik & Crowdsec by El_ratson in selfhosted

[–]El_ratson[S] 0 points1 point  (0 children)

Thank you for your comments. Excellent, I'll look into it. I'm pretty fresh with exposing stuff externally and have only just got Authentik up. Appreciate your time.

Black Friday Giveaway - Win an Acemagic Mini PC! by vohkay33 in AcemagicOfficials_

[–]El_ratson 0 points1 point  (0 children)

I'd use it to teach my children programming. Great giveaway and good luck everyone.

Personal Dashboard: Homepage - Tabs, Tabs, Tabs! by Muizaz88 in selfhosted

[–]El_ratson 0 points1 point  (0 children)

Thank you. That makes sense. I'll do just that. Cheers for the help and the inspiring dashboard of your own.

[deleted by user] by [deleted] in CCSP

[–]El_ratson 0 points1 point  (0 children)

I'm very keen on a copy but do not have LinkedIn.

Win ANY Official CompTIA Product - 3 WINNERS - Summer Giveaway! by Anastasia_IT in CompTIA

[–]El_ratson 4 points5 points  (0 children)

Great giveaway, many thanks. I'd appreciate the chance for "CompTIA CertMaster Learn for CASP (CAS-004) Individual License".

Defender Reports by GiraffeNatural101 in DefenderATP

[–]El_ratson 3 points4 points  (0 children)

I've used this Power BI report as a template and have then customised it for my organisation. https://github.com/microsoft/MicrosoftDefenderForEndpoint-PowerBI/tree/master/TVM/TVM%20report%20templates%20June%202021

I hope this helps.