For clarification:
Split tunnel
[Interface]
# The phone's address inside the tunnel
Address = 10.0.0.2/24
# Resolver pushed to the phone: the pfSense end of the tunnel
DNS = 10.0.0.1
PrivateKey = <phone interface private key>
[Peer]
# Only these destinations are routed into the tunnel (split tunnel)
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24
Endpoint = <wan ip>:51820
PublicKey = <pfSense tunnel public key>
PresharedKey = <pfSense peer PreShared key>
Changing the DNS from Cloudflare/Google to the IP of, basically, the "gateway" of the tunnel (that is, 10.0.0.1) allowed a handshake.
Also, the AllowedIPs value on the peer (which is actually pfSense, as this is the client's conf file) needed to be 10.0.0.1/32.
Also, I deleted all WireGuard components and started from scratch to verify it all worked, and found that when I make the tunnel and give it the 10.0.0.1 address, and then do not assign OPT8 and only use the pre-existing "WireGuard" firewall rules, the handshake could not happen. It was ONLY when I assigned tun_wg0 to OPT8 and added the rule "IPv4, Proto: Any" to the OPT8 ruleset that it all actually worked.
This is working, sort of. In this case, my phone has Wi-Fi off and is using cellular data. It can access the local LAN (192.168.1.0) just fine. However, it does not access anything with the browser (not split?). I wasn't expecting that.
Tried it at work on a W10 machine. Did not work; I am guessing because I also use 192.168.1.x on that LAN as well, so WG was confused: should it send data down the tunnel to my NAS, or should it head out to the Ubiquiti UDM Pro at work for the 192.168.1.x requests? I hadn't thought of that, that the subnets at different locations might conflict.
I assume those local subnets need to be different. But what of the split tunnel at my home LAN with the phone being on cell data? It has a very different WAN IP with no routing to RFC 1918 ports, but it still doesn't get outside?
Any thoughts?
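As an added example (not part of the post above, and not the poster's or pfSense's code), here is a small Python checker for a WireGuard client config of the shape shown in the post. It parses the file, lists which destinations the client will route into the tunnel (exactly the AllowedIPs prefixes and nothing else, which is what makes it a split tunnel), confirms that the pushed DNS server is itself inside AllowedIPs, and flags AllowedIPs prefixes that overlap the subnet the client is physically sitting on, which is the 192.168.1.0/24-at-work situation. The sample config is constructed with placeholder keys; the cellular range 100.64.0.0/10 used in the demo is an assumed carrier-grade NAT range, not taken from the post.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in the shape of the config from the post; the key
# material is a placeholder, not anyone's real key.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.2/24
DNS = 10.0.0.1
PrivateKey = <phone interface private key>

[Peer]
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24
Endpoint = <wan ip>:51820
PublicKey = <pfSense tunnel public key>
PresharedKey = <pfSense peer PreShared key>
"""

# The same config with a full-tunnel AllowedIPs, for comparison.
FULL_TUNNEL_CONF = SAMPLE_CONF.replace(
    "AllowedIPs = 10.0.0.1/32, 192.168.1.0/24", "AllowedIPs = 0.0.0.0/0, ::/0")

Section = Dict[str, str]


def parse_wg_conf(text: str) -> Dict[str, List[Section]]:
    """INI-style parse into {section name: [key/value dicts]}.
    [Peer] may repeat, so each section name maps to a list of sections."""
    sections: Dict[str, List[Section]] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            current[key.strip()] = value.strip()
    return sections


def allowed_networks(conf) -> list:
    """Every AllowedIPs prefix across all peers: the client routes exactly
    these destinations into the tunnel and nothing else."""
    nets = []
    for peer in conf.get("Peer", []):
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if cidr:
                nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def tunnel_mode(nets) -> str:
    """'full' when a default route (0.0.0.0/0 or ::/0) is in AllowedIPs, else 'split'."""
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"


def routed_via_tunnel(nets, dest: str) -> bool:
    """Would traffic to this destination address enter the tunnel?"""
    addr = ipaddress.ip_address(dest)
    return any(addr in n for n in nets)


def dns_reachable_via_tunnel(conf, nets) -> Dict[str, bool]:
    """The resolver pushed by [Interface] DNS has to sit inside AllowedIPs,
    otherwise name lookups leave over the local network, not the tunnel."""
    result: Dict[str, bool] = {}
    for iface in conf.get("Interface", []):
        for server in iface.get("DNS", "").split(","):
            server = server.strip()
            if server:
                result[server] = routed_via_tunnel(nets, server)
    return result


def lan_conflicts(nets, local_lan: str) -> list:
    """AllowedIPs prefixes that overlap the subnet the client is physically on,
    so both the tunnel and the local interface claim those destinations.
    Default routes are skipped: a full tunnel overlaps every LAN by design;
    this check is for same-size collisions like 192.168.1.0/24 at two sites."""
    lan = ipaddress.ip_network(local_lan, strict=False)
    return [n for n in nets if n.prefixlen > 0 and n.overlaps(lan)]


def check(text: str, local_lan: str) -> dict:
    """Run all checks against one config and summarise the results."""
    conf = parse_wg_conf(text)
    nets = allowed_networks(conf)
    return {
        "mode": tunnel_mode(nets),
        "lan_via_tunnel": routed_via_tunnel(nets, "192.168.1.10"),
        "internet_via_tunnel": routed_via_tunnel(nets, "1.1.1.1"),
        "dns": dns_reachable_via_tunnel(conf, nets),
        "conflicts": [str(n) for n in lan_conflicts(nets, local_lan)],
    }


if __name__ == "__main__":
    # Assumed carrier-grade NAT range for the cellular case.
    print("phone on cellular:   ", check(SAMPLE_CONF, "100.64.0.0/10"))
    print("laptop on work LAN:  ", check(SAMPLE_CONF, "192.168.1.0/24"))
    print("full tunnel, work LAN:", check(FULL_TUNNEL_CONF, "192.168.1.0/24"))
```

For the split config the checker reports that 192.168.1.x goes through the tunnel, 1.1.1.1 does not, the pushed resolver 10.0.0.1 is reachable through the tunnel, and that on a 192.168.1.0/24 LAN the peer's 192.168.1.0/24 entry collides with the local subnet; on the cellular range there is no collision. Swapping in 0.0.0.0/0 turns it into a full tunnel where Internet destinations are routed through pfSense as well.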