ER8411 not routing response traffic to WireGuard clients
I have WireGuard configured on the gateway acting as a VPN server. The "Local IP Address" on the gateway's WireGuard config (10.16.16.1) is set to a subnet unused by any of the existing VLANs. There is a single peer configured currently (I deleted all other configured WireGuard peers), with the "Allow Address" set to 10.16.16.13/32.
It seems like the gateway is setting up the WireGuard connection properly, but is not forwarding traffic back to the WireGuard clients.
The WireGuard handshake between the client and the gateway is successful. I see the handshake and response in my tcpdump/Wireshark. But I am unable to get an ICMP reply on my client's interface when pinging the router.
I can ping a computer on the local LAN (i.e. 10.16.1.200) from the WireGuard client (10.16.16.13). On 10.16.1.200's interface, I can see both the ping from 10.16.16.13 and the reply from 10.16.1.200. But that never reaches 10.16.16.13.
Looking at the gateway's routing tables in the Omada UI, I see a route to 10.16.16.13 (I assume the /32 is implied) with a "Next Hop" of 0.0.0.0, "Interface" of 829089647, and "Metric" of 9999.
My gateway is managed by an Omada controller, so I can't SSH into the gateway or access its local management UI. I think I'm at the limit of how much I can diagnose.
