Wireguard remote access to LAN using VNC fails

Prior to the Brume2 bug, I had this sort of working, but it was flaky, so I am starting over.

WireGuard server on Brume has remote access to LAN and allowed IPs to LAN.

WireGuard client on iPhone will happily connect to LAN PC by RDP, but not connect to LAN Mac by VNC. The VNC clients on iOS work fine if the iPhone is on the LAN.

So why does RDP work and VNC not??? I presume it has something to do with VNC using 2 ports. I think I had this working previously by specifying a route from the WireGuard client subnet to the LAN, but it doesn't quite make sense why exactly that should make a difference.

So it appears that macOS VNC connections require Bonjour to work across the subnets.

So I followed these instructions:
Resolving mDNS across VLANs with Avahi on OpenWRT

Had to SSH to the router to get a command line interface. LuCI did not let me install avahi-daemon with opkg. Curiously, the router reports it is already installed.

root@GL-MT2500:~# opkg install avahi-daemon
Package avahi-dbus-daemon (0.8-7) installed in root is up to date.
Updating database.
Database update completed.

I used the vi editor to edit the config file:

root@GL-MT2500:~# vi /etc/avahi/avahi-daemon.conf
[...edit...]
[reflector]
enable-reflector=yes

Not sure if the avahi-daemon was already running - maybe it was? In any case, I started and enabled it:

/etc/init.d/dbus start
/etc/init.d/dbus enable
/etc/init.d/avahi-daemon start
/etc/init.d/avahi-daemon enable

In any case, it is working now and I can use RealVNC to connect to macOS screen sharing over WireGuard.

I didn't do anything else to the firewall rules. IGMP snooping is turned on but it didn't fix the issue by itself.

Unclear if MTU adjustments were also required. Some sources suggest an MTU of 1380-1384 is needed on the WireGuard client and 1420 on the server end.

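The manual vi edit above is the one step that is easy to get wrong on a router (the default config ships the line commented out as `#enable-reflector=no`). As an added example, not from the original post or from GL.iNet/Avahi, here is a POSIX sh helper that checks whether a given avahi-daemon.conf already enables the reflector and, if not, sets `enable-reflector=yes` in the `[reflector]` section idempotently. The config path is a parameter; file names and sample contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): manage the Avahi reflector
# setting in an avahi-daemon.conf. Assumes POSIX sh and awk only.

# Exit 0 if the [reflector] section contains an active enable-reflector=yes
# line, 1 otherwise. Commented-out lines (#enable-reflector=no) do not count.
avahi_reflector_enabled() {
    awk '
        /^\[/ { sect = $0 }
        sect == "[reflector]" && /^[ \t]*enable-reflector[ \t]*=[ \t]*yes[ \t]*$/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Rewrite the file so [reflector] contains exactly one enable-reflector=yes:
# replaces an existing (possibly commented) enable-reflector line, adds the
# line if the section exists without it, or appends the whole section.
avahi_enable_reflector() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    awk '
        /^\[/ {
            # leaving [reflector] without having written the line: add it now
            if (sect == "[reflector]" && !done) { print "enable-reflector=yes"; done = 1 }
            sect = $0
        }
        sect == "[reflector]" && /^[ \t#]*enable-reflector[ \t]*=/ {
            if (!done) { print "enable-reflector=yes"; done = 1 }
            next    # drop the old (or commented) line
        }
        { print }
        END {
            if (!done) {
                if (sect != "[reflector]") print "[reflector]"
                print "enable-reflector=yes"
            }
        }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}
```

On the router this would be run against /etc/avahi/avahi-daemon.conf followed by `/etc/init.d/avahi-daemon restart`; since a reflector forwards every mDNS announcement between all interfaces it sees, it is worth also restricting `allow-interfaces=` in the `[server]` section to just the LAN and WireGuard interfaces.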