Alternate address
Based on my experiments with IPv6 prefix delegation and subnetting I determined a prefix to delegate to Steve. Steve has asked for a /64 delegation like the one I would get from him. The prefix became 1011, derived in this manner: My LAN (0019) is actually subnet 0 in the first level (/56), subnet 1 in the next level (/60) and subnet 9 in the third level (/64). So the 1011 is subnet 10 (first level), 1 second level and again 1 third level. The initial 10 could also be interpreted as subnet 1 in a /52 allocation and subnet 0 in the /56 allocation giving a total of four possible subnet levels.
Steve's configuration using 2a06:4000:8073:1011::/64
(basically excerpts from an email)
i) on the VPN router
    ip addr add dev br-lan 2a06:4000:8073:1011::2/64
    ip route add default from 2a06:4000:8073:1011::/64 dev tun2 metric 10    # for return traffic
ii) on Ictoan
    ip addr add dev br-lan 2a06:4000:8073:1011:202:12:89:12/64
    ip route add default from 2a06:4000:8073:1011::/64 via 2a06:4000:8073:1011::2    # for return traffic
a) on Vultrgate
    ip route add 2a06:4000:8073:1011::/64 dev tun0
    ip route add 2001:44b8:5135:7c07::/64 dev wg0

Add 2001:44b8:5135:7c07::/64 to Bent's peer "allowed-ips".
Bent's end 2001:44b8:5135:7c07::/64
gate-rpi
The basic IP commands are:
    ip addr add dev eth0 2001:44b8:5135:7c07::44/64
    ip route add default from 2001:44b8:5135:7c07::/64 dev wg0 metric 10    # for return traffic
    ip -6 route add 2a06:4000:8073:1011::/64 dev wg0
Two of the three commands are easily transferred to networkd configuration files, but the one with 'default from' isn't. The solution chosen was to write a systemd service file for this. The service file is listed further down. Here is the configuration file for eth0:
    # /etc/systemd/network/eth0.network
    [Match]
    Name=eth0

    [Network]
    Address=192.168.19.44/24
    DNS=192.168.19.5
    IPForward=yes
    Address=2a06:4000:8073:19::44/64
    Address=2001:44b8:5135:7c07::44/64
    IPv6AcceptRA=yes
and for the tunnel interface (wg0):
    # /etc/systemd/network/wg0.network
    [Match]
    Name=wg0

    [Network]
    Address=10.8.3.2/24
    IPForward=yes

    [Route]
    #Gateway=10.8.3.1
    Destination=2a06:4000:8073:1011::/64
Spot
Similarly the basic IP commands are:
    ip addr add dev enp2s0 2001:44b8:5135:7c07::5/64
    ip route add default from 2001:44b8:5135:7c07::/64 via 2001:44b8:5135:7c07::44 metric 10    # return traffic
The 'default from' entry is again handled by a service file. Configuration file for enp2s0:
    [Match]
    Name=enp2s0

    [Network]
    Address=192.168.19.5/24
    Gateway=192.168.19.254
    Address=2a06:4000:8073:19::5/64
    DHCP=no
    IPv6AcceptRA=yes

    [Address]
    Address=2001:44b8:5135:7c07::5/64
    PreferredLifetime=0
(The PreferredLifetime=0 is there to prevent using this address as the source address for outgoing connections.)
Service script
    # /etc/systemd/system/return-route.service
    [Unit]
    Description=Return route for IPv6 traffic
    After=network-online.target

    [Service]
    ExecStart=/usr/bin/ip -6 route add default from 2001:44b8:5135:7c07::/64 via 2a06:4000:8073:19::44 dev enp2s0 metric 10
    ExecStop=/usr/bin/ip -6 route del default from 2001:44b8:5135:7c07::/64 via 2a06:4000:8073:19::44 dev enp2s0 metric 10
    Type=oneshot
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target
This is the script from Spot. The one on gate-rpi is identical except for the interface name which is eth0 on gate-rpi. It doesn't have the 'via' part either.
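To see what the 'default from' route changes on Spot, here is an added example (not part of the original page or the email excerpts) that models source-dependent route choice: longest destination match, then longest source match, then lowest metric. It is a simplified model, not the kernel's lookup code; the RA-learned gateway fe80::1 and the metrics 256 and 1024 are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    dst: str            # destination prefix
    src: str            # 'from' prefix; "::/0" when the route has no 'from'
    via: Optional[str]  # next hop, None for an on-link route
    dev: str
    metric: int

# Spot's IPv6 routes. The two on-link routes follow from the addresses in the
# enp2s0 configuration; the RA default (gateway fe80::1) and the metrics 256
# and 1024 are constructed assumptions; the last entry is the service file's route.
SPOT_ROUTES = [
    Route("2a06:4000:8073:19::/64", "::/0", None, "enp2s0", 256),
    Route("2001:44b8:5135:7c07::/64", "::/0", None, "enp2s0", 256),
    Route("::/0", "::/0", "fe80::1", "enp2s0", 1024),
    Route("::/0", "2001:44b8:5135:7c07::/64", "2a06:4000:8073:19::44", "enp2s0", 10),
]

def select_route(routes, src, dst):
    """Longest destination match, then longest source match, then lowest metric."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    best, best_key = None, None
    for r in routes:
        dnet, snet = ipaddress.IPv6Network(r.dst), ipaddress.IPv6Network(r.src)
        if d not in dnet or s not in snet:
            continue  # route does not apply to this (source, destination) pair
        key = (dnet.prefixlen, snet.prefixlen, -r.metric)
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best

def next_hop(routes, src, dst):
    """Return the chosen next hop, "on-link", or None when nothing matches."""
    r = select_route(routes, src, dst)
    return None if r is None else (r.via or "on-link")

if __name__ == "__main__":
    remote = "2a06:4000:8073:1011:202:12:89:12"  # Ictoan's address from the page
    for src in ("2001:44b8:5135:7c07::5", "2a06:4000:8073:19::5"):
        print(src, "->", remote, "via", next_hop(SPOT_ROUTES, src, remote))
    # Without the 'default from' route, replies from the alternate address
    # would leave through the ordinary default gateway instead of gate-rpi.
    print("no return route:", next_hop(SPOT_ROUTES[:3], "2001:44b8:5135:7c07::5", remote))
```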