I think I'm missing the point of this statement. Everything that follows seems to be about using NAT loopback on the WAN DDNS address to access an internal server. So I fail to see the relevance of tun11 in this scenario.
You don't describe how you have configured tun11 or any related policy routing rules so perhaps they have a bearing. But ignoring that for the moment, to get NAT loopback to work you would need to create a standard port forwarding rule for port 80 under "WAN - Virtual Server / Port Forwarding" which as far as I can see you haven't done.
The DDNS is pointing at tun11 IP, not the WAN/ISP connection.
It is an OpenVPN client which has port forwarding enabled from the VPN service provider.
Hence tun11 -> LAN.
Not WAN -> LAN.
And this works perfectly from the outside.
I can see how this might cause confusion though, most people don't use a VPN client as a "WAN" connection like I do.
Hmm the Port Forwarding in the GUI is strictly related to WAN right?
I have no intention on opening ports on my WAN.
I don't know what related policy routing rules I need or how to show them?