I have mixed MT & Ubuntu WG vpn mesh. All of them have public IPs and have valid endpoint configs on both ends.

Sometimes MT <-> Ubuntu communicate, but won't finish handshake. Most (if not always) of the time I notice in the Ubuntu wg stats the MT endpoint is listed with the wrong port (different from the endpoint one). My guess is the MT NATs the outgoing connection and some confusion happens.

Trying to exclude WG backbone traffic from srcnat on MT end, I want to create mangle rule to mark packets and then have that mark excluded in the default srcnat rule.

What's the right way to do the mangle rule? I'm still not sure where WG stands in the routing flow (I've looked at the chart numerous times, sorry).

P.S. I already have input/accept rule for the ports.