WireGuard peer port randomly changes ignoring UI setting

Started by unholy_saint, Today at 01:15:14 AM

Today at 01:15:14 AM Last Edit: Today at 10:36:10 AM by unholy_saint
Hello,

I noticed a weird behavior on a Proxmox VPS. A running WireGuard tunnel with one peer suddenly stopped working. After checking the settings in the web interface and even rebooting several times I found no configuration problems, and SSH-ed into the router. It turned out the peer endpoint port does not match the one set in the web UI, and restarting the interface or the router just changes it to a different random one. If I change the port to another one, save/apply, then change it back to the actual one and save/apply again, both changes are correctly applied. However, if I just press apply again, change anything but the port, disable/enable the interface or reboot the router, the remote port changes to a random one again. The web UI, however, continues to show the one I set in it.

Until now, each time I used WireGuard on OPNsense it was on the receiving end of the connection, so I have no idea if what I see is a unique bug or a known "feature". This time, however, the router is behind two layers of NAT, one of them not controllable by me, so there is no way to rely on incoming connections. It has to be initiated by the router.

Any idea what could be happening and how to debug the issue?