Consider the following scenario:

Wireguard (daemon) is running on a *:123/udp

Not always a great way out from a hotel network, since NTP is usually rate-limited - sometimes a great way out. Things change.

Instead of deciding on 1 service-port for Wireguard, having Wireguard transparently serve on more ports, seems like a good solution and does not require running multiple interfaces or services.

In the following example, iptables will translate requests coming in at port 8443/udp and redirect them to where Wireguard is actually listening; 123/udp

iptables -t nat -I PREROUTING -i ens160 -d 10.87.132.254/32 -p udp -m multiport --dports 8443  -j REDIRECT --to-ports 123

Now connecting to :8443/udp (and still 123/udp, obviously) will access Wireguard, just that it's translated internally.

As always, change the arguments to fit your environment.