Is it the server telling the server that the client’s port is unreachable or is it the client telling the server that the port is unreachable? Do you see the packets traveling over the Wireguard interface? Do you see the response if you use Wireguard from the client?

The request traced out is incorrect. WG Client IP initiates a DNS request to Server IP, and then WG Client Addr receives a response from WG Server Addr. The DNS response should come from the same IP that the request was sent to. The client may be rejecting a response coming from an unexpected source. If you’re doing masquerading instead of plain routing, you need to make sure that you’re doing NAT in both directions.