HomeKit devices discovery via mDNS on VPN connection

That looks fine. Can you check whether you see the same type of advertisements on the wgclient? (You may need to run it without the multicast argument and just check on the port.)

tcpdump -i wgclient port 5353

If it's empty then it doesn't work.

Also, I notice the 239 IP; this is likely SSDP, and for discovery it is limited to its current subnet, so if your HomeKit uses this then it might not work.

Best is to use TCP, or UDP/TCP; "any" is only relevant if you also deal with ICMP, but since that is not used it should be fine as TCP/UDP :slight_smile:

Silence on this port... :frowning:

There are only these options available to set as destination:

I think the IP/port group looks okay, but I'm not sure :+1:

Do you think ZeroTier will work better in this case? Do I need to try to set it up one more time?
So close - I can ping and view video from the device via the native app but can't add it to HomeKit...

Unfortunately I have no experience with ZeroTier; it needs to support layer 2.

The best thing would be to look for an EVPN solution, but then it depends on how you want to use it.

Currently you have VXLAN and gretap as protocols, but these work kind of like point-to-point tunnels, so if you use a VPN without layer 2 support you can encapsulate layer 2 traffic through the gretap/VXLAN tunnel.

But that is only possible between two routers where both can use this protocol on the WireGuard tunnel.

Currently I build my own OpenWrt images with pre-baked configuration to suit my own network, but it can also work as an example of how I configured VXLAN :slight_smile:

It is an idea to do it that way :wink:
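An added example, not part of any post in this thread: once traffic does show up on port 5353 on the tunnel interface, this decodes an mDNS payload and lists the PTR advertisements for a given service type, so you can confirm the HomeKit announcement itself crossed the tunnel. The function names and the sample packet are constructed for illustration; `_hap._tcp.local` (the service type HomeKit IP accessories advertise) is not named in the thread and is used here as the assumed default.

```python
import struct

def read_name(msg, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset of the first byte after the name as stored at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # two-byte compression pointer
            if end is None:
                end = off + 2                  # resume point in the original record
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                      # malformed packet: pointer cycle
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                        # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("utf-8", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def ptr_records(msg):
    """Return [(owner, target)] for every PTR record in an mDNS message."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                        # skip the question section
        _, off = read_name(msg, off)
        off += 4                               # qtype + qclass
    found = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 12:                        # PTR: rdata is a (compressed) name
            target, _ = read_name(msg, off)
            found.append((owner, target))
        off += rdlen
    return found

def advertises(msg, service="_hap._tcp.local"):
    """Instance names announced for `service` (assumed HomeKit default)."""
    return [t for o, t in ptr_records(msg) if o.lower() == service]

# Constructed sample: an mDNS response announcing one accessory named "Camera".
SAMPLE = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0)
          + b"\x04_hap\x04_tcp\x05local\x00"
          + struct.pack("!HHIH", 12, 1, 4500, 9)
          + b"\x06Camera\xc0\x0c")

if __name__ == "__main__":
    print(advertises(SAMPLE))
```

Feed it the UDP payload of each port 5353 packet from a saved capture; an empty list on the tunnel side while the LAN side shows the accessory means the advertisement is not crossing.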