Thank you for working on this and making sure the implementation is done right.
See also: Using OCF in WireGuard from the same report.
I was curious from that why WireGuard uses the smaller nonce. From libsodium’s description of the two algorithm variants, the version with the longer nonce has a much tighter restriction on the number of bytes you can encrypt safely with the same (key, nonce) pair (which presumably means that WireGuard doesn’t have to be as careful as IPSec about nonce roll-over) but it doesn’t explain why that should be the case.
Great news Jason!
I tried to run wire guard in a jail before and tweaking the network settings on that jail to work with it caused the host to stop responding to mDNS. Weirdest experience. Just moved to a Linux vm instead of solving it.