Which port to run Wireguard on

Changing ports isn’t a terrible thing, also not the perfect “fix” either, as you can still recognize open ports and scan the service on them.

Some ports are reserved in networking, so should stay away from those.

Some ISPs don’t allow you open ports on 80/443 as those are web hosting ports and they provide a service to consumers to download content from the internet, not for their consumer to be a web hosting provider as well. That’s at the residential level, if you have a business plan that might change, but it might be hard to convince and ISP otherwise.

Just change the port slightly, like 51831 or something. That will help a bit, but VPN traffic can be identified regardless of what port it's on.

Generally speaking, you never want to use a low port (<1024) for anything other than the service assigned to it, because it causes all kinds of headache. Both on your side and on the other side. As for high ports, pick whichever one you prefer. They don't have any binding to a given service, though there are some conventions.

The thing that shows people you're running a VPN is not the port but the protocol header, so changing the port is pretty much useless if you want your ISP to not know you're running a VPN for some reason.

I used 51968 when I still had WG in use (switched back to the old setup). Anything besides the default (51820 when I used DDG correctly) should be fine. I wouldn't use 443 as that's reserved for https, unless you want loads of https probes to be handled by wg ;) )

picking a different port that isn't also used by another common service will eliminate most of the botscans you'll see otherwise.

... do you have a reason to belive your ISP cares if you run wireguard?