Instead, I could just terminate both kinds of tunnels on the VPS, and just route from one to the other. Though that means that I have the config for "VPN clients" on a possibly less trustable VPS on foreign infrastructure, and also unencrypted traffic flowing between the two wg tunnels out there.
Just forwarding the client tunnel traffic to a wg instance at home would mean that I keep full control over that end.
Not really having used WireGuard up to now (except for very simple 1:1 setups connecting two hosts), it doesn't seem I'd have many concerns to take into account with tunnel-in-tunnel traffic, except keeping an eye on the MTU for the inner tunnel?
Setup of an endpoint that keeps both the tunnel going out to the VPS with a stable IP address and terminates incoming wg traffic coming in through that tunnel will probably need some form of nonstandard configuration...
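One way to wire up the "forward client traffic to a wg instance at home" variant, as an added example that is not the poster's own setup: the VPS only relays the encrypted inner-tunnel UDP packets through the outer tunnel, the inner keys and the plaintext stay at home, and the inner MTU is reduced to fit inside the outer tunnel. All keys, the 10.0.0.0/24 and 10.1.0.0/24 ranges, ports 51820/51821, eth0 and vps.example.org are constructed placeholders.

```ini
# --- VPS: /etc/wireguard/wg0.conf (outer tunnel, stable public IP) ---
[Interface]
PrivateKey = <VPS_OUTER_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 51820
# Relay client handshakes arriving on UDP 51821 into the outer tunnel.
# Needs net.ipv4.ip_forward=1; "eth0" is an assumed interface name.
PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp --dport 51821 -j DNAT --to-destination 10.0.0.2:51821
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp --dport 51821 -j DNAT --to-destination 10.0.0.2:51821
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
PublicKey = <HOME_OUTER_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
# --- Home: /etc/wireguard/wg0.conf (outer tunnel, dialled out from behind NAT) ---
[Interface]
PrivateKey = <HOME_OUTER_PRIVATE_KEY>
Address = 10.0.0.2/24

[Peer]
PublicKey = <VPS_OUTER_PUBLIC_KEY>
Endpoint = vps.example.org:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
# --- Home: /etc/wireguard/wg1.conf (inner tunnel, where clients terminate) ---
[Interface]
PrivateKey = <HOME_INNER_PRIVATE_KEY>
Address = 10.1.0.1/24
ListenPort = 51821
# Inner packets travel inside the outer tunnel (default MTU 1420), so
# subtract WireGuard's overhead once more; 80 bytes covers an IPv6 outer path.
MTU = 1340

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.1.0.2/32
# --- Client: wg0.conf (only ever sees the VPS address; MTU must match) ---
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.1.0.2/24
MTU = 1340

[Peer]
PublicKey = <HOME_INNER_PUBLIC_KEY>
Endpoint = vps.example.org:51821
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

The MASQUERADE on the VPS is what keeps the home end's replies flowing back through the outer tunnel instead of out of the home uplink, at the cost that wg1 at home sees every client as 10.0.0.1; replacing it with policy routing on the home side preserves client source addresses but is the nonstandard part the post anticipates.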