Checked what the UDP hole-punch ports being used each way are and tested these from outside using netcat from the Azure Linux VMs. They work perfectly, but not between Windows peers. They seem to be trying the right ports, though. On the firewalls, all traffic from the WireGuard network is allowed, and dropping the firewalls doesn't help. Besides, they work up to a point, and happily from a Linux node.