A. You have a bunch of customer sites that are impossible for you to connect to using WireGuard as they all have challenges (ISP variety).
B. It's clear that they have to act as clients and thus will send out traffic to establish a connection.
C. Complicating the scenario is the fact that you want to be able to connect to them from a random location, let's say with your iPad at a coffee shop.
@anav thank you for the advice - I have to go through it. You've started at the right point. I've taken a pencil and paper again ...
A: Yes, some of the customer sites have a fixed IP, some do not
B: for security reasons, it is much better to initiate the connection from my side
C: actually no; I can connect to my site over VPN and from there I would like to access customer sites. So, it is enough if connections are made only from my site with a fixed IP
D: some customers have MikroTik, but most of them do not. Some customers have experienced network administrators, but not all - that's why a simple solution (in terms of the customer's ISP router) would be appreciated
E: a secret wish is that the WAN of the inside RB is a DHCP client ...