xlab-gw: fix MSS clamp — match SYN-ACK too, use rt mtu

Old rule `tcp flags & (syn|ack) == syn` only matched plain SYN. SYN-ACK from the server has SYN+ACK both set, so masking with syn|ack and comparing == syn FAILED for SYN-ACK.

Result: server responses came back unclamped, full-MTU TCP segments overflowed the WG path's effective MTU (1420 inner), large pages silently stalled — YouTube didn't load, Microsoft pages partial-loaded, Google was slow. Browsers retried indefinitely, looked like "the network is broken" from a user perspective.

Replaced with `& (syn|rst) == syn` which matches both plain SYN and SYN-ACK (only excludes RST, which carries no data). Combined with `set rt mtu` instead of the hard 1280 — lets the kernel pick the right MSS per egress interface (wg-to-wgnet → 1380 v4 / 1360 v6) instead of pessimistically clamping everything. User's commented-out line had the right idea (rt mtu) but wrong flag mask; fixed both at once.

| hosts/xlab-gateway/networking.nix |
|---|
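
The flag-mask difference described in the commit message, worked through as an added example (not code from this repository): a small model that evaluates both masks against constructed handshake segments and derives the MSS from the 1420-byte inner MTU. The `Segment` type, the sample segments and their 1460/1440 starting MSS values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# TCP header flag bits
SYN, RST, ACK = 0x02, 0x04, 0x10
OLD_MASK = SYN | ACK  # tcp flags & (syn|ack) == syn
NEW_MASK = SYN | RST  # tcp flags & (syn|rst) == syn
WG_MTU = 1420         # inner MTU of the WG path, from the commit message

@dataclass
class Segment:
    name: str
    flags: int
    mss: Optional[int]  # MSS option value; None when the option is absent
    ipv6: bool = False

# Constructed sample traffic: endpoints assumed to sit on 1500-byte links.
SAMPLE = [
    Segment("client SYN v4", SYN, 1460),
    Segment("server SYN-ACK v4", SYN | ACK, 1460),
    Segment("server SYN-ACK v6", SYN | ACK, 1440, ipv6=True),
    Segment("RST-ACK v4", RST | ACK, None),
]

def matches(flags: int, mask: int) -> bool:
    """Evaluate the rule's match: (flags & mask) == syn."""
    return (flags & mask) == SYN

def route_mss(mtu: int, ipv6: bool) -> int:
    """Largest MSS that fits the MTU: minus IP (20 v4 / 40 v6) and TCP (20) headers."""
    return mtu - (40 if ipv6 else 20) - 20

def forward(seg: Segment, mask: int, mtu: int = WG_MTU) -> Optional[int]:
    """MSS the receiver sees after the gateway rule; this model only ever lowers it."""
    if seg.mss is None or not matches(seg.flags, mask):
        return seg.mss
    return min(seg.mss, route_mss(mtu, seg.ipv6))

def simulate(mask: int) -> dict:
    """Run every sample segment through the rule built from the given mask."""
    return {seg.name: forward(seg, mask) for seg in SAMPLE}

if __name__ == "__main__":
    for label, mask in (("old (syn|ack)", OLD_MASK), ("new (syn|rst)", NEW_MASK)):
        print(label)
        for name, mss in simulate(mask).items():
            print(f"  {name:20} MSS -> {mss}")
```

With the old mask only the client's SYN is rewritten, so the server's advertised MSS reaches the client unchanged; with the new mask both directions are clamped.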