Just speculating. Can't test it out for you because I no longer use Surfshark.
Surfshark insists on using MSS Clamping. In your config file, try adding the following line:
PostUp = iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS ---clamp-mss-to-pmtu
I know for a fact that this works for Wireguard running on Linux. But for Windows, I have no clue if the command is the same. If not, try searching for adding MSS Clamping to your Wireguard connection profile.