IPsec, not WireGuard

  1. OpenBSD has a native IPsec implementation, iked(8), and it is easy to configure.
  2. Using iked with certificate authentication means every client must import our CA certificate before it can connect; once that CA is trusted on the device, it can also be used to get around SSL/TLS censorship. (The same trust lets whoever holds the CA key issue certificates for any site the clients visit, so that key needs to be guarded accordingly.)
  3. WireGuard "lacks cipher and protocol agility"
    1. Many clients and operating systems today ship no WireGuard implementation, while Windows, macOS and iOS include a native IKEv2 client.
    2. If the WireGuard protocol or its cipher set ever changes, any user still on an old client will be unable to connect until that client is upgraded.
    3. A single hard-wired cipher suite is unnecessarily paranoid for this use case.
    "Imagine you have a VPN server with 200 road warrior clients somewhere out there in the world - which is a very normal use-case. If you were to change the cipher you are using from one day to the next one, you would need to upgrade your WireGuard software on all those laptops, phones, etc. at the same time. That is literally impossible. Administrators who have tried this needed months to deploy configuration changes. Sometimes even middle-sized companies need years to conduct a process like this.
    Compatibility matters and although you are using some weaker cipher, for many this is no reason to shut down their business and cut off hundreds of sales people from doing their job." -- "Why Not Wireguard"
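
A gateway configuration for the road-warrior setup these notes have in mind, added here as an example; it is not part of the original notes or of OpenBSD's own documentation. The gateway identity vpn.example.com, the client address pool 10.0.5.0/24, the resolver 10.0.5.1, the CA name vpn, the user identity alice@example.com and the pf tag ROADW are assumed values.

```conf
# /etc/iked/iked.conf: IKEv2 road-warrior gateway.
# Added example for these notes, not the original author's configuration.
# Assumed values: gateway identity vpn.example.com, client pool 10.0.5.0/24,
# resolver 10.0.5.1, pf tag ROADW.

# "passive" makes iked a pure responder and "peer any" accepts any initiator,
# so the connection is authenticated by certificates alone: "rsa" means the
# peer must present a certificate signed by a CA stored in /etc/iked/ca/.
# That CA is the one every client has to import before it can connect
# (point 2 above).
# With no ikesa/childsa lines iked offers its default proposal set, so old and
# new clients each negotiate a transform they support (point 3 above). To pin
# the transforms instead, add lines such as
#       ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group ecp256 \
#       childsa enc aes-256-gcm \
# between "peer any" and "srcid".
# "config address" hands each client an address from the pool,
# "config name-server" pushes the resolver, and "tag" marks the decrypted
# packets so pf(4) can match them with "tagged ROADW".
ikev2 "roadwarrior" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        peer any \
        srcid vpn.example.com \
        rsa \
        config address 10.0.5.0/24 \
        config name-server 10.0.5.1 \
        tag "ROADW"
```

On the gateway, create the CA and certificates with ikectl(8) before starting the daemon: `ikectl ca vpn create`, `ikectl ca vpn install`, then `ikectl ca vpn certificate vpn.example.com create server` and `ikectl ca vpn certificate vpn.example.com install` for the gateway itself (srcid must match the identity in that certificate). For each user, `ikectl ca vpn certificate alice@example.com create client` followed by `ikectl ca vpn certificate alice@example.com export` produces the bundle with the client key, its certificate and the CA certificate that the user imports on the device. Check the file with `iked -n`, enable it with `rcctl enable iked` and start it with `rcctl start iked`. pf(4) must admit UDP ports isakmp and ipsec-nat-t plus ESP on the external interface; the tag then lets a rule such as `pass in on enc0 tagged ROADW` admit only the decrypted road-warrior traffic.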