My OpenVPN setup worked, which is the only nice thing I have to say about it. It was a thicket of certificates, a CA I'd set up years ago and was frankly scared to touch, a config file full of options I'd copied from a forum and never understood, and a connection that took a few seconds to establish every time and dropped the moment my phone changed networks. I tolerated it because the cost of replacing it always looked higher than the irritation.
WireGuard changed that maths completely. The entire config for a peer is short enough to read in one glance and understand in full:

[Interface]
PrivateKey = <key>
Address = 10.0.0.2/24

[Peer]
PublicKey = <server key>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25

That's it. No certificate authority, no cipher negotiation to misconfigure, no sprawling options file. Each side has a key pair, each knows the other's public key, and the kernel does the rest. The handshake is so fast the connection feels like it's simply always there, and roaming between wifi and mobile no longer drops it, which alone justified the swap.
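Because the format is this small, it can be checked mechanically before it is loaded. The following is an added example, not part of the original post: a minimal Python linter for configs laid out like the one above. The function names and the throwaway key values are assumptions made for illustration.

```python
import base64, ipaddress

def parse_wg(text):
    """Return [(section, {key: value})]. [Peer] may repeat, so configparser won't do.
    Simplification: a key repeated inside one section keeps its last value."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)          # base64 padding '=' stays in value
            sections[-1][1][key.strip()] = value.strip()
    return sections

def is_key(value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:                               # binascii.Error is a ValueError
        return False

def lint(text):
    problems = []
    for name, opts in parse_wg(text):
        required = {"Interface": "PrivateKey", "Peer": "PublicKey"}.get(name)
        if required and required not in opts:
            problems.append(f"[{name}] missing {required}")
        for field in ("PrivateKey", "PublicKey", "PresharedKey"):
            if field in opts and not is_key(opts[field]):
                problems.append(f"[{name}] {field}: not base64 of 32 bytes")
        for field in ("Address", "AllowedIPs"):
            for cidr in opts.get(field, "").split(","):
                try:
                    if cidr.strip():
                        ipaddress.ip_network(cidr.strip(), strict=False)
                except ValueError:
                    problems.append(f"[{name}] {field}: bad CIDR {cidr.strip()!r}")
        keepalive = opts.get("PersistentKeepalive", "off")
        if keepalive != "off" and not (keepalive.isdecimal() and int(keepalive) <= 65535):
            problems.append(f"[{name}] PersistentKeepalive: expected 0-65535 or off")
    return problems

def sample(allowed="10.0.0.0/24"):
    """Constructed sample: the post's layout with throwaway 32-byte values as keys."""
    k1 = base64.b64encode(bytes(range(32))).decode()
    k2 = base64.b64encode(bytes(range(32, 64))).decode()
    return (f"[Interface]\nPrivateKey = {k1}\nAddress = 10.0.0.2/24\n"
            f"[Peer]\nPublicKey = {k2}\nEndpoint = vpn.example.net:51820\n"
            f"AllowedIPs = {allowed}\nPersistentKeepalive = 25\n")

if __name__ == "__main__":
    print(lint(sample()) or "ok")
    print(lint(sample("10.0.0.0/33")))
```

Run against the template exactly as printed above, it reports the two unfilled key placeholders, which is a quick way to catch a config that was copied but never completed.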
It's still relatively young and it isn't in the mainline kernel yet, so there's a module to install and it lacks some of OpenVPN's enterprise plumbing. For a personal VPN into the homelab, none of that matters and the simplicity is the whole point. A config you can hold in your head is a config you'll actually maintain. The OpenVPN files are deleted, the CA is gone, and I feel lighter for it.