Ramblings of an aging IT geek
networking

forty lines of config and my vpn just worked

Replacing a fragile pile of OpenVPN configuration with WireGuard across a homelab and a couple of phones, and being slightly annoyed at how little there was to it.

A patch panel and a coil of network cables

My OpenVPN setup worked, which is the most I will say for it. It was a server config the length of a short novel, a certificate authority I had set up once and now feared to touch, a ta.key whose purpose I had long forgotten, and a habit of dropping connections on mobile data and reconnecting in its own sweet time. Every time I added a device I had to mint a certificate, copy three files, and remember which of the four .ovpn profiles I had bodged for this exact phone. It was a Jenga tower of things that mostly stood up.

WireGuard finally landed in the mainline Linux kernel this winter, which was the nudge I needed to stop putting it off. I had read the "it's only a few thousand lines" pitch and assumed, as one does, that the simplicity was in the marketing rather than the experience. It is not. The whole thing is a couple of interfaces and a list of public keys, and that's genuinely it.

A rack of homelab gear with a small switch and a mini PC

Here is the entire server side. Not an excerpt, the whole thing:

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <server private key>

[Peer]
# phone
PublicKey = <phone public key>
AllowedIPs = 10.10.0.2/32

[Peer]
# laptop
PublicKey = <laptop public key>
AllowedIPs = 10.10.0.3/32

There is no CA, no per-client bundle, no handshake timeout to tune. Each peer has a keypair, you tell each side the other's public key and which addresses live behind it, and AllowedIPs does double duty as both the routing table and the access control list. The cryptography is fixed: one modern suite, no negotiation, no cipher downgrade to worry about. Half of what made OpenVPN configs long was choices I was unqualified to make and WireGuard simply doesn't offer.
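To make that double duty concrete, here is an added illustration (my own code, not from the post or the WireGuard project) of the cryptokey routing rule applied to the server config above: the same AllowedIPs table chooses which peer an outbound packet is encrypted to, and decides whether a packet decrypted from a peer is accepted at all. Function names are assumptions for the sake of the demo.

```python
import ipaddress

# The server config quoted in the post, embedded as sample input.
CONFIG = """[Interface]
PrivateKey = <server private key>
[Peer]
# phone
PublicKey = <phone public key>
AllowedIPs = 10.10.0.2/32
[Peer]
# laptop
PublicKey = <laptop public key>
AllowedIPs = 10.10.0.3/32
"""

def parse_peers(text):
    """Return [(public_key, [networks])]; hand-rolled because configparser rejects repeated [Peer] headers."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments like '# phone'
        if line == "[Peer]":
            current = {"PublicKey": None, "AllowedIPs": []}
            peers.append(current)
        elif line.startswith("["):  # [Interface] or anything else we ignore
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key == "PublicKey":
                current["PublicKey"] = value
            elif key == "AllowedIPs":
                current["AllowedIPs"] += [ipaddress.ip_network(v.strip()) for v in value.split(",")]
    return [(p["PublicKey"], p["AllowedIPs"]) for p in peers]

def route_outbound(peers, dst):
    """Routing-table duty: longest-prefix match over every peer's AllowedIPs; None = not tunnelled."""
    dst, best = ipaddress.ip_address(dst), None
    for pubkey, nets in peers:
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (pubkey, net)
    return best[0] if best else None

def accept_inbound(peers, pubkey, src):
    """ACL duty: a packet decrypted under pubkey is accepted only if its inner source is in that peer's AllowedIPs."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in dict(peers).get(pubkey, []))
```

The second function is why a peer cannot spoof another peer's address even with a valid key: the source address is checked against the same list that routes to it.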

The part that delighted me most is mundane: roaming. WireGuard is connectionless in the way that matters. There is no session to drop. My phone goes from wifi to 4G and back, and the tunnel doesn't reconnect because it never disconnected; the next packet just arrives from a new address and the server updates where it sends replies. With OpenVPN, switching networks meant a visible stall and a reconnect. With WireGuard I stopped noticing the VPN was there at all, which for a VPN is the entire point. PersistentKeepalive = 25 on the roaming peers keeps NAT mappings warm and that's the only knob I touched.

I will keep the OpenVPN box around for a fortnight out of superstition, then delete it and the CA and the forgotten ta.key with real pleasure. The honest summary is that I put off this migration for over a year because I assumed it would be a weekend, and it was an evening, most of which I spent double-checking I hadn't missed something. I hadn't. It really is just keys and a list of who can reach what.