I have been running OpenVPN into the homelab for years and it worked, in the way an old car works: it goes, but you do not look forward to opening the bonnet. Certificates, a CA I half understood, a config file with thirty directives I had cargo-culted from a forum post in 2016 and was afraid to touch.
This weekend I replaced the lot with WireGuard. The whole server config is now shorter than the comments used to be.

    [Interface]
    Address = 10.10.0.1/24
    ListenPort = 51820
    PrivateKey = <server key>

    [Peer]
    PublicKey = <laptop key>
    AllowedIPs = 10.10.0.2/32

That is it. A keypair per device, one line of peer config each, no certificate authority, no TLS handshake, no daemon doing a hundred things. It is in the mainline kernel now too, as of the 5.6 series, so it is not even a strange out-of-tree module any more.
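A config this small is also easy to check mechanically. The following is an added example, not part of the original post: a lint for the server file that flags any peer whose AllowedIPs is wider than one host, outside the tunnel subnet, or claimed by two peers. It assumes the one-device-per-peer layout above with a single IPv4 Address; the phone and tablet peers and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the post's server config plus two extra peers (placeholder keys).
SAMPLE = """\
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <server key>
[Peer]
PublicKey = <laptop key>
AllowedIPs = 10.10.0.2/32
[Peer]
PublicKey = <phone key>
AllowedIPs = 10.10.0.2/32
[Peer]
PublicKey = <tablet key>
AllowedIPs = 0.0.0.0/0
"""

def parse_sections(text):
    """Return [(section, {key: value})]. [Peer] repeats, so configparser is not used."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 keys may end in "="
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit(text):
    """Return [(peer public key, problem)] for AllowedIPs that break the per-device layout."""
    sections = parse_sections(text)
    iface = next(s for name, s in sections if name == "Interface")
    subnet = ipaddress.ip_interface(iface["Address"]).network  # assumes one IPv4 address
    findings, seen = [], {}
    for peer in (s for name, s in sections if name == "Peer"):
        who = peer.get("PublicKey", "?")
        for entry in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(entry, strict=False)
            if net.num_addresses != 1:
                findings.append((who, f"{net} is wider than a single host"))
            elif net.version != subnet.version or not net.subnet_of(subnet):
                findings.append((who, f"{net} is outside {subnet}"))
            elif seen.setdefault(net, who) != who:
                findings.append((who, f"{net} is also claimed by {seen[net]}"))
    return findings
```

On the sample, the phone peer is reported for reusing the laptop's address and the tablet peer for claiming 0.0.0.0/0; the config from the post on its own produces no findings.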
The speed is nice and the reconnect-after-sleep behaviour is genuinely better. But the thing I actually value is the small surface area. I can hold the entire configuration in my head. When something breaks I will be able to reason about it, instead of grepping logs and praying. Less to understand is less to get wrong, and after years of the OpenVPN bonnet, that is the upgrade I wanted.