The OpenVPN box had been limping for months. A tangle of certificates, a server.conf I no longer fully understood, and a TLS handshake that decided to take its time whenever I roamed between wifi and 4G. I kept it because it worked, mostly, and because the thought of migrating it filled me with a particular sort of dread.
WireGuard took an afternoon. The whole config for a peer is short enough to read in one go: a private key, the peer's public key, an endpoint, and an AllowedIPs line that doubles as both routing and a crude firewall. No certificate authority, no easy-rsa, no remembering which file the Diffie-Hellman params live in. Each peer is a [Peer] block, and that is genuinely the whole mental model.
The bit that surprised me was roaming. Because WireGuard is connectionless over UDP and keys the session off the static key pair, my phone switching networks just works. The link goes quiet, the next packet re-establishes it, and I never notice. With OpenVPN I'd watch the tunnel time out and reconnect; here there is nothing to watch.
It is not magic, of course. You still have to think about key distribution, and wg-quick will happily route all your traffic into a hole if you fat-finger AllowedIPs = 0.0.0.0/0. But it's the first time the VPN in my house has felt boring, and boring is exactly what I wanted from it.