For anyone who thought this doesn't feel comprehensive, the Prior Work section covers why -
"The WireGuard handshake protocol has undergone rigorous formal verification of desired properties using the Tamarin proof system [2]. Many of the cryptographic primitive implementations have also been formally verified as correct. The remaining implementations have been carefully fuzzed against the verified implementations to ensure correctness."
So all put together the simplicity goal really paid off for WireGuard.
Boring in the sense that nothing exciting was found, but encouraging that 1) nothing was found! 2) null-result publication is useful in and of itself, sometimes.
Ultimately this is a fatal flaw in the peer review system in the way most scientific publications do it.
The review should happen independent of the result, and ideally the publication decision should happen before the research is performed. (There are some publications that do something similar - it's called "Registered Reports" - but it's still a small minority.)
How much of a challenge is it to implement a purely userspace client? Last I checked the WireGuard app depends on the Linux kernel's crypto primitive APIs a lot.
For increased adoption, it needs to support Windows and iOS.
Not only that, high performance packet routing is sometimes done mostly in user-space (haven't looked much into XDP yet).
iOS is not compatible with the GPL license, and that platform is horribly closed; people shouldn't use it for anything more serious than DRM content consumption. I tried to compile it with a dev provisioning profile but gave up in the end; it is also not complete yet. It works perfectly and easily on Android and Linux, and that's what I care about the most.
Works fine for me on Manjaro using wireguard-dkms and the Wireguard app from the F-Droid store.
Copying public keys back and forth via email seemed a bit of a faff so there's probably a better way. Possibly using `qrencode` would let you set up the client configuration...
Perhaps I am misunderstanding the premise of WireGuard, as all the tutorials seem to be setting up a client and a server that are on the same network. Is it not possible to have the server as a VPS and have the client connect via the Internet?
There is really no difference between setting up WireGuard on a local network or via the Internet, as long as one of the hosts can listen on a public UDP port. If one of your clients is behind a NAT, you may need to enable the keepalive option in the client's config.
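To make the VPS-plus-NATed-client setup from the reply above concrete, and to cover the earlier suggestion of handing the client its config as a QR code instead of e-mailing keys, here is an added example script (mine, not from the thread or the WireGuard project). The tunnel addresses (10.0.0.0/24), the public endpoint 203.0.113.10, port 51820 and the placeholder key strings are all assumptions; the server only needs to reach the Internet on one UDP port, and the client behind NAT sets `PersistentKeepalive` so the NAT mapping stays open.

```shell
#!/bin/sh
# Added example, not code from the original thread. Renders a WireGuard server
# config that listens on a public UDP port and a client config for a peer
# behind NAT. Tunnel subnet, endpoint, port and placeholder keys are assumptions.
set -eu

# Server side (the VPS): listens on a public UDP port and whitelists the
# client's tunnel address for that client's public key.
# $1 server private key, $2 client public key, $3 UDP listen port
render_server_conf() {
  cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = $3
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = 10.0.0.2/32
EOF
}

# Client side (behind NAT): no ListenPort, it dials the server's public
# endpoint. PersistentKeepalive sends a packet every 25 s so the NAT keeps the
# UDP mapping alive and the server can still reach the client between bursts.
# $1 client private key, $2 server public key, $3 server endpoint host:port
render_client_conf() {
  cat <<EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
EOF
}

# Generate real keys when the wg tool is installed; otherwise fall back to
# constructed placeholder strings so the script still runs offline.
if command -v wg >/dev/null 2>&1; then
  SERVER_PRIV=$(wg genkey); SERVER_PUB=$(printf '%s\n' "$SERVER_PRIV" | wg pubkey)
  CLIENT_PRIV=$(wg genkey); CLIENT_PUB=$(printf '%s\n' "$CLIENT_PRIV" | wg pubkey)
else
  SERVER_PRIV=SERVER_PRIVATE_KEY_PLACEHOLDER; SERVER_PUB=SERVER_PUBLIC_KEY_PLACEHOLDER
  CLIENT_PRIV=CLIENT_PRIVATE_KEY_PLACEHOLDER; CLIENT_PUB=CLIENT_PUBLIC_KEY_PLACEHOLDER
fi

render_server_conf "$SERVER_PRIV" "$CLIENT_PUB" 51820 > wg0-server.conf
render_client_conf "$CLIENT_PRIV" "$SERVER_PUB" 203.0.113.10:51820 > wg0-client.conf
chmod 600 wg0-server.conf wg0-client.conf   # both files contain private keys

# Show the client config as a terminal QR code for the phone app to scan,
# instead of mailing keys around (qrencode is optional).
if command -v qrencode >/dev/null 2>&1; then
  qrencode -t ansiutf8 < wg0-client.conf
fi
```

Bring the tunnel up with `wg-quick up ./wg0-server.conf` on the VPS and scan or import `wg0-client.conf` on the client; only UDP 51820 has to be open inbound on the server, the NATed client opens nothing. Change the client's `AllowedIPs` to `0.0.0.0/0` if all traffic should go through the tunnel rather than only the 10.0.0.0/24 subnet.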