by Spivak
2280 days ago
> new version of Wireguard that doesn't work with the old version.

Right, and maybe this is actually an improvement in security overall but it just externalizes the downgrade attack, since once there are multiple versions of WG floating around with different vendors/clients only supporting a specific version you end up similarly vulnerable since you need to run multiple WG endpoints of different versions. And since it’s a kernel module you’ve made the hassle of doing so very annoying compared to one line in a config file. IPSec feels messy and complex specifically because the world is messy and complex. WG is fantastic and I love it dearly for “the 90% case” where I have total control over all peers.