by K0SM0S 2277 days ago
It's a lot more if you do it all manually; however, for most "common" use cases, one should probably go with automatically generated config files.

For instance pfSense provides you with single-click configs for any target platform, with certs, credentials etc. properly tied to some ACL or ID management system, etc. It's neat and pain-free and just works.

You could learn all the theory underneath (I mean systems, IT, not the crypto!) and do it manually (and you probably should for a big-enough infra, or specific-enough use-case), but that will be premature optimization I think.

Basic VPN is easy (take a weekend to learn / implement and you'll have all the great benefits of VPNs). WireGuard is "just" more efficient by an order of magnitude as I see it; it'll become the de facto low-profile implementation, methinks.


First setup always needs to be manual.
... yes, obviously? : )

We might not be using the word "manual" to mean the same here.

I meant not writing the whole XML, JSON, YAML or whatever yourself, manually copying certs and credentials etc — you're likely to make mistakes, it's tedious and useless most of the time. You'd rather use tools like Viscosity. Just efficient / best practice sysadmin.

You obviously need access to the target machine in the first place... it's a VPN setup.