One of the main selling points of WireGuard is that it runs much leaner than OpenVPN or IPsec tunnels, especially on embedded hardware, so there isn’t much of a workload in the first place.
Crypto used by IPsec (AES, SHA) is often accelerated by hardware - and the above-mentioned Ubiquiti has hardware for that. ChaCha/Poly used by WireGuard are not.
Of course, benchmarks from random strangers are not gospel, and the results aren’t particularly damning. But even then, you’re assuming that you have the luxury of running on a chip that comes with a hardware crypto engine. Good luck trying to get AES encryption/decryption speeds at anywhere near line rate with a Raspberry Pi or a run-of-the-mill router.
Doesn't feel light to set up if you're trying to get a tunnel working between different providers. We had a strange dead peer issue between Fortigate and Mikrotik and could never figure it out as it happened so rarely. All phase 1 and phase 2 settings were identical. I can imagine that happens elsewhere too.
There are also benefits to running your VPN endpoint on your network gateway - otherwise it can be difficult to configure routing tables to allow a user connecting from outside the network to access both internal and Internet IPs from the tunnel endpoint.
"It's free!" they say, if you can get it to run
The Geeks say, "Hey, that's half the fun!"
Yeah, but I got a girlfriend, and things to get done
The Linux OS SUCKS
(I'm sorry to say it, but it does.)
I was about to be annoyed by this comment until I saw it in the context of a song about how every operating system sucks, which, when framed like that, I can't help but agree with. ;) (although I will say that I've been having a better time w/ Arch Linux + dwm lately than any OS / setup I've ever used-- but then again I also love Raspberry Pis, have like 3 of them, and am, in fact, using one to run dnsmasq / WireGuard, so... xD)