by tptacek 1544 days ago
One simple reason is that the serverside might not want to expose a shell to its clients, and instead just provide network connectivity; you can configure something like that with SSH, but it's a pain, and WireGuard is approximately as simple to set up as SSH, which is the primary reason it's so popular.
2 comments

And its crypto is "very good" (so I've heard, not an expert)

And it's fast/low overhead.

And yea, surprisingly easy, "just works"

I lurk their mailing list, seems a nice group.

It is very good, it is objectively better in a lot of ways than legacy DNS protocols. But its popularity is, I think, mostly because of ease-of-use.
Is it a pain? As far as I know, all that's needed is to insert restrict,command="/sbin/nologin",port-forwarding before the user's key in authorized_keys. You can add more security by using a separate user, but individual Unix users for each client are not^W^Wshould not be necessary for security.
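An added example, not part of the thread: a small auditor that reads authorized_keys text and reports which keys are not limited to forwarding in the way the comment above describes. The function names (split_options, effective, audit) and the sample keys are constructed for illustration; options are modelled as applied left to right, so a later port-forwarding re-enables what restrict turned off.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options
def split_options(line):
    """Split the leading options field, honouring quoted commas and spaces."""
    if line.startswith(KEY_PREFIXES):
        return []
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 1          # escaped quote inside a value
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        elif ch in " \t" and not quoted:
            break                              # options field ends at first bare space
        else:
            cur += ch
        i += 1
    return opts + [cur]

def effective(line):
    """Apply options in order and return what the key ends up allowed to do."""
    state = {"port_forwarding": True, "pty": True, "command": None}
    for opt in split_options(line.strip()):
        name = opt.partition("=")[0].lower()   # option keywords are case-insensitive
        if name == "restrict":
            state["port_forwarding"] = state["pty"] = False
        elif name.removeprefix("no-") in ("port-forwarding", "pty"):
            state[name.removeprefix("no-").replace("-", "_")] = not name.startswith("no-")
        elif name == "command":
            state["command"] = opt.partition("=")[2]
    return state

def audit(text):
    """Return (line number, finding) pairs for keys that are not tunnel-only."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            s = effective(line)
            if s["command"] is None:
                findings.append((n, "no forced command"))
            if s["pty"]:
                findings.append((n, "PTY allowed"))
    return findings

SAMPLE = '''# constructed sample; key material is a placeholder
restrict,command="/sbin/nologin",port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER tunnel-client
ssh-ed25519 AAAAC3PLACEHOLDER admin
'''
```

Calling audit(SAMPLE) flags only the unrestricted admin key on line 3; the restricted line passes with forwarding on, PTY off and the forced command in place.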