[rudasn]

I've looked at netmaker before, but haven't used it nor have examined any of its publicly shared source code. So I don't know how exactly that works, but I'm guessing it's touching on quite of a few layers of the stack.

WireHub, OTOH, gives you 0 LOCs to worry about especially if you don't provide your PrivateKeys to begin with - of course, the QR codes won't work, and you'd have to manually copy/paste stuff around, but it works (it's a feature be design). I don't provide clients/agents to install, you use stock WireGuard apps as usual.

Without even having your PrivateKeys, the attack surface shifts from WireHub to whatever else you have going on in your networks and networked devices.