by Aloha 763 days ago
It seems to me that if I were building a VPN client like Global Protect but using WG, I'd have an eternal per client auth key that is used to set up an initial tunnel to the VPN controller, over that you perform auth, etc, then you're given another session key, which is valid as long as that session is. The first tunnel would disconnect as soon as you finished authenticating and got your actual session key.

Why even have the first tunnel? You could do the entire thing out of hand over a web interface or other mechanism. If the public address of the WG server (or the authn server) is known and available, then there’s no real difference in setting up the connection over a persistent WG channel vs an HTTPS service.

Both solutions are custom for that VPN, so I’d just have one WG tunnel that’s controlled through a secured (web)service. The bonus is that you wouldn’t need a hard coded initial key. (You’d still need some authentication mechanism, but it could be more than fixed public/private key pairs).
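Both comments describe a control plane that hands the client a session-scoped WireGuard peer entry after the user authenticates, the second one doing so over a secured web service instead of a bootstrap tunnel. The script below is an added illustration of that second design and is not code from either commenter or from any VPN product: a small in-process stand-in for the web service verifies a password, registers the client's public key as a peer with an expiry, and renders the `wg set` commands that reconcile the server interface with the session table, so a peer disappears when its session lapses or is revoked. Key strings, user records, addresses and the 10.99.0.0/24 range are constructed placeholders (random bytes rather than real X25519 keys; a real client would supply the output of `wg genkey | wg pubkey`).

```python
"""Session-scoped WireGuard peer provisioning behind an authenticated control plane.

Added example, not code from the thread. Models one wg tunnel whose peer entry is
created by a web service after the user authenticates and removed when the
session ends, so no eternal per-client key has to be baked into the client.
"""
import base64
import hashlib
import hmac
import os
import secrets
import time

SESSION_TTL = 8 * 3600  # seconds a session peer stays valid (assumed policy)


def _placeholder_key() -> str:
    # Stand-in for an X25519 key: 32 random bytes, base64 like `wg genkey`.
    return base64.b64encode(os.urandom(32)).decode()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ControlPlane:
    """The 'secured (web)service': authenticates users and owns the peer table."""

    def __init__(self, server_pubkey: str, endpoint: str, users: dict):
        self.server_pubkey = server_pubkey
        self.endpoint = endpoint
        self.users = users          # username -> (salt, pbkdf2 hash)
        self.sessions = {}          # session_id -> peer record
        self._applied = set()       # pubkeys currently configured on the interface
        self._next_host = 2

    def authenticate(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def register_session(self, username, password, client_pubkey, now=None):
        """Return the client's peer config after successful auth, else None."""
        now = time.time() if now is None else now
        if not self.authenticate(username, password):
            return None
        session_id = secrets.token_hex(16)
        allowed_ip = f"10.99.0.{self._next_host}/32"
        self._next_host += 1
        self.sessions[session_id] = {
            "user": username, "pubkey": client_pubkey,
            "allowed_ip": allowed_ip, "expires": now + SESSION_TTL,
        }
        return {
            "session_id": session_id, "server_pubkey": self.server_pubkey,
            "endpoint": self.endpoint, "allowed_ip": allowed_ip,
            "expires": now + SESSION_TTL,
        }

    def revoke(self, session_id: str) -> None:
        self.sessions.pop(session_id, None)

    def active_peers(self, now=None) -> dict:
        """Purge expired sessions and return pubkey -> allowed IP for live ones."""
        now = time.time() if now is None else now
        for sid in [s for s, r in self.sessions.items() if r["expires"] <= now]:
            del self.sessions[sid]
        return {r["pubkey"]: r["allowed_ip"] for r in self.sessions.values()}

    def wg_set_commands(self, interface="wg0", now=None) -> list:
        """Render `wg set` lines that bring the interface in line with the sessions."""
        live = self.active_peers(now)
        cmds = [f"wg set {interface} peer {k} allowed-ips {ip}"
                for k, ip in live.items() if k not in self._applied]
        cmds += [f"wg set {interface} peer {k} remove"
                 for k in self._applied if k not in live]
        self._applied = set(live)
        return cmds


def render_client_config(client_privkey: str, peer: dict) -> str:
    """Client-side wg config for the session; written out by the VPN client."""
    return (f"[Interface]\nPrivateKey = {client_privkey}\n"
            f"Address = {peer['allowed_ip']}\n\n"
            f"[Peer]\nPublicKey = {peer['server_pubkey']}\n"
            f"Endpoint = {peer['endpoint']}\nAllowedIPs = 0.0.0.0/0\n"
            f"PersistentKeepalive = 25\n")


# Constructed demo data: one user, placeholder keys, placeholder endpoint.
CLIENT_PUBKEY = _placeholder_key()
_SALT = os.urandom(16)
DEMO_USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


def make_demo_control_plane() -> ControlPlane:
    return ControlPlane(_placeholder_key(), "vpn.example.invalid:51820", DEMO_USERS)


if __name__ == "__main__":
    cp = make_demo_control_plane()
    cfg = cp.register_session("alice", "correct horse", CLIENT_PUBKEY, now=1000.0)
    print(render_client_config(_placeholder_key(), cfg))
    print("\n".join(cp.wg_set_commands(now=1000.0)))
    print("\n".join(cp.wg_set_commands(now=1000.0 + SESSION_TTL)))  # peer removed
```

The point to carry over to a real deployment is the reconciliation step: the interface's peer list is derived from the session table on every pass, so an expired or revoked session is removed from `wg0` without any cooperation from the client, which is what makes the session key short-lived in practice rather than just on paper.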