by thrwaway1985882 658 days ago
From the OpenBSD perspective, I just populate /etc/hostname.wg0 on my laptop with my wg configuration ... and I can immediately `ssh router` at home or on the road :-)

IOW, why ever down the connection? Why not start your tunnel immediately when the network comes up and leave it running until the network goes down?

1 comment

I was thinking about doing this to multiple different servers and thought they could all share the same VPN network address for simpler configuration, but now that I think about it, doing that might run into constant server-key-changed warnings from SSH.

If you need a management VLAN, make one.

WireGuard interfaces are _cheap and easy_ - there's no reason not to set up an interface for normal client traffic that sshd doesn't listen on, and an interface for just sshd with different ACLs and routing logic if you want.
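
The two-interface layout suggested above, sketched for an OpenBSD server as an added example that is not part of the original thread. The addresses, ports, key placeholders and the wg0/wg1 split are assumptions chosen for illustration.

```conf
# --- /etc/hostname.wg0 : tunnel for ordinary client traffic; sshd does not listen here ---
# (all keys are placeholders, all addresses are constructed examples)
wgkey <SERVER_WG0_PRIVATE_KEY>
wgport 51820
wgpeer <LAPTOP_WG0_PUBLIC_KEY> wgaip 10.8.0.2/32
inet 10.8.0.1/24
up

# --- /etc/hostname.wg1 : management tunnel, the only path to sshd ---
# A separate key pair and a /32 allowed-IP per admin peer keep the
# management network's membership explicit.
wgkey <SERVER_WG1_PRIVATE_KEY>
wgport 51821
wgpeer <ADMIN_WG1_PUBLIC_KEY> wgaip 10.9.0.2/32
inet 10.9.0.1/24
up

# --- /etc/ssh/sshd_config : bind sshd to the management address only ---
# With no other ListenAddress lines, sshd is not bound to the wg0 address
# or to the public interface.
ListenAddress 10.9.0.1

# --- /etc/pf.conf (fragment) : different ACLs per interface ---
# Allow the two WireGuard listeners on the outside interface group.
pass in on egress proto udp to port { 51820 51821 }
# Client tunnel: log and drop any attempt to reach SSH.
block in log on wg0 proto tcp to port ssh
# Management tunnel: SSH only, only from the admin peer's tunnel address.
pass in on wg1 inet proto tcp from 10.9.0.2 to 10.9.0.1 port ssh
```

Giving each server its own management address, rather than sharing one across servers, also means each known_hosts entry maps to a single host key.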