by akerl_ 242 days ago
In fairness, most of the fervor for these kinds of knock-based flows predates Wireguard existing. They come from the era where OpenVPN and friends were the common practice in that space, and I would not have considered "add OpenVPN" to be a rational way to improve the security of anything I was doing.

OpenVPN was a perfectly reasonable answer to this problem for many years.

“Port knocking” et al were most definitively not.

Eh. I've used OpenVPN over many years for many kinds of problems. I'm hesitant to call it perfectly reasonable even for the most mundane use case of "running an entirely vanilla virtual private network". For the use case of securely wrapping services in the way Wireguard can do, it's hilariously bad.

OpenVPN is basically 1000 configuration options and magic incantations wearing a trenchcoat, and if you get any of them wrong the whole thing crumbles (or worse, appears to work but is not secure).