> Another option would be to run insecure QUIC or SCTP on top of WireGuard,
You cannot run SCTP on the Internet anyway. Too many routers block
anything that's not TCP/UDP/ICMP.
> I'm also wondering how easy this would be to program. It would clearly
> be much more heavyweight than simply opening a socket, but I guess it
> can be done via invocations of the `wg` or `wg-quick` tools.
Don't use the tools. There's a library around that you can use to do all
of the heavy lifting via netlink sockets. You'll also need the privilege
to assign addresses and routes to the WG interfaces.
> Ideally we wouldn't need root
If you go the netlink route, you do need one process that has the
appropriate privilege, which means root at install time (but not runtime).
> Once the network is live, we'd need the transport protocol to be
> stable, or at least be easily upgradeable
Well, the WG wire protocol is supposed to be stable by now. Switching
away from it would require new code on your side anyway, so you can
implement the exact method of switching at that time.
-- Matthias Urlichs
WireGuard mailing list