WireGuard is a great solution for a secure, high-performance data pipe. However, on its own it only supports static layer 3 routing, which fits none of my typical use cases.
If you're willing to think of it as a secure control plane where the cryptographic identities of peers are mapped to IP addresses, you can run other tried-and-tested but insecure tunnels over it.