I'm certainly comfortable with WireGuard for machine-to-machine connections, but I don't see how it would replace traditional VPN w/ 2FA (e.g. OVPN w/ Duo) for non-technical staff to access internal apps (at least without something similar to PAM).
When non-technical people get VPN access, it's almost always to access a small selection of specific applications. Lock their VPN connections down and implement 2FA (or, more realistically, 2FA-enabled SSO) for the applications rather than the VPN connection.
The 2FA VPN thing is, I think, a consequence of how hard it is to set up VPNs. Companies share VPN infrastructure between developers (who need relatively unfettered access) and non-technical staff, because maintaining multiple VPN configurations is so painful. WireGuard fixes that problem.
This is what I'm talking about when I say that WireGuard is a big deal. The current situation, with 2FA logins to very powerful VPN connections, is deeply suboptimal, and is what BeyondCorp was a response to in the first place.
If I was asked by a client today to design a remote access solution for customer support people to access an internal admin app, I might try to devise a site-to-site system (in which case I'd happily use WireGuard) --- deploying host-based VPN for support staff seems like a nightmare. But even if I couldn't, what I could do now that WireGuard is available is retain OpenVPN but drastically ratchet down what it has access to, SAML-ize the admin applications, and migrate developers to WireGuard environments.