But now that I look at it, it's pretty cool. Still, it gets one thing wrong, the same thing that was so fuckin' annoying with tun-mode OpenVPN:
It has an internal mapping from destination IP to peer.
E.g., I can do
`ip route add 10.13.37.0/24 via 192.168.0.13 dev eth7`
and eth7 only needs to know the MAC address of 192.168.0.13. I don't need to tell it that packets to 10.13.37.0/24 should also go via that MAC address.
OTOH, with OpenVPN, I need to _also_ add `iroute 10.13.37.0/24` to the right peer's file in ccd.
And with WireGuard, I need to add the whole 10.13.37.0/24 to that peer's AllowedIPs.
I wonder what happens when I add overlapping ranges to AllowedIPs of different peers, I guess everything breaks.
What I'd love is if the VPN interface could use the pubkey where an ethernet interface uses the MAC address, so as to play nicely with the other parts of the network stack (routing table, firewalls, etc.), and so that I don't need to have everything in two places.
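To make the "two places" complaint concrete, here is a small added model of the three lookups involved (it is example code written for this page, not code from WireGuard or from the author). The routing table, ARP table, AllowedIPs and public keys are all constructed, and the subnets differ slightly from the post so the ethernet and VPN cases stay distinct. `route()` does the kernel's longest-prefix match; `next_hop_l2()` does what an ethernet device does, resolving only the next hop through a per-device neighbour table; `wireguard_peer()` does cryptokey routing, where the destination itself must fall inside some peer's AllowedIPs (also longest-prefix match, as WireGuard does). The `wg0` entry in `NEIGH` is the author's wish expressed in code, a pubkey sitting where a MAC address would sit, and is purely hypothetical:

```python
import ipaddress

# Constructed kernel routing table: (destination prefix, next hop or None for on-link, device).
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), None, "eth7"),
    (ipaddress.ip_network("10.13.37.0/24"), ipaddress.ip_address("192.168.0.13"), "eth7"),
    (ipaddress.ip_network("10.0.0.0/24"), None, "wg0"),
    (ipaddress.ip_network("10.13.38.0/24"), ipaddress.ip_address("10.0.0.13"), "wg0"),
]

# Hypothetical peer public key (placeholder string, not a real key).
PEER13 = "PUBKEY_OF_PEER_13"

# Constructed neighbour table: per device, next-hop IP -> link-layer identity.
# eth7 is a normal ARP table; the wg0 entry is the post's wish: a pubkey where a MAC would be.
NEIGH = {
    "eth7": {ipaddress.ip_address("192.168.0.13"): "02:00:00:00:00:13"},
    "wg0": {ipaddress.ip_address("10.0.0.13"): PEER13},
}

# Constructed WireGuard cryptokey routing table: peer pubkey -> AllowedIPs.
# Only the peer's own tunnel address is listed; 10.13.38.0/24 is NOT.
ALLOWED_IPS = {PEER13: [ipaddress.ip_network("10.0.0.13/32")]}


def longest_prefix(dst, prefixes):
    """Index of the longest prefix in `prefixes` containing dst, or None."""
    best, best_len = None, -1
    for i, net in enumerate(prefixes):
        if dst in net and net.prefixlen > best_len:
            best, best_len = i, net.prefixlen
    return best


def route(dst):
    """Kernel-style lookup: returns (next_hop, device) or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    i = longest_prefix(dst, [r[0] for r in ROUTES])
    if i is None:
        return None
    _, via, dev = ROUTES[i]
    return (via if via is not None else dst, dev)


def next_hop_l2(dst):
    """Ethernet model: the routing table picks the next hop, the neighbour table
    resolves only that next hop. The destination prefix never has to be known
    to the device itself."""
    r = route(dst)
    if r is None:
        return None
    via, dev = r
    return NEIGH.get(dev, {}).get(via)


def wireguard_peer(dst, allowed=ALLOWED_IPS):
    """Cryptokey routing model: the destination address must match one of a
    peer's AllowedIPs (longest prefix wins), independently of the routing
    table. If nothing matches there is no peer to send to."""
    dst = ipaddress.ip_address(dst)
    entries = [(net, pk) for pk, nets in allowed.items() for net in nets]
    i = longest_prefix(dst, [e[0] for e in entries])
    return None if i is None else entries[i][1]


if __name__ == "__main__":
    print("eth7 10.13.37.5 ->", next_hop_l2("10.13.37.5"))
    print("wg0  10.13.38.5 via neighbour-style lookup ->", next_hop_l2("10.13.38.5"))
    print("wg0  10.13.38.5 via AllowedIPs ->", wireguard_peer("10.13.38.5"))
    widened = {PEER13: ALLOWED_IPS[PEER13] + [ipaddress.ip_network("10.13.38.0/24")]}
    print("wg0  10.13.38.5 after adding the /24 to AllowedIPs ->", wireguard_peer("10.13.38.5", widened))
```

The asymmetry shows up in the last two lookups: the routing table already says 10.13.38.0/24 goes via peer 13's tunnel address, yet `wireguard_peer()` returns no peer until the same /24 is repeated in AllowedIPs, whereas `next_hop_l2()` needs nothing beyond the one next-hop entry, which is exactly what the ethernet case gets for free.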