Wireguard in OVS
Epic
Status: To Do
Resolution: Unresolved
rhel-10
rhel-sst-network-fastdatapath
ssg_networking
Currently, OVS can be configured with Libreswan or strongSwan (driven by ovs-monitor-ipsec) to encrypt traffic between nodes. Libreswan has one developer responsible for 93% of the past 1000 commits. strongSwan has two developers responsible for 90% of the past 1000 commits.
The IPsec tools are also legacy code bases that are fairly complex to set up, maintain, and debug when something goes wrong.
WireGuard is a modern VPN and a pleasure to use. Its codebase is also significantly simpler: WireGuard consists of under 10,000 lines of C code, whereas the Libreswan userspace alone has over 100,000 lines of C code, not even counting kernel modules.
WireGuard also encapsulates its traffic in UDP natively, which could reduce the need for other tunnel protocols.
WireGuard is not without flaws. There is currently no mechanism for using a certificate authority, so every node would need the public key of every other node (full-mesh key distribution), and adding a node means updating the configuration of every existing node. There are, however, proposals to add this feature.
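The following is an added example, not code from the OVS project or from the issue author. It renders wg-quick style [Interface]/[Peer] configuration for a full-mesh of nodes and counts how many peer entries (public keys) have to be distributed and how many existing configs are rewritten when a node joins, which is the operational cost of the missing certificate-authority mechanism described above. Node names, endpoints, tunnel addresses and the public keys are constructed placeholders; real WireGuard keys are X25519 pairs produced by `wg genkey | wg pubkey`.

```python
# Added example: full-mesh WireGuard key distribution without a CA.
# Everything below (node names, addresses, keys) is constructed for the demo.
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    endpoint: str   # host:port where this node's WireGuard listens (constructed)
    tunnel_ip: str  # this node's address inside the overlay (constructed)


def placeholder_pubkey(name: str) -> str:
    # Constructed stand-in: a real key is X25519 from `wg genkey | wg pubkey`.
    # This only reproduces the 44-character base64 shape so the rendered
    # config looks right without calling wg(8).
    return base64.b64encode(hashlib.sha256(b"pub:" + name.encode()).digest()).decode()


def render_config(node: Node, all_nodes: list[Node], pubkeys: dict[str, str]) -> str:
    """Render a wg-quick style config for `node` with one [Peer] block per other node."""
    port = node.endpoint.rsplit(":", 1)[1]
    lines = [
        "[Interface]",
        f"Address = {node.tunnel_ip}/32",
        f"ListenPort = {port}",
        "PrivateKey = <generated with `wg genkey`, never leaves this node>",
        "",
    ]
    for peer in all_nodes:
        if peer.name == node.name:
            continue  # a node does not peer with itself
        lines += [
            "[Peer]",
            f"# {peer.name}",
            f"PublicKey = {pubkeys[peer.name]}",
            # Cryptokey routing: only this peer's key may send from / receive for this IP.
            f"AllowedIPs = {peer.tunnel_ip}/32",
            f"Endpoint = {peer.endpoint}",
            "",
        ]
    return "\n".join(lines)


def mesh_configs(nodes: list[Node]) -> dict[str, str]:
    """One config per node; with no CA, every node must hold every other node's key."""
    pubkeys = {n.name: placeholder_pubkey(n.name) for n in nodes}
    return {n.name: render_config(n, nodes, pubkeys) for n in nodes}


def peer_entries(configs: dict[str, str]) -> int:
    """Total public-key entries that had to be distributed: n * (n - 1)."""
    return sum(cfg.count("[Peer]") for cfg in configs.values())


def add_node(nodes: list[Node], new: Node) -> tuple[dict[str, str], set[str]]:
    """Add `new` to the mesh and report which existing nodes' configs changed.

    Without a CA the answer is always all of them: each existing node has to
    learn the newcomer's key. With a CA, the joiner would need only a signed
    certificate and the existing nodes only the unchanged CA certificate.
    """
    before = mesh_configs(nodes)
    after = mesh_configs(nodes + [new])
    changed = {name for name in before if before[name] != after[name]}
    return after, changed


# Constructed three-node cluster using documentation address ranges.
CLUSTER = [
    Node("node-a", "203.0.113.1:51820", "10.99.0.1"),
    Node("node-b", "203.0.113.2:51820", "10.99.0.2"),
    Node("node-c", "203.0.113.3:51820", "10.99.0.3"),
]

if __name__ == "__main__":
    configs = mesh_configs(CLUSTER)
    print(configs["node-a"])
    print("peer entries across the mesh:", peer_entries(configs))
    _, touched = add_node(CLUSTER, Node("node-d", "203.0.113.4:51820", "10.99.0.4"))
    print("configs rewritten when node-d joins:", sorted(touched))
```

For three nodes the mesh carries six peer entries; adding a fourth rewrites all three existing configs and raises the count to twelve, growing as n*(n-1). A CA-based model, as used by the existing IPsec integration, would leave the existing nodes' configuration untouched when a node joins.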
I propose we add WireGuard support to ovs-monitor-ipsec in the OVS project.