> SSH is different for two reasons: It runs over TCP, and it runs in
> userspace.
>
> Secondly, because SSH runs in userspace, a lot of the processing (such
> as the TCP handshake) is done by the kernel on the application's behalf.
> So the only way the application has of telling the kernel not to do
> this, is by setting the listen address. Wireguard lives directly in the
> kernel and so can perform the authentication directly after receiving
> the packet, without suffering a context switch to userspace.
>
>
> -Toke

Perhaps worth noting this WG app (TunSafe) for WIN "runs as a user-mode application and does not run inside of the kernel"
https://tunsafe.com/user-guide
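
Added example, not part of the original thread: a listening TCP socket whose application never calls `accept()` still completes the handshake, because the kernel does it, and only the listen address limits where that happens. The function names are made up for illustration, and the `127.0.0.2` check assumes a Linux-style loopback where all of 127.0.0.0/8 is local.

```python
import socket

def start_listener(bind_addr):
    """Bind and listen, but never call accept(): the application stays idle."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]

def handshake_completes(addr, port, timeout=2.0):
    """True if a TCP three-way handshake to addr:port finishes."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(timeout)
    try:
        cli.connect((addr, port))     # returns once SYN / SYN-ACK / ACK is done
        return True
    except OSError:                   # refused, unreachable or timed out
        return False
    finally:
        cli.close()

def demo():
    srv, port = start_listener("127.0.0.1")
    try:
        return {
            # The kernel answers the SYN itself; no server code has run.
            "bound_address": handshake_completes("127.0.0.1", port),
            # Different local address, same port: no listening socket matches.
            "other_address": handshake_completes("127.0.0.2", port),
        }
    finally:
        srv.close()

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: handshake {'completed' if ok else 'did not complete'}")
```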