> Jason already explained it but maybe it needs to be repeated several more
> times.

No need, it is understood.

> WG security model doesn't rely on which interface, port or subnet it's
> listening on. You can screw your network configuration in myriad ways and
> WG will still save you due to its design. Private keys are all that matters.
> Keep them secure and forget about the rest of things you know about
> unbound, dnsmasq, bind, ssh, openvpn and ipsec. Use route tables and
> netfilter rules to choose where the network traffic should go. That's all.
>
> Jordan

That seems a bit of a narrow focus, and sort of insinuates that WG, due to its design, is invincible, when WG is just one piece integrating into a broader (server) network landscape.

Also wondering how ssh is discarded when the WG online presence states:

"WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys"

For that matter it is pretty easy in ssh to limit its socket and iface/ip range exposure. Is it due to the inferior design of ssh that such security hardening features are made available/considered? If you keep the ssh keys safe that should be all that matters, should it not?
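The two points Jordan's quoted reply makes, that the private key is the trust anchor and that netfilter (not the daemon) decides where the UDP port is reachable, can be checked mechanically. The script below is an added example written for this thread, not code from WireGuard or from either poster: it parses a constructed wg-quick style config, flags a private key file that is readable by group/other or a key that is not a 32-byte base64 value, and emits an nftables input chain that accepts the ListenPort only on an assumed WAN interface name (`eth0`) and drops it everywhere else. The keys in the sample are all-`A`/all-`B` placeholders, not real key material.

```python
"""Audit a wg-quick config and derive a port-exposure rule for it.

Added example for the thread above; the config text, key values and the
interface name "eth0" are constructed assumptions, not WireGuard project code.
"""
import base64
import os
import re
import stat
import tempfile

# Constructed sample: placeholder keys, not usable key material.
SAMPLE_CONF = """\
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.8.0.1/24
ListenPort = 51820

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 10.8.0.2/32
"""


def parse_wg_conf(text):
    """Minimal INI-style parser: one [Interface], zero or more [Peer]s."""
    conf = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick treats '#' as a comment
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            if m.group(1) == "Peer":
                current = {}
                conf["Peer"].append(current)
            elif m.group(1) == "Interface":
                current = conf["Interface"]
            else:
                raise ValueError(f"unknown section {m.group(1)}")
            continue
        key, sep, value = line.partition("=")  # first '=' only; base64 padding survives
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip()
    return conf


def is_valid_key(value):
    """A WireGuard key is 32 bytes of base64, i.e. 44 characters with padding."""
    if len(value) != 44:
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def audit_config(path):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"config mode {mode:04o}: private key readable by group/other")
    with open(path, encoding="utf-8") as fh:
        conf = parse_wg_conf(fh.read())
    if not is_valid_key(conf["Interface"].get("PrivateKey", "")):
        findings.append("Interface.PrivateKey missing or not a 32-byte base64 key")
    for idx, peer in enumerate(conf["Peer"]):
        if not is_valid_key(peer.get("PublicKey", "")):
            findings.append(f"Peer {idx}: PublicKey missing or malformed")
        if "AllowedIPs" not in peer:
            findings.append(f"Peer {idx}: no AllowedIPs, peer cannot route anything")
    return findings


def nft_rules(port, wan_iface):
    """Input-chain rules: accept the WG port on the WAN interface, drop it elsewhere.

    Rule order matters: the interface-specific accept must precede the drop.
    """
    return "\n".join([
        "table inet wg {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f'    iifname "{wan_iface}" udp dport {port} accept',
        f"    udp dport {port} drop",
        "  }",
        "}",
    ])


def write_sample(mode):
    """Write SAMPLE_CONF to a temp file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        p = write_sample(mode)
        print(f"mode {mode:04o}:", audit_config(p) or "no findings")
        os.unlink(p)
    port = int(parse_wg_conf(SAMPLE_CONF)["Interface"]["ListenPort"])
    print(nft_rules(port, "eth0"))
```

The emitted ruleset is the netfilter side of Jordan's argument: the daemon keeps listening on every address, but only packets arriving on the named interface reach it. The file-mode check is the key side: a config that is readable by other local users leaks the only secret the design depends on.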