> Server has to know what clients to accept in any VPN solution. I still don't see the point.
In OpenVPN and others, the server can just check the certificate presented by a client against a shared CA. The certificate can be signed/emitted by a totally different system.
Wireguard doesn't respond at all (not SYN/ACK stuff) if not provided with a correctly signed packet.
This means you can't scan for wireguard ports without already being configured for them.
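As an added illustration of the point made in the comment above (this is example code, not something from the thread or from the WireGuard project): what the comment calls a "correctly signed packet" is the mac1 field of the handshake initiation, a keyed BLAKE2s MAC over the rest of the message whose key is derived from the responder's static public key. Sizes and the "mac1----" label follow the published WireGuard protocol description; the field contents here are constructed random bytes because the example only shows the silent-drop gate, not the Noise handshake behind it.

```python
import hashlib
import hmac
import os

# Handshake-initiation layout per the WireGuard protocol description:
# type(1)+reserved(3)+sender(4)+ephemeral(32)+enc_static(48)+enc_timestamp(28) = 116 bytes,
# followed by mac1(16) and mac2(16), 148 bytes in total.
MSG_TYPE_INITIATION = 1
MAC1_OFFSET = 116
INITIATION_LEN = 148
LABEL_MAC1 = b"mac1----"


def hash32(data: bytes) -> bytes:
    return hashlib.blake2s(data, digest_size=32).digest()


def mac16(key: bytes, data: bytes) -> bytes:
    return hashlib.blake2s(data, key=key, digest_size=16).digest()


def mac1_key(responder_static_pub: bytes) -> bytes:
    # Derived only from the responder's public key: a sender must already know
    # that key to build a packet the responder will answer at all.
    return hash32(LABEL_MAC1 + responder_static_pub)


def build_initiation(responder_static_pub: bytes, payload: bytes) -> bytes:
    # payload = the 112 bytes after the 4-byte type/reserved header.
    # Constructed sample: a real peer fills these from the Noise IK exchange.
    assert len(payload) == MAC1_OFFSET - 4
    msg_alpha = bytes([MSG_TYPE_INITIATION, 0, 0, 0]) + payload
    mac1 = mac16(mac1_key(responder_static_pub), msg_alpha)
    mac2 = bytes(16)  # all zeros when the responder is not under load (no cookie)
    return msg_alpha + mac1 + mac2


def responder_accepts(responder_static_pub: bytes, packet: bytes) -> bool:
    # Anything failing here is discarded with no reply, so a probe that does not
    # hold the server key gets no evidence that a WireGuard service exists.
    if len(packet) != INITIATION_LEN or packet[0] != MSG_TYPE_INITIATION:
        return False
    expected = mac16(mac1_key(responder_static_pub), packet[:MAC1_OFFSET])
    return hmac.compare_digest(expected, packet[MAC1_OFFSET:MAC1_OFFSET + 16])


if __name__ == "__main__":
    server_pub = os.urandom(32)  # constructed stand-in for the server's static public key
    payload = os.urandom(112)
    print("peer that knows the key:", responder_accepts(server_pub, build_initiation(server_pub, payload)))
    print("peer with the wrong key:", responder_accepts(server_pub, build_initiation(os.urandom(32), payload)))
    print("random 148-byte probe:  ", responder_accepts(server_pub, os.urandom(INITIATION_LEN)))
```

A real responder additionally checks mac2 when under load and then attempts the Noise decryption; only packets that pass every stage get a response.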
I see. Though if you ever want to remove access you'll still not avoid distributing information about individual clients to the VPN servers. It will just be a blacklist-style list and not a whitelist like in WG.