It is not mandatory to wait for next Debian version: we are already testing up to date WireGuard version.
When we'll make WireGuard available to customers, it will be on all servers.
Exactly, it's unavoidable.
With OpenVPN that's currently correct.
However, with WireGuard we need to keep it, because it's written in .conf file generated via Config Generator and stored by users. See below for users' option to change or invalidate it.
Some of our competitors do this.
Some accept only their official client software because of the issue. That's neither good nor acceptable for us, as we don't want to lock user into our software.
Therefore the change you mention might be an Eddie's additional feature but we will try to make Wireguard main branch as secure as Eddie's, whenever possible.
Yes, we still use ifconfig-pool-persist in OpenVPN. It's very different than Wireguard's addresses binary mapping, especially under a legal point of view.
When a client is connected, OpenVPN daemon necessarily needs to link clients' public and VPN IP addresses. As soon as the client disconnects the link is lost.
One of WireGuard controversies is that client's real IP address remains visible with 'wg show' even after client's disconnection. The issue is resolved by removing and re-adding the peer after a disconnection (disconnection in WireGuard is basically a handshake timeout).
Some current testing implementation features are:
Unique WireGuard IPv4 and IPv6 subnets across servers which don't conflict with OpenVPN subnets
Assigning a non-conflicting, pseudo-random, local IP address for each customer's device (for AllowedIPs), similar to remotely forwarded port assignments
Users can renew a local IP address for a device anytime. WireGuard .conf manually used in official client would become invalid. Eddie will automatically update. The same happens when a user regenerates OpenVPN client certificate and key pair: the action invalidates any previously stored OpenVPN profile.
We will offer an API to automate the above, letting users write a script that performs HTTPS calls to change local IP address, download updated .conf, and then wg-quick.
An API to obtain a .conf file (Config Generator without UI) is already in production for OpenVPN and it will be of course available for WireGuard too.
When a device's WireGuard local IP address changes, up to a 10 seconds wait is required. It's the time required to propagate device key onto all VPN servers, in order to update the AllowedIPs peer node.
No other solution allowing us to let our customers use the official WireGuard client with a simple .conf file and, at the same time, preserve their privacy currently exists.
Please keep the above information as a proposal: we are currently studying pros and cons and something may change before WireGuard public beta support in our VPN servers is available.