Honestly I think this is the crux of the issue. Your infrastructure isn't compatible in its current state, so it's a good business decision not to include it. There's absolutely nothing wrong with that; I still love Air. You're exceptional at what you do. But all the other FUD is unnecessary.
It looks like you still miss the point. Wireguard, in its current state, is not only dangerous because it lacks basic features and is experimental software, but it also dangerously weakens the anonymity layer. Our service aims to provide some anonymity layer, therefore we can't take into consideration something that weakens it so deeply.
We will gladly take Wireguard into consideration when it reaches a stable release AND offers at least the most basic options which OpenVPN has been able to offer for 15 years. The infrastructure can be adapted, our mission can't.
We provided a list of missing features causing real, objective security flaws in Wireguard (when meant to provide specific features). We will expand them here below since it looks like you missed the huge implications of the mentioned issues.
If you followed the WireGuard mailing list you'd know Jason states the "not to be considered production ready" notice is an ass-covering statement and actually WireGuard is fine.
It's not a matter to "cover their asses" as you say.
First, it's a matter of security. If you followed some basic IT security principles, you would know how wrong and dangerous a claim like the one quoted here above is. If you are really in the position to certify that "Wireguard is fine", then do it officially. If you can't do it officially, your words must be considered irrelevant, because they go against the claims of the very Wireguard developers themselves.
Second, it is a matter of lacking features that are essential for any service which aims to provide a decent layer of anonymity.
Wireguard, in its current state, does not meet our requirements. Here below, once again, are some points which need to be considered and addressed:
- Wireguard lacks dynamic IP address management. The client needs to be assigned in advance a pre-defined VPN IP address uniquely linked to its key on each VPN server. The impact on the anonymity layer is catastrophic;
- Wireguard client does not verify the server identity (a feature so essential that it will surely be implemented once Wireguard is no longer experimental software); the impact on security caused by this flaw is very high;
- TCP support is missing (third party or anyway additional code is required to use TCP as the tunneling protocol, as you suggest, and that's a problematic regression when compared to OpenVPN);
- there is no support for connecting Wireguard to a VPN server over some proxy with a variety of authentication methods.
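The first point in the list above, the static binding of each client key to a pre-assigned tunnel address, can be made concrete by reading it straight out of a server configuration. The following script is an added example, not code from AirVPN or the WireGuard project: it parses the `[Peer]` sections of a constructed wg-quick style server config (the `PublicKey` values are obviously labelled placeholders, not real keys) and reports which tunnel addresses are pinned to which peer key via `AllowedIPs`. An operator can run it over a real server config to see exactly which peers will reappear on the same tunnel address on every session, which is the linkability exposure the post is describing.

```python
"""Report persistent peer-key -> tunnel-address bindings in a WireGuard server config.

Added example (not from the original thread). The config below is constructed
for illustration; the key values are placeholders, not valid WireGuard keys.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: two peers, each pinned to a fixed tunnel address.
SAMPLE_SERVER_CONFIG = """
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# client A
PublicKey = CLIENT_A_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
# client B
PublicKey = CLIENT_B_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32, fd00::3/128
"""


@dataclass
class PeerBinding:
    public_key: str = ""
    allowed_ips: list = field(default_factory=list)


def parse_peers(config_text):
    """Return every [Peer] section as a PeerBinding (PublicKey + AllowedIPs list)."""
    peers = []
    current = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip '#' comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # Start a new section; only [Peer] sections are collected.
            if line[1:-1].strip().lower() == "peer":
                current = PeerBinding()
                peers.append(current)
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        # Split on the first '=' only: base64 keys may themselves end in '='.
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "publickey":
            current.public_key = value
        elif key.lower() == "allowedips":
            current.allowed_ips.extend(v.strip() for v in value.split(",") if v.strip())
    return peers


def is_single_address(cidr):
    """True when the prefix covers exactly one address (/32 IPv4 or /128 IPv6)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses == 1


def persistent_bindings(config_text):
    """Map each peer public key to the tunnel addresses permanently pinned to it."""
    return {
        peer.public_key: [ip for ip in peer.allowed_ips if is_single_address(ip)]
        for peer in parse_peers(config_text)
    }


def report(config_text):
    """Human-readable summary of which peers have a fixed, reusable tunnel address."""
    lines = []
    for key, addrs in persistent_bindings(config_text).items():
        if addrs:
            lines.append(f"{key}: always appears as {', '.join(addrs)}")
        else:
            lines.append(f"{key}: no single-address binding")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SERVER_CONFIG))
```

Because WireGuard routes return traffic by the `AllowedIPs` attached to a key, every `/32` or `/128` listed there is by construction a stable identifier for that peer across sessions; the report simply surfaces that mapping so it can be reviewed rather than assumed.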