VXLAN over WireGuard
WireGuard establishes secure IP connectivity between sites. We could add a Layer 2 encapsulation (bridge, TAP, or VXLAN) that runs over the WireGuard mesh while still controlling access at the hub. This separation of concerns mirrors modern data-centre design: a secure underlay and a flexible overlay. The extra encapsulation adds per-packet overhead, which reduces the usable payload, but it's a solid trade-off for functional services.
We know WireGuard works cleanly across NAT and the public Internet, and we already deliver routed functionality over the same protocol, so adding Ethernet support should be easier.
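The overlay and its payload cost on one spoke, as an added example that is not part of the original page: it derives the inner MTU from the WireGuard interface MTU and prints the iproute2 commands without running them. The interface names, VNI 100, the 10.0.0.x tunnel addresses, the 1280-byte floor and the choice to point the spoke's only VXLAN remote at the hub are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: plan a spoke-side VXLAN overlay on top of an existing
# WireGuard interface. Names and addresses are constructed placeholders.

# Bytes VXLAN adds inside the tunnel per frame:
# outer IP (20 for IPv4, 40 for IPv6) + UDP 8 + VXLAN 8 + inner Ethernet 14.
vxlan_overhead() {
    case "$1" in
        4) echo 50 ;;
        6) echo 70 ;;
        *) echo "unknown IP version: $1" >&2; return 1 ;;
    esac
}

# Largest overlay MTU that fits the WireGuard MTU without fragmentation.
# usage: overlay_mtu WG_MTU IP_VERSION
overlay_mtu() {
    oh=$(vxlan_overhead "$2") || return 1
    mtu=$(( $1 - oh ))
    # Assumption: refuse overlays below 1280, the IPv6 minimum link MTU.
    [ "$mtu" -ge 1280 ] || { echo "overlay MTU $mtu below 1280" >&2; return 1; }
    echo "$mtu"
}

# Print (do not run) the iproute2 commands for one spoke. The only VXLAN
# remote is the hub's tunnel address, so every frame transits the hub.
# usage: plan_spoke WG_IF WG_MTU VNI LOCAL_TUNNEL_IP HUB_TUNNEL_IP
plan_spoke() {
    mtu=$(overlay_mtu "$2" 4) || return 1
    cat <<EOF
ip link add vxlan$3 type vxlan id $3 local $4 remote $5 dstport 4789 dev $1
ip link add br$3 type bridge
ip link set vxlan$3 master br$3
ip link set vxlan$3 mtu $mtu up
ip link set br$3 mtu $mtu up
EOF
}

# Constructed sample: wg0 at MTU 1420 (WireGuard's usual default), VNI 100.
plan_spoke wg0 1420 100 10.0.0.2 10.0.0.1
```

With a 1420-byte WireGuard MTU the overlay carries 1370-byte IP packets, so hosts bridged onto it need that MTU as well.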