We originally tried to run everything over WireGuard, but it ends up being a less stable design. It's chicken and egg, because we use the netclient to manage WireGuard, but the messages were sent over WireGuard, meaning if any configuration change breaks the tunnel, you are unable to send messages to the client and it becomes stranded.