Really easy to setup on Linux.
On Linux kernel's mainline.
Simple configuration file format on Windows.
Layer 3+ (no layer2 support)
low LOC count
No dynamic allocations
Only 1 set of crypto protocols, if some are broken update, don't negotiate
Avoids keeping broken crypto, and downgrading
Only responds to encrypted packets
Uses a normal Linux network interfaces
Fail safe, not fail open
Endpoints roam, like in mosh
Identities are just static public keys
Each interface has
A private key
A listening UDP port
A list of peers
Each peer has
It's public IP
A list of associated tunnel IPs
Optionally, an endpoint IP&PORT