
Interesting that they're defaulting to tunneling WireGuard over WebSockets. Not great for performance but probably fine for the DevOpsy stuff flyctl is used for. This is something I've wondered about for the future of QUIC/HTTP3. There's a nonzero chance network operators will just block UDP on port 443 altogether rather than properly handling it.


You can absolutely use native WireGuard, including from `flyctl` (it's an option you can set). When UDP doesn't work, it doesn't work at all, and it's hard to debug, so our default is for the thing that we know will work.

(I say this ruefully, having lost the argument about what our default should be.)


I'm assuming you decided doing some sort of happy eyeballs type thing isn't worth the complexity?


Yeah; we're a public cloud platform, not a VPN service, so the key was just making sure everybody could drive our services. The "normie" way to do all of this stuff, at existing public clouds, is just HTTP anyways.



