netbird is a good alternative that has significantly better NAT punching (at least on my network), going through 2-3 layers of NAT just fine. The problem with it is although it does support kernel WireGuard, it works only if both nodes are on the same subnet, or if one of them has a public IP (port forwarding doesn't work, it needs a public IP). Otherwise, it creates a tunnel through NAT (using WebRTC's ICE) and then routes data from the WireGuard interface through that tunnel. This involves copying data multiple times (application → kernel → wireguard → netbird client (userspace) → kernel → network).

So unless you're fine with that limitation, look elsewhere for now.

I really tried to like netbird, but their current hard dependency on auth0 (also when selfhosting) unfortuantly put me off. Your statements regarding NAT punching are on the other hand very interesting.

I'm currently trying out innernet, mostly for the interconnected server nodes (k8s, not for actual real users). Seems to work fine (double NAT + single public coordination server).

Unrelated to Wireguard: I really liked Nebulas certificate-based client setup and its reduntant lighthouses (public coordination servers). May be an alternative if you want something at least a little faster than wireguard-go based implementations.