Hey all,
I'm not familiar with WireGuard so I can only speak in an OpenVPN context. If the following doesn't apply to WireGuard at all, then feel free to ignore me.
My main problem with "--script-security" is that it's useless. It just causes OpenVPN to spit a line into a log file (and by that time it's too late anyway). That isn't a security mechanism.
There also seems to be an expectation that users should understand these config files. I'm not sure why that is. Excuse my speaking in generalities, but a majority of users aren't going to understand how OpenVPN works, let alone how the configuration file affects the program. Many users (myself included) simply receive config files from our bosses or our IT guy and trust that they aren't malicious. Call me naive or foolish, but I don't review every single file passed my way for malicious content.
Furthermore, I've heard a few times now "config files exec things". Off the top of my head, I can't think of any other applications that execute shell commands listed in their configuration file. I have no idea where that is coming from. It's not a smart practice from a security point of view.
I'm not an OpenVPN expert. I'm just some guy that spent a little time reviewing the source. So I accept that my opinions might be bad. But if I were a dev I'd deprecate the entire system of executing programs listed in the configuration file. I'd try to migrate code into OpenVPN itself or the plugin system. At the very least, prompting the user and asking them for permission to execute whatever command seems like an improvement to me.
-Jake
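The post above argues that users receive .ovpn files and never inspect them for directives that run external programs. As an added example (editor's code, not part of Jake's post and not OpenVPN's own code), here is a small Python linter that does that inspection: it walks an OpenVPN config, skips comments and inline `<ca>`...`</ca>` style blocks, reports the `script-security` level the file requests, and lists every directive that causes OpenVPN to execute an external script or plugin. The directive list is taken from the OpenVPN manual (`up`, `down`, `route-up`, `route-pre-down`, `ipchange`, `client-connect`, `client-disconnect`, `learn-address`, `auth-user-pass-verify`, `tls-verify`, `plugin`); the sample config embedded in the block is constructed for illustration, and the leniency toward a leading `--` on config-file options is an assumption about how such files are commonly written.

```python
"""Flag OpenVPN config directives that make the daemon run external programs.

Editor's example, not OpenVPN project code. Directive names are from the
OpenVPN manual; the SAMPLE config below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Directives whose argument is a script/program OpenVPN will execute (or,
# for "plugin", a shared object it will load). From the OpenVPN manual.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "plugin",
}


@dataclass
class Finding:
    line_no: int
    directive: str
    args: str


def parse_config(text):
    """Yield (line_no, directive, args) for each option line.

    Skips blank lines, '#'/';' comments, and the bodies of inline blocks
    such as <ca>...</ca>, whose contents are file data, not options.
    """
    in_block = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        # Assumption: tolerate a leading "--" as written on the command line.
        if line.startswith("--"):
            line = line[2:]
        parts = line.split(None, 1)
        yield n, parts[0], (parts[1] if len(parts) > 1 else "")


def audit(text):
    """Return (script_security_level or None, [Finding, ...])."""
    findings = []
    level = None
    for n, directive, args in parse_config(text):
        if directive == "script-security":
            try:
                level = int(args.split()[0])
            except (ValueError, IndexError):
                level = None  # malformed value; treat as unknown
        elif directive in EXEC_DIRECTIVES:
            findings.append(Finding(n, directive, args))
    return level, findings


def report(text):
    """Human-readable summary of what a config would execute."""
    level, findings = audit(text)
    shown = "not set (default 1: built-in executables only)" if level is None else str(level)
    lines = [f"script-security level: {shown}"]
    for f in findings:
        lines.append(f"line {f.line_no}: {f.directive} {f.args}")
    if not findings:
        lines.append("no external-program directives found")
    return "\n".join(lines)


# Constructed sample: the kind of file a user might receive from "the IT guy".
SAMPLE = """\
client
dev tun
remote vpn.example.com 1194
<ca>
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUZ
-----END CERTIFICATE-----
</ca>
--script-security 2
# runs after the tunnel interface is configured
up /etc/openvpn/update-resolv-conf
tls-verify /tmp/.cache/verify.sh
"""

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it against any received .ovpn file by reading the file into `audit()`; a non-empty findings list together with `script-security 2` or higher is the combination that lets the file start arbitrary user-defined programs, and each listed path is what to read before importing the config.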