i also think that it's overkill, especially for a minimalistic tool like wireguard. That's why I mentioned "if you want to be extra paranoid". This forum is for learning, and this question is an open ended learning question, hence, an opportunity to learn about port knocking, even if the actual real life benefit of that would be minuscule.
Good point, kernel updates should be paired with reboots to get kernel patches applied quickly.
Yes wireguard would only accept connections clfrom clients with known certificates, but this is "belt and suspenders" approach. What happens if there's a bug in wireguards packet parsing or certificate processing? Using port knocking would protect against this —very remote— possibility.
VPN software usually is built strong to begin with, and any vulnerabilities discovered will be promptly fixed as well, so updating frequently should suffice. (Why not automate it with unattended-upgrades package?
Using a random high port number will probably hide it well enough for Internet-wide port scanners as well.
if you want to be extra paranoid, you can hide the VPN service behind a port knocker as well.
A good answer to a "why?" question is "why not?"
This can be a great learning or practice opportunity for redundant network links and other interface challenges.
Otoh, Spotify (and probably apple and other big corps) don't even allow you to add RSS URLs, so I wanted to point out they Google was one of the big players which was more open.
i also think that it's overkill, especially for a minimalistic tool like wireguard. That's why I mentioned "if you want to be extra paranoid". This forum is for learning, and this question is an open ended learning question, hence, an opportunity to learn about port knocking, even if the actual real life benefit of that would be minuscule.