In 2026, "just use Tailscale" is the default answer to anything WireGuard-shaped, and for most people it's the right one. This post is for the cases where it isn't — regulated egress, fixed-IP allowlists, agentless contractor access, MSP per-client isolation — and where you end up running a small fleet of classic publicly addressable WG servers on purpose.

Setting up one of those servers in 2026 is trivial. AI writes the wg0.conf, docker compose up and wg-easy is running in a minute, generating peers takes one click. The hard part hasn't been setup for years. The hard part is what happens after the second server.

The moment you have two, the friction shifts. It's no longer about commands or configs. The questions change. Who has access to what? When was this peer issued? Whose pubkey lives where? How do I revoke a contractor in one place?

Setup is solved. Operations are not.…