To add on to this, in some organizations it's easier to assess risk according to RMF and similar frameworks if the application ships with stunnel and is configured from within than it is for the application to require a system-level VPN like Wireguard.
That said, I think Wireguard is easier to analyze on the wire since it has a known binary signature in the first 4 bytes, while an stunnel tunnel is indistinguishable from web-browsing traffic. For a bad actor looking into exfil or C2, this means an stunnel is probably the sneakier and thus more reliable method of encryption on the wire compared to wireguard.
poemxo|1 month ago
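The "known binary signature from the first 4 bytes" point above is easy to turn into a detection check. The following is an added example, not code from the comment author or from the WireGuard or stunnel projects: it classifies a UDP payload by WireGuard's 4-byte header (a message-type byte followed by three reserved zero bytes) plus the fixed handshake lengths from the published protocol, and contrasts that with a generic TLS record-header check that matches an stunnel session and an ordinary browser session equally. The sample payloads are constructed inline and are not real captures.

```python
"""
Added example: on-wire classification of WireGuard vs TLS-framed (stunnel) traffic.
Type codes and lengths follow the published WireGuard protocol; sample packets below
are constructed for the example and are not captured traffic.
"""

# WireGuard message type byte -> (name, fixed total length or None if variable)
WG_TYPES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
    4: ("transport_data", None),  # 16-byte header + padded ciphertext + 16-byte tag
}

# TLS record content types seen on the wire (change_cipher_spec .. application_data)
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def classify_wireguard(payload: bytes):
    """Return the WireGuard message name if the UDP payload carries the
    4-byte WireGuard header signature and a protocol-consistent length, else None."""
    if len(payload) < 4:
        return None
    msg_type = payload[0]
    # Bytes 1..3 are reserved and must be zero in every WireGuard message.
    if payload[1:4] != b"\x00\x00\x00":
        return None
    entry = WG_TYPES.get(msg_type)
    if entry is None:
        return None
    name, fixed_len = entry
    if fixed_len is not None:
        return name if len(payload) == fixed_len else None
    # Transport data: plaintext is padded to a multiple of 16, then a 16-byte AEAD
    # tag is appended, so total length is 32 + 16k (32 bytes is a keepalive).
    if len(payload) >= 32 and (len(payload) - 32) % 16 == 0:
        return name
    return None


def looks_like_tls_record(payload: bytes) -> bool:
    """True if the first 5 bytes form a plausible TLS record header.
    This matches stunnel-wrapped traffic and browser HTTPS alike, which is
    why TLS framing alone cannot single out an stunnel session."""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    return (
        content_type in TLS_CONTENT_TYPES
        and major == 0x03
        and minor <= 0x04
        and 0 < record_len <= 16384 + 256  # max plaintext + expansion allowance
    )


def classify_payload(payload: bytes) -> str:
    """Coarse label for a transport payload: 'wireguard:<msg>', 'tls', or 'unknown'."""
    wg = classify_wireguard(payload)
    if wg is not None:
        return f"wireguard:{wg}"
    if looks_like_tls_record(payload):
        return "tls"
    return "unknown"


# Constructed sample payloads (not real captures).
WG_INIT = b"\x01\x00\x00\x00" + bytes(144)        # 148-byte handshake initiation
WG_KEEPALIVE = b"\x04\x00\x00\x00" + bytes(28)    # 32-byte transport keepalive
WG_BAD_LEN = b"\x01\x00\x00\x00" + bytes(100)     # right header, wrong length
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for label, pkt in [("WG_INIT", WG_INIT), ("WG_KEEPALIVE", WG_KEEPALIVE),
                       ("WG_BAD_LEN", WG_BAD_LEN), ("TLS_CLIENT_HELLO", TLS_CLIENT_HELLO)]:
        print(f"{label:17s} -> {classify_payload(pkt)}")
```

The length rules matter as much as the header bytes: a 4-byte prefix alone false-positives on other protocols whose first byte happens to be 1 through 4 with zero padding, so the fixed handshake sizes and the 32 + 16k transport rule are what make the WireGuard match reliable. The TLS check, by contrast, is deliberately loose, because any tighter rule would still describe a browser session just as well as an stunnel one.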