12/10/2021, 9:58 PM
You are absolutely right on WireGuard QR simplicity, but things get a little complicated when you have a large network spread across different data centers on 3 continents and you have to juggle external devices in between. We are looking at netmaker as a way that could simplify the current setup. Today we combine Anycast, WG, BGP, and iptables: Anycast to route the user to the nearest WG server, BGP on the server to route traffic, and iptables to enforce policy. (I left aside data sync and the database, which are similar to your netmaker design.) While pushing the whole route table to each client is definitely a bad idea, I think a netclient implementation for mobile can at least push all internal routes. Plus maybe the benefit of modifying node config remotely without sending a new config, and periodic cycling of the keys.
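The comment above argues for pushing only the internal routes to a client rather than the full table. As an added illustration (not code from netmaker or from the commenter), the script below takes a constructed set of prefixes, as a BGP speaker on a WG server might hold them, keeps only those inside operator-defined internal scopes (assumed here to be the RFC 1918 ranges), collapses adjacent prefixes, and emits the resulting WireGuard `AllowedIPs` line. The route list, scope list and function names are all assumptions for the example.

```python
"""Added example: derive a minimal WireGuard AllowedIPs list that carries only
internal routes instead of a whole route table.  Not part of netmaker or the
original post; the routes and scopes below are constructed for illustration."""
import ipaddress

# Constructed sample of prefixes a WG server might have learned via BGP.
SAMPLE_ROUTES = [
    "10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/23",    # dc-eu (assumed)
    "10.20.0.0/16",                                    # dc-us (assumed)
    "192.168.50.0/24", "192.168.51.0/24",              # dc-ap lab (assumed)
    "203.0.113.0/24", "198.51.100.0/24", "0.0.0.0/0",  # external/default: never pushed
]

# Assumption: "internal" means the RFC 1918 ranges.  Adjust to the real address plan.
INTERNAL_SCOPES = [ipaddress.ip_network(p)
                   for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(prefix, scopes=INTERNAL_SCOPES):
    """True if the prefix lies entirely within one of the internal scopes.
    A default route or a public prefix never qualifies."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == s.version and net.subnet_of(s) for s in scopes)


def internal_allowed_ips(routes, scopes=INTERNAL_SCOPES):
    """Filter to internal IPv4 prefixes and collapse neighbours into the fewest
    supernets, so the client receives a small, least-privilege AllowedIPs set."""
    internal = [ipaddress.ip_network(r, strict=False)
                for r in routes if is_internal(r, scopes)]
    internal = [n for n in internal if n.version == 4]
    return [str(n) for n in ipaddress.collapse_addresses(internal)]


def allowed_ips_line(routes, scopes=INTERNAL_SCOPES):
    """Render the line as it would appear in a [Peer] section."""
    return "AllowedIPs = " + ", ".join(internal_allowed_ips(routes, scopes))


if __name__ == "__main__":
    print(allowed_ips_line(SAMPLE_ROUTES))
```

On the sample data the three `10.10.x` prefixes fold into `10.10.0.0/22` and the two lab subnets into `192.168.50.0/23`, while the public prefixes and the default route are dropped; a client that received this line could reach internal services without its whole-internet traffic being redirected through the tunnel.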