I found WireGuard to actually be especially frustrating, because it doesn't really log anything. If you do a single configuration misstep the packets just won't flow. Then good luck figuring out whether it's the authentication that's wrong (or any of the cert checks in the chain), rounting, MTU, firewall or anything inbetween.
It's kinda horrible. Not that IPsec is any better. OpenVPN at least yells something at you.
I'm wondering whether one can get these notifications through netlink. Not having any way to get the kinds of feedback you're mentioning from a stateful thing is horrible user experience. It doesn't need to cover the firewall part, mtu rejects, etc. Because if it's actually modular, you're supposed to be able use the usual tools (/proc/net and /sys/net for stats and netlink for firewall logs?), hopefully they're usable...
It's kinda horrible. Not that IPsec is any better. OpenVPN at least yells something at you.