Replace OpenVPN with Wireguard

[majst01]

/area robustness
/kind enhancement

/label teamsize/small

Problem Statement: The Gardener VPN implementation between control and data plane currently uses OpenVPN, which is a well-established but somewhat old solution for VPNs. Wireguard is a relatively new, but well-liked contender in the VPN space. It could be possible to replace OpenVPN with Wireguard. As we do not want to spin up a load balancer per control plane (or use one port per control plane) a reverse proxy like mwgp is required.

See: https://gardener.cloud/community/hackathons/2025-06/#%E2%9A%A1%EF%B8%8F-replace-openvpn-with-wireguard

This was started one year ago and should tried to finished in this hackathon.

[majst01]

Current State

We can now create multiple shoots. Istio Ingress can be scaled to more than one replica and the wpex sidecar, which acts as a wireguard-multiplexer will know to which vpn-seed-server a incomming connection must be forwarded. This is done in a way that with the first packet, all configured vpn-seed-servers will get this packet and will either answer or just silently ignore it if the publickey does not match.
NetworkPolicies are managed with appropriate labels on the istio-ingress and the vpn-seed-server.

The following Branches are in use:

• gardener: https://github.com/gardener/gardener/compare/master...metal-stack:gardener:wireguard-3?expand=1
• vpn2: https://github.com/gardener/vpn2/compare/master...metal-stack:vpn2:wireguard-2?expand=1
• wpex: https://github.com/weiiwang01/wpex/compare/main...majst01:wpex:go-1.26?expand=1

[ScheererJ]

We found and fixed gardener/gardener#14776 along the way.