Is he on static IP?
I updated my comment above to note that I use my VPN for connectivity between hosts only, but across the Internet. So I can connect to any host in the VPN from anywhere in the world, but all of the hosts still send all of their other traffic via the same interface that they would if they were not part of the VPN.
So when he browses the Internet, his traffic is routed by his ISP directly and the VPN is not involved, and the same goes for my own computers and other devices.
doas pkg install wireguard
I set up WireGuard server on the FreeBSD VPS with /usr/local/etc/wireguard/wg0.conf that looks like the following:
[Interface]
Address = 10.42.42.1/24, fc42:4242:4242:4242::1/64
PrivateKey = nbCsCf5Dq48ZCnCgziYoDN/E65XDVQOz7pIXGbD4Lwg=
ListenPort = 443
# iPhone X
[Peer]
PublicKey = CyHJgqaKgejt0qzHqAnFFAUJV/eNKeWoxrYNPsKQif0=
AllowedIPs = 10.42.42.3/32, fc42:4242:4242:4242::3/128
# stuegris
[Peer]
PublicKey = j2W3ocwBIYhv/fpk8T9dIh2qPWe7TfJmOprDrqu+cFU=
AllowedIPs = 10.42.42.4/32, fc42:4242:4242:4242::4/128
# nova
[Peer]
PublicKey = 3mn/IobmsopC2UrqXyIQfBoH9reWZnHiJvTk/yoFWXY=
AllowedIPs = 10.42.42.7/32, fc42:4242:4242:4242::7/128
# schumberry
[Peer]
PublicKey = 0o4aWdhGYya/FZz0jwQhTFztdwX7tmHdoyxlbjbg3D4=
AllowedIPs = 10.42.42.10/32, fc42:4242:4242:4242::10/128
To generate the public and private keys I used
wg genkey | tee server.private | wg pubkey > server.public
wg genkey | tee iphone.private | wg pubkey > iphone.public
wg genkey | tee stuegris.private | wg pubkey > stuegris.public
wg genkey | tee nova.private | wg pubkey > nova.public
wg genkey | tee schumberry.private | wg pubkey > schumberry.public
And then I printed the values of each of the files to the terminal simply by cat'ing them to the terminal and copying the values into the respective places. For the server, only the private key is used in the config, and the server config likewise contains only the public keys for the clients. For each of the clients, as we will see below, the config contains the private key of the client in question and the public key of the server. The names "server.private", "server.public", "iphone.private", "iphone.public", "stuegris.private", "stuegris.public", etc. just correspond to the different hosts and devices. Likewise I have comments in the config file corresponding to which host or device each entry is for.
All of these files "server.private", "server.public", "iphone.private", "iphone.public", and so on are just temporary. After you've created the config files for the server (above) and the clients (below) you can delete these files.
In /etc/rc.conf on the same FreeBSD server I have added
wireguard_enable="YES"
wireguard_interfaces="wg0"
If your server is running Linux then the setup will be different in terms of how to enable the service. For example if your server is running a distro that uses systemd, then you'd typically create a WireGuard config similar to mine but place it at /etc/wireguard/wg0.conf and then you'd run sudo systemctl enable --now wg-quick@wg0
On each of the clients I have corresponding configurations. Here is what the configuration of the WireGuard client for my MacBook Pro M1 looks like:
[Interface]
PrivateKey = 97l4pAqRXZasXU2k5S8BNp7yTa6ZyAWyNVtF3wqTpds=
Address = 10.42.42.7/32, fc42:4242:4242:4242::7/128
[Peer]
PublicKey = B+nP9X0dij38FpF5/lbXe53ua7nl0fk7YMUxuTuKi20=
AllowedIPs = 10.42.42.0/24, fc42:4242:4242:4242::/64
Endpoint = wg.example.com:443
PersistentKeepalive = 25
Here is what the configuration file /etc/wireguard/wg0.conf of the WireGuard client on my Linux desktop looks like:
[Interface]
PrivateKey = sj5p3T3TdVfD567++cyyv3ChSnkzIuQlHLNgzLEPXpE=
Address = 10.42.42.10/32, fc42:4242:4242:4242::10/128
[Peer]
PublicKey = B+nP9X0dij38FpF5/lbXe53ua7nl0fk7YMUxuTuKi20=
AllowedIPs = 10.42.42.0/24, fc42:4242:4242:4242::/64
Endpoint = wg.example.com:443
PersistentKeepalive = 25
And I do similarly for the other client hosts and devices. Obviously I've replaced all of the PrivateKey and PublicKey values with other values here. Other than that this is exactly what the setup is like.
Likewise, where it says "wg.example.com:443" you put the actual DNS name and UDP port (still UDP port 443 if you follow my setup) of the host that runs WireGuard server. Alternatively you could put an IP address instead of a DNS name. But in either case it needs to resolve to a static IP address, and the UDP port needs to be open to incoming traffic from the internet. In many cases you can open ports in your router if you want to host the server on your home computer. But I found it simpler to run my WireGuard server on a VPS for several reasons; VPS can be rebooted remotely, IP address is static, and also I don't need to make any changes to my setup even when moving houses and changing ISP because the server is not running from my home but from a VPS provider.
On my MacBook Pro M1 I am using Wireguard with GUI, which has a tray icon. Installed via App Store.
On my grandfather's desktop I am using Wireguard installed via Homebrew with no GUI, and with a custom launchd config file to have it connect and run always and as soon as the computer is booted. I will omit this file for brevity and clarity but can post the contents of that file as well if you would like me to do so.
On iOS I am using the WireGuard app installed via App Store.
On KDE Neon Linux I am using wireguard installed via apt from the default repositories of KDE Neon Linux.
In the above text I have omitted parts of the setup. Let me know if the details that I have included above are sufficient or if you would like to see a full writeup about the whole thing from start to finish. Note however that I do not have time to make a fully detailed writeup about it at present time so in that case it will need to be something that I write at a later point.
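The two properties the setup above relies on are both expressed through AllowedIPs: on the server each peer must get only its own /32 and /128 (that is WireGuard's cryptokey routing), and on the clients AllowedIPs must cover only the VPN subnet, never 0.0.0.0/0 or ::/0, so that ordinary Internet traffic keeps going out via the ISP. This added checker (not the poster's tooling) parses wg0.conf files of that shape, handling the repeated [Peer] sections that a stock INI parser rejects, and flags the misconfigurations that would break either property; the embedded configs are constructed with a placeholder key.

```python
import ipaddress

KEY = "A" * 43 + "="  # placeholder 32-byte base64 value, not a real key; configs mirror the post's
SERVER_CONF = f"""[Interface]
Address = 10.42.42.1/24, fc42:4242:4242:4242::1/64
# schumberry
[Peer]
PublicKey = {KEY}
AllowedIPs = 10.42.42.10/32, fc42:4242:4242:4242::10/128
"""
CLIENT_CONF = f"""[Interface]
Address = 10.42.42.10/32, fc42:4242:4242:4242::10/128
[Peer]
PublicKey = {KEY}
AllowedIPs = 10.42.42.0/24, fc42:4242:4242:4242::/64
"""

def parse_wg(text):  # wg-quick INI -> ([Interface] dict, list of [Peer] dicts); [Peer] repeats
    iface, peers, cur = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the per-peer name comments
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            peers.append(cur := {})
        elif line:
            key, _, value = line.partition("=")  # first '=' only: base64 keys end in '='
            cur[key.strip()] = value.strip()
    return iface, peers

def nets(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]

def check_server(text):  # cryptokey routing: each peer gets only host routes inside the server's ranges
    iface, peers = parse_wg(text)
    subnets, problems = nets(iface.get("Address", "")), []
    for n in (n for p in peers for n in nets(p.get("AllowedIPs", ""))):
        if n.prefixlen != n.max_prefixlen:
            problems.append(f"{n} is not a single-host route")
        elif not any(n.subnet_of(s) for s in subnets if s.version == n.version):
            problems.append(f"{n} is outside the server's Address ranges")
    return problems

def check_client(text):  # split tunnel: no default route in AllowedIPs, own Address inside it
    iface, peers = parse_wg(text)
    allowed = [n for p in peers for n in nets(p.get("AllowedIPs", ""))]
    problems = [f"{n} would send all traffic through the VPN" for n in allowed if n.prefixlen == 0]
    for a in nets(iface.get("Address", "")):
        if not any(a.subnet_of(n) for n in allowed if n.version == a.version):
            problems.append(f"own address {a} is not covered by AllowedIPs")
    return problems
```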
Alternatively, if @codetrotter needs to do the connecting, you can also set up WireGuard to use a DNS name, which could be dynamic.
On the VPN side, it would be a static IP though…