Wireguard gateway setup

WireGuard securely encapsulates IP packets over UDP. You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it. It's that easy. Compared to OpenVPN, IPsec, or even tinc, this is by far the easiest to configure.


Adapted from a mail conversation
So in this particular setup we have a listening server and a client. The client tunnels all IP traffic (wildcard 0.0.0.0/0) through the WireGuard interface. The server only accepts connections from one peer IP (and, in addition, checks that the peer's key is valid).

Generate public and private keys for client and server

The following commands create a private key and its corresponding public key. Run them for both the server and your client.

        # umask 077: the key files are created readable only by their owner
        umask 077
        wg genkey | tee private.key | wg pubkey > public.key

My configuration files are as follows:

A server with a virtual IP 172.16.16.1 (you can use any local LAN IP) is listening on port 51820. Right now, it only accepts connections from one peer (172.16.16.2). Traffic from other peers, or from peers with invalid keys, is dropped. The server config is as follows:

        [Interface]
        Address = 172.16.16.1/24
        ListenPort = 51820
        PrivateKey = xxxxxxxx

        [Peer]
        PublicKey = xxxxxxxxxxxxxx
        AllowedIPs = 172.16.16.2/32

On the client side, we have a client with virtual IP 172.16.16.2. For the peer, AllowedIPs is set to the wildcard 0.0.0.0/0, and the endpoint is our server. All traffic is sent through this tunnel (except, possibly, LAN traffic).

        [Interface]
        Address = 172.16.16.2/32
        PrivateKey = xxxxxxxxx
        DNS = 8.8.8.8

        [Peer]
        PublicKey = xxxxxxxxxxxxxx
        Endpoint = 1.2.3.4:51820
        AllowedIPs = 0.0.0.0/0
        PersistentKeepalive = 21

Running

You can start and stop your client/server with the wg-quick tool (if you build WireGuard yourself, remember to build this tool as well):

        wg-quick up wg0.conf
        wg-quick down wg0.conf
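The whole procedure above (key generation, the two configuration files and the umask 077 permission hygiene) as one POSIX shell script. This is an added example, not part of the original notes or of the WireGuard project: it renders the same server and client configs shown above, refuses the xxxxxxxx placeholders, and writes the files so that only their owner can read them, which is what you want for anything containing a PrivateKey. Two things in it are assumptions the notes do not cover: the PostUp/PostDown lines, which make the server an actual gateway for the client's 0.0.0.0/0 traffic (forwarding and NAT on an uplink assumed to be eth0; the server also needs net.ipv4.ip_forward=1), and the constructed sample key, which only exists to exercise the format check.

```shell
#!/bin/sh
# Added example, not from the original notes: render, write and check the
# server/client wg0.conf files described above.
set -eu

# A WireGuard key is 32 bytes, base64-encoded: 43 base64 characters plus '='.
# This rejects the "xxxxxxxx" placeholders left in the sample configs.
check_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Constructed key with the right shape, used only to demonstrate check_key.
# It is not a real key; generate yours with gen_keypair below.
CONSTRUCTED_KEY='0123456789012345678901234567890123456789abc='

# Generate a keypair with wg, exactly as the notes do. Prints "private public".
gen_keypair() {
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    printf '%s %s\n' "$priv" "$pub"
}

# Server side: accept exactly one peer. The PostUp/PostDown lines are an
# assumption not present in the notes' config: they forward and masquerade
# the peer's traffic out of the uplink (eth0 by default) so that the client's
# 0.0.0.0/0 route actually reaches the Internet.
render_server_conf() {
    srv_priv=$1 cli_pub=$2 uplink=${3:-eth0}
    check_key "$srv_priv" && check_key "$cli_pub" || return 1
    printf '%s\n' \
        '[Interface]' \
        'Address = 172.16.16.1/24' \
        'ListenPort = 51820' \
        "PrivateKey = $srv_priv" \
        "PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $uplink -j MASQUERADE" \
        "PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $uplink -j MASQUERADE" \
        '' \
        '[Peer]' \
        "PublicKey = $cli_pub" \
        'AllowedIPs = 172.16.16.2/32'
}

# Client side: route everything through the tunnel, as in the notes.
render_client_conf() {
    cli_priv=$1 srv_pub=$2 endpoint=$3
    check_key "$cli_priv" && check_key "$srv_pub" || return 1
    printf '%s\n' \
        '[Interface]' \
        'Address = 172.16.16.2/32' \
        "PrivateKey = $cli_priv" \
        'DNS = 8.8.8.8' \
        '' \
        '[Peer]' \
        "PublicKey = $srv_pub" \
        "Endpoint = $endpoint:51820" \
        'AllowedIPs = 0.0.0.0/0' \
        'PersistentKeepalive = 21'
}

# Write a config from stdin under umask 077 (owner-only, like the key files)
# and print the resulting mode string so the caller can verify it.
write_conf() {
    path=$1
    ( umask 077; cat > "$path" )
    ls -ld "$path" | cut -c1-10
}

# Final check before wg-quick up: every Key line holds a well-formed key.
check_conf() {
    sed -nE 's/^(PrivateKey|PublicKey) = //p' "$1" | while read -r k; do
        check_key "$k" || exit 1
    done
}

# Stand-alone run (only when wg is installed): generate both keypairs and
# write the two files into ./out, the step the notes do by hand.
if command -v wg >/dev/null 2>&1; then
    mkdir -p out
    set -- $(gen_keypair); srv_priv=$1 srv_pub=$2
    set -- $(gen_keypair); cli_priv=$1 cli_pub=$2
    render_server_conf "$srv_priv" "$cli_pub" | write_conf out/server-wg0.conf
    render_client_conf "$cli_priv" "$srv_pub" 1.2.3.4 | write_conf out/client-wg0.conf
    check_conf out/server-wg0.conf && check_conf out/client-wg0.conf
fi
```

Copy out/server-wg0.conf to /etc/wireguard/wg0.conf on the server and out/client-wg0.conf to the same path on the client, replace the 1.2.3.4 endpoint with the server's real address, then run wg-quick up wg0 on each side. Because the private key lives inside wg0.conf, the owner-only mode that write_conf verifies is the property to keep when you copy the file around.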