WireGuard

umask 077
wg genkey | tee key_server_private.key | wg pubkey > key_server_public.key
wg genkey | tee key_client_private.key | wg pubkey > key_client_public.key

File /etc/wireguard/wg0.conf (here and in the client file, replace each <key_...key> placeholder with the contents of the key file of that name):

[Interface]
Address = 192.168.99.1/24
ListenPort = 51820
PrivateKey = <key_server_private.key>
SaveConfig = false

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#Client
PublicKey = <key_client_public.key>
AllowedIPs = 192.168.99.2/32

File /etc/wireguard/client_wg0.conf:

[Interface]
Address = 192.168.99.2/24
DNS = 8.8.8.8,8.8.4.4
PrivateKey = <key_client_private.key>

[Peer]
Endpoint = SERVER_HOSTNAME:51820
PublicKey = <key_server_public.key>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Last steps:

sudo wg-quick up wg0
sudo wg
sudo systemctl enable wg-quick@wg0

Generate a QR code for the mobile client:

qrencode -t ansiutf8 -l L < /etc/wireguard/client_wg0.conf
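As an added example (not part of the original page), a small POSIX sh helper that fills the <key_...key> placeholders of the config files above from the key files "wg genkey" produced, refusing to proceed if a private key file is readable by group or others; the function names and the template/output paths are my own choice.

```sh
#!/bin/sh
# Added example, not from the original page: fill in the <key_*.key>
# placeholders of the wg0.conf templates above from the key files that
# "wg genkey" produced, refusing to touch a private key that is readable
# by group or others (the umask 077 above is meant to prevent exactly that).
set -eu

# check_key_perms FILE: succeed only if FILE has no group/other permission bits.
check_key_perms() {
    # Characters 5-10 of "ls -l" output are the group/other bits, "------" for 0600.
    mode=$(ls -ld "$1" | cut -c5-10)
    case $mode in
        ------) return 0 ;;
        *) echo "refusing: $1 is readable by others (mode $mode)" >&2; return 1 ;;
    esac
}

# render_wg_conf TEMPLATE OUTPUT KEYFILE...: copy TEMPLATE to OUTPUT (created
# with umask 077) and replace every "<basename>" placeholder with the key
# file's contents. Returns 1 if a private key is exposed or a placeholder
# remains unresolved.
render_wg_conf() {
    template=$1; out=$2; shift 2
    umask 077
    cp "$template" "$out"
    for key in "$@"; do
        name=$(basename "$key")
        case $name in
            *private*) check_key_perms "$key" || return 1 ;;
        esac
        val=$(cat "$key")
        # Keys are base64 ([A-Za-z0-9+/=]), so '|' is a safe sed delimiter
        # and neither '&' nor a newline can appear in the replacement text.
        sed "s|<$name>|$val|g" "$out" > "$out.tmp" && mv "$out.tmp" "$out"
    done
    if grep -q '<key_[a-z_]*\.key>' "$out"; then
        echo "unresolved placeholder left in $out" >&2; return 1
    fi
    return 0
}
```

Call it as render_wg_conf wg0.tmpl /etc/wireguard/wg0.conf key_server_private.key key_client_public.key. The MASQUERADE rules in the server config only carry client traffic when net.ipv4.ip_forward=1 is set as well.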

linux/wireguard.txt · Last modified: 2018/12/24 14:14 by josep