Wireguard

wg
  show { <interface> | all | interfaces } [public-key | private-key | preshared-key | listen-port | peers | endpoints | allowed-ips | latest-handshake | persistent-keepalive | bandwidth]
    # Shows current WireGuard configuration of specified <interface>. If no <interface> is specified, <interface> defaults to all. If interfaces is specified, prints a list of all WireGuard interfaces, one per line, and quit. If no options are given after the interface specification, then prints a list of all attributes in a visually pleasing way meant for the terminal. Otherwise, prints specified information grouped by newlines and tabs, meant to be used in scripts. 
  showconf <interface>
    # Shows the current configuration of <interface> in the format described by CONFIGURATION FILE FORMAT below. 
  set <interface> [listen-port <port>] [private-key <file-path>] [preshared-key <file-path>] [peer <base64-public-key> [remove] [endpoint <ip>:<port>] [persistent-keepalive <interval seconds>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...] ]...
    # Sets configuration values for the specified <interface>. Multiple peers may be specified, and if the remove argument is given for a peer, that peer is removed, not configured. If listen-port is not specified, the port will be automatically generated when the interface comes up. Both private-key and preshared-key must be a files, because command line arguments are not considered private on most systems but if you are using bash(1), you may safely pass in a string by specifying as private-key or preshared-key the expression: <(echo PRIVATEKEYSTRING). If /dev/null is specified as the filename for either private-key or preshared-key, the key is removed from the device. The use of preshared-key is optional, and may be omitted; it adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance. If allowed-ips is specified, but the value is the empty string, all allowed ips are removed from the peer. The use of persistent-keepalive is optional and is by default off; setting it to 0 or "off", disables it. Otherwise it represents, in seconds, between 10 and 3600 inclusive, how often to send an empty UDP packet to the peer, for the purpose of keeping a stateful firewall or NAT mapping valid persistently. For example, if the interface very rarely sends traffic, but it might at anytime receive traffic from a peer, and it is behind NAT, the interface might benefit from having a persistent keepalive interval of 25 seconds. 
  setconf <interface> <configuration-filename>
    # Sets the current configuration of <interface> to the contents of <configuration-filename>, which must be in the format described by CONFIGURATION FILE FORMAT below. 
  addconf <interface> <configuration-filename>
    # Appends the contents of <configuration-filename>, which must be in the format described by CONFIGURATION FILE FORMAT below, to the current configuration of <interface>. 
  genkey
    # Generates a random private key in base64 and prints it to standard output. 
  genpsk
    # Generates a random preshared key in base64 and prints it to standard output. 
  pubkey
    # Calculates a public key and prints it in base64 to standard output from a corresponding private key (generated with genkey) given in base64 on standard input.

    # A private key and a corresponding public key may be generated at once by calling:
        $ umask 077
        $ wg genkey | tee private.key | wg pubkey > public.key 
  help
    Show usage message. 

umask 077  # This makes sure credentials don't leak in a race condition.
wg genkey | tee privatekey | wg pubkey > publickey

[Interface]
Address = 192.168.2.1
PrivateKey = <server's privatekey>
ListenPort = 51820

[Peer]
PublicKey = <client's publickey>
AllowedIPs = 192.168.2.2/32

[Interface]
Address = 192.168.2.2
PrivateKey = <client's privatekey>
ListenPort = 21841

[Peer]
PublicKey = <server's publickey>
Endpoint = <server's ip>:51820
AllowedIPs = 192.168.2.0/24

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

AllowedIPs = 192.168.2.0/24, 192.168.1.0/24

AllowedIPs = 0.0.0.0/0, ::/0

[Interface]
Address = 192.168.2.2
PrivateKey = <client's privatekey>
ListenPort = 21841

[Peer]
PublicKey = <server's publickey>
Endpoint = <server's ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0

sudo chown -R root:root /etc/wireguard/
sudo chmod -R og-rwx /etc/wireguard/*

sudo systemctl enable wg-quick@wg0.service

sudo systemctl start wg-quick@wg0.service
sudo systemctl stop wg-quick@wg0.service

wg-quick up wg0
wg-quick down wg0