===== Wireguard Setup =====

Wireguard sucks but I guess there **might** be some use case some day.

==== Beowulf/Buster Install (backports) ====

<code bash>
# apt-get install linux-headers-`uname -r` wireguard
</code>

==== Chimaera/Bullseye Install ====

<code bash>
# apt-get install wireguard
</code>

==== Other Server Configs ====

Enable IP forwarding:

<code bash>
# sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
# sysctl -p
</code>

Allow traffic between peers (these iptables rules do not survive a reboot; persist them or run them from a PostUp line in wg0.conf):

<code bash>
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -j ACCEPT
</code>

==== Generate a keypair ====

The ''umask 077'' keeps ''privatekey'' readable by root only; the private key never leaves the host, only ''publickey'' is copied to the other side.

<code bash>
# cd /etc/wireguard; umask 077; wg genkey > privatekey; wg pubkey < privatekey > publickey
</code>

==== Server wg0.conf ====

Each peer gets a single /32 in ''AllowedIPs''; an address can only belong to one peer at a time.

<code ini>
[Interface]
PrivateKey = XXX
Address = 10.0.0.1/24
ListenPort = 13301

# My Peer
[Peer]
PublicKey = XXX
AllowedIPs = 10.0.0.5/32
</code>

==== Peer wg0.conf ====

''DNS'' is an ''[Interface]'' option (wg-quick rejects it under ''[Peer]''). ''AllowedIPs = 10.0.0.0/24'' on the peer side routes only the VPN subnet through the tunnel; use ''0.0.0.0/0'' to send all traffic.

<code ini>
[Interface]
Address = 10.0.0.XXX/32
PrivateKey = XXX
DNS = 10.0.0.1

[Peer]
PublicKey = Dnxx1Q9aUU2oJUJZDrxscepw6dcBtsF3V/X72/gyZkQ=
Endpoint = 185.111.188.162:13301
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
</code>

==== Add/Remove clients without killing network ====

Found this answer [[https://serverfault.com/a/1110966|here]] - add the peer to the server's wg0.conf (so the peer will be available after future wg0 resets), then manually update the running interface and routing (without using wg-quick).

Add:

<code bash>
wg set wg0 peer "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=" allowed-ips 10.0.0.##/32
ip -4 route add 10.0.0.##/32 dev wg0
</code>

Remove:

<code bash>
wg set wg0 peer "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=" remove
ip -4 route delete 10.0.0.##/32 dev wg0
</code>

Alternatively, after editing the file, ''wg syncconf wg0 <(wg-quick strip wg0)'' applies the changes to the running interface without tearing it down.
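The config format and the add/remove procedure above are easy to get subtly wrong (a key that is not 32 bytes, ''DNS'' in the wrong section, two peers claiming overlapping addresses). The following script, added here as an example and not part of the original page or the WireGuard project, parses a server-side wg0.conf, reports those problems, and emits the ''wg set'' / ''ip route'' command strings from the procedure above so they can be reviewed before running. The keys and addresses in it are constructed placeholders; ''parse_wg_conf'', ''check_server_conf'', ''peer_stanza'' and ''peer_commands'' are hypothetical helper names.

```python
# Added example (not from the original page or the WireGuard project): parse a
# server-side wg0.conf, sanity-check it, and build the runtime commands from the
# "Add/Remove clients" procedure. All keys below are constructed dummies.
import base64
import ipaddress

KEY_BYTES = 32  # WireGuard keys are 32 bytes -> 44 base64 characters


def parse_wg_conf(text):
    """Return (interface, peers) dicts from INI-style wg-quick config text.
    '#' comments are stripped; keys are kept as written (CamelCase on the page)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            if current is None:
                raise ValueError(f"key outside any section: {line!r}")
            key, _, value = line.partition("=")  # base64 '=' padding stays in value
            current[key.strip()] = value.strip()
    return interface, peers


def valid_key(s):
    """True if s is the base64 encoding of exactly 32 bytes."""
    try:
        return len(base64.b64decode(s, validate=True)) == KEY_BYTES
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def check_server_conf(interface, peers):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    for k in ("PrivateKey", "Address", "ListenPort"):
        if k not in interface:
            problems.append(f"[Interface] missing {k}")
    if "PrivateKey" in interface and not valid_key(interface["PrivateKey"]):
        problems.append("[Interface] PrivateKey is not a 32-byte base64 key")
    owners = {}  # ip_network -> peer index, to catch overlapping AllowedIPs
    for i, p in enumerate(peers, 1):
        if not valid_key(p.get("PublicKey", "")):
            problems.append(f"peer {i}: PublicKey missing or not a 32-byte base64 key")
        for misplaced in ("DNS", "Address", "ListenPort"):
            if misplaced in p:
                problems.append(f"peer {i}: {misplaced} belongs under [Interface]; wg-quick rejects it here")
        cidrs = [c.strip() for c in p.get("AllowedIPs", "").split(",") if c.strip()]
        if not cidrs:
            problems.append(f"peer {i}: no AllowedIPs, so the peer can never exchange traffic")
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen != net.max_prefixlen:
                problems.append(f"peer {i}: AllowedIPs {cidr} is not a single host (page uses a /32 per peer)")
            for other, owner in owners.items():
                if net.overlaps(other):
                    problems.append(f"peer {i}: AllowedIPs {cidr} overlaps peer {owner}'s {other}; "
                                    "an address routes to exactly one peer, so the later entry takes it over")
            owners[net] = i
    return problems


def peer_stanza(public_key, allowed_ips, comment):
    """[Peer] block to append to the server's wg0.conf so the peer survives a wg0 restart."""
    return f"# {comment}\n[Peer]\nPublicKey = {public_key}\nAllowedIPs = {allowed_ips}\n"


def peer_commands(public_key, allowed_ips, action="add", dev="wg0"):
    """Runtime commands from the page's procedure (wg set + ip route), as strings to review."""
    cidrs = [c.strip() for c in allowed_ips.split(",") if c.strip()]
    fam = lambda c: "-4" if ipaddress.ip_network(c, strict=False).version == 4 else "-6"
    if action == "add":
        cmds = [f'wg set {dev} peer "{public_key}" allowed-ips {",".join(cidrs)}']
        cmds += [f"ip {fam(c)} route add {c} dev {dev}" for c in cidrs]
    elif action == "remove":
        cmds = [f'wg set {dev} peer "{public_key}" remove']
        cmds += [f"ip {fam(c)} route delete {c} dev {dev}" for c in cidrs]
    else:
        raise ValueError(f"unknown action {action!r}")
    return cmds


def dummy_key(n):
    """Constructed placeholder key (32 repeated bytes); NOT a real or usable key."""
    return base64.b64encode(bytes([n]) * KEY_BYTES).decode()


# Constructed sample server config mirroring the page's layout.
SAMPLE_CONF = f"""[Interface]
PrivateKey = {dummy_key(1)}
Address = 10.0.0.1/24
ListenPort = 13301

# laptop
[Peer]
PublicKey = {dummy_key(2)}
AllowedIPs = 10.0.0.5/32

# phone
[Peer]
PublicKey = {dummy_key(3)}
AllowedIPs = 10.0.0.6/32
"""

if __name__ == "__main__":
    iface, peers = parse_wg_conf(SAMPLE_CONF)
    print("problems:", check_server_conf(iface, peers) or "none")
    print(peer_stanza(dummy_key(4), "10.0.0.7/32", "tablet"))
    for cmd in peer_commands(dummy_key(4), "10.0.0.7/32"):
        print(cmd)
```

Run it against the real file with ''parse_wg_conf(open("/etc/wireguard/wg0.conf").read())'' before applying a new peer; the overlap check is the one that matters most, because ''wg set ... allowed-ips'' quietly moves an address that already belongs to another peer.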