WireGuard sucks but I guess there might be some use case some day.
Install on Debian/Ubuntu. The kernel headers are only needed when the module is built by DKMS; kernels from 5.6 on ship WireGuard in-tree, so the second form is enough there.
# apt-get install linux-headers-`uname -r` wireguard
# apt-get install wireguard
Enable IP forwarding
# sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
# sysctl -p
Check with: sysctl net.ipv4.ip_forward (should print 1).
Allow traffic between peers. These rules only forward between wg0 peers; giving clients internet access through the server additionally needs a MASQUERADE rule on the server's egress interface. -A appends, so check with iptables -L FORWARD -n that they land ahead of any DROP/REJECT rule, and use -I instead if they do not.
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -j ACCEPT
# cd /etc/wireguard; umask 077; wg genkey > privatekey; wg pubkey < privatekey > publickey
Server /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = XXX
Address = 10.0.0.1/24
ListenPort = 13301

# My Peer
[Peer]
PublicKey = XXX
AllowedIPs = 10.0.0.5/32
Client wg0.conf (for wg-quick). DNS is an [Interface] option, not a [Peer] one; wg-quick rejects the file otherwise. AllowedIPs = 10.0.0.0/24 routes only the tunnel subnet through the VPN (split tunnel); use 0.0.0.0/0 for a full tunnel.
[Interface]
Address = 10.0.0.XXX/32
PrivateKey = XXX
DNS = 10.0.0.1

[Peer]
PublicKey = Dnxx1Q9aUU2oJUJZDrxscepw6dcBtsF3V/X72/gyZkQ=
Endpoint = 185.111.188.162:13301
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
Found this answer here: add the peer to the server's wg0.conf (so the peer survives future wg0 resets), then update the running interface and routing manually (without using wg-quick).
Add a peer to the running interface:
wg set wg0 peer "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=" allowed-ips 10.0.0.##/32
ip -4 route add 10.0.0.##/32 dev wg0

Remove it again:
wg set wg0 peer "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=" remove
ip -4 route delete 10.0.0.##/32 dev wg0

wg set only changes the live interface; without the wg0.conf edit the peer is gone after the next restart.
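The whole add-a-peer procedure above (server [Peer] block, client config, wg set plus ip route) as one script. This is an added example, not part of the original notes. It assumes the server endpoint and public key from the client config above, the 10.0.0.0/24 tunnel subnet, and /etc/wireguard/wg0.conf as the server config path (override with WG_CONF); the function names are my own. It also checks two things the notes do not: that the public key is a well-formed 32-byte base64 key, and that the chosen /32 is not already handed to another peer in wg0.conf.

```shell
#!/bin/sh
# add_peer.sh: helpers for adding a client to the wg0 server in these notes.
# Added example, not from the original notes. Assumed: the server listens on
# 185.111.188.162:13301 with the public key shown in the client config above,
# the tunnel subnet is 10.0.0.0/24, and the server's wg0.conf path is
# /etc/wireguard/wg0.conf (override with WG_CONF).

SERVER_PUB="Dnxx1Q9aUU2oJUJZDrxscepw6dcBtsF3V/X72/gyZkQ="
SERVER_ENDPOINT="185.111.188.162:13301"
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"

# A WireGuard key is 32 bytes of base64: 43 data characters plus one '=',
# and the 43rd character carries only 4 data bits, so it is one of 16 values.
# Catches truncated or hand-edited keys before they go into wg0.conf.
valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Lowest host number in 10.0.0.0/24 not already handed out as a /32 in $1.
# .1 is the server itself, so start at .2.
next_free_host() {
    conf="$1"; n=2
    while [ "$n" -le 254 ]; do
        grep -Eq "^AllowedIPs *= *10\.0\.0\.$n/32" "$conf" || { echo "$n"; return 0; }
        n=$((n + 1))
    done
    return 1
}

# [Peer] block to append to the server's wg0.conf.
# $1 = client public key, $2 = host number, $3 = comment label
server_peer_block() {
    printf '# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = 10.0.0.%s/32\n' "$3" "$1" "$2"
}

# Full client config for wg-quick. DNS is an [Interface] option; putting it
# under [Peer] makes wg-quick reject the file. AllowedIPs = 10.0.0.0/24 only
# routes the tunnel subnet (split tunnel); use 0.0.0.0/0 for a full tunnel.
# $1 = client private key, $2 = host number
client_config() {
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.0.%s/32\nDNS = 10.0.0.1\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 10.0.0.0/24\nPersistentKeepalive = 25\n' \
        "$SERVER_PUB" "$SERVER_ENDPOINT"
}

# Persist the peer in wg0.conf and add it to the running interface, the same
# two steps as the wg set / ip route pair in the notes. Root and wg required.
# $1 = client public key, $2 = comment label; prints the chosen host number.
add_peer() {
    valid_key "$1" || { echo "add_peer: malformed public key" >&2; return 1; }
    host=$(next_free_host "$WG_CONF") || { echo "add_peer: subnet full" >&2; return 1; }
    { printf '\n'; server_peer_block "$1" "$host" "$2"; } >> "$WG_CONF"
    wg set wg0 peer "$1" allowed-ips "10.0.0.$host/32"
    ip -4 route add "10.0.0.$host/32" dev wg0
    echo "$host"
}

# Typical use (as root on the server): generate the client's keys here,
# register the public key, and print the client's config.
#   umask 077; wg genkey > client.key; wg pubkey < client.key > client.pub
#   host=$(add_peer "$(cat client.pub)" laptop)
#   client_config "$(cat client.key)" "$host" > client-wg0.conf
```

Generating the client's private key on the server is convenient but means the server has seen it; for anything beyond a lab, have the client run wg genkey itself and send only client.pub.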