what I've learned:

a wg0.conf will have [interface] and [peer]. interface is self, peer is a peer. obv.

[peer] will have:
  * publickey: the public key for the peer. (duh) that implies that each peer needs a [peer] section.
  * allowed IPs: the _destination_ addresses that the peer in this section can access through you
  * Endpoint: some way for me to point at this peer.

but to allow a connection, you'll have to:
''sudo wg set wg0 peer <public key> allowed-ips 10.8.0.2,10.8.0.100,fd0d:86fa:c3bc::2''

[[https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04|digital ocean tutorial]]

    sudo apt update
    sudo apt install wireguard
    wg genkey | sudo tee /etc/wireguard/private.key
    sudo chmod go= /etc/wireguard/private.key
    sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

*pick* IP addresses. manually. :(

    sudo nano /etc/wireguard/wg0.conf

or vim or whatvever. Sample:
    [Interface]
    PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
    Address = 10.8.0.2/24
    Address = fd0d:86fa:c3bc::2/64
    
    [Peer]
    PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
    AllowedIPs = 10.8.0.0/24, fd0d:86fa:c3bc::/64
    Endpoint = 45.55.54.196:51820

notice: allowed IPs is a comma-separated list. AND, because it's masked, it's a range.

now, jump over to the server. sample:

    sudo wg set wg0 peer PeURxj4Q75RaVhBKkRTpNsBPiPSGb5oQijgJsTa29hg= allowed-ips 10.8.0.2,fd24:609a:6c18::2

notice: not a range.

now back to the peer.

    sudo apt install resolvconf
    sudo wg-quick up wg0

check status on both with `sudo wg`

note: since you're routing everything over the "center" of your "wheel", the "spokes" can find each other through it. So most of the time, you only ever need 1 peer. (I suspect android doesn't work correctly with this, yet again: PHOOOOONES!)