what I've learned:

a wg0.conf will have [interface] and [peer]. interface is self, peer is a peer. obv.

[peer] will have:

but to allow a connection, you'll have to: sudo wg set wg0 peer <public key> allowed-ips 10.8.0.2,10.8.0.100,fd0d:86fa:c3bc::2

digital ocean tutorial

  sudo apt update
  sudo apt install wireguard
  wg genkey | sudo tee /etc/wireguard/private.key
  sudo chmod go= /etc/wireguard/private.key
  sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

*pick* IP addresses. manually. :(

  sudo nano /etc/wireguard/wg0.conf

or vim or whatever. Sample:

  [Interface]
  PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
  Address = 10.8.0.2/24
  Address = fd0d:86fa:c3bc::2/64
  
  [Peer]
  PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
  AllowedIPs = 10.8.0.0/24, fd0d:86fa:c3bc::/64
  Endpoint = 45.55.54.196:51820

notice: AllowedIPs is a comma-separated list. AND, because each entry carries a mask (/24, /64), it's a range.

now, jump over to the server. sample:

  sudo wg set wg0 peer PeURxj4Q75RaVhBKkRTpNsBPiPSGb5oQijgJsTa29hg= allowed-ips 10.8.0.2,fd24:609a:6c18::2

notice: not a range.

now back to the peer.

  sudo apt install resolvconf
  sudo wg-quick up wg0

check status on both with `sudo wg`

note: since you're routing everything over the "center" of your "wheel", the "spokes" can find each other through it. So most of the time, you only ever need 1 peer. (I suspect android doesn't work correctly with this, yet again: PHOOOOONES!)
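
Added example (not from the tutorial, not part of the original notes): a Python check of the allowed-ips point above, i.e. the hub's `allowed-ips` for a spoke should be the spoke's own `Address` values as single addresses, not a range. `SPOKE_CONF`, `HUB_ALLOWED_IPS`, `parse_conf` and `check_hub_allowed_ips` are names made up here, and the keys are placeholders. Run on the two samples above, it reports that the IPv6 address in the `wg set` line (fd24:...) is not the one in the spoke's config (fd0d:...).

```python
import ipaddress

# Constructed from the samples in these notes; keys are placeholders.
SPOKE_CONF = """\
[Interface]
PrivateKey = <spoke-private-key>
Address = 10.8.0.2/24
Address = fd0d:86fa:c3bc::2/64

[Peer]
PublicKey = <hub-public-key>
AllowedIPs = 10.8.0.0/24, fd0d:86fa:c3bc::/64
Endpoint = 45.55.54.196:51820
"""
HUB_ALLOWED_IPS = "10.8.0.2,fd24:609a:6c18::2"  # from the `wg set` sample

def parse_conf(text):
    """Return {section: {key: [values]}}; assumes a single [Peer] block."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            items = [v.strip() for v in value.split(",") if v.strip()]
            section.setdefault(key.lower(), []).extend(items)
    return conf

def check_hub_allowed_ips(spoke_conf, hub_allowed_ips):
    """List mismatches between the spoke's Address lines and the hub's allowed-ips."""
    iface = parse_conf(spoke_conf)["interface"]
    addrs = [ipaddress.ip_interface(a).ip for a in iface["address"]]
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in hub_allowed_ips.split(",")]
    problems = []
    for ip in addrs:
        if not any(ip in net for net in nets):
            problems.append(f"{ip}: not in hub allowed-ips, hub drops its packets")
    for net in nets:
        if net.num_addresses > 1:
            problems.append(f"{net}: a range; spoke may use addresses beyond its own")
        elif net.network_address not in addrs:
            problems.append(f"{net}: not an Address of this spoke")
    return problems

if __name__ == "__main__":
    for problem in check_hub_allowed_ips(SPOKE_CONF, HUB_ALLOWED_IPS):
        print(problem)
```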