WireGuard is an open source software and communication protocol which aims to provide a simpler and safer alternative to OpenVPN.
Compared to OpenVPN, both client and server configuration are much simpler, and maintaining a PKI is not required.
Performance-wise, WireGuard is also faster than OpenVPN.

SERVER: Debian 10 (Codename Buster)

As of today WireGuard is not included in the Debian 10 stable repositories, so enabling backports is required to install it (refresh the package lists after adding the repository, otherwise apt-get cannot see the backports package):

$ su -c "echo deb http://deb.debian.org/debian buster-backports main >> /etc/apt/sources.list"
$ sudo apt-get update
$ sudo apt-get -t buster-backports install wireguard

Generate a PUBLIC and PRIVATE key for the server (the umask keeps the private key file readable by root only):

$ cd /etc/wireguard
$ su -c "umask 077; wg genkey > privatekey"
$ su -c "wg pubkey < privatekey > publickey"

Create a configuration file for the server:

$ sudo vi /etc/wireguard/wg0.conf
---
[Interface]
# Server address; a prefix length must be given (/32 for example)
Address = 10.4.0.1/32
ListenPort = 11111
PrivateKey = <server_private_key>
# With SaveConfig enabled, wg-quick rewrites this file (and drops these comments) when the interface goes down
SaveConfig = true

# Used only for clients that forward all their traffic via the WireGuard server;
# forwarding also needs to be enabled on the server (sysctl net.ipv4.ip_forward=1)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <server_physical_interface> -j MASQUERADE
# Removes the rules above when the interface goes down
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <server_physical_interface> -j MASQUERADE

[Peer]
# Client 1
PublicKey = <client_1_public_key>
# Allowed client IP address: <ip_address>/<netmask_CIDR>
AllowedIPs = 10.4.0.2/32

[Peer]
# Client 2
PublicKey = <client_2_public_key>
# Allowed client IP address: <ip_address>/<netmask_CIDR>
AllowedIPs = 10.4.0.3/32
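As an added example (not part of this post), a small Python checker for a server-side wg0.conf like the one above: it parses the repeated [Peer] sections (which configparser cannot do), rejects keys that are still placeholders, and flags AllowedIPs that overlap between peers. The sample config and the keys in it are constructed for the demonstration.

```python
import base64
import ipaddress
# Constructed keys (base64 of 32 fixed bytes); not real WireGuard keys.
KEY_A, KEY_B, KEY_C = (base64.b64encode(c * 32).decode() for c in (b"A", b"B", b"C"))
# Constructed sample: this page's server config with the placeholder keys filled in.
SAMPLE_OK = f"""[Interface]
PrivateKey = {KEY_A}
[Peer]
# Client 1
PublicKey = {KEY_B}
AllowedIPs = 10.4.0.2/32
[Peer]
PublicKey = {KEY_C}
AllowedIPs = 10.4.0.3/32
"""
# Constructed mistake: client 2 is handed the whole subnet, which overlaps client 1.
SAMPLE_OVERLAP = SAMPLE_OK.replace("10.4.0.3/32", "10.4.0.0/24")
def parse_wg_conf(text):
    # wg-quick INI: one [Interface] plus repeated [Peer] sections; '#' starts a comment.
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            sections.append((line.strip("[]").lower(), {}))
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections
def valid_key(value):
    # A WireGuard key is base64 of exactly 32 bytes; a leftover <placeholder> fails here.
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False
def check_server_conf(text):
    # AllowedIPs is the server's cryptokey routing table (what a peer may source and
    # what is routed to it), so overlap between peers lets one claim another's addresses.
    problems, seen, peer_no = [], [], 0
    for name, sec in parse_wg_conf(text):
        peer_no += name == "peer"
        label = f"Peer {peer_no}" if name == "peer" else "Interface"
        if not valid_key(sec.get("PrivateKey", sec.get("PublicKey", ""))):
            problems.append(f"{label}: key missing or malformed")
        for cidr in filter(None, map(str.strip, sec.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            for other_no, other in seen:
                if net.overlaps(other):
                    problems.append(f"{label}: {net} overlaps peer {other_no} ({other})")
            seen.append((peer_no, net))
    return problems
```

Run it against the real file with `check_server_conf(open("/etc/wireguard/wg0.conf").read())` as root; an empty list means no problem was found.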

Enable the WireGuard service at boot:

$ sudo systemctl enable --now wg-quick@wg0

CLIENT: Fedora 33

Install the required packages:

$ sudo dnf install wireguard-tools

Generate a PUBLIC and PRIVATE key for the client (the umask keeps the private key file readable by root only):

$ cd /etc/wireguard
$ su -c "umask 077; wg genkey > privatekey"
$ su -c "wg pubkey < privatekey > publickey"

Create a configuration file for the client:

$ sudo vi /etc/wireguard/wg0.conf
---
[Interface]
PrivateKey = <client_private_key>
# Client IP address (the same one set in the server's AllowedIPs for this peer): <ip_address>/32
Address = 10.4.0.2/32
# DNS server the client should use
DNS = 10.4.0.1

[Peer]
PublicKey = <server_public_key>
# Set of IPs routed through the tunnel; 0.0.0.0/0 sends all traffic via the server
AllowedIPs = 0.0.0.0/0
Endpoint = <server_host>:<port>
# Send a keepalive packet every X seconds (keeps NAT mappings open for a client behind NAT)
PersistentKeepalive = 20

The VPN can be started and stopped using the wg-quick command line tool (root is needed, since it reads /etc/wireguard/wg0.conf):

$ sudo wg-quick up wg0
$ sudo wg-quick down wg0

NOTE

As of today the Network Manager version included in Fedora 33 has some issues which cause DNS to leak.
Known workarounds don’t seem to work for me.

CLIENT: iOS

The WireGuard iOS application can be downloaded from the App Store.
The easiest way to configure the device is to generate the keys and config file locally on a computer, turn the config into a QR code and scan that to load the settings onto the iPhone/iPad.
To convert a client conf file into a QR code run the following command (the QR code embeds the client's private key, so treat it, and any terminal scrollback or screenshot showing it, as a secret):

$ qrencode --read-from=wg0.conf --type=UTF8 --level=M

NOTE

As of today I wasn’t able to use a local DNS in iOS. I had to switch to 8.8.8.8.

CONCLUSION

While setting up WireGuard I encountered a couple of issues, both related to DNS, that I wasn’t able to solve; truth be told, they are both problems in other software that result in WireGuard VPN tunnel misbehaviour.
All that glitters is not gold, but WireGuard is definitely a big step in the right direction.