Wireguard

Wireguard is a modern and secure VPN client. You can learn more at the project's webpage - www.wireguard.com.

Wireguard Server Setup

First you're going to need to create a public/private keypair.

cd /etc/wireguard/
mkdir keys && cd keys
umask 077
wg genkey > server.privatekey
wg pubkey < server.privatekey > server.publickey
At this point, you've generated both a public and a private key for your wireguard server. I run my service from /etc/wireguard/wg44.conf and my configuration looks like this. The first thing you may notice is that the Address = 192.168.44.1/32 is not part of my public subnet. This address should be in the RFC1918 range and not publicly routable. Clients will use this address 192.168.44.1/32 to communicate with the VPN server once the VPN tunnel comes up.

10.0.0.0        -   10.255.255.255  (10/8 prefix)
172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

The ListenPort = 51821 line is the port my server listens on for remote connections. The DNS = 9.9.9.9, 1.1.1.1 line is what pushes DNS servers out to clients; I use Quad9 and CloudFlare. Each [Peer] section is one remote client, identified by its public key, along with the IP that has been assigned to it in AllowedIPs.

[Interface]
Address = 192.168.44.1/32
DNS = 23.190.216.4,10.0.0.1,2602:fa::1
ListenPort = 51821
PrivateKey = [redacted]

[Peer]
PublicKey = oBwuQhCBWAFcBfYGEo/cNCRhVSBKOpJ9gWfYs3LWWUQ=
AllowedIPs = 44.32.91.6/32

[Peer]
PublicKey = SMXDoZE6qmQ4cZdqWWF3Bh8jcFOKZ5Yqg8HgNxNOdlk=
AllowedIPs = 44.32.91.7/32

[Peer]
PublicKey = OIDCENhEguWKBlNZnsdYx2d2uxVtA3gD67qpKsU5ZGc=
AllowedIPs = 44.32.91.8/32

Wireguard Client Setup

Client setup is much like server setup. First you'll need the essentials; these can be installed by running apt-get -y install wireguard wireguard-tools. At this point, you'll want to elevate your permissions with sudo su - (to become root) and then change your working directory with cd /etc/wireguard/. Now you're going to want to generate a public/private keypair for the client (the private key is read from the file you just wrote, not from the server's key):

umask 077
wg genkey > client.privatekey
wg pubkey < client.privatekey > client.publickey

Now that you have these two files created (your client.privatekey and client.publickey), you can create a configuration. In this example, I'm going to name the config n0fuq.conf and create it as /etc/wireguard/n0fuq.conf

[Interface]
PrivateKey = [redacted]
Address = [assigned address space]/32
DNS = 23.190.216.4,10.0.0.1,2602:fa::1

[Peer]
PublicKey = bhz3/33t04SF1k4etwO5JGnXlAsZ8sGxRQTNB/lJ9gw=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 44.32.91.2:51821

Your configuration will look the same (if you're connecting to my VPN server as a client). The PrivateKey = value you can get by reading your previously generated keyfile with cat /etc/wireguard/client.privatekey and copy/pasting the value into /etc/wireguard/n0fuq.conf. The Address = portion will be assigned to you by me.

PLEASE PLEASE PLEASE keep your .privatekey file safe and secure. Do not e-mail it; e-mail is not and never was a safe and secure channel of communication. If you decide to generate your own public/private keypair, you will need to send me the appropriate PublicKey = value (only the public key, never the private one); otherwise I will send you a pre-filled [callsign.conf] configuration file which will be “drag and drop”.

Once your configuration file is in the appropriate folder /etc/wireguard/ you can enable the service with systemctl enable --now wg-quick@[callsign] (the unit name is the config file name without its .conf suffix). At this point, any existing remote connection to your machine is going to drop, because AllowedIPs = 0.0.0.0/0 sends all of its traffic through the tunnel. You should now be able to ping your 44.32.91.# address and SSH/remote connect to your machine with this IP.
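The procedure above, done by hand for each callsign, is easy to get wrong (a pasted public key with a missing character, or an address handed out twice). The helper below is an added example, not from this wiki page or the WireGuard project: it checks that a client's public key is a well-formed 32-byte key, picks the next unused 44.32.91.x address from the server config, and renders both the server-side [Peer] stanza and the client's callsign.conf. It assumes POSIX sh with coreutils base64/wc, reuses the server public key, endpoint and DNS list shown on this page, and the starting host number 3 is an assumption.

```shell
#!/bin/sh
# Hypothetical helper (not the page's own script) for the operator who hands out
# callsign.conf files. Values below are the ones shown on this page.
SERVER_PUBKEY="bhz3/33t04SF1k4etwO5JGnXlAsZ8sGxRQTNB/lJ9gw="
SERVER_ENDPOINT="44.32.91.2:51821"
DNS_LIST="23.190.216.4,10.0.0.1,2602:fa::1"

# Generate a keypair the way the page does: umask 077 keeps the .privatekey root-only.
make_keypair() {
    ( umask 077 && wg genkey > "$1.privatekey" && wg pubkey < "$1.privatekey" > "$1.publickey" )
}

# A WireGuard key is 32 raw bytes, which base64 always encodes as exactly 44 characters.
# Reject anything else before it ends up in wg44.conf.
wg_key_valid() {
    key="$1"
    [ "${#key}" -eq 44 ] || return 1
    bytes=$(( $(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c) ))
    [ "$bytes" -eq 32 ]
}

# First 44.32.91.N (N >= start, assumed 3) whose /32 is not already an AllowedIPs entry
# in the server config file given as $1.
next_free_address() {
    conf="$1"; n="${2:-3}"
    while grep -q "^AllowedIPs = 44.32.91.$n/32" "$conf"; do n=$((n + 1)); done
    echo "44.32.91.$n"
}

# Server-side stanza to append to wg44.conf: exactly one /32 per client.
server_peer_stanza() {
    wg_key_valid "$1" || { echo "refusing malformed public key: $1" >&2; return 1; }
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Client-side callsign.conf: full tunnel (0.0.0.0/0, ::0/0) towards the server endpoint.
# $1 is the client's private key, $2 the address assigned by next_free_address.
client_config() {
    wg_key_valid "$1" || return 1
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\nDNS = %s\n\n' "$1" "$2" "$DNS_LIST"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0,::0/0\nEndpoint = %s\n' \
        "$SERVER_PUBKEY" "$SERVER_ENDPOINT"
}
```

Run client_config with umask 077 in effect and redirect it straight into the callsign.conf you hand over, so the file is never world-readable.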

wireguard.txt · Last modified: by n0fuq