I was a bit disappointed to find that I could only use an IP in the Wireguard config. That means I can't use it for my own system, since my current ISP is unable to provide static IPs and I'm not in a position to change ISPs at the moment. I've been using a dynamic DNS provider for home, but that wouldn't work with Wireguard.
I have a dynamic DNS, and run SME in server-only mode behind a Sophos firewall.
Wireguard on the SME is using the standard settings (current public IP, port 51820).
My firewall is forwarding UDP traffic on port 5182 to port 51820 on the SME server.
When configuring each client, I manually change the server IP and port to use my dynamic DNS name and the configured firewall port.
I set up my iPhone using the QR code, then edited the client (wireguard -> tap the client -> click 'edit') to set the Endpoint to use DNS and my configured firewall port.
I set up my MacBook Air (macOS Ventura) by copying the displayed wireguard client config from server-manager and editing the 'Endpoint' (and optionally the "AllowedIPs"):
#configuration for 192.168.201.10/32 --placeholder-- (as displayed by server-manager, before editing)
[Interface]
PrivateKey = 2GdyJNoWayI'mGivingYouARealPrivateKeycxdKGo=
Address = 192.168.201.10/32
DNS = 192.168.100.2
[Peer]
PublicKey = Zy3b3gQqFakePublicKeyoGL9bE0EtDC/eyP2M4EqkvV4=
AllowedIPs = 0.0.0.0/0
Endpoint = 71.178.192.52:51820
#configuration for 192.168.201.10/32 --placeholder-- (edited: Endpoint now uses the dynamic DNS name and the forwarded firewall port, AllowedIPs limited to the home LAN and selected hosts)
[Interface]
PrivateKey = 2GdyJNoWayI'mGivingYouARealPrivateKeycxdKGo=
Address = 192.168.201.10/32
DNS = 192.168.100.2
[Peer]
PublicKey = Zy3b3gQqFakePublicKeyoGL9bE0EtDC/eyP2M4EqkvV4=
AllowedIPs = 192.168.100.0/24, a.b.c.d/32, w.x.y.z/32
Endpoint = mysmeserver.tld:5182
I have also configured my wireguard clients:
1) with my home Wifi network listed in "Except these SSIDs"
2) with "AllowedIPs" set to my home LAN and selected internet IPs***
3) with "On-Demand" enabled
*** I was recently stuck in a building with no cell service, and whose guest wifi blocked SSL VPN traffic on port 8443. Wireguard worked, so I added my office VPN IPs to "AllowedIPs" and was able to access my home LAN, connect to my office VPN, and still connect to Teams and Zoom (& Netflix...) directly to avoid any latency induced by passing the traffic through my home office.
[edit: remove blank line added to the 'edited config' block]
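The edit the post above describes (swap the Endpoint for the dynamic DNS name and forwarded port, and narrow AllowedIPs to the home LAN plus selected hosts) done as a small script, added here as an example; it is not code from the post or from SME Server. The sample config is the post's placeholder config with its fake keys; mysmeserver.tld, port 5182 and 192.168.100.0/24 are taken from the post, and 203.0.113.10/32 is a constructed documentation address standing in for the post's a.b.c.d office VPN placeholder.

```python
"""Rewrite an exported WireGuard client config for use through a dynamic
DNS name and a forwarded UDP port, with a narrowed AllowedIPs list.
Added example; not code from the forum post or from SME Server."""
import ipaddress
import re

# Constructed sample: the placeholder client config from the post, as the
# server shows it before editing (keys are fake, as in the post).
SAMPLE_CONFIG = """\
#configuration for 192.168.201.10/32 --placeholder--
[Interface]
PrivateKey = 2GdyJNoWayI'mGivingYouARealPrivateKeycxdKGo=
Address = 192.168.201.10/32
DNS = 192.168.100.2
[Peer]
PublicKey = Zy3b3gQqFakePublicKeyoGL9bE0EtDC/eyP2M4EqkvV4=
AllowedIPs = 0.0.0.0/0
Endpoint = 71.178.192.52:51820
"""

# RFC 1123-style hostname: labels of 1-63 chars, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z0-9-]{2,63}$")


def parse_wg_config(text):
    """Parse the INI-like WireGuard format into (preamble_comments,
    [(section_name, [(key, value), ...]), ...]). Comment lines inside a
    section are kept as (None, line) so the output stays close to the input."""
    preamble, sections, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], [])
            sections.append(current)
        elif line.startswith("#"):
            (current[1] if current else preamble).append((None, line))
        elif current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        else:
            key, _, value = line.partition("=")  # split on the first '=' only
            current[1].append((key.strip(), value.strip()))
    return preamble, sections


def render_wg_config(preamble, sections):
    """Serialise what parse_wg_config produced back to WireGuard syntax."""
    out = [line for _, line in preamble]
    for name, entries in sections:
        out.append("[%s]" % name)
        out.extend(v if k is None else "%s = %s" % (k, v) for k, v in entries)
    return "\n".join(out) + "\n"


def get_value(text, section, key):
    """Return the value of `key` in `[section]`, or None if absent."""
    for name, entries in parse_wg_config(text)[1]:
        if name == section:
            for k, v in entries:
                if k == key:
                    return v
    return None


def set_value(sections, section, key, value):
    """Replace `key` in `[section]` in place (append if missing)."""
    for name, entries in sections:
        if name == section:
            for i, (k, _) in enumerate(entries):
                if k == key:
                    entries[i] = (key, value)
                    return
            entries.append((key, value))
            return
    raise KeyError("no [%s] section in config" % section)


def make_endpoint(host, port):
    """Build 'host:port' from a hostname or literal IPv4 address, rejecting
    ports outside 1-65535 (the port the firewall forwards to 51820)."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError("not a hostname or IPv4 address: %r" % host)
    return "%s:%d" % (host, port)


def make_allowed_ips(networks):
    """Validate and normalise a list of CIDRs. strict=True rejects entries
    with host bits set (e.g. 192.168.100.1/24), a common typo."""
    nets = [ipaddress.ip_network(n.strip(), strict=True) for n in networks]
    return ", ".join(str(n) for n in nets)


def is_full_tunnel(allowed_value):
    """True when AllowedIPs contains a default route (0.0.0.0/0 or ::/0)."""
    return any(ipaddress.ip_network(n.strip()).prefixlen == 0
               for n in allowed_value.split(","))


def rewrite_client_config(text, ddns_host, port, allowed_networks=None):
    """Point [Peer] Endpoint at the dynamic DNS name and forwarded port and,
    if given, replace AllowedIPs with a validated split-tunnel list."""
    preamble, sections = parse_wg_config(text)
    set_value(sections, "Peer", "Endpoint", make_endpoint(ddns_host, port))
    if allowed_networks:
        set_value(sections, "Peer", "AllowedIPs", make_allowed_ips(allowed_networks))
    return render_wg_config(preamble, sections)


if __name__ == "__main__":
    # Home LAN from the post plus a constructed office address (203.0.113.10
    # is a documentation address standing in for the post's a.b.c.d).
    print(rewrite_client_config(SAMPLE_CONFIG, "mysmeserver.tld", 5182,
                                ["192.168.100.0/24", "203.0.113.10/32"]))
```

Two checks worth keeping in a script like this: `is_full_tunnel()` tells you whether the config still routes everything (0.0.0.0/0) through home, which is the difference between the two configs in the post, and `strict=True` in `make_allowed_ips()` refuses a CIDR with host bits set, so a slip like 192.168.100.1/24 is caught before it reaches the client. One general WireGuard caveat that matters with a dynamic DNS name: the client resolves the Endpoint hostname when the tunnel is configured and does not re-resolve on its own, so if the home IP changes while a long-lived tunnel is up, the tunnel has to be brought down and up again (a client that starts the tunnel on demand, as the iPhone setup above does, resolves the name afresh each time it activates).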