Server-to-server WireGuard

On both peers, install the WireGuard module and tools:

apt install wireguard

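Create the configuration file at /etc/wireguard/wg0.conf. The backquoted values stand for the output of the command shown; paste the resulting key, not the command itself: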

[Interface]
Address = 192.168.3.1
PrivateKey = `wg genkey`

[Peer]
PublicKey = `wg pubkey < privkey-of-other-peer`
PresharedKey = `wg genpsk`
AllowedIPs = 192.168.3.2

The PresharedKey must be identical across peers. Make sure to share it over a secure channel.
On at least one of the peers, set Endpoint in the [Peer] section to the internet hostname and listening port of the other peer. Set the listening port by adding ListenPort to the [Interface] section.
You will need to set AllowedIPs to the Address of the other peer. You can use another subnet if 192.168.3.0 is already being used.

Turn on the tunnel using:

wg-quick up wg0

See connection information using:

wg show

Try pinging the other peer:

ping 192.168.3.2
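
The configuration step above, as an added shell example (not part of the original page): it generates the keys with restrictive permissions, writes the config file so that it is readable only by its owner, and rejects values that are not well-formed keys, such as a command pasted in place of its output. The function names and file names are assumptions; each peer runs gen_keys itself and only the pubkey file and the preshared key are exchanged.

```sh
#!/bin/sh
# Added example; function names, file names and sample values are assumptions.

# A WireGuard key is 32 bytes in base64: 43 characters followed by '='.
is_wg_key() {
    [ "${#1}" -eq 44 ] && printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# gen_keys DIR: run on each peer. privkey stays local; send pubkey to the other peer.
gen_keys() {
    ( umask 077
      mkdir -p "$1" &&
      wg genkey > "$1/privkey" &&
      wg pubkey < "$1/privkey" > "$1/pubkey" )
}

# gen_psk FILE: run on ONE peer only, then copy FILE to the other over a secure channel.
gen_psk() {
    ( umask 077; wg genpsk > "$1" )
}

# render_conf OUT ADDRESS PRIVKEY PEER_PUBKEY PSK PEER_ADDRESS [LISTEN_PORT] [ENDPOINT]
render_conf() {
    for _key in "$3" "$4" "$5"; do
        is_wg_key "$_key" || { echo "render_conf: malformed key" >&2; return 1; }
    done
    ( umask 077        # new file is created 0600
      rm -f "$1"       # do not inherit looser permissions from an older file
      {
        echo "[Interface]"
        echo "Address = $2"
        echo "PrivateKey = $3"
        [ -z "$7" ] || echo "ListenPort = $7"
        echo
        echo "[Peer]"
        echo "PublicKey = $4"
        echo "PresharedKey = $5"
        echo "AllowedIPs = $6"
        [ -z "$8" ] || echo "Endpoint = $8"
      } > "$1" )
}

# conf_is_private FILE: succeeds only if group and others have no access.
conf_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

Run conf_is_private /etc/wireguard/wg0.conf before wg-quick up wg0; wg-quick itself prints a warning when the file is world accessible.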