wireguard

Check whether the if_wg kernel module is loaded; load it if needed.

kldstat | grep wg
kldload if_wg

start

Create WireGuard interface.

ifconfig wg create name wg0

Apply the config to the new interface.

wg setconf wg0 /usr/local/etc/wireguard/wg0.conf

Sample config from wg(8); replace the example keys and endpoint with your own.

[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
Endpoint = 192.95.5.67:1234
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

Finish configuration.

ifconfig wg0 inet <ip>/<mask> alias # ip/mask from provider
ifconfig wg0 mtu 1420 # optional
ifconfig wg0 up

With the interface up and running, set DNS and routing.

echo "nameserver <dns>" | resolvconf -a wg0 -x # optional, dns from provider
route -q -n add -inet 0.0.0.0/1 -interface wg0
route -q -n add -inet 128.0.0.0/1 -interface wg0
route -q -n delete -inet <peer_endpoint>
route -q -n add -inet <peer_endpoint> -gateway 192.168.0.1
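
The routing step above pins the peer endpoint to a hard-coded gateway (192.168.0.1). As an added example, not part of the original notes, this sh dry-run reads the gateway and endpoint from command output and prints the same four route commands without running them. The function names and the sample `route` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run planner for the routing step. Prints commands, runs none.

# Constructed sample of `route -n get -inet default` output (FreeBSD format).
SAMPLE_ROUTE='   route to: default
destination: default
       mask: default
    gateway: 192.168.0.1
        fib: 0
  interface: em0'

# Constructed peer section reusing the Endpoint from the wg(8) sample config.
SAMPLE_CONF='[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
Endpoint = 192.95.5.67:1234'

# stdin: `route -n get -inet default` output. Prints the gateway, fails if none.
default_gw() {
    awk '$1 == "gateway:" { print $2; found = 1; exit } END { exit !found }'
}

# stdin: a wg config. Prints the first Endpoint host if it is an IPv4 literal;
# hostnames and IPv6 endpoints are rejected rather than guessed at.
endpoint_host() {
    awk -F'[ =:]+' '$1 == "Endpoint" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ \
        { print $2; ok = 1; exit } END { exit !ok }'
}

# $1 = peer endpoint, $2 = physical gateway. Refuses to emit the /1 routes
# unless the endpoint can be pinned outside the tunnel.
route_plan() {
    [ -n "$1" ] && [ -n "$2" ] || { echo "refusing: endpoint or gateway unknown" >&2; return 1; }
    cat <<EOF
route -q -n add -inet 0.0.0.0/1 -interface wg0
route -q -n add -inet 128.0.0.0/1 -interface wg0
route -q -n delete -inet $1
route -q -n add -inet $1 -gateway $2
EOF
}

plan_from_samples() {
    gw=$(printf '%s\n' "$SAMPLE_ROUTE" | default_gw) || return 1
    ep=$(printf '%s\n' "$SAMPLE_CONF" | endpoint_host) || return 1
    route_plan "$ep" "$gw"
}

plan_from_samples
```

On a live host the two inputs would come from `route -n get -inet default` and `wg showconf wg0` in place of the embedded samples.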

Check the tunnel state and the running config.

wg show wg0
wg showconf wg0

stop

To stop WireGuard, destroy the interface and remove its DNS entry and the endpoint route.

ifconfig wg0 destroy
resolvconf -d wg0
route -q -n delete -inet <peer_endpoint>