I did get it to work, but it took a lot of tries caused by my confusion.
I hope this message speeds up others who try to configure WireGuard.
I was trying to connect a Windows 10 computer to an OpenBSD computer.
The problem was the OpenBSD computer was a 20-minute drive away,
and I didn't want to lock myself and others out if I made a mistake,
which I did once and had to make the drive.

1) "ifconfig wg0 debug" is not useful.
2) "ifconfig wg0 -debug" is not documented; admittedly it is easy to guess
its existence, but the other "-" options are documented.
3) The IP address given to wg0 on the server has to be available to the outside
world to allow establishing connections.
    This can be done by giving it an external IP address or using rdr-to in
PF.
4) The IP address of the client interface is what will appear as the source
address of the client, independent of whatever NATing goes on.
5) You can't use the same wgpeer for multiple clients; each one has to be
unique.
6) The wgpeer and wgaip have to be set together; you cannot set them separately.
7) When the packets come in through wg0, the return packet will want to go out
through the default interface.
     To stop that you will need a route command to direct the packets back to
the wg0 interface, and for that you will need the IP addresses involved.
8) To keep your sanity, you want to have a private subnetwork, to be used by
all the clients just for this purpose.
     This allows you to construct the route command and set the wgaip values.
9) If you are connecting subnetworks, you probably want a separate wg interface
for each subnetwork.
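The items above can be turned into a small generator that checks the two constraints before anything is applied (one wgpeer per client, and wgpeer together with wgaip) and then prints the hostname.wg0 lines, the return route and the PF rule. This is an added example, not code from the original post or from OpenBSD; every key, address and port in it is a constructed placeholder, and the pf.conf line assumes the server listens on the host's own external address (the post's rdr-to variant applies when the wg0 address has to be reached through another address).

```shell
#!/bin/sh
# Added example, not code from the original post. Generates an OpenBSD
# /etc/hostname.wg0 fragment, the return route and a PF rule from a peer
# list, after checking the two constraints the post lists: every client
# needs its own wgpeer (item 5) and wgpeer/wgaip are set together (item 6).
# Every key, address and port below is a constructed placeholder.

# Constructed peer list: one "<client-public-key> <client-address>" per line.
PEERS='CLIENT1_PUBKEY_PLACEHOLDER= 10.99.0.2
CLIENT2_PUBKEY_PLACEHOLDER= 10.99.0.3'

# Item 5: each wgpeer key must be unique. Returns 1 and names the duplicates.
check_unique_peers() {
    dups=$(printf '%s\n' "$1" | awk 'NF == 2 { print $1 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate wgpeer: %s\n' "$dups" >&2
        return 1
    fi
}

# Item 6: a line must carry both the key and the address, never only one.
check_peer_pairs() {
    bad=$(printf '%s\n' "$1" | awk 'NF != 0 && NF != 2')
    if [ -n "$bad" ]; then
        printf 'wgpeer without wgaip (or the reverse): %s\n' "$bad" >&2
        return 1
    fi
}

# Emit hostname.wg0 lines. hostname.if(5) passes each line to ifconfig(8),
# so these are the same words you would type at the shell.
#   $1 peer list, $2 server private key, $3 listen port,
#   $4 server address with the private subnet prefix (item 8)
gen_hostname_wg0() {
    check_unique_peers "$1" || return 1
    check_peer_pairs "$1" || return 1
    printf 'wgkey %s wgport %s\n' "$2" "$3"
    # One wgpeer per client, each with a /32 wgaip inside the private subnet.
    printf '%s\n' "$1" | awk 'NF == 2 { printf "wgpeer %s wgaip %s/32\n", $1, $2 }'
    printf 'inet %s\n' "$4"
    printf 'up\n'
}

# Item 7: point the clients' private subnet at wg0 so return packets do not
# leave through the default interface. Using the server's own wg0 address as
# the gateway makes this an interface route; it can also go into hostname.wg0
# as a "!route add ..." line. Harmless if a connected route already covers it.
#   $1 clients' private subnet, $2 server's wg0 address
gen_return_route() {
    printf 'route add -inet %s %s\n' "$1" "$2"
}

# Item 3: the listening port must be reachable from outside. Assumed pf.conf
# line for a server on the external address (no rdr-to needed in that case).
gen_pf_rule() {
    printf 'pass in on egress inet proto udp from any to (egress) port %s\n' "$1"
}

# Stand-alone run: only prints the generated fragments, applies nothing.
main() {
    gen_hostname_wg0 "$PEERS" SERVER_PRIVKEY_PLACEHOLDER= 51820 10.99.0.1/24 || return 1
    gen_return_route 10.99.0.0/24 10.99.0.1
    gen_pf_rule 51820
}

main
```

Run it as-is to see the three fragments; feed a peer list with a repeated key or a key without an address and the generator refuses to print anything, which is the point of doing the checks before touching a box that is a long drive away.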
