For hostname.wg0 or another such file if you've already got a wg0 interface.
wgkey CLIENTPRIVATEKEY
wgpeer SERVERPUBLICKEY wgendpoint 198.51.100.42 4433 wgaip 192.0.2.0/24 wgaip 2001:db8:d0c::/64 wgpka 25 wgpsk PRESHAREDKEY
inet 192.0.2.2/24
inet6 2001:db8:d0c::2/64
up

"wgpka" is equivalent to "PersistentKeepalive", and "wgaip" is similar to "Address" of the WireGuard configuration format. This configuration attempts to route all traffic over the tunnel, though I mostly only use it to handle DNS and SMTP traffic to the server.
Some configure their client to send all traffic through the server:
gemini://perso.pw/blog/articles/openbsd-wireguard-exit.gmi
Another method is to create a custom routing table and only use that for specific commands. Note that the "wgaip" have been modified from the above.
wgkey CLIENTPRIVATEKEY
wgpeer SERVERPUBLICKEY wgendpoint 198.51.100.42 4433 wgaip 0.0.0.0/0 wgaip ::/0 wgpka 25 wgpsk PRESHAREDKEY
inet 192.0.2.2/24
inet6 2001:db8:d0c::2/64
up
!route -T 1 add -inet default 192.0.2.1
!route -T 1 add -inet6 default 2001:db8:d0c::1
To use this rtable, launch the command wrapped by route(8):
$ route -T 1 exec ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=23.512 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 23.512/23.512/23.512/0.000 ms
$ route -T 1 exec ksh
$ id -R
1
$ exit
$ id -R
0
It may be good to check on the server that the traffic is indeed seen on the wg0 interface:
# tcpdump -i wg0 not port 22
tcpdump: listening on wg0, link-type LOOP
22:03:58.065793 client.example.org > dns.google: icmp: echo request
22:03:58.066401 dns.google > client.example.org: icmp: echo reply
...

Be sure to exclude your SSH traffic if you establish the SSH connection over the same WireGuard tunnel!
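
The rtable method needs the widened "wgaip" because WireGuard only sends a packet to a peer whose allowed IPs cover the destination, so a default route in rtable 1 combined with the narrow "wgaip" of the first configuration carries nothing beyond the tunnel subnet. The following check is an added example, not part of the original article: check_wg_rtable is a hypothetical helper name, the input is constructed, and a single peer is assumed.

```sh
#!/bin/sh
# Added example, not the author's code. Reads hostname.wg0-style text from
# a file argument or stdin and reports rtable default routes that the
# peer's allowed IPs (wgaip) do not cover. Assumes a single peer.
check_wg_rtable() {
    awk '
    {   # wgaip may sit on the wgpeer line or on its own, so scan every field
        for (i = 1; i < NF; i++)
            if ($i == "wgaip") aip[$(i + 1)] = 1
    }
    $1 == "!route" {
        tbl = ""; fam = "-inet"; def = 0    # route(8) assumes IPv4 by default
        for (i = 2; i <= NF; i++) {
            if ($i == "-T") tbl = $(i + 1)
            else if ($i == "-inet6") fam = "-inet6"
            else if ($i == "default") def = 1
        }
        if (def && tbl != "") want[fam] = tbl
    }
    END {
        bad = 0
        if (("-inet" in want) && !("0.0.0.0/0" in aip)) {
            print "rtable " want["-inet"] ": IPv4 default via tunnel, no wgaip 0.0.0.0/0"
            bad = 1
        }
        if (("-inet6" in want) && !("::/0" in aip)) {
            print "rtable " want["-inet6"] ": IPv6 default via tunnel, no wgaip ::/0"
            bad = 1
        }
        exit bad
    }' "$@"
}

# Constructed input: the rtable routes kept, but the narrow wgaip of the
# first configuration left in place. Both families are reported.
check_wg_rtable <<'EOF' || echo "widen wgaip or remove the rtable default"
wgkey CLIENTPRIVATEKEY
wgpeer SERVERPUBLICKEY wgaip 192.0.2.0/24 wgaip 2001:db8:d0c::/64
inet 192.0.2.2/24
inet6 2001:db8:d0c::2/64
up
!route -T 1 add -inet default 192.0.2.1
!route -T 1 add -inet6 default 2001:db8:d0c::1
EOF
```

The function exits non-zero when it prints a finding, so it can gate a deployment script before the file is copied into /etc.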