I love Wireguard, but if you want to do this, I think there are only two ways that make sense for most users.
The best option is just to use tailscale, either on your router or on a device on the network that is always on, and set it as an exit node. It uses Wireguard under-the-hood, and it way easier to setup.
If you really must use Wireguard directly, get a router like a GL.iNet with OpenWRT that has a Wireguard server built-in. It'll handle creating certs for users, etc.
Tailscale has some fundamental security assumptions that some people may not like for it to be so reflexively suggested all the time, but also, the last mile of user interface issues plague the whole of cryptography systems.
I used a GL.Inet yellow hockey puck device 8 hours a day for about 6 months in the exact configuration mentioned. Interface and form factor, all are great, but your internet speed will be limited by the CPU. It was woefully under powered for VPN crypto.
As someone who previously led development of a commercial VPN system, I assure you, there are about 100 ways for a VPN to go slower than the network hosting it. Unfortunately.
Two cases I can think of are MTU misconfigurations and constrained CPU on either endpoint, where the node CPU can handle non-VPN network demands but can't handle the VPN demand.
The best option is just to use tailscale, either on your router or on a device on the network that is always on, and set it as an exit node. It uses Wireguard under-the-hood, and it way easier to setup.
If you really must use Wireguard directly, get a router like a GL.iNet with OpenWRT that has a Wireguard server built-in. It'll handle creating certs for users, etc.