Just published a blog after finally making WireGuard work on my ER-X with a private server on AWS. Might be the missing guide for some of you guys as I didn’t find anything like this elsewhere!
Useful EdgeOS tip: If you use dnsmasq as a local DNS cache, you can use the ipset directive to place the IP addresses returned for certain lookups (e.g. Netflix hostnames) into an ipset and then use that in your firewall modify ruleset such that traffic to those IP addresses isn’t sent via the VPN. Useful for those services which ban VPN access.
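The tip above as EdgeOS CLI commands. This is an added example, not part of the original comment. The group name `VPN_BYPASS`, the ruleset name `VPN_ROUTE`, the rule number and the two hostnames are assumptions; it presumes an existing modify ruleset, already applied inbound on the LAN interface, whose later rule sends traffic to the VPN routing table.

```vyatta
configure

# An EdgeOS address-group is backed by an ipset of the same name.
# dnsmasq adds addresses to it at lookup time, so it starts empty.
set firewall group address-group VPN_BYPASS description "Filled by dnsmasq ipset directive"

# dnsmasq syntax: ipset=/<domain>[/<domain>...]/<ipset-name>
# Every A record answered for these domains (and their subdomains)
# is added to VPN_BYPASS. Hostnames are examples only.
set service dns forwarding options ipset=/netflix.com/nflxvideo.net/VPN_BYPASS

# Rule 10 must be numbered lower than the rule that selects the VPN
# table, so matching destinations are routed via the main table first.
set firewall modify VPN_ROUTE rule 10 description "Bypass VPN for dnsmasq-learned addresses"
set firewall modify VPN_ROUTE rule 10 destination group address-group VPN_BYPASS
set firewall modify VPN_ROUTE rule 10 action modify
set firewall modify VPN_ROUTE rule 10 modify table main

commit
save
exit

# Verify after a client has resolved one of the hostnames:
#   sudo ipset list VPN_BYPASS
# Caveats:
#  - Only lookups answered by the router's dnsmasq populate the set.
#    Clients using DoH/DoT or a hard-coded resolver never hit the rule.
#  - Bypassed flows leave via the WAN uplink in the clear, so keep the
#    domain list short and review it like any other firewall exception.
```

The set is populated per lookup, so a connection opened before the first DNS query through the router still follows the VPN route until the client resolves the name again.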
Useful VPS tip: If you’re on a slower connection you can always set up your WireGuard server on an Oracle Cloud Infrastructure ‘Always Free’ instance. Speed is capped at 48 Mbit/s but bandwidth is effectively unlimited.
I have a similar setup, but with DigitalOcean instead of AWS. And I use Docker (https://hub.docker.com/r/linuxserver/wireguard) in the VPS. Plus, you can add a DNS server with ad filtering (Pi-hole) and handle DNS filtering needs.