Prepare an X.509 keypair for both the server and the client, with a CA certificate able to authenticate both peers. For example, with zeasypki (http://www.git.stargrave.org/?p=zeasypki.git;a=blob;f=README):

    $ zeasypki ca eddsa udpobfs-ca
    $ zeasypki new ee/eddsa/udpobfs-ca/server-name
    $ zeasypki new ee/eddsa/udpobfs-ca/client
    $ zeasypki keypair ee/eddsa/udpobfs-ca/server-name > server.pem
    $ zeasypki keypair ee/eddsa/udpobfs-ca/client > client.pem
    $ cp ca/eddsa/udpobfs-ca/cer.pem ca.pem
    $ zeasypki dane ee/eddsa/udpobfs-ca/server-name > server.hash

Assume that WireGuard was running peered with [2001:db8::dc]:1194. Run udpobfs instances to obfuscate traffic between them:

    wg0# wg set endpoint [::1]:4911
    wg0# udpobfs-init -bind [::1]:4911 -dst [2001:db8::ac]:1194 \
             -ca ca.pem -keypair client.pem -name server-name -hash `cat server.hash`

    wg1# wg set listen-port 21194
    wg1# udpobfs-resp -bind [2001:db8::ac]:1194 -dst [::1]:21194 \
             -ca ca.pem -keypair server.pem