How to allow wg-quick to be invoked by a user in sudoers?

Mostly, I don't have a problem with tweaking the sudoers file, and I tried to read the manual carefully. But the WireGuard thing (and, I suspect, OpenVPN would've behaved much the same way) apparently involves spawning some other processes, which, somehow, sudo doesn't cover. I change my VPN connections 3 or 5 times a day (for various reasons), and it is a vast inconvenience to log into root and run the commands from there each time.

Could anyone write down a set of specific instructions I must add via visudo, such that a particular user only, say user 1001, could run the wg-quick program only (and, perhaps, a small set of other programs which WireGuard starts itself)? And also allow this without a password? The "without a password" thing is straightforward, of course - it's one keyword, but what I might not understand well is how to combine it correctly with the set of programs wg-quick runs or requires... or whatever else it does that makes it more difficult than usual to tweak this to my liking.

I'm also not worried much about the security of my keys. User 1001 has very limited internet access, restricted by pf. Programs such as browsers I would only run under separate users, and they have a lot less access to the filesystem in general: they cannot read my home dir at all, let alone /etc/wireguard. I think this makes my keys relatively safe from being leaked to the outside world by some software that is as sneaky as browsers are these days. In any case, the permissions for /etc/wireguard, as well as all files in it, are set such that only root:wheel is allowed to read or write there.

It's just that not being too familiar with the intricacies of "sudo" makes it rather hard to detect a small mistake, which, in turn, leaves the added rule either invalid or simply not applicable.

As always, I would appreciate the never-disappointing advice on this forum.
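As an added example, not part of the post or of any reply in the thread, here is a least-privilege sudoers rule of the kind the question asks for. The login name alice (standing in for uid 1001), the interface names wg0 and wg1, and the wg-quick path are assumptions for a FreeBSD host with the wireguard-tools package; adjust them to your system.

```sudoers
# /usr/local/etc/sudoers.d/wg-quick   (assumed FreeBSD sudo package layout;
# on Linux the directory is /etc/sudoers.d/). Always edit with
#   visudo -f /usr/local/etc/sudoers.d/wg-quick
# so a syntax slip cannot leave the rule invalid, and keep the file 0440 root:wheel.
# This assumes the main sudoers still carries the package's @includedir line
# for that directory; check with "grep includedir /usr/local/etc/sudoers".

# Group the permitted invocations under one name. Full paths are mandatory:
# sudo matches the command by its absolute path, not by what is in $PATH.
# Interfaces are listed explicitly; "wg-quick up *" would also work but lets the
# user pass any config path, and "save"/"strip" are left out so the rule cannot
# be used to write into /etc/wireguard.
Cmnd_Alias WGQUICK = /usr/local/bin/wg-quick up wg0,   \
                     /usr/local/bin/wg-quick down wg0, \
                     /usr/local/bin/wg-quick up wg1,   \
                     /usr/local/bin/wg-quick down wg1

# Only this user, on any host this file is installed on, only as root, no password.
alice ALL = (root) NOPASSWD: WGQUICK
```

After saving, `sudo -l -U alice` lists the rules that actually apply to that user, which is the quickest way to catch the "valid but not applicable" mistake the post mentions. The user then runs `sudo wg-quick up wg0`. No entries are needed for wg, ifconfig, route or the other tools wg-quick calls: once sudo has started wg-quick as root, every process it spawns already runs as root. Separate entries would only matter if the user tried to run those tools directly, which this rule deliberately does not permit.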