diff --git a/flake.lock b/flake.lock
index dee8d09..d434e81 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1632822684,
- "narHash": "sha256-lt7eayYmgsD5OQwpb1XYfHpxttn43bWo7G7hIJs+zJw=",
+ "lastModified": 1638665590,
+ "narHash": "sha256-nhtfL3z4TizWHemyZvgLvq11FhYX5Ya4ke+t6Np5PKQ=",
 "owner": "serokell",
 "repo": "deploy-rs",
- "rev": "9a02de4373e0ec272d08a417b269a28ac8b961b4",
+ "rev": "715e92a13018bc1745fb680b5860af0c5641026a",
 "type": "github"
 },
 "original": {
@@ -133,11 +133,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1636623366,
- "narHash": "sha256-jOQMlv9qFSj0U66HB+ujZoapty0UbewmSNbX8+3ujUQ=",
+ "lastModified": 1640139330,
+ "narHash": "sha256-Nkp3wUOGwtoQ7EH28RLVJ7EqB/e0TU7VcsM7GLy+SdY=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "c5ed8beb478a8ca035f033f659b60c89500a3034",
+ "rev": "81cef6b70fb5d5cdba5a0fef3f714c2dadaf0d6d",
 "type": "github"
 },
 "original": {
@@ -192,11 +192,11 @@
 "nixpkgs": "nixpkgs_4"
 },
 "locked": {
- "lastModified": 1637273221,
- "narHash": "sha256-ByBCiWlVprVgYGGy2ma7W0DKbtp4Xmj7S5whFrIzO3Q=",
+ "lastModified": 1638383949,
+ "narHash": "sha256-k7oMUrp1cMBj59uihyocJVqi4jbU16ycHQqGTJxH1b0=",
 "owner": "serokell",
 "repo": "serokell.nix",
- "rev": "1649eceabbe6e148b3c1b322b716e873d312599f",
+ "rev": "faebe5b14155d045ae5d3f76193c8e99e664af1b",
 "type": "github"
 },
 "original": {
diff --git a/hosts/default.nix b/hosts/default.nix
index c59b714..faa49e6 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -256,6 +256,11 @@
 ip = "10.42.20.10";
 mac = "46:37:52:f3:a2:fb";
 }
+ {
+ hostname = "wireguard";
+ ip = "10.42.20.13";
+ mac = "1A:C6:89:21:85:85";
+ }
 /* {
 hostname = "dhcp";
 ip = "10.42.42.42";
diff --git a/hosts/wireguard/configuration.nix b/hosts/wireguard/configuration.nix
new file mode 100644
index 0000000..9ceba78
--- /dev/null
+++ b/hosts/wireguard/configuration.nix
@@ -0,0 +1,71 @@
+{ config, pkgs, lib, ... }:
+let secrets = import ./secrets.nix;
+in {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ # Import common config
+ ../../common/generic-vm.nix
+ ../../common
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+
+ # networking.hostName = "nixos"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Set your time zone.
+ time.timeZone = "Europe/Amsterdam";
+
+ networking.hostName = "wireguard";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ environment.systemPackages = with pkgs; [ wireguard ];
+
+ environment.noXlibs = lib.mkForce false;
+
+ networking.firewall.allowedTCPPorts = [ ];
+
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "ens18";
+ networking.nat.internalInterfaces = [ "wg0" ];
+
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.42.69.1/24" ];
+ listenPort = 51820;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.42.69.0/24 -o ens18 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.42.69.0/24 -o ens18 -j MASQUERADE
+ '';
+
+ privateKey = secrets.serverPrivate;
+ peers = [
+ {
+ publicKey = secrets.laptopPublic;
+ allowedIPs = [ "10.42.69.2/32" ];
+ }
+ {
+ publicKey = secrets.phonePublic;
+ allowedIPs = [ "10.42.69.3/32" ];
+ }
+ ];
+ };
+ };
+
+}
diff --git a/hosts/wireguard/hardware-configuration.nix b/hosts/wireguard/hardware-configuration.nix
new file mode 100644
index 0000000..7247074
--- /dev/null
+++ b/hosts/wireguard/hardware-configuration.nix
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/7085fcd5-71a0-46ed-bc9a-9642ed4b1633";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/779fe897-e5cb-49f0-903d-eb9a7f76c3c7"; }
+ ];
+
+}
\ No newline at end of file
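Review bot: `privateKey = secrets.serverPrivate;` in the wg0 block embeds the WireGuard server private key in the generated interface setup script, which lives in the world-readable Nix store on the host (and in any deployment closure pushed by deploy-rs), so every local user can read it; the NixOS module documents `privateKeyFile` for exactly this reason. Prefer `privateKeyFile = "/run/keys/wg0-private";` (or another root-only path provisioned out-of-band) and remove the private key from secrets.nix — the secrets files in this commit are added as binary, presumably encrypted, but that protects the repository, not the store on the deployed machine. The `postSetup`/`postShutdown` MASQUERADE rules also look redundant with `networking.nat.enable` plus `internalInterfaces = [ "wg0" ]` and `externalInterface = "ens18"`, which already masquerades wg0 traffic leaving ens18; keeping both installs two overlapping NAT rules, so I would drop the manual iptables lines unless there is a reason the nat module's rule does not fit.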
diff --git a/hosts/wireguard/secrets.nix b/hosts/wireguard/secrets.nix
new file mode 100644
index 0000000..a9dc86b
Binary files /dev/null and b/hosts/wireguard/secrets.nix differ
diff --git a/hosts/wireguard/secrets.txt b/hosts/wireguard/secrets.txt
new file mode 100644
index 0000000..fdb2fe8
Binary files /dev/null and b/hosts/wireguard/secrets.txt differ
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..71b6990
Binary files /dev/null and b/secrets.nix differ