diff --git a/hosts/common-desktop.nix b/hosts/common-desktop.nix
index df9dff0..5f1de5d 100644
--- a/hosts/common-desktop.nix
+++ b/hosts/common-desktop.nix
@@ -114,6 +114,7 @@
 ripgrep-all
 rustscan
 whois
+ wireguard-tools
 yt-dlp
 ] ++ [
 bitwarden-desktop
diff --git a/hosts/router/default.nix b/hosts/router/default.nix
index 0a08ece..681fa55 100644
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@@ -78,6 +78,7 @@ in
 transcrypt
 waypipe
 whois
+ wireguard-tools
 ];
 # This value determines the NixOS release from which the default
diff --git a/hosts/router/firewall.nix b/hosts/router/firewall.nix
index e26ef8c..a3db09b 100644
--- a/hosts/router/firewall.nix
+++ b/hosts/router/firewall.nix
@@ -87,7 +87,7 @@ in
 content = ''
 ${nftIdentifiers}
 define ALLOWED_TCP_PORTS = { ssh }
- define ALLOWED_UDP_PORTS = { 18596 }
+ define ALLOWED_UDP_PORTS = { ${toString vars.ifs.wg0.listenPort} }
 define ALLOWED_TCP_LAN_PORTS = { ssh, https }
 define ALLOWED_UDP_LAN_PORTS = { bootps, dhcpv6-server, domain, https }
 set port_forward_v6 {
diff --git a/hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age b/hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age
deleted file mode 100644
index 07503ad..0000000
--- a/hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age
+++ /dev/null
@@ -1,5 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 D2MY/A YAk0egMScFdPo0uAZzITtgQyPAifDcVUfb957Zhz9Ec
-pAEM+7sbPE8rHBhRV7mTmH1w4mbfKFopMWbwu/3KHCw
---- ykshsqEqKvCCE2kWIPAJPA/DFW7mu6+0x4MQhHgi1yU
-'zƀ{gid\{EtpUg2QC3gJGV16WG_E&v)&ޑ N"n_T͒
\ No newline at end of file
diff --git a/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age b/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age
index 513d5f2..74fdcce 100644
Binary files a/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age and b/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age differ
diff --git a/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age b/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age
index a5ce007..fa8af19 100644
--- a/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age
+++ b/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age
@@ -1,6 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 D2MY/A P88M0uj4ZphVo3WrRYDu+c7B0Dl7ncctbYkByYmU2wg
-DV3Gn6TQ6iByAlNt0gg8kSZ2r0Gie/wcznZx9M+CC2g
---- KhwGM50BVql02Jq0do2uhXMfgWPPDfbodzDRmZ9n0O4
-rԶayY/CJBX!"F
-h(L>()S;}}2ОO.hoqYK"cEJM?-O
\ No newline at end of file
+-> ssh-ed25519 D2MY/A cRVo1AetNYKsb28kGpe6mVpoCyfNcRibeBYhJuXbbEY
+k8XL4XEv4FM6sfU/TOFTg4vlKm61409No/TpCEjTnSk
+--- mT9w1vnx2FrzWw+Zt1wV6UJ+mjHTizrUPVeaTisYQ74
+=q-SopnIZ֠i'"%MC& K-E>gBfXI?@D@q
\ No newline at end of file
diff --git a/hosts/router/secrets/wireguard/wg0-private-key.age b/hosts/router/secrets/wireguard/wg0-private-key.age
index 7bcbe13..74dbba8 100644
--- a/hosts/router/secrets/wireguard/wg0-private-key.age
+++ b/hosts/router/secrets/wireguard/wg0-private-key.age
@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 D2MY/A tvRtTGWnaB0zxqZRba4/XpzwPa61RrnHCk4tT8OfnGQ
-IX85Q5VKxQTl+MnhzwiuTnNMVkR9QrYo/1njrbZeBnQ
---- dmlPIL2T+RFhbO2iLDRa4BxxYSSUQdedV3TK83ooFdA
-gE 70`dV(oWS@ۭpZЃTU+*\Q[x29i5k
\ No newline at end of file
+-> ssh-ed25519 D2MY/A Xg7XTl/qJqVqvXsHNKcoICq74DeOlquN1CEn1PwxlVY
+FqmPdDgmuUrwZPLW56RhW8o1VXr5l2Xms6IVebpi7bA
+--- nLT/bC55EvoXK6f7DYbMhD3I8Z122bxeGVw1PCds2IM
+!Dl;KXq84+bp_q4B'8%cIDt V~;v*W-,[tݑ
\ No newline at end of file
diff --git a/hosts/router/vars.nix b/hosts/router/vars.nix
index 302714a..821b473 100644
--- a/hosts/router/vars.nix
+++ b/hosts/router/vars.nix
@@ -108,6 +108,8 @@ rec {
 p6Size_ = 96;
 ulaPrefix_ = "${ulaPrefix}:0100:0:6"; # ::/96
 ulaSize_ = 96;
+ } // {
+ listenPort = 51944;
 };
 };
diff --git a/hosts/router/wireguard.nix b/hosts/router/wireguard.nix
index c98a3b8..61252d4 100644
--- a/hosts/router/wireguard.nix
+++ b/hosts/router/wireguard.nix
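Review bot: In the vars.nix hunk, `} // { listenPort = 51944; }` closes the attribute set and merges a second one onto it, which reads as if `listenPort` deliberately must not live inside the preceding set, but the hunk does not show what that set feeds into, so the reason is not evident. If the set is passed through a helper that only knows the prefix/size attributes, a one-line comment above the `//` saying so would spare the next reader a trip; if it is not, `listenPort = 51944;` can simply sit next to `ulaSize_ = 96;`. Changing the port away from 18596 (the value the firewall.nix and wireguard.nix hunks replace) also means every peer's endpoint has to be updated along with the rotated server key, which is worth stating in the commit message. The enclosing attribute set begins above the hunk.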
@@ -9,28 +9,15 @@ let
 "${ifObj.ulaPrefix}:${toString token}:0/112"
 ];
- mkWg0Peer = token: publickey: {
+ mkWg0Peer = token: publicKey: {
 allowedIPs = peerIps wg0 token;
- inherit publickey;
+ inherit publicKey;
 pskEnabled = true;
 };
 wg0Peers = {
- "Yura-TPX13" = {
- allowedIPs = peerIps wg0 3;
- publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
- pskEnabled = true;
- };
- "Yura-Pixel7Pro" = {
- allowedIPs = [ "${wg0.p4}.4/32" "${wg0.p6}:4:0/112" ];
- publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
- pskEnabled = true;
- };
- "AsusS513" = {
- allowedIPs = [ "${wg0.p4}.100/32" ];
- publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
- pskEnabled = false;
- };
+ "Yura-TPX13" = mkWg0Peer 100 "iFdsPYrpw7vsFYYJB4SOTa+wxxGVcmYp9CPxe0P9ewA=";
+ "Yura-Pixel7Pro" = mkWg0Peer 101 "GPdXxjvnhsyufd2QX/qsR02dinUtPnnxrE66oGt/KyA=";
 };
 peerSecretName = name: "wg0-peer-${name}-psk";
 secrets = config.secrix.services.systemd-networkd.secrets;
@@ -41,6 +28,8 @@ in
 mapPeer = name: peer: {
 name = peerSecretName name;
 value.encrypted.file = ./secrets/wireguard/${peerSecretName name}.age;
+ value.decrypted.user = "systemd-network";
+ value.decrypted.group = "systemd-network";
 };
 peerSecrets = lib.attrsets.mapAttrs' mapPeer pskPeers;
 in
@@ -52,11 +41,11 @@ in
 "10-wg0" = {
 netdevConfig = {
 Kind = "wireguard";
- Name = "wg0";
+ Name = wg0.name;
 };
 wireguardConfig = {
 PrivateKeyFile = secrets.wg0-private-key.decrypted.path;
- ListenPort = 18596;
+ ListenPort = wg0.listenPort;
 };
 wireguardPeers = map (peer: {
 AllowedIPs = lib.strings.concatStringsSep "," peer.value.allowedIPs;
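Review bot: `mkWg0Peer` passes `token` straight into `peerIps`, whose visible element `"${ifObj.ulaPrefix}:${toString token}:0/112"` renders the decimal digits as a hex hextet (token 100 becomes hextet 0x100), and nothing documents which values are valid; the IPv4 element of `peerIps` sits above the hunk, so whether it also uses `token` as the last host octet cannot be confirmed here. A comment on the helper would pin this down, e.g. `# token: per-peer host id, used verbatim in the IPv6 hextet (decimal digits read as hex) and in the IPv4 range — keep it within 1..254 so both stay valid`, adjusted if the IPv4 element differs. The helper also hard-codes `pskEnabled = true`, which is fine now that the PSK-less AsusS513 peer is gone, but worth saying in the same comment so a future peer without a PSK is declared explicitly rather than through this helper. The `let` block and `peerIps` start above the hunk.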
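Review bot: In the `mapPeer` hunk the PSK secrets are now decrypted as `systemd-network:systemd-network`, but the private key that networkd opens through `secrets.wg0-private-key.decrypted.path` (third hunk) is declared outside this diff, and it is not visible whether it carries the same `decrypted.user`/`group`; if it is still decrypted root-owned, the PSKs will be readable while the private key is not. Worth checking that declaration and giving both the same owner, for instance by binding `wgOwner = "systemd-network";` once in the `let` and using it in `mapPeer` and in the private-key secret instead of repeating the literal twice. The `let` block containing `mapPeer` starts above the hunk.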
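Review bot: `Name = wg0.name;` parameterises the interface name, but the netdev key `"10-wg0"` on the hunk's first context line and `peerSecretName = name: "wg0-peer-${name}-psk"` in the first hunk still hard-code `wg0`, so the file is only half-parameterised: if `wg0.name` is ever anything other than `"wg0"`, the unit name and the secret file names silently stop matching the interface. Either derive them too (`"10-${wg0.name}"` and `"${wg0.name}-peer-${name}-psk"`, which implies renaming the .age files) or record the assumption next to the changed line with `# assumes wg0.name == "wg0"; the "10-wg0" key and peer secret names are literal`. Whether `vars.ifs.wg0` defines `name` at all cannot be confirmed from this diff, since the vars.nix hunk adds only `listenPort`. The `"10-wg0"` netdev block continues past the hunk.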