diff --git a/.gitignore b/.gitignore
index e69de29..b2d9b35 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,5 @@
+### Nix template
+# Ignore build outputs from performing a nix-build or `nix build` command
+result
+result-*
+
diff --git a/hosts/common-desktop.nix b/hosts/common-desktop.nix
index df9dff0..5f1de5d 100644
--- a/hosts/common-desktop.nix
+++ b/hosts/common-desktop.nix
@@ -114,6 +114,7 @@
 ripgrep-all
 rustscan
 whois
+ wireguard-tools
 yt-dlp
 ] ++ [
 bitwarden-desktop
diff --git a/hosts/router/default.nix b/hosts/router/default.nix
index 0612fea..681fa55 100644
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@@ -8,6 +8,7 @@ in [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./ifconfig.nix
+ ./wireguard.nix
 ./firewall.nix
 ./dns.nix
 ./kea.nix
@@ -77,6 +78,7 @@ in
 transcrypt
 waypipe
 whois
+ wireguard-tools
 ];
 
 # This value determines the NixOS release from which the default
diff --git a/hosts/router/firewall.nix b/hosts/router/firewall.nix
index 430c34b..a3db09b 100644
--- a/hosts/router/firewall.nix
+++ b/hosts/router/firewall.nix
@@ -13,6 +13,7 @@ let
 ${ifs.lan30.name},
 ${ifs.lan40.name},
 ${ifs.lan50.name},
+ ${ifs.wg0.name},
 }
 define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
 define ZONE_LAN_EXTRA_NET6 = {
@@ -85,8 +86,10 @@ in
 family = "inet";
 content = ''
 ${nftIdentifiers}
- define ALLOWED_TCP_PORTS = { ssh, https }
- define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain, https }
+ define ALLOWED_TCP_PORTS = { ssh }
+ define ALLOWED_UDP_PORTS = { ${toString vars.ifs.wg0.listenPort} }
+ define ALLOWED_TCP_LAN_PORTS = { ssh, https }
+ define ALLOWED_UDP_LAN_PORTS = { bootps, dhcpv6-server, domain, https }
 set port_forward_v6 {
 type inet_proto . ipv6_addr . inet_service
 elements = {
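Review bot: Adding `${ifs.wg0.name}` to the LAN-zone interface set (its `define` line sits above the hunk, presumably ZONE_LAN_IFS) means every WireGuard peer that completes a handshake is treated exactly like a device on a wired LAN port, and the later hunks show that zone_lan_input then accepts ssh, https, DNS and DHCP from it. That is a sensible default for a personal VPN, but it is an implicit trust decision that should be written down next to the new entry, e.g. `${ifs.wg0.name}, # VPN peers are trusted like the wired LAN (see wireguard.nix)`. The zone_lan_forward body is outside this diff, so whether peers can also reach the other VLANs cannot be confirmed from here; worth checking before handing out peer configs.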
@@ -133,6 +136,10 @@ in
 # but apparently not.
 ip6 daddr { fe80::/10, ff02::/16 } th dport { dhcpv6-client, dhcpv6-server } accept
 
+ # Global input rules
+ tcp dport $ALLOWED_TCP_PORTS accept
+ udp dport $ALLOWED_UDP_PORTS accept
+
 # WAN zone input rules
 iifname $ZONE_WAN_IFS jump zone_wan_input
 # LAN zone input rules
@@ -157,8 +164,7 @@ in
 }
 
 chain zone_wan_input {
- # Allow SSH from WAN (if needed)
- tcp dport ssh accept
+ # Allow specific stuff from WAN
 }
 
 chain zone_wan_forward {
@@ -180,8 +186,8 @@ in
 ip protocol icmp accept
 
 # Allow specific services from LAN
- tcp dport $ALLOWED_TCP_PORTS accept
- udp dport $ALLOWED_UDP_PORTS accept
+ tcp dport $ALLOWED_TCP_LAN_PORTS accept
+ udp dport $ALLOWED_UDP_LAN_PORTS accept
 }
 
 chain zone_lan_forward {
diff --git a/hosts/router/ifconfig.nix b/hosts/router/ifconfig.nix
index d479a7d..3d419b8 100644
--- a/hosts/router/ifconfig.nix
+++ b/hosts/router/ifconfig.nix
@@ -83,7 +83,7 @@ in
 ia_pd 30/${ifs.lan30.net6} -
 ia_pd 40/${ifs.lan40.net6} -
 ia_pd 50/${ifs.lan50.net6} -
- # ia_pd 7 -
+ ia_pd 100/${pdFromWan}9::/64 - # for vpn stuff
 # ia_pd 8 -
 
 # the leases can be assigned to the interfaces,
diff --git a/secrets/cf_api_key.age b/hosts/router/secrets/cf-api-key.age
similarity index 100%
rename from secrets/cf_api_key.age
rename to hosts/router/secrets/cf-api-key.age
diff --git a/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age b/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age
new file mode 100644
index 0000000..74fdcce
Binary files /dev/null and b/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age differ
diff --git a/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age b/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age
new file mode 100644
index 0000000..fa8af19
--- /dev/null
+++ b/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age
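Review bot: The new global rules accept `ssh` on every interface before the zone dispatch, so SSH stays reachable from WAN even though the explicit `tcp dport ssh accept` in zone_wan_input is removed two hunks down and replaced by a comment over an empty chain, which now reads as if nothing were open on WAN. If WAN SSH is intentional (it was before this change), say so where it is now decided: `# Global input rules: accepted on every interface, including WAN`, and consider naming the sets `ALLOWED_TCP_GLOBAL_PORTS` / `ALLOWED_UDP_GLOBAL_PORTS` so the contrast with the `_LAN_` sets is obvious. If the VPN is meant to replace WAN SSH instead, delete the `tcp dport $ALLOWED_TCP_PORTS accept` line rather than emptying the set, since I believe nft rejects an empty `{ }` literal. Exposing the WireGuard listen port on all interfaces is fine — WireGuard stays silent to unauthenticated packets — but note it is now also accepted from the LAN side. The enclosing input chain starts before the hunk.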
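Review bot: `# for vpn stuff` undersells what this line decides: vars.nix in this same change carves a /96, `${pdFromWan}9:0:6::/96`, for wg0 out of the /64 requested here under IAID 100, so the remainder of that /64 is delegated but unused. A comment tying the two together saves the next reader a search, e.g. `# IAID 100: /64 for wg0; vars.nix uses ${pdFromWan}9:0:6::/96 of it`. Whether dhcpcd's upstream honours the hinted prefix cannot be told from here; the rest of the ia_pd block is outside the hunk.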
@@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 D2MY/A cRVo1AetNYKsb28kGpe6mVpoCyfNcRibeBYhJuXbbEY +k8XL4XEv4FM6sfU/TOFTg4vlKm61409No/TpCEjTnSk +--- mT9w1vnx2FrzWw+Zt1wV6UJ+mjHTizrUPVeaTisYQ74 +=q-SopnIZ֠i'"%MC& K-E>gBfXI?@D@q \ No newline at end of file diff --git a/hosts/router/secrets/wireguard/wg0-private-key.age b/hosts/router/secrets/wireguard/wg0-private-key.age new file mode 100644 index 0000000..74dbba8 --- /dev/null +++ b/hosts/router/secrets/wireguard/wg0-private-key.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 D2MY/A Xg7XTl/qJqVqvXsHNKcoICq74DeOlquN1CEn1PwxlVY +FqmPdDgmuUrwZPLW56RhW8o1VXr5l2Xms6IVebpi7bA +--- nLT/bC55EvoXK6f7DYbMhD3I8Z122bxeGVw1PCds2IM +!Dl;KXq84+bp_q4B'8%cIDt V~;v*W-,[tݑ \ No newline at end of file diff --git a/hosts/router/services.nix b/hosts/router/services.nix index e6f23a6..b0f8448 100644 --- a/hosts/router/services.nix +++ b/hosts/router/services.nix @@ -52,7 +52,7 @@ in }; }; - secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age; + secrix.system.secrets.cf-api-key.encrypted.file = ./secrets/cf-api-key.age; systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path; services.caddy = { enable = true; diff --git a/hosts/router/vars.nix b/hosts/router/vars.nix index cf6e7ec..306bb5b 100644 --- a/hosts/router/vars.nix +++ b/hosts/router/vars.nix @@ -5,8 +5,11 @@ let name_, domain_, p4_, # /24 + p4Size_ ? 24, p6_, # /64 + p6Size_ ? 64, ulaPrefix_, # /64 + ulaSize_ ? 64, token? 1, ip6Token_? "::${toString token}", ulaToken_? "::${toString token}", 
@@ -14,18 +17,18 @@ let
 name = name_;
 domain = domain_;
 p4 = p4_;
- p4Size = 24;
+ p4Size = p4Size_;
 net4 = "${p4}.0/${toString p4Size}";
 addr4 = "${p4}.${toString token}";
 addr4Sized = "${addr4}/${toString p4Size}";
 p6 = p6_;
- p6Size = 64;
+ p6Size = p6Size_;
 net6 = "${p6}::/${toString p6Size}";
 ip6Token = ip6Token_;
 addr6 = "${p6}${ip6Token}";
 addr6Sized = "${addr6}/${toString p6Size}";
 ulaPrefix = ulaPrefix_;
- ulaSize = 64;
+ ulaSize = ulaSize_;
 ulaNet = "${ulaPrefix}::/${toString ulaSize}";
 ulaToken = ulaToken_;
 ulaAddr = "${ulaPrefix}${ulaToken}";
@@ -97,6 +100,17 @@ rec {
 p6_ = "${pdFromWan}a"; # ::/64
 ulaPrefix_ = "${ulaPrefix}:0050"; # ::/64
 };
+ wg0 = mkIfConfig {
+ name_ = "wg0";
+ domain_ = "wg0.${ldomain}";
+ p4_ = "10.18.16"; # .0/24
+ p6_ = "${pdFromWan}9:0:6"; # ::/96
+ p6Size_ = 96;
+ ulaPrefix_ = "${ulaPrefix}:0100:0:6"; # ::/96
+ ulaSize_ = 96;
+ } // {
+ listenPort = 51944;
+ };
 };
 
 extra = {
diff --git a/hosts/router/wireguard.nix b/hosts/router/wireguard.nix
new file mode 100644
index 0000000..97d7837
--- /dev/null
+++ b/hosts/router/wireguard.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+let
+ vars = import ./vars.nix;
+ wg0 = vars.ifs.wg0;
+
+ peerIps = ifObj: token: [
+ "${ifObj.p4}.${toString token}/32"
+ "${ifObj.p6}:${toString token}:0/112"
+ "${ifObj.ulaPrefix}:${toString token}:0/112"
+ ];
+
+ mkWg0Peer = token: publicKey: {
+ allowedIPs = peerIps wg0 token;
+ inherit publicKey;
+ pskEnabled = true;
+ };
+
+ wg0Peers = {
+ "Yura-TPX13" = mkWg0Peer 100 "iFdsPYrpw7vsFYYJB4SOTa+wxxGVcmYp9CPxe0P9ewA=";
+ "Yura-Pixel7Pro" = mkWg0Peer 101 "GPdXxjvnhsyufd2QX/qsR02dinUtPnnxrE66oGt/KyA=";
+ };
+ peerSecretName = name: "wg0-peer-${name}-psk";
+ secrets = config.secrix.services.systemd-networkd.secrets;
+in
+{
+ secrix.services.systemd-networkd.secrets = let
+ pskPeers = lib.attrsets.filterAttrs (name: peer: peer.pskEnabled) wg0Peers;
+ mapPeer = name: peer: {
+ name = peerSecretName name;
+ value.encrypted.file = ./secrets/wireguard/${peerSecretName name}.age;
+ };
+ peerSecrets = lib.attrsets.mapAttrs' mapPeer pskPeers;
+
+ allSecrets = {
+ wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
+ } // peerSecrets;
+
+ setSecretOwnership = name: value: value // {
+ decrypted.user = "systemd-network";
+ decrypted.group = "systemd-network";
+ };
+ in lib.attrsets.mapAttrs setSecretOwnership allSecrets;
+
+ systemd.network.netdevs = {
+ "10-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = wg0.name;
+ };
+ wireguardConfig = {
+ PrivateKeyFile = secrets.wg0-private-key.decrypted.path;
+ ListenPort = wg0.listenPort;
+ };
+ wireguardPeers = map (peer: {
+ AllowedIPs = lib.strings.concatStringsSep "," peer.value.allowedIPs;
+ PublicKey = peer.value.publicKey;
+ PresharedKeyFile = if peer.value.pskEnabled then secrets."${peerSecretName peer.name}".decrypted.path else null;
+ }) (lib.attrsToList wg0Peers);
+ };
+ };
+
+ systemd.network.networks = {
+ "10-wg0" = {
+ matchConfig.Name = "wg0";
+ networkConfig = {
+ IPv4Forwarding = true;
+ IPv6SendRA = false;
+ Address = [ wg0.addr4Sized wg0.addr6Sized wg0.ulaAddrSized ];
+ };
+ };
+ };
+}
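Review bot: `matchConfig.Name = "wg0"` hard-codes the interface name while the netdev section above takes it from `wg0.name`; use `matchConfig.Name = wg0.name;` so a rename in vars.nix cannot leave the [Network] section unmatched and the interface without addresses. `pskEnabled = true` is fixed inside `mkWg0Peer`, so the `filterAttrs` and the `else null` branch can never run; either make it a parameter (`mkWg0Peer = { token, publicKey, psk ? true }:`) or drop the conditionals and document that every peer requires a PSK. The address plan deserves a comment above `peerIps` — roughly: peer token N gets `p4.N/32`, `p6:N:0/112` and `ulaPrefix:N:0/112`, all inside the router's /24 and /96 on wg0, and N must differ from the router's own token (1 by default in vars.nix) and from every other peer. The decrypted secrets set only user/group, not a mode; I assume secrix defaults to an owner-only mode, but confirm it, because the WireGuard private key and the PSKs are readable by whatever that default permits.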