diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index a925ea2..fd51e22 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -22,3 +22,7 @@ s3_bucket: "prymn-cache"
 s3_endpoint: "https://75178f9eca227dea51b3db4db2c15a5a.r2.cloudflarestorage.com"
 s3_access_key_id: "{{ vault_s3_access_key_id }}"
 s3_secret_access_key: "{{ vault_s3_secret_access_key }}"
+
+# Wireguard
+wireguard_ip: "10.0.42.1"
+wireguard_network_mask: "24"
diff --git a/host_vars/ulna.papadakis.xyz.yml b/host_vars/ulna.papadakis.xyz.yml
new file mode 100644
index 0000000..d723b9e
--- /dev/null
+++ b/host_vars/ulna.papadakis.xyz.yml
@@ -0,0 +1,2 @@
+ansible_become_pass: "{{ ulna_become_pass | default(omit) }}"
+wireguard_ip: "10.0.42.1"
diff --git a/inventory.yml b/inventory.yml
index d048226..b57cfe5 100644
--- a/inventory.yml
+++ b/inventory.yml
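Review bot: `wireguard_ip: "10.0.42.1"` in group_vars/all gives every host in the wireguard group the same tunnel address unless a host_vars file overrides it, and the only host_vars file in this commit (host_vars/ulna.papadakis.xyz.yml) sets that identical value. The netdev template renders `AllowedIPs={{ hostvars[peer].wireguard_ip }}/32` for each peer, so any second host left on the group default would collide with ulna's address and emit a duplicate AllowedIPs entry. I would drop `wireguard_ip` from group_vars/all so an unset per-host address fails the template render loudly instead of silently reusing 10.0.42.1, keeping `wireguard_network_mask` there with a comment such as `# wireguard_ip is per host; set it in host_vars/<host>.yml`.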
@@ -1,10 +1,16 @@ $ANSIBLE_VAULT;1.1;AES256 -34626236366363333963613532643239643331333637613664653238336431636338303537643936 -3830343365336262633165616535363336313665383261310a383931623831326530313837346137 -35663961343433396461653164613666363331396430393131393038393433346263653331653064 -3162663361623439340a363865633661623563366330336666633766656531663033613131343466 -39366463393839333963326531376436373038386239623937303839336264336462613236623431 -37633635333738316665346463333361363234636465333764643464323830313636616165646365 -39663235323764323564326135333631613665336338646565666362336666633337643065626362 -66663631313434393636326531616261623132633730333439313534636165373635393465616531 -66643663376238653164626364386338363863366661313235353966316664343039 +63613665646438616265666332616134306638336363643763376536386338336265333036633561 +3866393138653031346363613137343238323839633632330a346433343633383938383835373438 +33306235633230633734663937316365643263373964386234613236316132396661643565356639 +3966326363643566360a326135633033396262636661366536653132613939323034346138353434 +63356662653461333537643737353537353862313366356265623333373635323133393462353638 +35646563643231666632666537373633643037376638323132383739613736393035376462313065 +63633366363265396163343633306439313364656161663930623965376337343661323230616532 +35613663373263323839313534623831366334346135383439316439366634343133343462366631 +31663363346138336163633562366130663430626633303733643730333039646663643930626564 +38366466306534366661646564386566303562303733663534666334383639623939616238666237 +34353130663033376534386533633639656161333164646164346136323937623630663638633731 +32353131386538326230633630626530393561623930353963316431663635343131373539633937 +38396539323566616565633161653835306435653639633336626434643562316564346665616662 +39633663343736366264623334653763323763366133343634306162356664386564393232386564 +346330633462313734343039633666616536 
diff --git a/templates/wireguard/wg0.netdev.j2 b/templates/wireguard/wg0.netdev.j2
new file mode 100644
index 0000000..c1f7cd9
--- /dev/null
+++ b/templates/wireguard/wg0.netdev.j2
@@ -0,0 +1,25 @@
+[NetDev]
+Name=wg0
+Kind=wireguard
+Description=Wireguard tunnel wg0
+
+[WireGuard]
+ListenPort=51820
+PrivateKey={{ wireguard_private_key.stdout }}
+
+{% for peer in groups['wireguard'] %}
+{% if peer != inventory_hostname %}
+
+[WireGuardPeer]
+PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
+AllowedIPs={{ hostvars[peer].wireguard_ip }}/32
+PersistentKeepalive=25
+
+{% endif %}
+{% endfor %}
+
+# ouroboros
+[WireGuardPeer]
+PublicKey={{ ouroboros_wireguard_public_key }}
+AllowedIPs={{ ouroboros_wireguard_ip }}/32
+PersistentKeepalive=25
diff --git a/templates/wireguard/wg0.network.j2 b/templates/wireguard/wg0.network.j2
new file mode 100644
index 0000000..8266c23
--- /dev/null
+++ b/templates/wireguard/wg0.network.j2
@@ -0,0 +1,5 @@
+[Match]
+Name=wg0
+
+[Network]
+Address={{ wireguard_ip }}/{{ wireguard_network_mask }}
diff --git a/wireguard.yml b/wireguard.yml
new file mode 100644
index 0000000..a0d7e7d
--- /dev/null
+++ b/wireguard.yml
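Review bot: `PrivateKey={{ wireguard_private_key.stdout }}` routes the host's private key through an Ansible registered variable and Jinja rendering only to write it back onto the same host; systemd.netdev's `PrivateKeyFile=` would let the key stay in /etc/wireguard without entering controller memory or task output, e.g. `PrivateKeyFile=/etc/wireguard/privatekey`, with the caveat that systemd-networkd must then be able to read that file (root:systemd-network, 0640), which the `umask 0077` in wireguard.yml does not provide on its own. Separately, no `[WireGuardPeer]` stanza carries an `Endpoint=`, so unless ouroboros (whose `ouroboros_wireguard_*` variables are not defined anywhere in this commit) initiates every handshake, two hosts with only `PersistentKeepalive=25` have no address to send to and cannot reach each other; add an `Endpoint=` for any peer with a reachable address. Also `hostvars[peer].wireguard_public_key.stdout` is only populated for hosts on which the register task ran in this play, so a `--limit` run or an unreachable host in the group will, as far as I can tell, fail the render with an undefined variable rather than producing a partial config.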
@@ -0,0 +1,59 @@
+---
+- hosts: [wireguard]
+ tasks:
+ - name: Install wireguard packages
+ become: true
+ ansible.builtin.apt:
+ name: wireguard
+ state: present
+
+ - name: Generate keys
+ become: true
+ ansible.builtin.shell: |
+ umask 0077
+ wg genkey > /etc/wireguard/privatekey
+ wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey
+ args:
+ creates:
+ - /etc/wireguard/privatekey
+ - /etc/wireguard/publickey
+
+ - name: Register public key
+ become: true
+ ansible.builtin.shell: cat /etc/wireguard/publickey
+ register: wireguard_public_key
+ changed_when: false
+
+ - name: Register private key
+ become: true
+ ansible.builtin.shell: cat /etc/wireguard/privatekey
+ register: wireguard_private_key
+ changed_when: false
+
+ - name: Setup network device
+ become: yes
+ notify: systemd network restart
+ ansible.builtin.template:
+ src: ./templates/wireguard/wg0.netdev.j2
+ dest: /etc/systemd/network/wg0.netdev
+ owner: root
+ group: systemd-network
+ mode: 0640
+
+ - name: Setup network
+ become: yes
+ notify: systemd network restart
+ ansible.builtin.template:
+ src: ./templates/wireguard/wg0.network.j2
+ dest: /etc/systemd/network/wg0.network
+ owner: root
+ group: systemd-network
+ mode: 0640
+
+ handlers:
+ - name: systemd network restart
+ become: true
+ ansible.builtin.service:
+ name: systemd-networkd
+ state: restarted
+ enabled: true
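Review bot: `creates:` under `args:` in the Generate keys task is given a two-item list, but `ansible.builtin.shell` takes a single path there; as far as I can tell the list is stringified into a path that never exists, so the task runs and regenerates the key pair on every play, invalidating the public key every other peer was given. Use one path: `creates: /etc/wireguard/privatekey`. The Register private key task reads the private key into a registered variable without `no_log: true`, so it appears in verbose output and in the diagnostics of any later failure of the template task; add `no_log: true` to that task (or do not register the private key at all). Two style points in the same file: the two template tasks use `become: yes` while every other task uses `become: true`, and `mode: 0640` is an unquoted octal that YAML 1.1 parsers read as the integer 416 — Ansible's own guidance is to quote it, `mode: "0640"`.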