diff --git a/hosts/lkk-nix-1/default.nix b/hosts/lkk-nix-1/default.nix
index bf59697..a8dec23 100644
--- a/hosts/lkk-nix-1/default.nix
+++ b/hosts/lkk-nix-1/default.nix
@@ -20,6 +20,7 @@
 to = 3100;
 }];
 firewall.allowedTCPPorts = [ 80 443 5432 3306 3478 ];
+ firewall.allowedUDPPorts = [ 51820 ];
 firewall.allowedUDPPortRanges = [{
 from = 3478;
 to = 3481;
@@ -52,6 +53,10 @@
 mode = "770";
 owner = "searx";
 };
+ wg-easy-environmentFile = {
+ file = ../../secrets/wg-easy-environmentFile.age;
+ mode = "770";
+ };
 };
 identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
 };
diff --git a/hosts/lkk-nix-1/services/containers/default.nix b/hosts/lkk-nix-1/services/containers/default.nix
index 19213ea..a02f2a3 100644
--- a/hosts/lkk-nix-1/services/containers/default.nix
+++ b/hosts/lkk-nix-1/services/containers/default.nix
@@ -3,5 +3,6 @@
 ./baserow.nix
 ./matomo.nix
 ./wordpress.nix
+ ./wireguard.nix
 ];
 }
diff --git a/hosts/lkk-nix-1/services/containers/wireguard.nix b/hosts/lkk-nix-1/services/containers/wireguard.nix
new file mode 100644
index 0000000..e82cd91
--- /dev/null
+++ b/hosts/lkk-nix-1/services/containers/wireguard.nix
@@ -0,0 +1,14 @@
+{ config, outputs, ... }: {
+ virtualisation.oci-containers.containers."wireguard" = {
+ image = "weejewel/wg-easy";
+ environment = { WG_HOST = "wg.lanakk.com"; };
+ ports = [ "3007:51821/tcp" "51820:51820/udp" ];
+ volumes = [ "wireguard_data:/etc/wireguard" ];
+ extraOptions = [
+ "--cap-add=NET_ADMIN"
+ "--cap-add=SYS_MODULE"
+ "--sysctl=net.ipv4.conf.all.src_valid_mark=1"
+ "--sysctl=net.ipv4.ip_forward=1"
+ ];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/traefik.nix b/hosts/lkk-nix-1/services/traefik.nix
index 7e33a0f..6b140e4 100644
--- a/hosts/lkk-nix-1/services/traefik.nix
+++ b/hosts/lkk-nix-1/services/traefik.nix
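Review bot: `mode = "770"` on the new `wg-easy-environmentFile` secret in the second hunk of default.nix grants execute and group-write bits that an environment file never needs, and with no `owner` given the file is presumably root-owned and read as root by the container runtime. Dropping the `mode` line (the agenix default is `"0400"`) or writing `mode = "400";` is enough here. The searx entry above has an `owner`, which is presumably why it is group-accessible; no such non-root consumer is declared for this secret. The enclosing `age.secrets` attribute set starts outside the hunk.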
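Review bot: `--cap-add=SYS_MODULE` in wireguard.nix lets the container load arbitrary kernel modules, which is effectively host-root; loading WireGuard on the host instead (`boot.kernelModules = [ "wireguard" ];` in the host config) leaves the container needing only NET_ADMIN. The `wg-easy-environmentFile` secret declared elsewhere in this commit is never handed to the container, so only `WG_HOST` reaches it; presumably the file carries the admin credential and belongs in `environmentFiles`. `image = "weejewel/wg-easy"` carries no tag, so each rebuild may pull a different image; pin a tag or digest. The UI port 3007 is published on all interfaces although only traefik on localhost consumes it, and with the Docker backend published ports are not filtered by `firewall.allowedTCPPorts`, so bind it to loopback. `config` and `outputs` are accepted by the module but `outputs` is unused.
```nix
  virtualisation.oci-containers.containers."wireguard" = {
    image = "weejewel/wg-easy:<PINNED_TAG_OR_DIGEST>";
    environment = { WG_HOST = "wg.lanakk.com"; };
    environmentFiles = [ config.age.secrets.wg-easy-environmentFile.path ];
    ports = [ "127.0.0.1:3007:51821/tcp" "51820:51820/udp" ];
    # … unchanged: volumes …
    extraOptions = [
      "--cap-add=NET_ADMIN"
      # SYS_MODULE dropped: the wireguard module is loaded on the host instead
      "--sysctl=net.ipv4.conf.all.src_valid_mark=1"
      "--sysctl=net.ipv4.ip_forward=1"
    ];
    # … unchanged: closing braces …
```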
@@ -42,6 +42,7 @@
 searx.loadBalancer.servers = [{ url = "http://localhost:3004/"; }];
 nextcloud.loadBalancer.servers = [{ url = "http://localhost:3005/"; }];
 invidious.loadBalancer.servers = [{ url = "http://localhost:3006/"; }];
+ wireguard.loadBalancer.servers = [{ url = "http://localhost:3007/"; }];
 };
 routers = {
 api = {
@@ -111,6 +112,16 @@
 service = "invidious";
 entrypoints = "websecure";
 };
+ wireguard = {
+ rule = "Host(`wg.lanakk.com`)";
+ tls = {
+ certResolver = "godaddy";
+ domains = "wg.lanakk.com";
+ };
+ service = "wireguard";
+ middlewares = "auth";
+ entrypoints = "websecure";
+ };
 };
 };
 };
diff --git a/secrets.nix b/secrets.nix
index 1a0f47f..b06af93 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -10,4 +10,6 @@
 in {
 "godaddy-api-secret.age".publicKeys = [ root ];
 "searx-environmentFile.age".publicKeys = [ root ];
+
+ "wg-easy-environmentFile.age".publicKeys = [ root ];
 }
diff --git a/secrets/wg-easy-environmentFile.age b/secrets/wg-easy-environmentFile.age
new file mode 100644
index 0000000..73a3c02
Binary files /dev/null and b/secrets/wg-easy-environmentFile.age differ