diff --git a/flake.nix b/flake.nix
index 473f42d..7970c61 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,6 +31,7 @@
         ./modules/unstable.nix
         ./modules/zmotd.nix
         ./modules/sops.nix
+        ./modules/wireguard.nix
         ./modules/users/admin.nix
         ./overlays
diff --git a/hosts/crayon/default.nix b/hosts/crayon/default.nix
index c16c088..b343d1d 100644
--- a/hosts/crayon/default.nix
+++ b/hosts/crayon/default.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
   imports = [
     ./hardware-configuration.nix # Include the results of the hardware scan.
@@ -9,4 +9,11 @@
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
+
+  wireguard = {
+    enable = true;
+    # pub: gq0/fX4EF/3jUNJSW5C3ythZjMVAWYqQdAVRw1eUC1Y=
+    privateKeyFile = config.sops.secrets."wireguard/crayon".path;
+    externalInterface = "enp1s0";
+  };
 }
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
new file mode 100644
index 0000000..f6b7f41
--- /dev/null
+++ b/modules/wireguard.nix
@@ -0,0 +1,60 @@
+{ pkgs, lib, config, ... }:
+{
+  options.wireguard = {
+    enable = lib.mkEnableOption "wireguard";
+    port = lib.mkOption {
+      default = 51820;
+      description = "The port for wireguard to use.";
+      type = lib.types.int;
+    };
+    externalInterface = lib.mkOption {
+      description = "The external networking interface for wireguard to use.";
+      type = lib.types.str;
+    };
+    internalInterface = lib.mkOption {
+      default = "wg0";
+      description = "The networking interface for wireguard to use.";
+      type = lib.types.str;
+    };
+    privateKeyFile = lib.mkOption {
+      description = "The path to the private key of the wireguard server.";
+      type = lib.types.path;
+    };
+  };
+
+  config = lib.mkIf config.wireguard.enable {
+    networking.nat.enable = true;
+    networking.nat.externalInterface = config.wireguard.externalInterface;
+    networking.nat.internalInterfaces = [ config.wireguard.internalInterface ];
+    networking.firewall.allowedUDPPorts = [ config.wireguard.port ];
+    networking.wireguard.interfaces = {
+      ${config.wireguard.internalInterface} = {
+        # Determines the IP address and subnet of the server's end of the tunnel interface.
+        ips = [ "10.100.0.1/24" ];
+        listenPort = config.wireguard.port;
+
+        # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+        # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+        postSetup = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+
+        # This undoes the above command
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+
+        # Path to the servers private key file.
+        privateKeyFile = config.wireguard.privateKeyFile;
+
+        # TODO: add config option?
+        peers = [
+          {
+            publicKey = "L+NlTn0E9pgCoEoTYs4aDewZSMmyeyC1Os9DCdwYTjY=";
+            allowedIPs = [ "10.100.0.2/32" ];
+          }
+        ];
+      };
+    };
+  };
+}
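Review bot: The `postSetup`/`postShutdown` hooks masquerade on a hardcoded `-o eth0` and ignore the `externalInterface` option this module introduces, so on any host that sets a different interface (crayon sets `enp1s0` in this same commit) the rule matches no traffic and a stale eth0 MASQUERADE entry is added and removed for nothing. The NixOS NAT module enabled a few lines above (`networking.nat.enable` with `internalInterfaces`/`externalInterface`) should already masquerade tunnel traffic out of the external interface, so the simplest fix is to drop both hooks; if they are kept, both commands should use `-o ${config.wireguard.externalInterface}` instead, and note that shelling out to `iptables` will not cooperate with an nftables-based firewall if `networking.nftables.enable` is ever turned on. Separately, `privateKeyFile` is typed `lib.types.path`, which also accepts a Nix path literal such as `./wg.key` and would then copy the private key into the world-readable /nix/store; NixOS's own `networking.wireguard.interfaces.*.privateKeyFile` uses a string type to avoid exactly that, so `type = lib.types.str;` is the safer choice here. Finally, `port` would be better declared as `type = lib.types.port;` so out-of-range values are rejected at evaluation time rather than at `wg` startup.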
diff --git a/secrets.yaml b/secrets.yaml
index 2b4befe..772d0cb 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -4,6 +4,8 @@ jellyfin:
   zachary: ENC[AES256_GCM,data:GIDgfsxhU4fZVjP/cTmTvIA1aeP4lbd3Fz6tbPLdyL37KD+IKERgkxJmGwtt9GNwnJBsHE/xpH8ZAvloS1DykZZtEaqB0H6wuA==,iv:FM0d4tiQPzyoEiqEQF5YvNeClHXOhP+q+TaKGeyg/TE=,tag:v+sYDwQiCX7o+g7plcnQFg==,type:str]
 users:
   crown: ENC[AES256_GCM,data:6UAYcafxflvbsTXC1N3Ff0hAlWGjveYDUzbcXPSGfPX0uXg++bfjRwYo3JFgfJpJ/KN4MODPSxgjFAFnoZOnkyxk0UDSppDagQ==,iv:PWmxuj2caqRLASjftbl0tovNq2t1WoDoviJXs/OO8yI=,tag:EwJhROsHfj5cPkpxUCy+uw==,type:str]
+wireguard:
+  crayon: ENC[AES256_GCM,data:pQ4nOzcON+yCqgisBQO8LIdfi9GmXE9YcPzBRgu9Fdzx0R6p4dEK+DVBuDg=,iv:vq0uDgZlLwXVZMwE3xTWZDP20uaAcT4I0D7qLS61ApI=,tag:btVyZREPAgfcC694/Wusmg==,type:str]
 sops:
   kms: []
   gcp_kms: []
@@ -37,8 +39,8 @@ sops:
         MVIyWFFmVXR3SkN4dmdJUzZEOE1nRzAKXYCh0Y0pwHUO6YAhGFBuVCphmL2dOAsN
         R/5NDRIF2ab5hf5vE8g/4jHnrttujsbNyU96Jezh8q6MO2M1afIUwA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-11-09T02:00:10Z"
-  mac: ENC[AES256_GCM,data:9Jg3aXMMe8Yhf3CycD+UPqlTg0E619dmOJENRe2sfwROdKxOXhiFqnuI4t262XW3IMpJdCbv3RIblklF6vPaqqJWkPqj4Jt2niF4Bq0oR+cRM+rAElYAZ6vviCWnjTjOhTD/UB2RYPFH77Ce7RQmR4c5H4D6uLaw1g3+9TLJPTE=,iv:p4mF2S1n+mTV+ny3hKbQ+tYqh+4HGURyUP9hiSdMZjs=,tag:dWCa87XTwH3mBHshUMxjiQ==,type:str]
+  lastmodified: "2025-11-26T18:38:21Z"
+  mac: ENC[AES256_GCM,data:V3lKQj0ZWIPl2RPpnv7tRBG8sH6W9+rfnPy0z6g+3SZGmKtwhcgqVBG/VPMKhuyseNZ4vxE23lD7Ol44PchMgd/OCJqJF6TUl3A4LIqkK8Ji0m0cPcC3hsFaI8rChkWcLse30qcoQov4NbP7yElpf76Bh/NqBFgOqCjDD0Pp/NU=,iv:897reifxaub96UDCKCsWNxabVCSzYLmsIrrkXCxBgoM=,tag:0d4iQhLA/YxR7wrtUVxXqA==,type:str]
   pgp: []
   unencrypted_suffix: _unencrypted
   version: 3.9.1