diff --git a/host/montalin/applications/vpn.nix b/host/montalin/applications/vpn.nix
index 06242dd..6d432f4 100644
--- a/host/montalin/applications/vpn.nix
+++ b/host/montalin/applications/vpn.nix
@@ -1,30 +1,40 @@
 { config, pkgs, lib, ... }:
 let
- meta = import ../../../meta;
- network = meta.network.virtual;
- networkName = "mgmt";
- networkConfig = network.${networkName};
- hostName = config.networking.hostName;
+ meta = import ../../../meta;
+ network = meta.network.virtual;
+ networkName = "mgmt";
+ networkConfig = network.${networkName};
+ hostName = config.networking.hostName;
 in {
 networking.wireguard.enable = true;
 networking.wireguard.interfaces = {
 "wg-${networkName}" = {
- ips = [ "${networkConfig.hosts.${hostName}.v4.ip}/${toString networkConfig.v4.bitmask}" ];
+ ips = [
+ "${networkConfig.hosts.${hostName}.v4.ip}/${
+ toString networkConfig.v4.bitmask
+ }"
+ ];
 privateKeyFile = "/secrets/wireguard/private/${networkName}";
 generatePrivateKeyFile = true;
- peers = let
- reachablePeerHosts = lib.filterAttrs
- (host: netconf: host != hostName && netconf.endpoint != null)
- networkConfig.hosts;
- in lib.mapAttrsToList (host: netconf: {
- presharedKeyFile = netconf.presharedKeyFile or null; # Generate with wg genpsk
- publicKey = netconf.publicKey;
- endpoint = netconf.endpoint;
- allowedIPs = [ netconf.v4.ip ];
- persistantKeepalive = netconf.persistentKeepalive;
- }) reachablePeerHosts;
+ peers = let
+ mapHostToPeerConfig = (host: netconf: {
+
+ # Generate the preshared key with wg genpsk
+ presharedKeyFile =
+ "/secrets/wireguard/preshared/${networkName}-${host}";
+ publicKey = netconf.publicKey;
+
+ endpoint = netconf.endpoint;
+
+ allowedIPs = [ netconf.v4.ip ];
+ persistantKeepalive = netconf.persistentKeepalive;
+ });
+ reachablePeerHosts = lib.filterAttrs (host: netconf:
+ host != hostName
+ && (netconf.endpoint != null || networkConfig.server == hostName))
+ networkConfig.hosts;
+ in lib.mapAttrsToList mapHostToPeerConfig reachablePeerHosts;
 };
 };
-
 }
diff --git a/meta/network.nix b/meta/network.nix
index 3ebd382..a4aca64 100644
--- a/meta/network.nix
+++ b/meta/network.nix
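Review bot: `persistantKeepalive = netconf.persistentKeepalive;` inside mapHostToPeerConfig is a misspelling of the NixOS peer option `persistentKeepalive`, carried over from the removed code rather than fixed; if the peer submodule rejects unknown attributes this fails at evaluation, and if it were accepted the keepalive would silently never reach WireGuard, so the peer meta marks with `persistentKeepalive = 25; # Might be behind NAT` would lose its mapping and become unreachable. Change the line to `persistentKeepalive = netconf.persistentKeepalive;`. Separately, `presharedKeyFile` is now unconditional and derived as `/secrets/wireguard/preshared/${networkName}-${host}` where the old code fell back to `null`, so every host that passes the new filter (all of them on the host that equals `networkConfig.server`) must have that file provisioned before the interface can come up. Because a WireGuard preshared key is symmetric, the file named after the remote peer on this host has to hold the same key as the file named after this host on the remote side; a note such as `# Named after the remote peer; the same key must be installed on both ends` next to the existing `# Generate the preshared key with wg genpsk` comment would make that contract visible.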
@@ -60,7 +60,6 @@
 v4.ip = "10.249.0.1";
 endpoint = "calanda.plessur.net.qo.is:12913";
 publicKey = "76nV1jgexHJ898hTLbMRz1BjguFp6YCHpoV52GuNDzc=";
- presharedKeyFile = "/secrets/wireguard/preshared/mgmt-montalin";
 persistentKeepalive = null;
 };
 #calanda.v4.ip = "10.249.0.2";
@@ -70,7 +69,6 @@
 v4.ip = "10.249.0.5";
 endpoint = null;
 publicKey = "dvv3ad9mWU9opTa8R9yPN4l1xfwdcMH0e/Rrv0GXPS4=";
- presharedKeyFile = "/secrets/wireguard/preshared/mgmt-hummelberg";
 persistentKeepalive = 25; # Might be behind NAT
 };
 };