diff --git a/host/montalin/applications/default.nix b/host/montalin/applications/default.nix
index e82a143..0971988 100644
--- a/host/montalin/applications/default.nix
+++ b/host/montalin/applications/default.nix
@@ -3,8 +3,8 @@
 imports = [
 ./cloud.nix
 ./feedreader.nix
+ ./vpn.nix
 #./dns.nix #TODO
- #./feedreader.nix #TODO
 #./wallabag.nix #TODO
 #./id.nix #TODO
 #./mx.nix #TODO
diff --git a/host/montalin/applications/vpn.nix b/host/montalin/applications/vpn.nix
new file mode 100644
index 0000000..06242dd
--- /dev/null
+++ b/host/montalin/applications/vpn.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+let
+ meta = import ../../../meta;
+ network = meta.network.virtual;
+ networkName = "mgmt";
+ networkConfig = network.${networkName};
+ hostName = config.networking.hostName;
+in {
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ "wg-${networkName}" = {
+ ips = [ "${networkConfig.hosts.${hostName}.v4.ip}/${toString networkConfig.v4.bitmask}" ];
+ privateKeyFile = "/secrets/wireguard/private/${networkName}";
+ generatePrivateKeyFile = true;
+
+ peers = let
+ reachablePeerHosts = lib.filterAttrs
+ (host: netconf: host != hostName && netconf.endpoint != null)
+ networkConfig.hosts;
+ in lib.mapAttrsToList (host: netconf: {
+ presharedKeyFile = netconf.presharedKeyFile or null; # Generate with wg genpsk
+ publicKey = netconf.publicKey;
+ endpoint = netconf.endpoint;
+ allowedIPs = [ netconf.v4.ip ];
+ persistantKeepalive = netconf.persistentKeepalive;
+ }) reachablePeerHosts;
+ };
+ };
+
+}
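Review bot: The peer attribute `persistantKeepalive = netconf.persistentKeepalive;` in the new vpn.nix is misspelled on the left-hand side; the NixOS wireguard peer option is `persistentKeepalive`, and since the peers submodule does not accept unknown attributes the module should fail to evaluate (and even if it did not, no keepalive would ever be set), so it should read `persistentKeepalive = netconf.persistentKeepalive;`. Relatedly, `allowedIPs = [ netconf.v4.ip ];` gives a bare address while `ips` a few lines above carefully appends the bitmask; if the intent is a single-host route, making it explicit with `"${netconf.v4.ip}/32"` avoids relying on how a prefix-less address is interpreted and keeps the per-peer allowed range unambiguous, which matters because `allowedIPs` is also what gates which source addresses a peer may send from. The `# Generate with wg genpsk` comment is worth expanding into one sentence stating that `presharedKeyFile` falls back to `null` (no PSK) when the host entry in `meta` omits it, so the absence of post-quantum-style protection for such a peer is a documented choice rather than an accident.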