diff --git a/host/montalin/applications/default.nix b/host/montalin/applications/default.nix
index 0971988..3bfdfb2 100644
--- a/host/montalin/applications/default.nix
+++ b/host/montalin/applications/default.nix
@@ -3,7 +3,6 @@
 imports = [
 ./cloud.nix
 ./feedreader.nix
- ./vpn.nix
 #./dns.nix #TODO
 #./wallabag.nix #TODO
 #./id.nix #TODO
diff --git a/host/montalin/applications/vpn.nix b/host/montalin/applications/vpn.nix
deleted file mode 100644
index 168d08d..0000000
--- a/host/montalin/applications/vpn.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- meta = import ../../../meta;
- network = meta.network.virtual;
- networkName = "mgmt";
-in {
- networking.wireguard.enable = true;
- networking.wireguard.interfaces = {
- "wg-${networkName}" =
- pkgs.lib.qois.wireguard.makeInterface config.networking.hostName
- networkName network.${networkName};
- };
-}
diff --git a/host/montalin/networking.nix b/host/montalin/networking.nix
index 8d97142..50de8a2 100644
--- a/host/montalin/networking.nix
+++ b/host/montalin/networking.nix
@@ -24,6 +24,8 @@ in {
 # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
 networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts =
+ [ meta.network.virtual.mgmt.server.port ];
 services.qois.luks-ssh = {
 enable = true;
@@ -33,4 +35,14 @@ in {
 gateway = plessur-net.dmz.v4.gateway;
 sshPort = 2222;
 };
+
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = let
+ network = meta.network.virtual;
+ networkName = "mgmt";
+ in {
+ "wg-${networkName}" =
+ pkgs.lib.qois.wireguard.makeInterface config.networking.hostName
+ networkName network.${networkName};
+ };
 }
diff --git a/lib/wireguard.nix b/lib/wireguard.nix
index d927f9c..62dfd59 100644
--- a/lib/wireguard.nix
+++ b/lib/wireguard.nix
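Review bot: The UDP opening on the added `allowedUDPPorts` lines in networking.nix is unconditional, while the matching `listenPort` in lib/wireguard.nix is only set when this host equals `server.hostname`; if the hub ever moves in meta, montalin keeps a firewall hole with nothing bound behind it and the new hub gets no rule. Tie the rule to the same condition, e.g. `networking.firewall.allowedUDPPorts = if meta.network.virtual.mgmt.server.hostname == config.networking.hostName then [ meta.network.virtual.mgmt.server.port ] else [ ];` (`config` is already used by the wireguard block in this file; whether `meta` is bound in this file's `let` is outside the hunk). The rule also applies to every interface, including the new `wg-mgmt` one; if the DMZ-facing interface name is known here, `networking.firewall.interfaces.<ext>.allowedUDPPorts` would limit the exposure to that side only. The enclosing module attrset (`in {`) starts outside the hunk.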
@@ -12,18 +12,20 @@
 persistentKeepalive = hostconf.persistentKeepalive;
 });
- makeInterface = (hostName: netname: netconfig: {
- ips = [
- "${netconfig.hosts.${hostName}.v4.ip}/${toString netconfig.v4.bitmask}"
- ];
- privateKeyFile = "/secrets/wireguard/private/${netname}";
- generatePrivateKeyFile = true;
+ makeInterface = (hostName: netname: netconfig:
+ let isHub = netconfig.server.hostname == hostName;
+ in {
+ ips = [
+ "${netconfig.hosts.${hostName}.v4.ip}/${toString netconfig.v4.bitmask}"
+ ];
+ listenPort = if isHub then netconfig.server.port else null;
+ privateKeyFile = "/secrets/wireguard/private/${netname}";
+ generatePrivateKeyFile = true;
- peers = let
- reachablePeerHosts = lib.filterAttrs (host: hostconf:
- host != hostName
- && (hostconf.endpoint != null || netconfig.server == hostName))
- netconfig.hosts;
- in lib.mapAttrsToList (mapHostToPeerConfig netname) reachablePeerHosts;
- });
+ peers = let
+ reachablePeerHosts = lib.filterAttrs (host: hostconf:
+ host != hostName && (hostconf.endpoint != null || isHub))
+ netconfig.hosts;
+ in lib.mapAttrsToList (mapHostToPeerConfig netname) reachablePeerHosts;
+ });
 }
diff --git a/meta/network.nix b/meta/network.nix
index a4aca64..48ff44d 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -47,18 +47,21 @@
 };
 virtual = {
- mgmt = {
+ mgmt = rec {
 # TODO: Introduce virtual network type
 v4 = {
 id = "10.249.0.0";
 bitmask = 23;
 };
- server = { hostname = "montalin"; };
+ server = {
+ hostname = "montalin";
+ port = 51820;
+ };
 hosts = {
 montalin = {
 v4.ip = "10.249.0.1";
- endpoint = "calanda.plessur.net.qo.is:12913";
+ endpoint = "calanda.plessur.net.qo.is:${server.port}";
 publicKey = "76nV1jgexHJ898hTLbMRz1BjguFp6YCHpoV52GuNDzc=";
 persistentKeepalive = null;
 };
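Review bot: `makeInterface` gains hub/spoke behaviour (`isHub`, `listenPort`) with no comment explaining it, and the semantics are easy to misread from the filter alone: a non-hub host peers with every host whose `endpoint` is non-null, not only the hub, so this is a partial mesh rather than strict hub-and-spoke, and a non-hub leaves `listenPort` unset. The retained `generatePrivateKeyFile = true` also deserves a warning, because a key generated on first boot cannot match the `publicKey` pinned for that host in meta, so peers fail the handshake with no error until the pre-provisioned key is placed at `/secrets/wireguard/private/<netname>`. Suggested header above `makeInterface`: `# Interface for hostName in netconfig: the hub (netconfig.server.hostname) binds server.port and peers with all hosts;` / `# any other host leaves listenPort unset and peers with every host that publishes an endpoint.` / `# privateKeyFile must be pre-provisioned to match meta's publicKey; generatePrivateKeyFile only avoids a boot failure.` The enclosing attrset and `mapHostToPeerConfig` start outside the hunk.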
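Review bot: `endpoint = "calanda.plessur.net.qo.is:${server.port}"` will not evaluate: `server.port` is the integer `51820`, and Nix does not coerce integers inside `${...}` ("cannot coerce an integer to a string"), so every host that imports meta fails to build. Use `endpoint = "calanda.plessur.net.qo.is:${toString server.port}";`, matching how lib/wireguard.nix already stringifies `netconfig.v4.bitmask`. Note also that the hub port moves from 12913 to WireGuard's default 51820; since the endpoint name (calanda) differs from the hub host (montalin), there is presumably a port forward on the way in that needs the same update — worth confirming. The `virtual` attrset enclosing `mgmt` starts outside the hunk.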