diff --git a/server.yml b/server.yml
index dfbe021..cff1100 100644
--- a/server.yml
+++ b/server.yml
@@ -182,6 +182,12 @@ services:
      - /etc/ssl/certs:/etc/ssl/certs:ro
      - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
 
+  - name: wg
+    image: nemunaire/wg-manager:ffeb1c11a389f9d39c19c0eb26c47c982a7b8639-dirty
+    command: ["/bin/wg-manager", "-bind=172.17.0.15:81" ]
+    capabilities:
+     - all
+
   - name: ns
     image: nemunaire/unbound:ed3ccbb5340aefd48c53a97743fdc6edc7011103-amd64
     net: /run/netns/dmz-ns
@@ -397,6 +403,7 @@ files:
               local-zone: "adlin.nemunai.re" typetransparent
               local-data: "adlin.nemunai.re TXT \"8dde678132d6c558fc6adaeb9f1d53bf6ec7b876308cf98c48604caa9138523c1ce58b672c87c7e7d9b7248b81804d3940dbf20bf263eeb683244f7c1143712d\""
               local-data: "auth.adlin.nemunai.re A 172.23.255.2"
+              local-data: "wg.adlin.nemunai.re A 172.17.0.15"
       remote-control:
              control-enable: no
       forward-zone:
@@ -650,6 +657,13 @@ files:
       server 51.15.180.229
     mode: "0440"
 
+  - path: etc/wireguard/wg0.conf
+    contents: |
+      [Interface]
+      PrivateKey = SCGCKDuTm4PMOw+LXdK/2s8mxnv145QHOohKRq3vc2A=
+      ListenPort = 12912
+      Address = 172.23.191.254/18
+    mode: "0644"
 
   - path: srv/tftp
     directory: true