diff --git a/server.yml b/server.yml
index 93c104b..cab8d53 100644
--- a/server.yml
+++ b/server.yml
@@ -1,7 +1,8 @@
 kernel:
   image: linuxkit/kernel:5.4.19
 # cmdline: "console=tty0 console=ttyS0"
-  cmdline: "console=tty0 adlin.network=alt"
+# cmdline: "console=tty0 adlin.network=alt"
+  cmdline: "console=tty0"
 init:
   - linuxkit/init:a4fcf333298f644dfac6adf680b83140927aa85e
@@ -37,7 +38,25 @@ onboot:
       bindNS:
         net: /run/netns/login
-  # Network: DMZ ####################################################
+  # Network: internet DMZ ###########################################
+
+  # wg-manager
+  - name: wg-iface-setup
+    image: linuxkit/ip:v0.7
+    command: ["/bin/sh", "-c", "ip a add 172.17.0.15/16 dev vethin-wg; ip a add 10.224.32.251/24 dev vethin-wg; ip link set vethin-wg up; grep adlin.network=alt /proc/cmdline > /dev/null && ip route add default via 10.224.32.254 || ip route add default via 10.224.32.1; wg-quick up wg0; /sbin/iptables-restore < /etc/iptables/rules.v4;" ]
+    net: new
+    binds:
+      - /etc/iptables/rules-wg.v4:/etc/iptables/rules.v4
+      - /etc/wireguard/wg0.conf:/etc/wireguard/wg0.conf
+    runtime:
+      interfaces:
+        - name: vethin-wg
+          add: veth
+          peer: veth-wg
+      bindNS:
+        net: /run/netns/dmzi-wg
+
+  # Network: services DMZ ###########################################
   # token-validator
   - name: validator-iface-setup
@@ -184,9 +203,10 @@ services:
   - name: wg
     image: nemunaire/wg-manager:a2c7f6c737d968ba8ef79c9b95ce29d707036d28
-    command: ["/bin/wg-manager", "-bind=172.17.0.15:81" ]
+    command: ["/bin/wg-manager", "-bind=:80" ]
     capabilities:
       - all
+    net: /run/netns/dmzi-wg
   - name: ns
     image: nemunaire/unbound:ed3ccbb5340aefd48c53a97743fdc6edc7011103-amd64
@@ -282,7 +302,6 @@ files:
       ip l add br-ext type bridge
       ip a add 172.23.255.1/24 dev br-ext;
-      ip a add 172.17.0.15/16 dev br-ext;
       ip a add 10.224.32.252/24 dev br-ext;
       ip a add 172.23.0.1/17 dev br-ext;
       ip link set eth0 master br-ext;
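Review bot: The `sh -c` chain in `wg-iface-setup` runs every step unconditionally, so if `wg-quick up wg0` or `/sbin/iptables-restore` fails (missing wg0.conf, a typo in rules-wg.v4) the namespace still comes up with vethin-wg attached and its filter table at the empty default of ACCEPT, and the onboot container's exit status only reflects the last command. Prefix the command with `set -e;` so a failed step aborts the setup and shows up in the boot log; the `grep … && … || …` route selection still works under `set -e` because the `||` branch handles the failure of the compound list. Note also that `net.ipv4.ip_forward = 1` is applied via sysctl.d in the host namespace; whether the `net: new` namespace inherits it depends on the kernel's devconf inheritance setting, so consider enabling it explicitly inside the command (e.g. `echo 1 > /proc/sys/net/ipv4/ip_forward;`) rather than relying on it for the FORWARD rules in rules-wg.v4 to matter.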
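Review bot: Changing the bind from `172.17.0.15:81` to `:80` makes wg-manager listen on every address in the `dmzi-wg` namespace, including the `10.224.32.251` that `wg-iface-setup` assigns to the same interface, and the ruleset restored in that namespace (`rules-wg.v4`) has an INPUT policy of ACCEPT with no rules, so the 172.17.0.0/16-only restriction the old host INPUT rule enforced no longer applies to this service. Unless management from the 10.224.32.0/24 side is intended, keep the bind on the management address, `command: ["/bin/wg-manager", "-bind=172.17.0.15:80" ]`, and/or filter the source in rules-wg.v4. `capabilities: - all` is pre-existing, but the service is now directly exposed; whether wg-manager needs more than CAP_NET_ADMIN is not visible here and is worth checking.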
@@ -294,14 +313,13 @@ files:
       ip route add default via 10.224.32.254 || ip route add default via 10.224.32.1
-      wg-quick up wg0
-      /sbin/iptables-restore < /etc/iptables/rules.v4;
     mode: "0755"
-  - path: etc/sysctl.d/99-ipfwd.conf
+  - path: etc/sysctl.d/99-adlin-net.conf
     contents: |
       net.ipv4.ip_forward = 1
+      net.ipv4.conf.all.arp_ignore = 2
       net.ipv6.conf.all.disable_ipv6 = 1
     mode: "0644"
   - path: etc/sysctl.d/00-linuxkit.conf
@@ -354,7 +372,7 @@ files:
       COMMIT
       *filter
       :INPUT DROP [0:0]
-      :FORWARD ACCEPT [0:0]
+      :FORWARD DROP [0:0]
       :OUTPUT ACCEPT [0:0]
       [0:0] -A INPUT -i lo -j ACCEPT
       [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
@@ -363,12 +381,14 @@ files:
       [0:0] -A INPUT -i br-ext -p tcp --dport 22 -j ACCEPT
       [0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
       [0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
-      [0:0] -A INPUT -i br-ext -p tcp --dport 80 -j ACCEPT
-      [0:0] -A INPUT -i br-ext -p tcp -s 172.17.0.0/16 -d 172.17.0.15 --dport 81 -j ACCEPT
-      [0:0] -A INPUT -i br-ext -p udp -s 172.17.0.0/16 -d 172.17.0.15 --dport 12912 -j ACCEPT
+      [0:0] -A INPUT -i br-ext -p tcp -d 172.23.0.254 --dport 80 -j ACCEPT
+      [0:0] -A INPUT -i br-ext -p tcp ! -s 172.17.0.0/16 -d 172.17.0.15 -j REJECT --reject-with icmp-net-unreachable
+      [0:0] -A INPUT -i br-ext -p tcp -d 172.17.0.15 --dport 80 -j ACCEPT
+      [0:0] -A INPUT -i br-ext -p udp -d 172.17.0.15 --dport 12912 -j ACCEPT
       [0:0] -A INPUT -p udp --sport 7000 -j DROP
       [0:0] -A INPUT -p udp --dport 7000 -j DROP
       [0:0] -A INPUT -j LOG
+      [0:0] -A INPUT -j REJECT --reject-with icmp-port-unreachable
       [0:0] -A FORWARD -i wg0 -o br-ext -j ACCEPT
       [0:0] -A FORWARD -o wg0 -i br-ext -j ACCEPT
       [0:0] -A FORWARD -i br-int -j ACCEPT
@@ -380,6 +400,7 @@ files:
       [0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT
       [0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP
       [0:0] -A FORWARD -j LOG
+      [0:0] -A FORWARD -j REJECT --reject-with icmp-net-prohibited
       COMMIT
     mode: "0440"
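Review bot: This hunk removes `/sbin/iptables-restore < /etc/iptables/rules.v4;` (together with `wg-quick up wg0`) from the host network script, and no other hunk in this diff shows the host ruleset being loaded anywhere else; if this was its only call site, the host now boots with empty filter/nat tables (policy ACCEPT) and the FORWARD DROP and INPUT REJECT changes further down in this same file are never applied. Either keep the restore here, `/sbin/iptables-restore < /etc/iptables/rules.v4;`, or add a comment pointing at the onboot step that now performs it, since moving only the WireGuard part into the new namespace was presumably the intent. The script this hunk edits starts outside the hunk, so an earlier restore cannot be ruled out from here. A one-line comment on the new sysctl would also help the next reader, e.g. `# arp_ignore=2: br-ext carries several prefixes; only answer ARP for targets in the requester's subnet`.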
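Review bot: The three new INPUT rules for `-d 172.17.0.15` (the `! -s 172.17.0.0/16` REJECT, tcp 80 and udp 12912) look unreachable after this commit: the earlier hunk at `files:` removes 172.17.0.15 from br-ext and `wg-iface-setup` assigns it to `vethin-wg` inside the `dmzi-wg` namespace, so packets for that address are bridged or routed by the host rather than delivered to its INPUT chain (assuming veth-wg is a br-ext port, which is not shown). If br_netfilter hooks bridged frames into iptables, that traffic is subject instead to the FORWARD chain, which this commit sets to DROP with no br-ext→br-ext rule for 172.17.0.0/16; either way these INPUT rules only document an intent they do not enforce, and the source restriction for wg-manager and the WireGuard port has to live in the INPUT chain of `rules-wg.v4`, which is currently policy ACCEPT with no rules. Separately, the new terminal `-A INPUT -j REJECT --reject-with icmp-port-unreachable` sits behind an unlimited `-j LOG`; `[0:0] -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG` keeps a port scan from flooding the log now that every unmatched packet is also answered.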
@@ -446,8 +467,7 @@ files:
       #gzip on;
       resolver 9.9.9.9;
       server {
-        listen 80 default;
-        listen [::]:80 default;
+        listen 172.23.0.1:80 default;
         location = /{
           return 403;
         }
@@ -729,6 +749,26 @@ files:
       Address = 172.23.191.254/18
     mode: "0644"
+  - path: etc/iptables/rules-wg.v4
+    contents: |
+      *nat
+      :PREROUTING ACCEPT [0:0]
+      :INPUT ACCEPT [0:0]
+      :OUTPUT ACCEPT [0:0]
+      :POSTROUTING ACCEPT [0:0]
+      [0:0] -A POSTROUTING -o vethin-wg ! -d 172.17.0.0/16 -j MASQUERADE
+      COMMIT
+      *filter
+      :INPUT ACCEPT [0:0]
+      :FORWARD DROP [0:0]
+      :OUTPUT ACCEPT [0:0]
+      [0:0] -A FORWARD -i wg0 -o vethin-wg -j ACCEPT
+      [0:0] -A FORWARD -o wg0 -i vethin-wg -j ACCEPT
+      [0:0] -A FORWARD -j LOG
+      [0:0] -A FORWARD -j REJECT --reject-with icmp-net-prohibited
+      COMMIT
+    mode: "0440"
+
   - path: srv/tftp
     directory: true
     mode: "0755"
@@ -777,7 +817,7 @@ files:
     mode: "0755"
   - path: srv/tftp/bzImage
-    source: challenge-kernel
+    source: /var/tftp/adlin/bzImage
     mode: "0644"
   - path: srv/tftp/login-initrd.img
     source: tftp/login-initrd.img
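Review bot: nginx now binds only `172.23.0.1:80`, but the only host INPUT rule admitting port 80 on br-ext in this diff is `-d 172.23.0.254 --dport 80`; no hunk shows 172.23.0.254 as a host address or a DNAT from it to 172.23.0.1, so unless that mapping exists elsewhere, either connections to 172.23.0.1:80 are now rejected by the host firewall or the INPUT rule admits an address nothing listens on. Confirm which address clients are given for this vhost and make the `listen` directive and the INPUT rule name the same one. Dropping `[::]:80` is consistent with `disable_ipv6 = 1` in the sysctl hunk.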
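Review bot: `rules-wg.v4` leaves the namespace's INPUT chain at policy ACCEPT with no rules, so wg-manager (now bound to `:80`) and the WireGuard listen socket are reachable from every network attached to vethin-wg, which undoes the `-s 172.17.0.0/16` restriction the host rules used to apply to both; the namespace is the only place that restriction can now be enforced, since the host's INPUT chain no longer sees traffic for 172.17.0.15. I would close INPUT the same way the host chain is closed and admit only the two services, limiting the management port to 172.17.0.0/16; 12912 is taken from the host rule that allowed it to 172.17.0.15 and looks like the WireGuard port, but wg0.conf is not shown, so confirm it. Two further things to note in a comment: the MASQUERADE of everything leaving vethin-wg except 172.17.0.0/16 means hosts on 10.224.32.0/24 see VPN clients as 10.224.32.251, and `-i wg0 -o vethin-wg -j ACCEPT` lets any VPN peer reach anything routed through this namespace, including the un-NATed 172.17.0.0/16 management network.

```yaml
    contents: |
      # … unchanged: *nat table …
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      [0:0] -A INPUT -i lo -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
      [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      # WireGuard handshake port (verify against wg0.conf ListenPort)
      [0:0] -A INPUT -i vethin-wg -p udp -d 172.17.0.15 --dport 12912 -j ACCEPT
      # wg-manager: management network only
      [0:0] -A INPUT -i vethin-wg -p tcp -s 172.17.0.0/16 -d 172.17.0.15 --dport 80 -j ACCEPT
      [0:0] -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG
      [0:0] -A INPUT -j REJECT --reject-with icmp-port-unreachable
      # … unchanged: FORWARD rules, COMMIT …
```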
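Review bot: `source: /var/tftp/adlin/bzImage` makes the kernel that PXE clients boot come from an absolute, unversioned path on the build host, whereas the rest of this file pins its inputs by tag or digest; a stale or tampered file at that path ends up in the TFTP root with nothing to detect it, and the build no longer works on a host without that directory. If the path is an artefact of another build step, add a comment naming the producer and record its expected digest next to it, e.g. `# produced by the adlin kernel build; sha256 <digest> — verify before release`, or keep the build-relative name so the kernel travels with the repository.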