diff --git a/flake.nix b/flake.nix
index 35c2ad2..2de254e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -175,6 +175,7 @@
 ./modules/linux/nixos
 # Still no specific modules here
 # ./modules/cross-platform/nixos
+ agenix.nixosModules.default
 # Setup home manager for my user
 home-manager.nixosModules.home-manager
 {
diff --git a/modules/linux/nixos/default.nix b/modules/linux/nixos/default.nix
index 11cd280..bde78c6 100644
--- a/modules/linux/nixos/default.nix
+++ b/modules/linux/nixos/default.nix
@@ -23,6 +23,7 @@
 ./sunshine.nix
 ./nh.nix
 ./ollama.nix
+ ./secrets.nix
 ];
 
 crony.bluetooth.enable = lib.mkDefault true;
diff --git a/modules/linux/nixos/secrets.nix b/modules/linux/nixos/secrets.nix
new file mode 100644
index 0000000..647d471
--- /dev/null
+++ b/modules/linux/nixos/secrets.nix
@@ -0,0 +1,10 @@
+{
+ age = {
+ secrets = {
+ wg-desktop = {
+ file = ../../../secrets/wg-desktop.age;
+ };
+ };
+ identityPaths = ["/home/crony/.ssh/main"];
+ };
+}
diff --git a/modules/linux/nixos/wireguard.nix b/modules/linux/nixos/wireguard.nix
index 7986a08..5d8d4e6 100644
--- a/modules/linux/nixos/wireguard.nix
+++ b/modules/linux/nixos/wireguard.nix
@@ -8,19 +8,10 @@
 };
 
 config = lib.mkIf config.crony.wireguard.enable {
- # Allow for wireguard traffic
- networking.firewall = {
- # if packets are still dropped, they will show up in dmesg
- logReversePathDrops = true;
- # wireguard trips rpfilter up
- extraCommands = ''
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
- '';
- extraStopCommands = ''
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
- '';
+ # Setup wireguard
+ networking.wg-quick.interfaces.wg0 = {
+ autostart = false;
+ configFile = "${config.age.secrets.wg-desktop.path}";
 };
 };
 }
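Review bot: `identityPaths = ["/home/crony/.ssh/main"];` in modules/linux/nixos/secrets.nix replaces agenix's default host-key identities with one user's personal key under /home, so decryption of wg-desktop (done by root during system activation) now depends on that home directory being mounted and on the key being usable non-interactively, and it ties a system-level secret to one user's key material. The `systems` list in secrets/secrets.nix holds only heimdall, which is presumably why the desktop's host key could not be used here. Consider adding the desktop's host public key to secrets/secrets.nix and dropping the `identityPaths` override, or at least keeping the host key alongside the user key, e.g. `identityPaths = ["/etc/ssh/ssh_host_ed25519_key" "/home/crony/.ssh/main"];`.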
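Review bot: The rpfilter exceptions for port 51820 removed in modules/linux/nixos/wireguard.nix get no replacement, and the policy routing wg-quick installs for a full-tunnel config is exactly what tripped the reverse-path check before; if the config inside the wg-desktop secret routes 0.0.0.0/0, replies may again be dropped by NixOS's rpfilter, and `networking.firewall.checkReversePath = "loose";` inside the same `mkIf` is the usual remedy. A style point on the new line: `configFile = "${config.age.secrets.wg-desktop.path}";` interpolates a string into a string for no gain; `configFile = config.age.secrets.wg-desktop.path;` is equivalent. The module's function header and option declarations start above the hunk.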
diff --git a/modules/servers/heimdall/default.nix b/modules/servers/heimdall/default.nix
index 1dec27f..c38e947 100644
--- a/modules/servers/heimdall/default.nix
+++ b/modules/servers/heimdall/default.nix
@@ -2,5 +2,7 @@
 imports = [
 ./uptime-kuma.nix
 ./ntfy-sh.nix
+ ./wireguard.nix
+ ./secrets.nix
 ];
 }
diff --git a/modules/servers/heimdall/secrets.nix b/modules/servers/heimdall/secrets.nix
new file mode 100644
index 0000000..3a24741
--- /dev/null
+++ b/modules/servers/heimdall/secrets.nix
@@ -0,0 +1,9 @@
+{
+ age = {
+ secrets = {
+ wg-heimdall = {
+ file = ../../../secrets/wg-heimdall.age;
+ };
+ };
+ };
+}
diff --git a/modules/servers/heimdall/wireguard.nix b/modules/servers/heimdall/wireguard.nix
new file mode 100644
index 0000000..bd01782
--- /dev/null
+++ b/modules/servers/heimdall/wireguard.nix
@@ -0,0 +1,24 @@
+{config, ...}: {
+ networking = {
+ nat = {
+ enable = true;
+ enableIPv6 = true;
+ externalInterface = "enp1s0";
+ internalInterfaces = ["wg0"];
+ };
+ firewall = {
+ allowedTCPPorts = [53];
+ allowedUDPPorts = [53 51820];
+ };
+ wg-quick.interfaces.wg0.configFile = "${config.age.secrets.wg-heimdall.path}";
+ };
+
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ interface = "wg0";
+ };
+ };
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 7d9c34a..33dcced 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,4 +11,6 @@ let
 systems = [heimdall];
 in {
 "traefik.age".publicKeys = systems ++ users;
+ "wg-heimdall.age".publicKeys = systems ++ users;
+ "wg-desktop.age".publicKeys = systems ++ users;
 }
diff --git a/secrets/wg-desktop.age b/secrets/wg-desktop.age
new file mode 100644
index 0000000..bb91178
--- /dev/null
+++ b/secrets/wg-desktop.age
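Review bot: `allowedTCPPorts = [53];` and `allowedUDPPorts = [53 51820];` in modules/servers/heimdall/wireguard.nix open DNS on every interface, including the external `enp1s0`, while dnsmasq is configured with `interface = "wg0"` but without `bind-interfaces`, so it still binds the wildcard socket and the only thing keeping internet clients away from the resolver is dnsmasq's own interface filtering. Scoping port 53 to the tunnel via `networking.firewall.interfaces.wg0` and adding `bind-interfaces = true` keeps the firewall as the primary control and leaves only 51820 exposed. `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` is presumably redundant, since `networking.nat.enable` already turns on IPv4 forwarding (and IPv6 forwarding with `enableIPv6`); verify against the nat module before removing it.
```nix
    firewall = {
      # only the WireGuard listener is reachable from outside
      allowedUDPPorts = [51820];
      # DNS is served to tunnel peers only
      interfaces.wg0 = {
        allowedTCPPorts = [53];
        allowedUDPPorts = [53];
      };
    };
    # … unchanged: wg-quick.interfaces.wg0.configFile …
  };

  services.dnsmasq = {
    enable = true;
    settings = {
      interface = "wg0";
      # bind only wg0 instead of the wildcard address
      bind-interfaces = true;
    };
  };
```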
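Review bot: Both new entries in secrets/secrets.nix use `systems ++ users` as recipients, and the hunk context shows `systems = [heimdall];`, so the desktop's WireGuard configuration (which carries the desktop's private key) is decryptable by heimdall's host key even though heimdall never needs it. Per-secret recipient lists would hold to least privilege: `"wg-heimdall.age".publicKeys = [heimdall] ++ users;` and `"wg-desktop.age".publicKeys = [<desktop-host-key>] ++ users;` once the desktop's host key is added to this file, or `users` alone for wg-desktop while it is decrypted with a user key anyway. The `let` block this hunk edits starts above the hunk.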
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 2P4nKw PmQyF+dwOGsxBl9Cb8fPAF2szc58PxBDQYQHQHjj3To +4JC0/xuiU+hQRw2JP7F/AbQR7ewNygTIcYDr99kRRsI +-> ssh-ed25519 fd/ZLQ xzfSyCwim1CDwS+EipluJsp6PFQap5CAAVqcFjcmq2w +1v6DZMND3RUx8bYLNegFCulI6t6YJWc7R140o5YuJNw +--- gT2MyDArAIxv/DbiaPNesbtHjBROCp55KtVX1cQfUNQ + ʆ`%~}^Pdb Zs &i3. Qǔsct5?,[1PRq0,WgayHJbttezTlc6 ϮǴz(iQ8> 39P/sK>IίhRiJ|d#O<7N!]+g:Ozm8KFLv-sf%-gz'֓7H>c +%rКDK!Fy!e{Zi0T^f0tq WlI.6洤B; +#9^bJDa=!+no! +1\1K#+a4}&i='QpŌpo'2P.\67|f4Ͷ/~̅$?&C?K \ No newline at end of file diff --git a/secrets/wg-heimdall.age b/secrets/wg-heimdall.age new file mode 100644 index 0000000..1dbfa81 Binary files /dev/null and b/secrets/wg-heimdall.age differ