diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index 44f2af4..720f546 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -34,3 +34,10 @@ creation_rules:
 - *machine_durruti
 age:
 - *admin_atlan
+ - path_regex: secrets/keys/wireguard/.*
+ key_groups:
+ - pgp:
+ - *admin_kalipso
+ - *admin_kalipso_dsktp
+ age:
+ - *admin_atlan
\ No newline at end of file
diff --git a/machines/lucia/configuration.nix b/machines/lucia/configuration.nix
index 7184763..12c87d8 100644
--- a/machines/lucia/configuration.nix
+++ b/machines/lucia/configuration.nix
@@ -7,6 +7,7 @@ in
 imports = [
 # Include the results of the hardware scan.
 ../modules/malobeo_user.nix
+ ./wireguard.nix
 ];
 
 sops.defaultSopsFile = ./secrets.yaml;
diff --git a/machines/lucia/wireguard.nix b/machines/lucia/wireguard.nix
new file mode 100644
index 0000000..2e533c0
--- /dev/null
+++ b/machines/lucia/wireguard.nix
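Review bot: The new `path_regex: secrets/keys/wireguard/.*` rule is appended after the existing creation rules, and sops applies the first rule whose regex matches, so it only takes effect if no earlier rule (not visible in this hunk) already covers that path — worth checking, because a broad `secrets/.*` rule above it would make this one dead. The regex is also unanchored, so it matches the substring anywhere in a path; `path_regex: ^secrets/keys/wireguard/` pins it to the intended directory. Nothing in this commit adds a file under that path and `lucia` reads `./secrets.yaml`, so the rule is currently unexercised; a one-line comment naming the encrypted file it is meant to govern would help the next reader. The missing trailing newline flagged by `\ No newline at end of file` is worth fixing while here.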
@@ -0,0 +1,54 @@
+ {config, pkgs, ...}:
+ {
+ # enable NAT
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "eth0";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+
+
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ ips = [ "10.100.0.1/24" ];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
+ listenPort = 51820;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKey = config.sops.secrets.wireguard_private.path;
+
+ peers = [
+ # List of allowed peers.
+ { # Feel free to give a meaningfull name
+ # Public key of the peer (not a file path).
+ publicKey = "SfokXbgmvSmodgPFoVHjwmHE3nriQ3OTQ+hISU/3eW4=";
+ # To decrypt the private key to use
+
+ # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ allowedIPs = [ "10.100.0.2/32" ];
+
+ }
+ ];
+ };
+ };
+ }
\ No newline at end of file
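Review bot: `privateKey = config.sops.secrets.wireguard_private.path;` assigns a file path to the inline-key option, so the generated WireGuard config would contain the literal path string where a base64 key belongs and the interface would fail to come up — the comment directly above that line already says to use `privateKeyFile` for exactly this reason; change it to `privateKeyFile = config.sops.secrets.wireguard_private.path;`. Nothing in this commit declares `sops.secrets.wireguard_private`, and the rule added to `.sops.yaml` governs `secrets/keys/wireguard/` while `lucia`'s `sops.defaultSopsFile` is `./secrets.yaml`, so unless the secret is declared in a file outside this diff the module needs something like `sops.secrets.wireguard_private = { sopsFile = ../../secrets/keys/wireguard/lucia.yaml; };` pointing at the file that rule actually encrypts. The `postSetup`/`postShutdown` MASQUERADE rules appear to largely duplicate what `networking.nat.internalInterfaces = [ "wg0" ]` with `externalInterface = "eth0"` already configures, so one of the two mechanisms could go. The dangling `# To decrypt the private key to use` comment in the peer block describes nothing and should be removed, and `eth0` is hard-coded in three places — a single `let ext = "eth0"; in` binding would keep them from drifting.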