diff --git a/boxes/copernicus/default.nix b/boxes/copernicus/default.nix
index 0d35339..0ba1c65 100644
--- a/boxes/copernicus/default.nix
+++ b/boxes/copernicus/default.nix
@@ -107,13 +107,26 @@
 hostName = "copernicus";
 firewall = {
 enable = true;
- allowedTCPPorts = [ 6000 ];
- allowedTCPPortRanges = [
- { from = 1714; to = 1764; } # KDE Connect
- ];
- allowedUDPPortRanges = [
- { from = 1714; to = 1764; } # KDE Connect
- ];
+ interfaces = {
+ eno1 = {
+ allowedTCPPorts = [ 6000 ];
+ allowedTCPPortRanges = [
+ { from = 1714; to = 1764; } # KDE Connect
+ ];
+ allowedUDPPortRanges = [
+ { from = 1714; to = 1764; } # KDE Connect
+ ];
+ };
+ wg0 = {
+ # allow everything bound to the wg0 interface
+ allowedTCPPortRanges = [
+ { from = 1; to = 35565; }
+ ];
+ allowedUDPPortRanges = [
+ { from = 1; to = 35565; }
+ ];
+ };
+ };
 };
 };
diff --git a/boxes/copernicus/services/default.nix b/boxes/copernicus/services/default.nix
index 740af87..777283e 100644
--- a/boxes/copernicus/services/default.nix
+++ b/boxes/copernicus/services/default.nix
@@ -3,5 +3,6 @@
 {
 imports = [
 ./photoprism.nix
+ ./wireguard.nix
 ];
 }
diff --git a/boxes/copernicus/services/wireguard.nix b/boxes/copernicus/services/wireguard.nix
new file mode 100644
index 0000000..c4957f1
--- /dev/null
+++ b/boxes/copernicus/services/wireguard.nix
@@ -0,0 +1,24 @@
+{ lib, config, pkgs, ... }:
+
+{
+ networking = {
+ firewall.allowedUDPPorts = [ 51820 ];
+
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.2/24" ];
+ listenPort = 51820;
+
+ privateKeyFile = "/home/usr/wg-keys/private";
+ peers = [
+ { # netbox
+ publicKey = "0fOqAfsYO4HvshMPnlkKL7Z1RChq98hjDr0Q8o7OJFE=";
+ allowedIPs = [ "10.100.0.0/24" ]; # only stuff in the wg-subnet (10.100.0.*)
+ endpoint = "149.28.63.115:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/boxes/netbox/default.nix b/boxes/netbox/default.nix
index a79440b..720c563 100644
--- a/boxes/netbox/default.nix
+++ b/boxes/netbox/default.nix
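Review bot: The `wg0` ranges `{ from = 1; to = 35565; }` do not do what the comment "allow everything bound to the wg0 interface" says — 35565 looks like a transposition of 65535, so TCP and UDP ports 35566–65535 stay closed on the tunnel interface. If the tunnel is meant to be fully trusted, the idiomatic NixOS knob is `networking.firewall.trustedInterfaces = [ "wg0" ];`, which accepts all traffic on that interface without a port range; otherwise correct both bounds to `{ from = 1; to = 65535; }`. Worth stating in the comment that, together with the copernicus peer entry in this same commit accepting any source in 10.100.0.0/24 from netbox, every listener on copernicus becomes reachable from anything netbox routes into that subnet — the trust placed here is in netbox, not only in the tunnel. The enclosing attribute set begins before the hunk.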
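Review bot: `privateKeyFile = "/home/usr/wg-keys/private";` keeps the tunnel's long-term identity under a user's home directory, so anyone who obtains that account (or a backup/sync of that home) can impersonate copernicus to netbox; move it to a root-owned, mode 0600 location such as `privateKeyFile = "/etc/wireguard/wg0.key";` (the module's `generatePrivateKeyFile = true` can create it there on first start, if I remember the option correctly), or supply it through a secrets module. The `usr` path component also reads like a placeholder, and since the file is only opened when the `wireguard-wg0` unit runs, a wrong path surfaces at activation rather than at build time. Separately, `firewall.allowedUDPPorts = [ 51820 ]` opens the listen port on every interface including `eno1`, even though this peer has an `endpoint` and `persistentKeepalive` and so initiates the handshake itself; if netbox never needs to reach copernicus first, that line can go and the tunnel still comes up via conntrack.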
@@ -16,6 +16,7 @@
 ./fail2ban.nix
 ./nginx.nix
 ./franklincce.nix
+ ./wireguard.nix
 ];
 nix = {
diff --git a/boxes/netbox/wireguard.nix b/boxes/netbox/wireguard.nix
new file mode 100644
index 0000000..b33fa31
--- /dev/null
+++ b/boxes/netbox/wireguard.nix
@@ -0,0 +1,36 @@
+{ lib, config, pkgs, ... }:
+
+{
+ networking = {
+ nat = {
+ enable = true;
+ externalInterface = "eth0";
+ internalInterfaces = [ "wg0" ];
+ };
+ firewall.allowedUDPPorts = [ 51820 ];
+
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.1/24" ];
+
+ listenPort = 51820;
+
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ privateKeyFile = "/home/ryan/wg-keys/private";
+
+ peers = [
+ { # copernicus
+ publicKey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+ };
+ };
+}
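Review bot: The `postSetup`/`postShutdown` iptables MASQUERADE rules duplicate what `networking.nat` with `externalInterface = "eth0"` and `internalInterfaces = [ "wg0" ]` already installs, so after the unit starts there are two masquerade rules for the same traffic, one of them outside the NixOS-managed chains and, because `-A` is unconditional, accumulating on any restart where `postShutdown` did not run; keep one mechanism, and `networking.nat` is the one that stays consistent if the firewall backend changes. It is also worth asking whether masquerading is wanted at all: the only peer, copernicus, limits its `allowedIPs` to `10.100.0.0/24` in this same commit, so nothing currently routes through netbox to the internet, while enabling `networking.nat` (as far as I recall) turns on IPv4 forwarding on a host that sits at a public address — if this is host-to-host only, drop the `nat` block and both hooks. `privateKeyFile = "/home/ryan/wg-keys/private";` has the same weakness as on copernicus, a user-home path for the server's long-term key; a root-owned `/etc/wireguard/` file with mode 0600 is the conventional place. The peer stanza itself (`allowedIPs = [ "10.100.0.2/32" ]`, no endpoint) is appropriately tight.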