diff --git a/hetzner-vpn1.nix b/hetzner-vpn1.nix
index da00bf0..d16db0f 100644
--- a/hetzner-vpn1.nix
+++ b/hetzner-vpn1.nix
@@ -16,5 +16,53 @@
 users.users.root.openssh.authorizedKeys.keys = [
 ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
 ];
+
+ environment = {
+ systemPackages = with pkgs; [iptables wireguard-tools];
+ };
+
+ # wireguard server for public ip
+ # enable NAT
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "eth0";
+ networking.nat.internalInterfaces = ["wg0"];
+ networking.firewall = {
+ allowedUDPPorts = [51820];
+ };
+
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ ips = ["10.100.0.1/24"];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
+ listenPort = 51820;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ # Path to the private key file
+ privateKeyFile = "/root/wireguard/keys/private";
+
+ peers = [
+ # List of allowed peers.
+ {
+ # Phone
+ publicKey = "/sjNk9rXaMdrCHD2kmut1AXD1UhF1xcZ4ju+EmFGcCk=";
+ # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ #allowedIPs = ["10.100.0.2/32"];
+ }
+ ];
+ };
+ };
 };
 }
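Review bot: The single peer has its `allowedIPs` commented out, so it is configured with an empty allowed-IP list and WireGuard will drop every packet from that peer — the tunnel as committed cannot carry traffic; either restore `allowedIPs = ["10.100.0.2/32"];` or drop the peer entry rather than leaving a half-edited line. The manual `iptables -t nat -A POSTROUTING ... -j MASQUERADE` in `postSetup` appears to duplicate what `networking.nat.enable` with `internalInterfaces = ["wg0"]` and `externalInterface = "eth0"` already installs, and the `-D` in `postShutdown` removes only one copy; it would be cleaner to rely on `networking.nat` alone, which also avoids hard-coding `eth0` and `10.100.0.0/24` in three places. `privateKeyFile = "/root/wireguard/keys/private"` points at a file this configuration does not create or manage, so document the expected provisioning and permissions above it, e.g. `# not managed by NixOS: must exist before activation, owned by root, mode 0600`. The enclosing attribute set begins before this hunk.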