diff --git a/.sops.yaml b/.sops.yaml index 4dd0e8b..999a2c8 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -22,10 +22,6 @@ creation_rules: key_groups: - pgp: [*clara] age: [*wireguard] - - path_regex: secrets\/wireguard\/server.yaml - key_groups: - - pgp: [*clara] - age: [*wg-server] - path_regex: secrets\/paperless\/* key_groups: - pgp: [*clara] diff --git a/configs/containers/netcup_pve/wg_server_container.nix b/configs/containers/netcup_pve/wg_server_container.nix index c3ce97f..f4e0535 100644 --- a/configs/containers/netcup_pve/wg_server_container.nix +++ b/configs/containers/netcup_pve/wg_server_container.nix @@ -10,6 +10,5 @@ imports = [ ../../container_config.nix - ../../services/wg_server.nix ]; } diff --git a/configs/services/wg_server.nix b/configs/services/wg_server.nix index 2a8294c..13e3be0 100644 --- a/configs/services/wg_server.nix +++ b/configs/services/wg_server.nix @@ -9,15 +9,24 @@ in { # set up secret key sops = { age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - secrets.private_key = { - sopsFile = ../../secrets/wireguard/server.yaml; + secrets.wg_private_key = { + sopsFile = ../../secrets/wireguard/secrets.yaml; }; }; networking = { firewall.allowedUDPPorts = [ wg_port ]; firewall.rejectPackets = true; - firewall.trustedInterfaces = [ "wg0" ]; + firewall.trustedInterfaces = [ "wgbr" "wg0" ]; + interfaces.wgbr.ipv4 = { + routes = [ ]; + addresses = [ + { + address = "10.8.1.1"; + prefixLength = 24; + } + ]; + }; wg-quick.interfaces = { wg0 = { 
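Review bot: Deleting the `secrets\/wireguard\/server.yaml` rule moves the server key under whichever remaining rule matches `secrets/wireguard/secrets.yaml`, and the rule visible just above the removed lines encrypts to `*clara` and `*wireguard`, not `*wg-server`. wg_server.nix decrypts with the age key derived from `/etc/ssh/ssh_host_ed25519_key`, so if that host key is not the `*wireguard` recipient, `wg_private_key` will fail to decrypt at activation; run `sops updatekeys` on secrets.yaml (or add the host to that rule) and confirm with `sops -d` on the server. The commit also does not show `secrets/wireguard/secrets.yaml` gaining a `wg_private_key` entry, so check that it exists before deploying. If the `wg-server` anchor is still defined at the top of the file (outside this hunk), it is now unreferenced and can be removed.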
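Review bot: `firewall.trustedInterfaces = [ "wgbr" "wg0" ];` lets all inbound traffic on `wgbr` bypass the firewall, but the hunk only assigns `10.8.1.1/24` to it via `interfaces.wgbr.ipv4`; nothing visible here creates the interface (no `networking.bridges.wgbr` or similar), so unless it is defined elsewhere the address unit has no device to configure. Trusting a bridge also trusts every port attached to it, which deserves a comment such as `# wgbr is trusted: anything attached to this bridge reaches the host unfiltered`. `routes = [ ];` is the default and can be dropped. The `secrets.wg_private_key`/`sopsFile` rename is consistent with `/run/secrets/wg_private_key` in the next hunk; the enclosing `in { … }` attribute set begins before this hunk.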
@@ -26,7 +35,25 @@ in { listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers) # Path to the private key file (see sops). - privateKeyFile = "/run/secrets/private_key"; + privateKeyFile = "/run/secrets/wg_private_key"; + + peers = [ + # For a client configuration, one peer entry for the server will suffice. + + { + # Public key of the server (not a file path). + publicKey = "AJ1nr0/w8OvsNq5Ju//m4856u7yY0hlPGMEGeZtlhlY="; + + # Forward all the traffic via VPN. + allowedIPs = [ "10.8.0.0/16" ]; + + # Set this to the server IP and port. + endpoint = "202.61.230.52:51820"; + + # Send keepalives every 25 seconds. Important to keep NAT tables alive. + persistentKeepalive = 25; + } + ]; }; }; }; diff --git a/flake.lock b/flake.lock index 2ae3068..b08a612 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1761672384, - "narHash": "sha256-o9KF3DJL7g7iYMZq9SWgfS1BFlNbsm6xplRjVlOCkXI=", + "lastModified": 1761114652, + "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "08dacfca559e1d7da38f3cf05f1f45ee9bfd213c", + "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c", "type": "github" }, "original": { diff --git a/secrets/wireguard/server.yaml b/secrets/wireguard/server.yaml deleted file mode 100644 index af658f4..0000000 --- a/secrets/wireguard/server.yaml +++ /dev/null 
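Review bot: The new `peers` entry reads as a client-side template in a file named `wg_server.nix`: the comments say "For a client configuration…", "Forward all the traffic via VPN" and "Set this to the server IP and port", yet `allowedIPs = [ "10.8.0.0/16" ];` routes only the VPN range, not all traffic. On the server side each peer entry should carry that client's public key, and `allowedIPs` there is also the source-address filter for the peer (cryptokey routing), so a /16 accepts any address in the range from that peer, including the `10.8.1.0/24` given to `wgbr` in the previous hunk; narrow it to the peer's own /32 and drop `endpoint`/`persistentKeepalive` unless this host actively dials out. If the file has instead become the client configuration (its import into the container is removed in this same commit), say so in a header comment, e.g. `# Client-side wg0 configuration; the single peer below is the server.`, and change the stale comment to `# Route only the VPN range through the tunnel.`. The enclosing `wg0 = { … }` set opens in the previous hunk.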
@@ -1,37 +0,0 @@ -private_key: ENC[AES256_GCM,data:iXKk9DcEIkNaXDETG57hfSv0WddPP+qRTdNVLxx+CwQbyNR4ztv7Pni9OSc=,iv:Pz4KBIK20enX9wEpIaie9CZB/uj2QNvNZWuSgfduNjM=,tag:TtNroYuNeZnjhLsz/hpvRw==,type:str] -sops: - age: - - recipient: age15ydstgk0fmmgy2ugmqufyqhqsqypd2mvy89enzwczz0m8ar2kvzqlcdsm8 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcnpsbU1GWE1zVnJRTlhq - WkJ6cUgwNzZjcGRKNVB5bVJyRi90MURnblVBCjZLaGxDWER4RWx6enppcXJ6dGt3 - K2dweFFQUHl0Unp3cVJod3psaHpZTG8KLS0tIGJVWG1MaXZvZU9vSmxEclVEWFJG - RU5Ockp6ZEYrV1NqYnZqMWlaYjhyMlEKF1aUbVF5yojF3bq6I0+zAqpUsoqS3CPG - /FXz8Tx94u2+JTUjJd4h0h1XRCC9RvH41nqKhevJqvPLD7tcHvTMWQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-31T20:33:11Z" - mac: ENC[AES256_GCM,data:o2FvPNCXig9e16ooYsUKmVQp0Jy96dCYepQhKBVukjvEd/LfTAfGOTzE1fadz8BBnD4gzWecr+q8eIVb4KY4AaLM9+wnY5y8uSUVdXAtuez0F+voMt+lHG+rlM57ND24njHPfXQsYXcXoIYlQ5rREkPoOlNw4jK6rNBhXZ66T+8=,iv:tsQZeQf2591TjGhP1/JDWbvcHbIbjpNzeeQ+pgZDRA8=,tag:sKHgFvCokobhcXyBHNPEGw==,type:str] - pgp: - - created_at: "2025-10-31T20:31:17Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzwtBoBqH5ZOAQ//Rrci3hcOvlGGCnwddQ5DrJMjhGzmcp2L1cCNK0K+jSGO - QgrEul3w+UgUk+TbuB9Is9ihFxQROItG8/SsK1urfY5a8CdrOghsDCoTSLFaiQ8/ - ocY1hNkjN/UhC3a90lSqw0CC2VCcj7VGiSx/0y2yWO1rN9N0FhS4Yh+pFkIH7WPY - mCQuyNIruwxQ4y1y5R4U3micFylpGW2/STbqK6Z9GzRWnZ+Fc0WSrVmuEUcNm5oQ - 1bVwqcaSNsgrox753qsh05S/JX8iI5DVz4lBiUYWLwpkgTMxvjZC7TN+W1xfEyWH - zoIdpVNE5d2ENgCm1KS0PtwBgfZVHS1xNiivzqe4a55ez9lVZMk0FeRg9iyTNHxz - Lgb9NyFmKBg3S1EjEMvxLiU2dXP0SNstihQXW+IHnSCySODjE42sunpSE+EpWd7a - TMimZOhCNlcOLHvwfwl+qy6AlrCezBvUxGpfnnhkTFZ0QtM6uQ6k7+/PFM2cQuVe - 2uDWN2jJKSSJ6neDrOqFd6Nbe/XLxEKmfpDt08T7F58B4FwpYeyyuATkex1MEXW2 - ++46/NW7zzz5ZiT4j5awEAv5mb1z1445v4QaR0C+Xhu4LgsKQxylJpT8GHdMD1U0 - 66ZbyqAAjc6H5CiL2fhN4ukb1NvIeUaTUqMzx74wy6UrFbyb3iWAt3S/upzoF8TS - XAGJ62H20fTN1gzUYEyuYbrdT59v+B4iStyhFvFKajTlVtQHjwSubV/eZ++NvuKq - V7jSNZZWQVClJBWl7H5AdEu1GfroM44n55hxnsEvc4m5J7S7CLP2J1igfQDr - =yhw8 - -----END 
PGP MESSAGE----- - fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 - unencrypted_suffix: _unencrypted - version: 3.11.0