diff --git a/nixos/hosts/wheatley/configuration.nix b/nixos/hosts/wheatley/configuration.nix
index b03d601..88fd94f 100644
--- a/nixos/hosts/wheatley/configuration.nix
+++ b/nixos/hosts/wheatley/configuration.nix
@@ -3,6 +3,7 @@
 pkgs,
 inputs,
 outputs,
+ config,
 modulesPath,
 ...
 }: {
@@ -56,6 +57,40 @@
 services.cage.program = "${pkgs.stremio}/bin/stremio";
 services.cage.enable = true;
 
+ sops.secrets."protonvpn-priv-key".mode = "0440";
+ sops.secrets."protonvpn-priv-key".owner = config.users.users.wireguard.name;
+
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ ips = ["10.2.0.2/32"];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
+ listenPort = 51820;
+
+ dns = ["10.2.0.1"];
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = config.sops.secrets."protonvpn-priv-key".path;
+
+ peers = [
+ # List of allowed peers.
+ {
+ # Feel free to give a meaning full name
+ # Public key of the peer (not a file path).
+ publicKey = "/i7jCNpcqVBUkY07gVlILN4nFdvZHmxvreAOgLGoZGg=";
+ # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ allowedIPs = ["0.0.0.0/0"];
+ endpoint = "146.70.86.114:51820";
+ }
+ ];
+ };
+ };
+
 networking.firewall = {
 enable = true;
 allowPing = false;
diff --git a/nixos/hosts/wheatley/secrets/sops.yaml b/nixos/hosts/wheatley/secrets/sops.yaml
index 5594a50..4c62416 100644
--- a/nixos/hosts/wheatley/secrets/sops.yaml
+++ b/nixos/hosts/wheatley/secrets/sops.yaml
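Review bot: `allowedIPs = ["0.0.0.0/0"]` in the second hunk routes only IPv4 through the tunnel, so on a host with IPv6 connectivity that traffic would leave outside the VPN; for a full-tunnel client the peer should read `allowedIPs = ["0.0.0.0/0" "::/0"];` (or IPv6 should be deliberately disabled on the host). The `listenPort = 51820;` line and the comments describing "the server's end of the tunnel" and a port that "must be accessible by the client" are copied from the server-side example and do not match a ProtonVPN client role: dropping `listenPort` lets WireGuard pick an ephemeral port and removes a fixed inbound port to account for in `networking.firewall`. `config.users.users.wireguard.name` only evaluates if a `wireguard` user is declared elsewhere in the configuration, and as far as I know the networking.wireguard module runs its setup as root, so unless such a user exists the secret owner should probably be `root` with the `mode = "0440"` already set. The `networking.firewall` attribute set continues outside the hunk.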
@@ -1,5 +1,6 @@
 wireless.env: ENC[AES256_GCM,data:a5sUW0Lc4GRd9aUJwHbmQvzvRB8WaRjMSQ==,iv:+3ncL38E3aqbejoCzzeBtMukLk4n/AQBJELlqhXDqSA=,tag:buY9Mp10DAEEEKqSyHwB3g==,type:str]
 lillian-password: ENC[AES256_GCM,data:GY7WyfLRc/q4fecnazWzfoZsruN/F0ar7mJ9RaqTHSb9K6xhEmifmJeqpR5xGIJYW6MYciCsZ9YmRsJbuSHTIlo9PrCTYBGvXg==,iv:bzml3abPox3RdvtKBQiBAcVXHUdGAn0ETMsDpBtT8T0=,tag:2iaBJ4hFFBUbonslTvQH5Q==,type:str]
+protonvpn-priv-key: ENC[AES256_GCM,data:s4LAq1Rqm+jGaK3OKcjIBCQYXPs3oEuTKJMAM+gFxIpZdwcJCIU7uyoCy6c=,iv:zoWv5u0xgJHldwdRGRv3bXI1kasaWQz1YD7wt0J890I=,tag:cFXnayZRq13UqP+XWuHnWw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -15,8 +16,8 @@ sops:
 Vm9mWk5JRGtZNVVhN1JQWTBlb2kySkEKoLI1MzS3uGNUbyn7kI5DylKZiPtc1div
 bKIboWoobTfDt0EURfmZ5+JrX6DlZxRyNQyl9dsKmZT6pLdaIppStA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-22T11:57:45Z"
- mac: ENC[AES256_GCM,data:V9vscu55woZjJGFV3aDgdHKqmIopYw6cajdOHG1/45Qel6l5YJkt8VyLMzYlUOlFGatXBlfTB7VC9zhhaY4lduww2XLrARcTk61BT+GSHp5sawND+RIDghY6CJBuoPUbtsfmmlmg+J2DljBlSbrcVmvfjMV12Ql6Zb8PEPM9K68=,iv:TFrDt1XpuIFLUyDN6+8n+0OypBkr1OrZOmXWvnY9ApI=,tag:EfsFhToEGFCZJSXh0WBrIw==,type:str]
+ lastmodified: "2024-12-04T16:49:22Z"
+ mac: ENC[AES256_GCM,data:I+cWQh8NyXBMaciGvwk/oW0VlpV9j3yOwHUTsfd3t6dfY5EwVwVBHv6ZhdN53w5nB/nThhnnDH32fT7rPZ0X9CfgBuS1Sa05ASnZ460kezAqUIYNoNs5Zmbz3OYJTImMj8oFcg6q9dtCBO5BFfQvBj+21iwlNt9bRehqbsN0M/0=,iv:na3ytABXIhmv9Iq+abQQDT43n5q9j9Jc30+7S3lft5w=,tag:aS0HvqIx5H4kN5M9/OqQuA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.9.1