diff --git a/configuration.nix b/configuration.nix index 5192986..151116e 100644 --- a/configuration.nix +++ b/configuration.nix @@ -35,13 +35,57 @@ in networking.useDHCP = false; # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # Route internet traffic via USB modem (=phone) on other computer + # Networking configuration (static IPs for each node is defined in node/*.nix) + networking.nameservers = [ "9.9.9.9" ]; networking.defaultGateway = { address = "192.168.1.254"; interface = "eno1"; }; + # Wireguard VPN configuration + networking.wireguard.interfaces.wg0 = { + privateKeyFile = "/root/wireguard-keys/private"; + peers = [ + { # Hammerhead + publicKey = "b5hF+GSTgg3oM6wnjL7jRbfyf1jtsWdVptPPbAh3Qic="; + allowedIPs = [ "10.42.0.1/32" ]; + endpoint = "5.135.179.11:51349"; + persistentKeepalive = 10; + } + { # Spoutnik + publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg="; + allowedIPs = [ "10.42.0.2/32" ]; + endpoint = "77.141.67.109:42136"; + persistentKeepalive = 10; + } + { # Shiki + publicKey = "QUiUNMk70TEQ75Ut7Uqikr5uGVSXmx8EGNkGM6tANlg="; + allowedIPs = [ "10.42.0.206/32" ]; + endpoint = "37.187.118.206:51820"; + persistentKeepalive = 10; + } + { # Carcajou + publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA="; + allowedIPs = [ "10.42.0.21/32" ]; + endpoint = "91.160.50.156:33721"; + persistentKeepalive = 10; + } + { # Carcajou + publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk="; + allowedIPs = [ "10.42.0.22/32" ]; + endpoint = "91.160.50.156:33722"; + persistentKeepalive = 10; + } + { # Caribou + publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY="; + allowedIPs = [ "10.42.0.23/32" ]; + endpoint = "91.160.50.156:33723"; + persistentKeepalive = 10; + } + ]; + }; + # Set your time zone. time.timeZone = "Europe/Paris"; @@ -117,6 +161,7 @@ in htop links git + docker-compose ]; programs.vim.defaultEditor = true; 
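Review bot: In the `peers` list of the first configuration.nix hunk, two entries carry the comment `# Carcajou`; the one with `allowedIPs = [ "10.42.0.21/32" ]` and endpoint port 33721 matches the address and `listenPort` this commit sets in node/cariacou.nix, so its label should read `{ # Cariacou`. These comments are the only thing tying each public key to a host, so a wrong label makes a later key audit or rotation error-prone. It would also help to put a comment above `privateKeyFile`, such as `# created out of band on each node; root-owned, mode 0600, never committed or copied into the Nix store`, since nothing in the hunk generates or checks that file. The enclosing attribute set starts and ends outside the hunk.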
@@ -220,6 +265,7 @@ in networking.firewall.allowedUDPPorts = [ 4648 # Nomad 8301 8302 # Consul + node_config.networking.wireguard.interfaces.wg0.listenPort ]; # Or disable the firewall altogether. # networking.firewall.enable = false; diff --git a/node/carcajou.nix b/node/carcajou.nix index 25b835c..15e4395 100644 --- a/node/carcajou.nix +++ b/node/carcajou.nix @@ -18,4 +18,9 @@ # prefixLength = 64; # } # ]; + + networking.wireguard.interfaces.wg0 = { + ips = [ "10.42.0.22/16" ]; + listenPort = 33722; + }; } diff --git a/node/cariacou.nix b/node/cariacou.nix index 7d3c28f..9374744 100644 --- a/node/cariacou.nix +++ b/node/cariacou.nix @@ -18,4 +18,9 @@ # prefixLength = 64; # } # ]; + + networking.wireguard.interfaces.wg0 = { + ips = [ "10.42.0.21/16" ]; + listenPort = 33721; + }; } diff --git a/node/caribou.nix b/node/caribou.nix index 906b6fc..30b382e 100644 --- a/node/caribou.nix +++ b/node/caribou.nix @@ -19,6 +19,11 @@ # } # ]; + networking.wireguard.interfaces.wg0 = { + ips = [ "10.42.0.23/16" ]; + listenPort = 33723; + }; + # OR use USB modem plugged in here #networking.interfaces.enp0s20u1.useDHCP = true;
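Review bot: The new entry in `networking.firewall.allowedUDPPorts` (the `@@ -220,6 +265,7 @@` hunk) has no annotation, unlike the `# Nomad` and `# Consul` lines beside it; `node_config.networking.wireguard.interfaces.wg0.listenPort # WireGuard, per-node port from node/*.nix` would say what is being opened. `node_config` is bound outside the hunk, so this is inferred, but if it is the raw per-node attribute set then a node file without a `wg0` block fails evaluation at this line, which is worth stating in the same comment. Now that `wg0` exists, consider whether 4648, 8301 and 8302 still need to be open on every interface or could move to `networking.firewall.interfaces.wg0.allowedUDPPorts`. That depends on which addresses Nomad and Consul bind to, which the diff does not show.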
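Review bot: `listenPort = 33722` in node/carcajou.nix repeats the port in that node's `endpoint` entry in the shared `peers` list in configuration.nix, and nothing ties the two values together; the same holds for 33721 in node/cariacou.nix and 33723 in node/caribou.nix. A comment on each, e.g. `# must match this node's endpoint port in configuration.nix peers`, would keep them from drifting apart. The `/16` on `ips` is wider than the per-peer `/32` `allowedIPs`, so traffic to addresses in 10.42.0.0/16 without a peer entry is routed to wg0 and has no peer to go to. That is probably intended, and a short comment next to `ips` would make it explicit.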