diff --git a/ansible/roles/gateway/files/haproxy.cfg b/ansible/roles/gateway/files/haproxy.cfg
index d224be5..a7b4c73 100644
--- a/ansible/roles/gateway/files/haproxy.cfg
+++ b/ansible/roles/gateway/files/haproxy.cfg
@@ -40,7 +40,7 @@ defaults
 listen https
 bind *:443
 mode tcp
- server default {{ upstream }}:443 check send-proxy
+ server default {{ wireguard.intersect_ip }}:443 check send-proxy
 
 listen http
 bind *:80
@@ -48,15 +48,15 @@ listen http
 stats show-node
 stats uri /haproxy
 stats auth stats:{{ haproxy_stats_pass }}
- server default {{ upstream }}:80 check
+ server default {{ wireguard.intersect_ip }}:80 check
 
 listen matrix
 bind *:8448
 mode tcp
- server default {{ upstream }}:8448 check
+ server default {{ wireguard.intersect_ip }}:8448 check
 
 listen gitea
 bind *:3022
 mode tcp
- server default {{ upstream }}:3022 check
+ server default {{ wireguard.intersect_ip }}:3022 check
 
diff --git a/ansible/roles/gateway/files/wireguard.conf b/ansible/roles/gateway/files/wireguard.conf
new file mode 100644
index 0000000..4cd3c56
--- /dev/null
+++ b/ansible/roles/gateway/files/wireguard.conf
@@ -0,0 +1,9 @@
+[Interface]
+Address = {{ wireguard.server_ip }}
+PrivateKey = {{ wireguard.server_private_key }}
+ListenPort = {{ wireguard.server_port }}
+
+[Peer]
+# intersect
+PublicKey = {{ wireguard.intersect_public_key }}
+AllowedIPs = {{ wireguard.intersect_ip }}/32
diff --git a/ansible/roles/gateway/tasks/haproxy.yml b/ansible/roles/gateway/tasks/haproxy.yml
index 846a024..be9269e 100644
--- a/ansible/roles/gateway/tasks/haproxy.yml
+++ b/ansible/roles/gateway/tasks/haproxy.yml
@@ -6,11 +6,7 @@
 
 - name: Import vault
 include_vars:
- file: vault.yml
-
-- name: Define context
- set_fact:
- upstream: 10.23.0.2
+ file: vars/gateway.yml
 
 - name: Haproxy config
 template:
diff --git a/ansible/roles/gateway/tasks/main.yml b/ansible/roles/gateway/tasks/main.yml
index 65b7421..a81573e 100644
--- a/ansible/roles/gateway/tasks/main.yml
+++ b/ansible/roles/gateway/tasks/main.yml
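Review bot: The tunnel address `{{ wireguard.intersect_ip }}` is now spelled out in four `server` lines across this hunk and the one at `@@ -48,15`; a single `{% set upstream = wireguard.intersect_ip %}` at the top of the template would have left the existing `{{ upstream }}` lines untouched and keeps the next address change a one-line edit. Every backend's `check` now probes through the WireGuard tunnel, so a tunnel outage marks all four services down at once rather than per port; that is presumably intended, but it deserves a comment on the `listen https` block such as `# all backends are reached over wg0; see files/wireguard.conf`. The `listen http` stanza continues outside this hunk.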
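Review bot: The `[Peer]` entry has no `Endpoint`, so this side can only answer handshakes that intersect initiates; until that peer has completed a handshake, traffic HAProxy sends toward `{{ wireguard.intersect_ip }}` has no route out of the interface and the health checks fail. That is consistent with the gateway owning `ListenPort`, but it should be stated in the file, e.g. replace `# intersect` with `# intersect dials in (no Endpoint here); if it sits behind NAT it must set PersistentKeepalive on its side`. The rendered file also carries `PrivateKey`, so whatever writes it must not leave it world-readable.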
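Review bot: The task is still named `Import vault` while it now loads `vars/gateway.yml`; rename it to `- name: Import gateway variables` so play output matches the renamed file. The path is role-relative, whereas `include_vars` looks in the role's `vars/` directory first, so `file: gateway.yml` is the conventional spelling; the role-directory fallback presumably resolves the current form as well — confirm with a dry run. With the hard-coded `upstream: 10.23.0.2` fact gone, `haproxy.cfg` depends entirely on `wireguard.intersect_ip` having been loaded before this file is included.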
@@ -1,3 +1,7 @@
+- name: Import wireguard variables
+ include_vars:
+ file: vars/wireguard.yml
+
 - name: Configure HAproxy
 include: haproxy.yml
 
diff --git a/ansible/roles/gateway/tasks/wireguard.yml b/ansible/roles/gateway/tasks/wireguard.yml
index cafd744..a34a3b2 100644
--- a/ansible/roles/gateway/tasks/wireguard.yml
+++ b/ansible/roles/gateway/tasks/wireguard.yml
@@ -29,3 +29,21 @@
 - wireguard-tools
 become: true
 become_user: root
+
+- name: Wireguard server config
+ template:
+ src: files/wireguard.conf
+ dest: /etc/wireguard/wg0.conf
+ backup: yes
+ become: true
+ become_user: root
+ register: wireguard_conf
+
+- name: Enable wireguard
+ service:
+ name: wg-quick@wg0
+ state: reloaded
+ enabled: true
+ when: wireguard_conf.changed
+ become: true
+ become_user: root
diff --git a/ansible/roles/gateway/vars/vault.yml b/ansible/roles/gateway/vars/gateway.yml
similarity index 100%
rename from ansible/roles/gateway/vars/vault.yml
rename to ansible/roles/gateway/vars/gateway.yml
diff --git a/ansible/vars/wireguard.yml b/ansible/vars/wireguard.yml
new file mode 100644
index 0000000..a84d8ef
--- /dev/null
+++ b/ansible/vars/wireguard.yml
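Review bot: The order of these two tasks is load-bearing and undocumented: `haproxy.yml` renders `haproxy.cfg` from `wireguard.intersect_ip`, so the new `include_vars` must stay above `Configure HAproxy`. Add `# haproxy.cfg references wireguard.intersect_ip; keep this before haproxy.yml` above the task. The path `vars/wireguard.yml` points outside the role (the file is added under `ansible/vars/`), so it presumably resolves through the playbook-relative lookup rather than the role's own `vars/`; a comment saying so would save the next reader a search. The task list continues past this hunk.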
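Review bot: The template task writes `wg0.conf`, which carries the server's `PrivateKey`, with no `mode`, so the file and every `backup: yes` copy beside it are created with default permissions that are typically world-readable; add `owner: root`, `group: root`, `mode: "0600"` to the `template:` arguments (wg-quick itself warns when the config is world accessible). `when: wireguard_conf.changed` also gates `enabled: true`, so on a host whose config is already current a disabled or stopped unit is never brought up; keep an unconditional task with `state: started` and `enabled: true`, and leave only `state: reloaded` under the `changed` condition. `state: reloaded` relies on `wg-quick@.service` defining an ExecReload, which only newer wireguard-tools packages ship — confirm on the target distribution, otherwise use `restarted`. `backup: yes` should be written `backup: true`.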
@@ -0,0 +1,26 @@
+$ANSIBLE_VAULT;1.1;AES256
+32306163623065373337346431363262336565326231316162383363346337616538616536383235
+3735316334343437373065386533366332303139353466340a633639643233356136383431653065
+37636637373562323561303235333733663164663037643632653562383461646561616238666331
+6433393062313035340a353535393737646538633563633639393061653634386231373663663461
+31323334363733393938616161666139356564626534613839626332653961363163346265333937
+63646133616430353264303636663034366630323861303666313234363134343462343235623734
+34306233663263383237626237363731343565303235303932353038353937303234386630383838
+65633266353539656533396133646664316561313732656131303561336339343835643638643035
+37663338363438353638663936353232623332623366356635313962303964633266613130386233
+62323764386535653637626637303562316234333239393435633234373437653232326361653638
+35613766656437306566343866663236333536323532646635613833383863336564613933666635
+30343036626637333330663030386135636538663361623134366336653762363965653234346561
+66633530326366313138376137306432376531333230383839376131366433636461393264353363
+38336231396237316262326132373032303938623762366465323139656438333466343230353137
+38656137383361316532353137663736303736323935323830376437313462623632303331363739
+61343037323663633830633638313032643165306365636630386237646266346139333664663437
+38323030363437386638363431623863346361636364396636383934663739303635316136323937
+30663034613665663236303936396164343430336536363538396234623663613837643737333733
+31393665626361343032303865376566633333333939373866323762663432623366313263613937
+31313139663131623366333532636137383563306233343139616562343163323337643362363237
+31623039363863613732633861323038366632643439376632386139653030643066643566646436
+65316430343561613332323665366332316332386563323963313638363266356237363461373762
+61656431666631633235633636393761653061356264333734643936306532333238356264306536
+64386230343065346330333061396639343937306530353831643365373038393361633334346633
+3964