diff --git a/ansible/roles/gateway/files/limit-unstable.conf b/ansible/roles/gateway/files/limit-unstable.conf
new file mode 100644
index 0000000..3350f2c
--- /dev/null
+++ b/ansible/roles/gateway/files/limit-unstable.conf
@@ -0,0 +1,3 @@
+Package: *
+Pin: release a=unstable
+Pin-Priority: 90
diff --git a/ansible/roles/gateway/tasks/haproxy.yml b/ansible/roles/gateway/tasks/haproxy.yml
new file mode 100644
index 0000000..846a024
--- /dev/null
+++ b/ansible/roles/gateway/tasks/haproxy.yml
@@ -0,0 +1,29 @@
+- name: Install Haproxy
+ apt:
+ name: haproxy
+ become: true
+ become_user: root
+
+- name: Import vault
+ include_vars:
+ file: vault.yml
+
+- name: Define context
+ set_fact:
+ upstream: 10.23.0.2
+
+- name: Haproxy config
+ template:
+ src: files/haproxy.cfg
+ dest: /etc/haproxy/haproxy.cfg
+ validate: /usr/sbin/haproxy -c -- %s
+ backup: yes
+ become: true
+ become_user: root
+ register: haproxy_config
+
+- name: Restart Haproxy
+ service:
+ name: haproxy
+ state: reloaded
+ when: haproxy_config.changed
diff --git a/ansible/roles/gateway/tasks/main.yml b/ansible/roles/gateway/tasks/main.yml
index 846a024..65b7421 100644
--- a/ansible/roles/gateway/tasks/main.yml
+++ b/ansible/roles/gateway/tasks/main.yml
@@ -1,29 +1,5 @@
-- name: Install Haproxy
- apt:
- name: haproxy
- become: true
- become_user: root
+- name: Configure HAproxy
+ include: haproxy.yml
 
-- name: Import vault
- include_vars:
- file: vault.yml
-
-- name: Define context
- set_fact:
- upstream: 10.23.0.2
-
-- name: Haproxy config
- template:
- src: files/haproxy.cfg
- dest: /etc/haproxy/haproxy.cfg
- validate: /usr/sbin/haproxy -c -- %s
- backup: yes
- become: true
- become_user: root
- register: haproxy_config
-
-- name: Restart Haproxy
- service:
- name: haproxy
- state: reloaded
- when: haproxy_config.changed
+- name: Configure wireguard
+ include: wireguard.yml
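Review bot: A priority of 90 on `Pin: release a=unstable` in limit-unstable.conf sits below the 100 that apt assigns to an already-installed version, so a package first installed from unstable is not upgraded from unstable afterwards. For the VPN packages this role installs on a gateway, that would mean later fixes do not arrive through routine upgrades, assuming unstable is the only configured source that carries them on these hosts. Consider adding a second stanza scoped to the packages the role needs, `Package: wireguard wireguard-tools` with `Pin: release a=unstable` and a `Pin-Priority` in the 100–499 range, and keeping the `Package: *` pin as the backstop. A short `Explanation:` line saying why the pin exists would also help the next maintainer.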
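Review bot: The `template` task in "Haproxy config" sets no `owner`, `group` or `mode`, so a newly created `/etc/haproxy/haproxy.cfg` and the timestamped copies kept by `backup: yes` get default permissions. The task runs right after `vault.yml` is loaded, so the rendered file presumably carries vaulted values; if it does, add `owner: root`, `group: root` and `mode: '0640'` and prune old backups so that secrets are not left world-readable next to the live config. Separately, "Restart Haproxy" is the only task touching the system without `become: true`, so the reload works only if the play already escalates.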
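Review bot: Both new tasks in main.yml use the bare `include:` action, which Ansible deprecated in favour of `import_tasks` and `include_tasks` and which recent ansible-core releases no longer accept. For unconditional includes like these, `import_tasks: haproxy.yml` and `import_tasks: wireguard.yml` are the direct replacements. Task names could also use one spelling for the product, since this file says "HAproxy" while haproxy.yml says "Haproxy".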
diff --git a/ansible/roles/gateway/tasks/wireguard.yml b/ansible/roles/gateway/tasks/wireguard.yml
new file mode 100644
index 0000000..cafd744
--- /dev/null
+++ b/ansible/roles/gateway/tasks/wireguard.yml
@@ -0,0 +1,31 @@
+- name: Add unstable apt repo
+ lineinfile:
+ path: /etc/apt/sources.list.d/unstable.list
+ state: present
+ line: 'deb http://deb.debian.org/debian/ unstable main'
+ register: install_unstable_apt
+ become: true
+ become_user: root
+
+- name: Limit unstable apt repo
+ copy:
+ src: limit-unstable.conf
+ dest: /etc/apt/preferences.d/limit-unstable
+ become: true
+ become_user: root
+ register: limit_unstable_apt
+
+- name: Update apt repos
+ apt:
+ update_cache: true
+ become: true
+ become_user: root
+ when: install_unstable_apt.changed or limit_unstable_apt.changed
+
+- name: Install Wireguard
+ apt:
+ name:
+ - wireguard
+ - wireguard-tools
+ become: true
+ become_user: root
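Review bot: The "Add unstable apt repo" task calls `lineinfile` without `create: true`, so on a host where `/etc/apt/sources.list.d/unstable.list` does not exist yet the task fails instead of creating the file; add `create: true` under `lineinfile`. The unstable source is also written before the pin is copied, so a run interrupted between the two tasks leaves unstable enabled at apt's default priority. Moving "Limit unstable apt repo" ahead of "Add unstable apt repo" closes that window. The cache refresh is gated on `.changed`, so a run that fails after those tasks never refreshes on retry; an unconditional `update_cache: true` with `cache_valid_time` on the install task would be more robust.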