diff --git a/roles/edge_vps/tasks/20_wireguard.yaml b/roles/edge_vps/tasks/20_wireguard.yaml
new file mode 100644
index 0000000..339061a
--- /dev/null
+++ b/roles/edge_vps/tasks/20_wireguard.yaml
@@ -0,0 +1,19 @@
+---
+- name: Install WireGuard
+  ansible.builtin.apt:
+    name: wireguard
+    state: present
+    update_cache: true
+
+- name: Deploy WireGuard config
+  ansible.builtin.template:
+    src: wireguard/wg0.conf.j2
+    dest: "{{ edge_vps_wireguard_config_dir }}/{{ edge_vps_wireguard_interface }}.conf"
+    mode: "0600"
+  notify: restart wireguard
+
+- name: Enable WireGuard
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ edge_vps_wireguard_interface }}"
+    enabled: true
+    state: started
diff --git a/roles/edge_vps/templates/wireguard/wg0.conf.j2 b/roles/edge_vps/templates/wireguard/wg0.conf.j2
new file mode 100644
index 0000000..2026eff
--- /dev/null
+++ b/roles/edge_vps/templates/wireguard/wg0.conf.j2
@@ -0,0 +1,25 @@
+[Interface]
+Address = {{ edge_vps_wireguard_address }}
+ListenPort = {{ edge_vps_wireguard_port }}
+PrivateKey = {{ vault_edge_vps.wireguard.private_key }}
+
+PostUp = sysctl -w net.ipv4.ip_forward=1
+PostUp = iptables -A FORWARD -i {{ edge_vps_wireguard_interface }} -j ACCEPT
+PostUp = iptables -A FORWARD -o {{ edge_vps_wireguard_interface }} -j ACCEPT
+{% for route in edge_vps_wireguard_routes | default([]) %}
+PostUp = ip route add {{ route }} via {{ route.gateway }} dev {{ edge_vps_wireguard_interface }}
+{% endfor %}
+PostDown = iptables -D FORWARD -i {{ edge_vps_wireguard_interface }} -j ACCEPT
+PostDown = iptables -D FORWARD -o {{ edge_vps_wireguard_interface }} -j ACCEPT
+{% for route in edge_vps_wireguard_routes | default([]) %}
+PostDown = ip route del {{ route }} via {{ route.gateway }} dev {{ edge_vps_wireguard_interface }}
+{% endfor %}
+
+{% for peer in vault_edge_vps.wireguard.peers %}
+[Peer]
+# {{ peer.name }}
+PublicKey = {{ peer.public_key }}
+PresharedKey = {{ peer.preshared_key }}
+AllowedIPs = {{ peer.allowed_ips }}
+
+{% endfor %}
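Review bot: The rendered config carries `PrivateKey` and every peer's `PresharedKey`, yet the "Deploy WireGuard config" task has no `no_log`, so a run with `--diff` or `-v` prints the full rendered key material into controller output and CI logs; add `no_log: true` (or at minimum `diff: false`) to that task. `mode: "0600"` is right, but the task sets no ownership, so the file's owner is whatever identity the connection ends up writing as — `owner: root` and `group: root` pin it explicitly. The `restart wireguard` handler named by `notify` is defined outside this diff, so its presence cannot be confirmed here.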
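Review bot: The route loops are internally inconsistent: `{{ route }}` is rendered as the destination while `{{ route.gateway }}` treats the same item as a mapping, so dict items put a Python dict repr into `ip route add` and string items fail on an undefined `gateway` — both the PostUp and PostDown route lines need the destination read from its own key, e.g. `PostUp = ip route add {{ route.dest }} via {{ route.gateway }} dev {{ edge_vps_wireguard_interface }}` (substitute the role's actual key for `dest`). The two FORWARD rules accept every packet entering or leaving the tunnel via any other interface, which makes the VPS an unconditional router for whatever reaches it; if only the configured prefixes should transit, scope the rules with `-s`/`-d` to those prefixes or tie them to the route list. `PostUp` turns on `net.ipv4.ip_forward` but `PostDown` never reverts it, so forwarding stays enabled after the interface is torn down. If `peer.allowed_ips` is a list in the vault rather than a string, `{{ peer.allowed_ips | join(',') }}` is needed, since a bare list renders as its Python repr.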