diff --git a/devices/cluster/modules/caddy.nix b/devices/cluster/modules/caddy.nix
index fa98501..02935fe 100644
--- a/devices/cluster/modules/caddy.nix
+++ b/devices/cluster/modules/caddy.nix
@@ -103,10 +103,7 @@ in {
 
           games.reverseProxy = "${dockerIP}:8074";
 
-          # FIXME: what's the IP?
-          #wgui.extraConfig = ''
-          #  reverse_proxy ???:51821
-          #'';
+          wgui.reverseProxy = "${servivi}:51821";
 
           lan = {
             reverseProxy = "${servivi}:3020";
diff --git a/devices/nas/modules/arion/default.nix b/devices/nas/modules/arion/default.nix
index 7b53b81..ce5b4d4 100644
--- a/devices/nas/modules/arion/default.nix
+++ b/devices/nas/modules/arion/default.nix
@@ -12,6 +12,7 @@ in {
     ./music/jbots/compose.nix
     ./nextcloud/compose.nix
     ./resume/compose.nix
+    ./wg-easy/compose.nix
   ];
 
   arion = {
diff --git a/devices/nas/modules/arion/wg-easy/compose.nix b/devices/nas/modules/arion/wg-easy/compose.nix
new file mode 100644
index 0000000..7a27cce
--- /dev/null
+++ b/devices/nas/modules/arion/wg-easy/compose.nix
@@ -0,0 +1,40 @@
+{config, ...}: let
+  inherit (config.arion) rwDataDir;
+
+  rwPath = rwDataDir + "/wg-easy";
+in {
+  arion.projects."wg-easy"."wg-easy" = {
+    image = ./images/wg-easy.nix;
+    restart = "always";
+    privileged = true;
+
+    capabilities = {
+      NET_ADMIN = true;
+      SYS_MODULE = true;
+    };
+
+    sysctls = {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv4.conf.all.src_valid_mark" = 1;
+    };
+
+    dns = ["1.0.0.1"];
+
+    environment = {
+      WG_HOST = "166.62.179.208";
+      WG_PORT = "51820";
+      WG_DEFAULT_ADDRESS = "10.6.0.x";
+      WG_DEFAULT_DNS = "1.0.0.1";
+    };
+
+    volumes =[
+       "${rwPath}/data:/etc/wireguard"
+    ];
+
+    ports = [
+      "53:51820/udp"
+      "51822:51820/udp"
+      "51821:51821/tcp"
+    ];
+  };
+}
diff --git a/devices/nas/modules/arion/wg-easy/images/wg-easy.nix b/devices/nas/modules/arion/wg-easy/images/wg-easy.nix
new file mode 100644
index 0000000..2f45148
--- /dev/null
+++ b/devices/nas/modules/arion/wg-easy/images/wg-easy.nix
@@ -0,0 +1,8 @@
+pkgs:
+pkgs.dockerTools.pullImage {
+  imageName = "weejewel/wg-easy";
+  imageDigest = "sha256:ea65f283dfeb62628ce942ce38974f9db05177aa27ab69b787115b78591552f3";
+  sha256 = "1cv9s2pgqxqwp7lq2jzf8l58jn9cdhl3gkql6xjf0v5xgj0wifw1";
+  finalImageName = "weejewel/wg-easy";
+  finalImageTag = "latest";
+}