diff --git a/coreos-config/plays/common.yaml b/coreos-config/plays/common.yaml
index dce18eb..5be8290 100644
--- a/coreos-config/plays/common.yaml
+++ b/coreos-config/plays/common.yaml
@@ -271,4 +271,9 @@
 enabled: true
 masked: false
 daemon_reload: true
-
+- name: Setup Infrastructure Wireguard
+ tags:
+ - setup
+ - setup_wireguard
+ - setup_vpn
+ ansible.builtin.import_playbook: vpn.yaml
diff --git a/coreos-config/plays/templates/wg_infra.conf.j2 b/coreos-config/plays/templates/wg_infra.conf.j2
new file mode 100644
index 0000000..2ba73ec
--- /dev/null
+++ b/coreos-config/plays/templates/wg_infra.conf.j2
@@ -0,0 +1,27 @@
+# DO NOT PFUSCH IN THIS FILE!
+# ANSIBLE WILL NOT CARE AND RUIN YOUR DAY!
+# CONSIDER YOUSELF WARNED.
+
+[Interface]
+Address = {{ wg_addr | mandatory }}/32
+MTU = 1280
+SaveConfig = false
+ListenPort = 52000
+PrivateKey = {{ wg_private_key | mandatory }}
+
+{% for node in nodes %}
+{% set hvar=hostvars[node] %}
+# node: {{ hvar.inventory_hostname }}
+[peer]
+PublicKey = {{ hvar.wg_public_key | mandatory }}
+AllowedIPs = {{ hvar.wg_addr | mandatory }}/32
+
+{% if hvar.ansible_default_ipv6 is defined and ansible_default_ipv6 is defined and hvar.ansible_default_ipv6.scope == "global" and ansible_default_ipv6.scope == "global" %}
+Endpoint = [{{ hvar.ansible_default_ipv6.address | mandatory }}]:52000
+{% else %}
+Endpoint = [{{ hvar.ansible_default_ipv4.address | mandatory }}]:52000
+{% endif %}
+{% if hvar.wg_keepalive is defined %}
+PersistentKeepalive = {{ hvar.wg_keepalive }}
+{% endif %}
+{% endfor %}
diff --git a/coreos-config/plays/vpn.yaml b/coreos-config/plays/vpn.yaml
new file mode 100644
index 0000000..d08a411
--- /dev/null
+++ b/coreos-config/plays/vpn.yaml
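Review bot: The IPv6 branch condition in the peer loop dereferences `.scope` on `ansible_default_ipv6` (both the peer's and the local one) after checking only that the fact is defined; on hosts without an IPv6 default route Ansible commonly reports that fact as an empty mapping, so `is defined` passes and the `.scope` lookup aborts the render for every host in the mesh (this depends on what facts the nodes actually return, so worth confirming). Guarding with a default, e.g. `{% if hvar.ansible_default_ipv6.scope | default('') == "global" and ansible_default_ipv6.scope | default('') == "global" %}`, keeps the IPv4 fallback reachable. The loop also iterates over `nodes` without skipping the rendering host, so each config carries a `[peer]` block with its own public key; wrapping the peer block in `{% if node != inventory_hostname %}` makes that explicit instead of relying on WireGuard ignoring a self-peer, which as far as I know it does silently. A typo aside: the header comment reads `YOUSELF`.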
@@ -0,0 +1,57 @@
+---
+- name: Setup VPN Meshnetwork
+ hosts: all
+ become: true
+ become_user: root
+ gather_facts: true
+ vars:
+ nodes: "{{ groups['all'] }}"
+ tasks:
+ - name: Generate Keymaterial
+ become: true
+ block:
+ - name: Generate Private Key
+ ansible.builtin.shell:
+ executable: /bin/bash
+ cmd: |
+ set -o pipefail
+ wg genkey | tee /etc/wireguard/privatekey
+ creates: /etc/wireguard/privatekey
+ - name: Register Private Key
+ ansible.builtin.slurp:
+ src: /etc/wireguard/privatekey
+ register: private_key_b64
+ changed_when: false
+ - name: Register Public Key
+ ansible.builtin.shell:
+ executable: /bin/bash
+ cmd: |
+ set -o pipefail
+ cat /etc/wireguard/privatekey | wg pubkey
+ register: public_key
+ changed_when: false
+ - name: Set facts
+ ansible.builtin.set_fact:
+ wg_private_key: "{{ private_key_b64.content | b64decode }}"
+ wg_public_key: "{{ public_key.stdout }}"
+ - name: Deploy Config
+ ansible.builtin.template:
+ src: wg_infra.conf.j2
+ dest: /etc/wireguard/wg_infra.conf
+ owner: root
+ group: root
+ mode: 0600
+ notify:
+ - Restart wireguard
+ - name: Enable systemd service
+ ansible.builtin.systemd:
+ name: wg-quick@wg_infra
+ enabled: true
+
+ handlers:
+ - name: Restart wireguard
+ ansible.builtin.systemd:
+ name: wg-quick@wg_infra
+ state: restarted
+
+# vim: ft=yaml.ansible
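Review bot: `Generate Private Key` writes the key with `wg genkey | tee /etc/wireguard/privatekey` under whatever umask the shell inherits, so the file is typically created world-readable, and nothing in the play tightens it afterwards; `creates:` then preserves those permissions on every later run. Add `umask 077` as the first line of that `cmd:` block (the pattern the wg(8) examples use), or follow the task with an `ansible.builtin.file` task setting `mode: "0600"` on the key file. The private key is also captured by the slurp task and exposed through `set_fact` as `wg_private_key`, both of which are printed in verbose runs; mark `Register Private Key` and `Set facts` with `no_log: true`. Minor: `mode: 0600` on the template task is an unquoted octal that ansible-lint flags; `mode: "0600"` is the safer spelling.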