diff --git a/bundles/wireguard/files/wg.netdev b/bundles/wireguard/files/wg.netdev
index 375bada..c6abf78 100644
--- a/bundles/wireguard/files/wg.netdev
+++ b/bundles/wireguard/files/wg.netdev
@@ -10,7 +10,9 @@ ListenPort=${port}
 [WireGuardPeer]
 PublicKey=${pubkey}
 AllowedIPs=0.0.0.0/0
+% if psk:
 PresharedKey=${psk}
+% endif
 % if endpoint:
 Endpoint=${endpoint}
 % endif
diff --git a/bundles/wireguard/items.py b/bundles/wireguard/items.py
index 4298dde..0d8d13d 100644
--- a/bundles/wireguard/items.py
+++ b/bundles/wireguard/items.py
@@ -25,7 +25,7 @@ for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()):
         'peer': peer,
         'port': config['my_port'],
         'privatekey': node.metadata.get('wireguard/privatekey'),
-        'psk': config['psk'],
+        'psk': config.get('psk'),
         'pubkey': config['pubkey'],
         'specials': repo.libs.s2s.WG_AUTOGEN_SETTINGS.get(peer, {}),
     },
diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py
index 3c055ba..1aa6e4a 100644
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@@ -253,7 +253,7 @@ def interface_ips(metadata):
         my_ip = '{}/31'.format(config['my_ip'])
         ips = {my_ip}
 
-        if snat_ip:
+        if snat_ip and peer in repo.libs.s2s.WG_AUTOGEN_NODES:
             ips.add(snat_ip)
 
         their_ip = config['their_ip']
@@ -289,12 +289,14 @@ def snat(metadata):
         forward.add(f'iifname wg_{config["iface"]} accept')
         forward.add(f'oifname wg_{config["iface"]} accept')
 
-        if snat_ip:
+        if snat_ip and peer in repo.libs.s2s.WG_AUTOGEN_NODES:
             postrouting.add('ip saddr {} ip daddr != {} snat to {}'.format(
                 config['my_ip'],
                 config['their_ip'],
                 snat_ip,
             ))
+        elif config.get('masquerade', False):
+            postrouting.add(f'oifname wg_{peer} masquerade')
 
     return {
         'nftables': {
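Review bot: The new `% if psk:` guard silently drops `PresharedKey=` for any peer whose `psk` is falsy, so an empty-string `psk` in metadata is treated the same as an absent one and the tunnel quietly loses the pre-shared symmetric layer WireGuard adds on top of the Curve25519 handshake. If some peers (for instance the autogenerated s2s ones) are expected to always carry a PSK, that expectation is better enforced where the metadata is built than discovered here; at minimum the template should say the omission is deliberate, e.g. `## PresharedKey is optional: peers without a psk rely on the Curve25519 handshake alone` above the `% if psk:` line (assuming Mako `##` comment syntax, which the `% if` lines suggest). Both ends of a tunnel must agree on whether a PSK is in use, otherwise the handshake fails without an obvious error.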
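Review bot: `config.get('psk')` makes the key optional here while `config['my_port']` and `config['pubkey']` on the neighbouring lines stay mandatory, and nothing in the hunk records why, so a reader cannot tell whether a missing `psk` is a supported configuration or a metadata bug. A one-line comment on the changed line would settle that, e.g. `'psk': config.get('psk'),  # optional; the netdev template omits PresharedKey when unset`. The enclosing `for peer, config in sorted(...)` loop and the item definition it builds begin before the hunk, so any validation that peers which require a PSK actually have one belongs where the metadata is assembled, not in this item mapping.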
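Review bot: The condition `snat_ip and peer in repo.libs.s2s.WG_AUTOGEN_NODES` is now written out twice, here and in `snat()`, and the two copies must stay in lockstep: if they ever diverge, `snat()` emits a rule that SNATs to an address `interface_ips()` never assigns to the interface, or the address is configured with no rule using it. Pulling the test into one named helper, `def _uses_snat(peer, snat_ip): return bool(snat_ip) and peer in repo.libs.s2s.WG_AUTOGEN_NODES`, and calling it from both functions removes that coupling. `interface_ips()` and the loop that binds `peer` and `snat_ip` start before this hunk, so where `snat_ip` comes from is not visible here.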
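Review bot: The new masquerade rule matches `oifname wg_{peer}` while the two forward rules above it match `wg_{config["iface"]}`; unless `peer` and `config['iface']` are always the same string, the masquerade rule names an interface that does not exist and the peer's traffic leaves the tunnel un-NATed. Using the same key, `postrouting.add(f'oifname wg_{config["iface"]} masquerade')`, keeps all three rules on one interface name. Note also that the SNAT branch is scoped to `ip saddr {config['my_ip']}` whereas the masquerade branch rewrites every packet leaving the tunnel, including forwarded traffic from other networks that the `forward ... accept` rules admit; if that breadth is intended it deserves a comment, otherwise add the same `ip saddr` restriction. `snat()` starts before this hunk and its `return` dict continues after it.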