diff --git a/nodes/sophie/vmhost.py b/nodes/sophie/vmhost.py
index 95abe56..08a7cd2 100644
--- a/nodes/sophie/vmhost.py
+++ b/nodes/sophie/vmhost.py
@@ -2,13 +2,14 @@ nodes['sophie.vmhost'] = {
     'hostname': '172.19.164.2',
     'bundles': {
         'backup-client',
+        'hetzner-dyndns',
         'lm-sensors',
-        'nfs-server',
         'mosquitto',
+        'nfs-server',
         'smartd',
         'vmhost',
+        'wireguard',
         'zfs',
-        'hetzner-dyndns'
     },
     'groups': {
         'debian-bookworm',
@@ -24,7 +25,7 @@ nodes['sophie.vmhost'] = {
     },
     'hetzner-dyndns': {
         'zone': 'sophies-kitchen.eu',
-        'record': 'home.router',
+        'record': 'router.home',
         'api_key': vault.decrypt('encrypt$gAAAAABoABHrRTTyOAAFIsHK_g-bubDoNJidbAQ6_0VXyqfal8-wpVMuPPlrw-OtbI1AjNU6Rd1_gKTvwYtNYO9X6RuvuW3TCCH_eitpsoylVEQ0X6SDFNQAFfjkRlOgEiFl85oyTazl'),
     },
     'interfaces': {
@@ -72,6 +73,21 @@ nodes['sophie.vmhost'] = {
             },
         },
     },
+    'nftables': {
+        'forward': {
+            '50-router': [
+                'ct state { related, established } accept',
+                'oifname br1 accept',
+            ],
+        },
+        'input': {
+            '50-wireguard': [
+                'udp dport 1194 accept',
+                'udp dport 10348 accept',
+                'udp dport 10349 accept',
+            ],
+        },
+    },
     'smartd': {
         'disks': {
             '/dev/nvme0',
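Review bot: The forward rule `'oifname br1 accept'` in `50-router` matches on the output interface only, so any forwarded packet bound for br1 is accepted no matter which interface it arrived on — the new WireGuard interfaces, but equally any other segment this host happens to route (the interface definitions are outside this diff, so that cannot be confirmed here). If the intent is just to let VPN clients reach br1, pin the ingress side as well, e.g. `'iifname "wg*" oifname br1 accept'`, adjusting the pattern to whatever names the wireguard bundle gives its interfaces. Separately, `'udp dport 1194 accept'` opens a port that no peer in this commit listens on (the peers use 10348 and 10349); unless a peer defined elsewhere binds it, drop that line so the exposed surface matches what is actually bound. The `nodes['sophie.vmhost']` dict continues outside the hunk.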
@@ -115,6 +131,29 @@ nodes['sophie.vmhost'] = {
             },
         },
     },
+    'wireguard': {
+        'snat_ip': '172.19.137.2',
+        'peers': {
+            'thinkpad': {
+                'endpoint': None,
+                'exclude_from_monitoring': True,
+                'my_ip': '172.19.165.64',
+                'my_port': 10348,
+                'their_ip': '172.19.165.65',
+                'psk': vault.decrypt('encrypt$gAAAAABoAUy3lAHfn7d9Jn4ppiPRr6LOReFGyGS4HzWC5ACHNipDFnGttnOHNji2DGIYVITzj3PosZs7PRn8BvXmwumEXNNP-G0nDucuiNNzUKuOCP4YWaF9-I1tnpmT_td3nqsCDajH'),
+                'pubkey': vault.decrypt('encrypt$gAAAAABoAUxlf048ovJebqo0MlLiLHcuuTCSmnCzhxSZPrFMjRaFLW0CvC3GnVed_4n7CjjZ6ygrORSl8xyBM5hvbN0-JM_56ZZFpn1UVkizctjHjb1u2XtpGAe2nMAnq2Cdg5swgH9S'),
+            },
+            'smartphone': {
+                'endpoint': None,
+                'exclude_from_monitoring': True,
+                'my_ip': '172.19.165.66',
+                'my_port': 10349,
+                'their_ip': '172.19.165.67',
+                'psk': vault.decrypt('encrypt$gAAAAABoAUy3lAHfn7d9Jn4ppiPRr6LOReFGyGS4HzWC5ACHNipDFnGttnOHNji2DGIYVITzj3PosZs7PRn8BvXmwumEXNNP-G0nDucuiNNzUKuOCP4YWaF9-I1tnpmT_td3nqsCDajH'),
+                'pubkey': vault.decrypt('encrypt$gAAAAABoAUxlf048ovJebqo0MlLiLHcuuTCSmnCzhxSZPrFMjRaFLW0CvC3GnVed_4n7CjjZ6ygrORSl8xyBM5hvbN0-JM_56ZZFpn1UVkizctjHjb1u2XtpGAe2nMAnq2Cdg5swgH9S'),
+            },
+        },
+    },
     'zfs': {
         'pools': {
             'storage': {
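Review bot: The `thinkpad` and `smartphone` peers carry byte-identical `psk` and `pubkey` ciphertexts, and identical ciphertext decrypts to identical plaintext, so both devices are provisioned with the same peer public key and the same preshared key. That throws away the per-device isolation WireGuard is built around: a lost phone cannot be revoked without also cutting off the laptop, and compromise of either device's private key or PSK exposes the other tunnel too. Generate a separate keypair and a separate `wg genpsk` value per device and vault-encrypt each one, so the smartphone block gets its own `'psk': vault.decrypt('encrypt$...')` and `'pubkey': vault.decrypt('encrypt$...')`; if the duplicate is a copy-paste placeholder, the smartphone peer should not ship until it is replaced. The `nodes['sophie.vmhost']` dict continues outside the hunk.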