diff --git a/hosts/common/net.nix b/hosts/common/net.nix index 6f1ac882..cec2f2c7 100644 --- a/hosts/common/net.nix +++ b/hosts/common/net.nix @@ -40,4 +40,33 @@ ''; generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ]; }; + + networking.firewall.allowedUDPPorts = [ 51820 ]; + # TODO: remove this hacky `if` block + networking.wireguard.interfaces.wg-home = lib.mkIf (config.networking.hostName != "servo") { + privateKeyFile = config.sops.secrets.wg_home_privkey.path; + # client IP (TODO: make host-specific) + ips = [ "10.100.0.20/32" ]; + listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) + + peers = [ + { + # server pubkey + publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM="; + + # accept traffic from any IP addr on the other side of the tunnel + allowedIPs = [ "0.0.0.0/0" ]; + + endpoint = "uninsane.org:51820"; + + # send keepalives every 25 seconds to keep NAT routes live + persistentKeepalive = 25; + } + ]; + }; + + sops.secrets."wg_home_privkey" = { + sopsFile = ../../secrets/universal/wg_home_privkey.bin; + format = "binary"; + }; } diff --git a/hosts/servo/net.nix b/hosts/servo/net.nix index 3a392229..4f9c3ace 100644 --- a/hosts/servo/net.nix +++ b/hosts/servo/net.nix @@ -159,7 +159,7 @@ # create a new routing table that we can use to proxy traffic out of the root namespace # through the ovpns namespace, and to the WAN via VPN. networking.iproute2.rttablesExtraConfig = '' - 5 ovpns + 5 ovpns ''; networking.iproute2.enable = true; 
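Review bot: The client's `publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM="` is the public half of the very `wg_home_privkey` this interface loads as its own `privateKeyFile` (the servo hunk says "peers and host all use the same key"), and WireGuard's kernel implementation silently skips a peer whose public key equals the interface's own key, so as written neither end ends up with a peer and no tunnel forms. Independently, `ips = [ "10.100.0.20/32" ]` lies outside the server's `allowedIPs = [ "10.0.10.0/24" ]` in hosts/servo/net.nix, so the server's cryptokey routing would drop this client's packets even with distinct keys; the client address should be taken from the server's subnet, e.g. `ips = [ "10.0.10.20/32" ];`. The `# accept traffic from any IP addr on the other side of the tunnel` comment on `allowedIPs = [ "0.0.0.0/0" ]` understates what that does: allowedIPs also selects which destinations are routed into the tunnel, so this makes wg-home the default IPv4 route on every non-servo host. Per-host keypairs, which the `publicKey = "TODO"` placeholders in hosts/servo/net.nix already sketch, resolve the first point and let the server tell peers apart; the enclosing module attribute set opens before this hunk.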
@@ -167,6 +167,40 @@ sopsFile = ../../secrets/servo.yaml; }; + + # host a wireguard VPN which allows access to other wg clients and forwards to internet + networking.firewall.allowedUDPPorts = [ 51820 ]; + networking.wireguard.interfaces.wg-home = { + privateKeyFile = config.sops.secrets.wg_home_privkey.path; + listenPort = 51820; + ips = [ + "10.0.10.5/24" + ]; + peers = [ + { + # peers and host all use the same key + publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM="; + allowedIPs = [ "10.0.10.0/24" ]; + } + # { + # # lappy + # publicKey = "TODO"; + # allowedIPs = [ "10.0.10.20/32" ]; + # } + # { + # # desko + # publicKey = "TODO"; + # allowedIPs = [ "10.0.10.22/32" ]; + # } + # { + # # moby + # publicKey = "TODO"; + # allowedIPs = [ "10.0.10.48/32" ]; + # } + ]; + }; + + # HURRICANE ELECTRIC CONFIG: # networking.sits = { # hurricane = { diff --git a/secrets/universal/wg_home_privkey.bin b/secrets/universal/wg_home_privkey.bin new file mode 100644 index 00000000..fe1fefa6 --- /dev/null +++ b/secrets/universal/wg_home_privkey.bin 
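Review bot: The `# host a wireguard VPN which allows access to other wg clients and forwards to internet` comment is not backed by anything in this hunk: there is no IP-forwarding or NAT setting for wg-home here, so unless that is configured elsewhere, a client that routes `0.0.0.0/0` through this peer (as hosts/common/net.nix does) will have all of its non-10.0.10.0/24 traffic dropped on the server. If forwarding lives in another file the comment should point to it; otherwise narrow it to what this block actually sets up, e.g. `# host a wireguard VPN which allows access to other wg clients (internet forwarding: TODO)`. Authenticating every client through one shared key also means a key leak on any single host cannot be revoked per host, and the server cannot attribute traffic to a specific client; the commented-out lappy/desko/moby blocks with `publicKey = "TODO"` are the right shape and are worth finishing before more hosts join. The enclosing module attribute set starts and ends outside this hunk.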
@@ -0,0 +1,48 @@ +{ + "data": "ENC[AES256_GCM,data:50c9YIh5/mxk0PMGCI8OtEUjzvi8H/6umaN3ZP7MEHa70gXS2gJvmht/3ma6,iv:OvnpFxXbhzMFuuxkQFCecr2DUlqWDgDNJ3cGkGlG8G4=,tag:36iEWn4pM+9MrklYMR+42A==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkS1o3UkFpTkdLL2tRNG8r\nMmFjb2pBTnlXYVc5cEVzUkcwRWV6aWl6YmdRCk5pa2Q0V1NTWUJxWkJEeVZIbXhH\nK1l2KzZ0NE1JQVJGdDhzRUVBc2o3UzgKLS0tIDFDNkROTWNvYmMwOTR0eWxPdmE3\nL3FHMTZaQ252d212d3hMQ3lnNnU1QkEKxuckX3jmHbR8UoGHgeGOD7cq6/Fzlj4B\nwkuWuOG+8N6Z3RuMwdGERxxzqiQZaaUMsvaWuSpOENT55/2o654J2g==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQN1Z5NE9ZYzdoSzk3eW95\nM0RiUy9WdVQ4R0R0WE0vSmdyQXpaRitzOURNCjNYQkhRZE9NUjlKVVRhUHlPem93\nUUdlNklESGxqZWt4ODlSSWxrWFZnYXMKLS0tIFNELzNYaFp5T2d0anBHSXFScVVu\nM1FLcVdXaDY3ZWZWZ3daZXNnSjNjV0UKWNHPJ/8KgTmkJR+5omVjzp3OLyz/NsQU\nghNRhEJaX6waOH/sXyLKnRkkrrzSfORyFisfGc+uGC1+7F3johVQdg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxS1ptbG0yTEJzWnhBOG52\nVXdrM1lpSkNWWXNVQXMrNWxGSEFlS2h2c1RjClQ0K2tqVjVVZjk5YmIwVW5CbWI4\nMWtENDZXcEI4elljU2pHWFVjNW14NkEKLS0tIFNLRXFmdUNrOXQ3YWs2UXlBKzZT\nZTV1VDNzU0p5VDk0cHg5bkdxL2oxSWsKWWjgG/bA9UOruAQhvPKh5hT32hWwmw50\nf3MACcF+PMYNUQVzUFR3EAMe4U6A2R7bGOOSNflklJ74znQtm9gBsQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5aEp3V0xablF5ekZ3OTJT\neTZGMTUyNC9qMG1qWG9VdzA4Vm1HSEdpUUFrCkd2b2drOVVMQk5Za2x6WUJtM0wy\neFdndXVmQVYzMDJ1a1hhMStWTjlnT3MKLS0tIElOc1RjN3B5TmVHNjBJVjZxR2Uw\nQ0xjaWZBWk5VQ0RCQWhHU1J5QWl1VWcKCPspteJbcAIWU3kEmQ3lBd+/jmVvnXrU\nGplajH0n+vEPesEUwQZ2+2rzKtKpfcsL4JLIP+qJ6CYt2vSTEt/LKA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObjBhWjVyRXI3ayszcUR6\ncTAweksySTZhZHNRVm54OUdGTVFzWlgxNkhzCmQ3eFlHQ09xdEErb0t0MmEvWTlx\ndmVKbFhRWHNTNVJGaXgwMVcydmlYM0kKLS0tIE9ZbHJGYkJmd2lsaXpibnlkeThM\nQnBHYjRCZWdhSjFES2FHZ25yWGxoWWMKJeaLXPxsqdq7qnv9/c8wEZav9aF2ql04\nGLd60we3gGLi0hmztgzErreuBN7WUNLVRU9laFIMuNv8+On12LcHmA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZ21IY2xRYnRoRHUvRy9I\nbStiblNNNmJBUitQZFBGTmVWLzUrWVg1T1VvCjJXQnhDcnFDdEp3ampnT1d2dVVa\nb0RodENFN3JYdGQ5L1RWeEFTQUVQZUUKLS0tIFNuZ0R2WEdING15eHhHd1VKNHlL\nbHdGYXFoRGgzdzNVZm1oNWEvWS9pM2MKJptfiZhRVlG/pdyce5lXLKEEJz+Zkhyc\nh88n7nUgmpt876CDyssKTMsE9AEsMe4HTITmFPJ/Tawo3oG8F2Qqxg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZEYvSVBPVTBad0VvQ21Y\nckVQYnNiZWxNSmdIRnN0NmVKSmgvL2VBeGlzCit0ZTJkdE1samtQeGRWZnhBSVJR\nNFArR29xYnhwbEY1cUt5MWxiL0diaEUKLS0tIEtLemZQWVV5QkFZWEd0RFltZHo3\nZmNLcWMzRzNpNHBKTzUybFBYNlhvRTgKL8K4uy8BFi651jRe8E+Ay3bbvgfIbmQ6\npn63oLsaOZ2BwpcuqSN+gz5XHqaTMdje69+m8/e9VlNQnAJGdwmW0Q==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMStPdVFTVUJpNzFEUmpi\nUUpKVjk3WEFlNWxhY3ErMWUxZ3FwK3VQYmhvCmRENkEvTEpkUjFFTFh6TUM0YU9G\nM0JiaXVYQ1dUV2xNWnJBUC9JQzg2QUEKLS0tIFBZc3FnNGsvaTZDVy9aOVlpc1pt\neFNnZWhadWQ4NFdCY05ZUDF6bnIxQTAKdGHkxjSzyEPjx3n9Zv94oZFQtihv3Llo\nUCyCdXkYXgK1n9G3A+60bX8IKE86t7AF9n/r8afmIzRiOGNU/PLlEg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-01-19T09:21:24Z", + "mac": "ENC[AES256_GCM,data:txvXxDFVDBGJGndePZ+Bun2/+0MReMU7JSlcE02ERPMoKr5nix3WWYWxngbXLCCXkqtacor7gsH8I+YYDwci4nnrr0DuLFpT/4K8x2SWsceD0XthbctjaFWsxjRx9ot9bRfkVjVJbIeGo7q/oOhv/QNdY8jOhLuMClPejK/xZQA=,iv:CSPEDPn3O6vcUNJ9HFEF9iCm3kninFUe4jg7UKSX2oo=,tag:hM3SyWvly7/EPn/TOciroA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file