diff --git a/playbooks/wireguard.play.yml b/playbooks/wireguard.play.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e16a7b9558046f752e472054fc467e5dca1c8259
--- /dev/null
+++ b/playbooks/wireguard.play.yml
@@ -0,0 +1,71 @@
+---
+- name: WireGuard Tunnel
+ hosts: all
+ become: true
+ vars_files:
+ - ./secrets/wireguard_keys.yml
+ vars:
+ interfaces:
+ H1:
+ eth0:
+ address: "1.0.0.3"
+ netmask: "255.255.255.0"
+ wg0:
+ address: "10.0.0.1"
+ port: 51820
+ netmask: "255.255.255.0"
+
+ H2:
+ eth0:
+ address: "3.0.0.3"
+ netmask: "255.255.255.0"
+ wg0:
+ address: "10.0.0.2"
+ port: 51820
+ netmask: "255.255.255.0"
+
+ keys:
+ H1:
+ private:
+ key: "{{ private_keys.H1 }}"
+ public:
+ key: "OMlLks+cwFWshIcrcZK+RJUf841Ra3lcdVLTcxwetUs="
+ H2:
+ private:
+ key: "{{ private_keys.H2 }}"
+ public:
+ key: "PtT28gd4JRts2KZlumjTG2cMWsEWXEN+lM4EsXJUjDY="
+
+ tasks:
+ - name: Setup WireGuard hosts
+ ansible.builtin.template:
+ src: "templates/wireguard.j2"
+ dest: "/etc/wireguard/wg0.conf"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ when: inventory_hostname == "H1" or inventory_hostname == "H2"
+
+ - name: Enable WireGuard service
+ ansible.builtin.systemd:
+ name: wg-quick@wg0
+ state: restarted
+ enabled: true
+
+ - name: Restrict access to webpage via tunnel
+ ansible.builtin.command:
+ cmd: "sed -i 's/listen 80/listen 10.0.0.2:80/' /etc/nginx/sites-enabled/default"
+ when: inventory_hostname == "H2"
+ notify: Restart nginx
+
+ - name: Testing connectivity
+ ansible.builtin.command:
+ cmd: "wget 10.0.0.2 -O h2.html"
+ when: inventory_hostname == "H1"
+
+ handlers:
+ - name: Restart nginx
+ ansible.builtin.systemd:
+ name: nginx
+ state: restarted
+ enabled: true
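Review bot: The "Setup WireGuard hosts" task installs /etc/wireguard/wg0.conf with `mode: "0644"`, but the `keys.*.private.key` vars drawn from `private_keys` are presumably rendered into that file by templates/wireguard.j2 (not in this diff), which would leave each host's WireGuard private key world-readable; wg-quick itself warns on a config with permissions wider than owner-only, so this should be `mode: "0600"`. The "Enable WireGuard service" task is not gated by the same `when` as the template task, so on any other host matched by `hosts: all` it restarts wg-quick@wg0 without a config and the play fails there. The "Restrict access to webpage via tunnel" task runs an in-place `sed` on every run and reports changed each time, so the nginx handler fires on every run; `ansible.builtin.replace` with `path`, `regexp: 'listen 80'` and `replace: 'listen 10.0.0.2:80'` gives the same edit idempotently, and the "Testing connectivity" task should carry `changed_when: false` (and a `dest` for h2.html, which otherwise lands in whatever the remote working directory is). Please also add a short comment above `vars_files` stating that secrets/wireguard_keys.yml is expected to be vault-encrypted, since the diff gives no indication either way.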