diff --git a/provision/hosts/kestrel/configuration.nix b/provision/hosts/kestrel/configuration.nix
index a8fbf237..0ae31965 100644
--- a/provision/hosts/kestrel/configuration.nix
+++ b/provision/hosts/kestrel/configuration.nix
@@ -62,13 +62,6 @@
 backup.enable = true;
 ssh.enable = true;
 terminal.enable = true;
- wireguard-client = {
- enable = true;
- host = "kestrel";
- address = [ "192.168.3.3/24" ];
- publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
- endpoint = "66.218.43.87";
- };
 };
 };
 }
diff --git a/provision/hosts/osprey/configuration.nix b/provision/hosts/osprey/configuration.nix
index dbdf9f5a..b8040668 100644
--- a/provision/hosts/osprey/configuration.nix
+++ b/provision/hosts/osprey/configuration.nix
@@ -8,7 +8,7 @@
 # Set networking options
 networking.hostName = "osprey";
- networking.firewall.checkReversePath = "loose";
+ networking.firewall.checkReversePath = false;
 networking.firewall.enable = false;
 # Enable docker
@@ -49,13 +49,6 @@
 system = {
 ssh.enable = true;
 terminal.enable = true;
- wireguard-client = {
- enable = true;
- host = "osprey";
- address = [ "192.168.3.5/24" ];
- publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
- endpoint = "66.218.43.87";
- };
 };
 };
 }
diff --git a/provision/modules/system/default.nix b/provision/modules/system/default.nix
index 462c0f4d..b2e001a1 100644
--- a/provision/modules/system/default.nix
+++ b/provision/modules/system/default.nix
@@ -1,4 +1,4 @@
 { ... }: {
- imports = [ ./backup.nix ./ssh.nix ./terminal.nix ./wireguard-client.nix ];
+ imports = [ ./backup.nix ./ssh.nix ./terminal.nix ];
 }
diff --git a/provision/modules/system/wireguard-client.nix b/provision/modules/system/wireguard-client.nix
deleted file mode 100644
index f6b0f28e..00000000
--- a/provision/modules/system/wireguard-client.nix
+++ /dev/null
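Review bot: `networking.firewall.checkReversePath = false;` is inert while `networking.firewall.enable = false;` on the next line stays in place, and it leaves reverse-path (anti-spoofing) filtering switched off for whoever later re-enables the firewall on osprey. The previous `"loose"` was presumably only needed by the WireGuard client this commit removes from the host, so the line can simply be dropped to return to the NixOS default, or pinned explicitly with `networking.firewall.checkReversePath = true;`. If the firewall is intended to stay disabled on this host, a one-line comment giving the reason would help the next reader. The enclosing attribute set starts and ends outside the hunk.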
@@ -1,44 +0,0 @@
-{ config, lib, pkgs, user, ... }:
-
-let cfg = config.modules.system.wireguard-client;
-
-in {
- options.modules.system.wireguard-client = with lib; {
- enable = lib.mkEnableOption "wireguard-client";
- host = lib.mkOption { type = with types; str; };
- address = lib.mkOption { type = with types; listOf str; };
- publicKey = lib.mkOption { type = with types; str; };
- endpoint = lib.mkOption { type = with types; str; };
- autostart = lib.mkOption {
- type = with types; bool;
- default = false;
- };
- };
-
- config = lib.mkIf cfg.enable {
- # Create qr code for phones with:
- # qrencode -t ansiutf8 < myfile_here
- environment.systemPackages = with pkgs; [
- qrencode # Command-line utility for generating QR codes from text or data.
- ];
- networking.firewall = {
- allowedUDPPorts = [ 51820 ];
- };
- # deploy needed secrets
- age.secrets."wireguard/${cfg.host}".file = ../../secrets/wireguard/${cfg.host}.age;
- networking.wg-quick.interfaces = {
- wg0 = {
- address = cfg.address;
- listenPort = 51820;
- privateKeyFile = "/run/agenix/wireguard/${cfg.host}";
- autostart = cfg.autostart;
- peers = [{
- publicKey = cfg.publicKey;
- allowedIPs = [ "0.0.0.0/0" "::/0" ];
- endpoint = "${cfg.endpoint}:51820";
- persistentKeepalive = 25;
- }];
- };
- };
- };
-}
diff --git a/resources/wireguard/adjudicator.conf b/resources/wireguard/adjudicator.conf
index 80e6685c..81b75abd 100644
--- a/resources/wireguard/adjudicator.conf
+++ b/resources/wireguard/adjudicator.conf
@@ -8,4 +8,4 @@ PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
 # restrict this to the wireguard subnet if you don't want to route everything to the tunnel
 AllowedIPs = 0.0.0.0/0, ::/0
 # ip and port of the peer
-Endpoint = 66.218.43.87:51820
+Endpoint = 1.2.3.4:51820
diff --git a/resources/wireguard/bulwark.conf b/resources/wireguard/bulwark.conf
index 8927cae2..d3fa838d 100644
--- a/resources/wireguard/bulwark.conf
+++ b/resources/wireguard/bulwark.conf
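Review bot: `Endpoint = 1.2.3.4:51820` uses a placeholder that is a real, routable address rather than a documentation-reserved one, so a client that loads this file unedited sends WireGuard handshakes to an unrelated third party and, because `AllowedIPs = 0.0.0.0/0, ::/0` routes everything into the tunnel, loses its own connectivity until the value is corrected. An RFC 5737 address makes the placeholder obvious and harmless, and the existing comment can say what to do: `# ip and port of the peer (placeholder, replace with the server's public address before use)` followed by `Endpoint = 192.0.2.1:51820`. The same placeholder appears in the bulwark.conf, kestrel.conf and new osprey.conf hunks. If the goal is to keep the server address out of the repository, note that it remains in git history for these files and in the removed host configurations.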
@@ -8,4 +8,4 @@ PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
 # restrict this to the wireguard subnet if you don't want to route everything to the tunnel
 AllowedIPs = 0.0.0.0/0, ::/0
 # ip and port of the peer
-Endpoint = 66.218.43.87:51820
+Endpoint = 1.2.3.4:51820
diff --git a/resources/wireguard/kestrel.conf b/resources/wireguard/kestrel.conf
index db4957fa..b829140f 100644
--- a/resources/wireguard/kestrel.conf
+++ b/resources/wireguard/kestrel.conf
@@ -7,4 +7,4 @@ PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
 # restrict this to the wireguard subnet if you don't want to route everything to the tunnel
 AllowedIPs = 0.0.0.0/0, ::/0
 # ip and port of the peer
-Endpoint = 66.218.43.87:51820
+Endpoint = 1.2.3.4:51820
diff --git a/resources/wireguard/osprey.conf b/resources/wireguard/osprey.conf
new file mode 100644
index 00000000..5a4020ec
--- /dev/null
+++ b/resources/wireguard/osprey.conf
@@ -0,0 +1,10 @@
+[Interface]
+# your own IP on the wireguard network
+Address = 192.168.3.5/24
+PrivateKey =
+[Peer]
+PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
+# restrict this to the wireguard subnet if you don't want to route everything to the tunnel
+AllowedIPs = 0.0.0.0/0, ::/0
+# ip and port of the peer
+Endpoint = 1.2.3.4:51820
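Review bot: `PrivateKey =` in the new osprey.conf is left empty with no comment, unlike the other fields in this template, so a copy taken as-is is presumably rejected by wg-quick at load time with no hint of what was expected; a comment such as `# fill in with the output of: wg genkey (keep the key out of the repository)` above it would make the intent explicit. The removed NixOS module set `persistentKeepalive = 25` for this host, which the static file does not carry over; if osprey sits behind NAT the tunnel can go idle for inbound traffic, so consider adding `PersistentKeepalive = 25` under `[Peer]`. The endpoint placeholder is covered in the note on adjudicator.conf.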