diff --git a/infra/modules/vpn/ansible/main.yml b/infra/modules/vpn/ansible/main.yml
index c2c21fdc..d0f3444f 100644
--- a/infra/modules/vpn/ansible/main.yml
+++ b/infra/modules/vpn/ansible/main.yml
@@ -7,8 +7,5 @@
- hosts: all
become: yes
- tasks:
- - apt:
- update_cache: yes
roles:
- name: wireguard
diff --git a/infra/modules/vpn/ansible/roles/wireguard/defaults/main.yml b/infra/modules/vpn/ansible/roles/wireguard/defaults/main.yml
new file mode 100644
index 00000000..4a991835
--- /dev/null
+++ b/infra/modules/vpn/ansible/roles/wireguard/defaults/main.yml
@@ -0,0 +1 @@
+internal_subnet: 10.13.13.0
diff --git a/infra/modules/vpn/ansible/roles/wireguard/tasks/main.yml b/infra/modules/vpn/ansible/roles/wireguard/tasks/main.yml
index e19a3fc8..3d233bc6 100644
--- a/infra/modules/vpn/ansible/roles/wireguard/tasks/main.yml
+++ b/infra/modules/vpn/ansible/roles/wireguard/tasks/main.yml
@@ -1,3 +1,7 @@
+- name: Update apt cache
+ apt:
+ update_cache: yes
+
- name: Install Wireguard
apt:
name: wireguard
@@ -8,11 +12,16 @@
creates: /etc/wireguard/privatekey
- name: Register private key
- shell: cat /etc/wireguard/privatekey
+ slurp:
+ src: /etc/wireguard/privatekey
register: wireguard_private_key
- changed_when: false
- name: Register public key
- shell: cat /etc/wireguard/publickey
+ slurp:
+ src: /etc/wireguard/publickey
register: wireguard_public_key
- changed_when: false
+
+- name: Generate wg0 config
+ template:
+ src: wg0.conf.j2
+ dest: /etc/wireguard/wg0.conf
diff --git a/infra/modules/vpn/ansible/roles/wireguard/templates/wg0.conf.j2 b/infra/modules/vpn/ansible/roles/wireguard/templates/wg0.conf.j2
index 039a595a..2a403ace 100644
--- a/infra/modules/vpn/ansible/roles/wireguard/templates/wg0.conf.j2
+++ b/infra/modules/vpn/ansible/roles/wireguard/templates/wg0.conf.j2
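Review bot: The new role default `internal_subnet: 10.13.13.0` carries no explanation of what shape the consumer expects: the template feeds it to `ipmath(1)`, so it must be the network address (not a host address) and no prefix length is included. A one-line comment above it would save the next person from passing `10.13.13.1` or `10.13.13.0/24` here, for example `# Tunnel network address, no prefix; the server takes the first host via ipmath(1) in templates/wg0.conf.j2`.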
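Review bot: The new `Update apt cache` task at the top of the tasks/main.yml hunk refreshes the package index and reports changed on every run, because `update_cache: yes` has no validity window. Pairing it with `cache_valid_time: 3600` keeps repeated runs idempotent and avoids a network round-trip each time, and `true` rather than `yes` satisfies yamllint's truthy rule: `update_cache: true` / `cache_valid_time: 3600`. The role now owns this step, so the same spelling fix applies only here, not to the context lines in the playbook hunk.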
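Review bot: The `Generate wg0 config` task at the end of the second tasks/main.yml hunk renders the WireGuard `PrivateKey` into `/etc/wireguard/wg0.conf` without a `mode`, so the file takes the umask default (normally 0644) and the private key becomes world-readable; set `mode: "0600"` (and `owner: root`, `group: root`) on the template task. The `slurp` tasks register the key material in `wireguard_private_key`, so with `-v` output or a logging callback the base64 private key is printed; add `no_log: true` to the `Register private key` task and to the template task, whose `--diff` output would otherwise show the rendered key. Dropping `changed_when: false` is correct since slurp never reports changed, so that part needs no follow-up.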
@@ -1,6 +1,6 @@
[Interface]
-Address = {{ interface }}.1
+Address = {{ internal_subnet | ansible.netcommon.ipmath(1) }}
ListenPort = 51820
-PrivateKey = {{ wireguard_private_key }}
+PrivateKey = {{ wireguard_private_key['content'] | b64decode }}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
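Review bot: The new `Address` line depends on `ansible.netcommon.ipmath`, which needs the ansible.netcommon collection and the netaddr library on the control node; the diff adds no requirements entry for either, so unless they are declared elsewhere in the repo the template fails at render time. The new `PrivateKey` line decodes the slurped file verbatim, and the key file likely ends in a newline from the keygen step guarded by `creates: /etc/wireguard/privatekey`, so the rendered line carries a trailing newline into the config; `{{ wireguard_private_key['content'] | b64decode | trim }}` avoids the stray blank line. `Address` is still written without a prefix length (wg-quick then assigns /32), which predates this change but is worth confirming as intended now that the value is computed rather than hand-written.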