diff --git a/infra/modules/vpn/ansible/main.yml b/infra/modules/vpn/ansible/main.yml
new file mode 100644
index 00000000..906ae6ec
--- /dev/null
+++ b/infra/modules/vpn/ansible/main.yml
@@ -0,0 +1,4 @@
+- hosts: all
+ tasks:
+ - name: Ping
+ ansible.builtin.ping:
diff --git a/infra/modules/vpn/cloud-init.yaml.tpl b/infra/modules/vpn/cloud-init.yaml.tpl
new file mode 100644
index 00000000..82ddf72e
--- /dev/null
+++ b/infra/modules/vpn/cloud-init.yaml.tpl
@@ -0,0 +1,4 @@
+#cloud-config
+
+ssh_authorized_keys:
+ - ${ssh_public_key}
diff --git a/infra/modules/vpn/main.tf b/infra/modules/vpn/main.tf
index 9b6e3c30..494576bf 100644
--- a/infra/modules/vpn/main.tf
+++ b/infra/modules/vpn/main.tf
@@ -1,5 +1,51 @@
+resource "tls_private_key" "ssh" {
+ algorithm = "ECDSA"
+ ecdsa_curve = "P256"
+}
+
+resource "local_file" "ssh_private_key" {
+ content = tls_private_key.ssh.private_key_pem
+ filename = "${path.module}/private.pem"
+ file_permission = "0600"
+}
+
 resource "lxd_container" "vpn" {
 name = "vpn"
 image = "ubuntu:20.04"
 ephemeral = false
+
+ config = {
+ "limits.cpu" = 1
+ "limits.memory" = "256MiB"
+ "user.user-data" = templatefile(
+ "${path.module}/cloud-init.yaml.tpl",
+ {
+ ssh_public_key = tls_private_key.ssh.public_key_openssh
+ }
+ )
+ }
+
+ device {
+ name = "eth0"
+ type = "nic"
+
+ properties = {
+ nictype = "macvlan"
+ parent = "eno1"
+ }
+ }
+}
+
+resource "null_resource" "ansible" {
+ triggers = {
+ ansible_hash = md5(join("", [for f in fileset("${path.module}/ansible/", "**") : file("${path.module}/ansible/${f}")]))
+ }
+
+ provisioner "local-exec" {
+ command = "ansible-playbook -u ubuntu -i ${lxd_container.vpn.ip_address}, --private-key ${local_file.ssh_private_key.filename} ${path.module}/ansible/main.yml"
+
+ environment = {
+ ANSIBLE_HOST_KEY_CHECKING = "False"
+ }
+ }
 }
diff --git a/infra/modules/vpn/terraform.tf b/infra/modules/vpn/terraform.tf
new file mode 100644
index 00000000..01b0ce6d
--- /dev/null
+++ b/infra/modules/vpn/terraform.tf
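Review bot: The template does not say which account receives the key: a top-level `ssh_authorized_keys` in cloud-config is applied to the image's default user, which is exactly what the `-u ubuntu` login in main.tf's local-exec depends on, and nothing in either file records that coupling. A comment at the top of the template such as `# Applied to the image's default user (ubuntu on ubuntu:20.04); main.tf runs ansible-playbook -u ubuntu against that account.` would make the dependency visible to whoever changes the image or the user later.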
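Review bot: `ANSIBLE_HOST_KEY_CHECKING = "False"` in the local-exec environment turns off SSH host-key verification for the provisioning run, so any host answering on that macvlan address could stand in for the new container and receive the playbook's commands; if the container's host key cannot be pinned before the run, consider a connection that does not traverse the network (the LXD connection plugin is the usual choice for LXD targets), or at least leave a comment recording why verification is disabled. The generated private key is written to `${path.module}/private.pem` and, as with any `tls_private_key`, is also kept in plaintext in the Terraform state, so the state backend and a `.gitignore` entry for `private.pem` have to be treated as holding a credential. `parent = "eno1"` and the `ubuntu` login are hard-coded, which ties the module to one host; a `var.nic_parent` would keep it reusable. With `nictype = "macvlan"` the LXD host itself frequently cannot reach the container through the parent interface, which would leave `-i ${lxd_container.vpn.ip_address},` unreachable from the machine running Terraform — worth confirming on the target host before relying on this provisioner. Finally, `triggers` hashes only the playbook files, so re-creating the container does not re-run Ansible; adding `container_id = lxd_container.vpn.id` to the triggers covers that case.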
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ lxd = {
+ source = "terraform-lxd/lxd"
+ version = "1.5.0"
+ }
+ }
+}
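Review bot: `required_providers` pins only `lxd`, while main.tf's new `tls_private_key`, `local_file` and `null_resource` resources pull in the `tls`, `local` and `null` providers implicitly and unpinned, so a fresh `terraform init` can resolve any version of them. Declaring them alongside lxd — `tls = { source = "hashicorp/tls" }` with matching `local` and `null` entries and a version constraint on each — plus a `required_version` line for Terraform itself keeps the module's dependency set explicit and reproducible.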