diff --git a/tasks/network.yml b/tasks/network.yml
index 29d2741..f4d4add 100644
--- a/tasks/network.yml
+++ b/tasks/network.yml
@@ -3,6 +3,8 @@
 template:
 src: '{{ item.src }}'
 dest: '{{ item.dest }}'
+ owner: root
+ group: systemd-network
 mode: '0640'
 loop:
 - {
diff --git a/tasks/transmission.yml b/tasks/transmission.yml
index 4b27767..1fd29de 100644
--- a/tasks/transmission.yml
+++ b/tasks/transmission.yml
@@ -1,3 +1,6 @@
+# TODO: stop transmission daemon beforehand, config does not seem to apply
+# during active service
+
 - name: copy transmission template
 template:
 src: 'templates/transmission.j2'
diff --git a/templates/network/wg0.netdev.j2 b/templates/network/wg0.netdev.j2
index 9a831cd..1997052 100644
--- a/templates/network/wg0.netdev.j2
+++ b/templates/network/wg0.netdev.j2
@@ -7,12 +7,12 @@ Description=WireGuard tunnel wg0
 [WireGuard]
 ListenPort={{ vpn_port }}
-PrivateKeyFile={{ vpn_server_key_path }}
+PrivateKey={{ vpn_server_key }}
 {% for peer in vpn_peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
-PresharedKeyFile={{ peer.preshared_key_path }}
+PresharedKey={{ peer.preshared_key }}
 AllowedIPs={{ peer.ip }}/32
 {% if not loop.last %}
diff --git a/templates/network/wg0.network.j2 b/templates/network/wg0.network.j2
index 2e96448..cdee26f 100644
--- a/templates/network/wg0.network.j2
+++ b/templates/network/wg0.network.j2
@@ -4,4 +4,4 @@ Name={{ vpn_interface }}
 [Network]
-Address={{ vpn_listen_address }}/24
+Address={{ vpn_listen_address }}/{{ vpn_subnet }}
diff --git a/templates/nftables.j2 b/templates/nftables.j2
index 95dc43e..55eaa7a 100644
--- a/templates/nftables.j2
+++ b/templates/nftables.j2
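Review bot: With the WireGuard private key now rendered inline into the .netdev, this template task should also set `no_log: true` next to the new `owner`/`group` keys, otherwise a `--diff` or verbose run prints the decrypted key in the play output. The `root:systemd-network` ownership with `0640` is the right shape for a file that systemd-networkd must read but nothing else should. The enclosing task begins above the hunk (its `- name:` line is before line 3), so I cannot see whether it already notifies a networkd reload; if not, one is needed for the new key to take effect.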
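Review bot: The new TODO records the symptom but not the cause: transmission-daemon writes its settings file back out when it stops, so a file templated while the service runs is overwritten at the next shutdown, which is why a plain restart handler is not enough. The comment would be more useful as `# transmission-daemon rewrites its settings on exit: stop it before templating, start it after`, and the task that follows (its body continues past the hunk) can be bracketed by a `service` task with `state: stopped` before and `state: started` after.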
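Review bot: `PrivateKey={{ vpn_server_key }}` and `PresharedKey={{ peer.preshared_key }}` emit the decrypted vault value verbatim, and a key captured with `ansible-vault encrypt_string` from a key file often keeps its trailing newline; `{{ vpn_server_key | trim }}` and `{{ peer.preshared_key | trim }}` keep a stray blank line out of the unit. Inlining the keys also turns the rendered .netdev into a secret in its own right, so the `0640` mode on the copying task is now load-bearing rather than defensive, and a short comment above `[WireGuard]` saying that the key lives in the vaulted `vpn_server_key` rather than on disk would help the next reader, since `vpn_server_key_path` is still defined in vars.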
@@ -22,7 +22,7 @@ table ip filter {
 iifname "br0" tcp dport {{ ssh_port }} accept comment "SSH"
 iifname "br0" tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
- iifname "br0" tcp dport {{ vpn_port }} accept comment "Wireguard"
+ iifname "br0" udp dport {{ vpn_port }} accept comment "Wireguard"
 iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS"
 iifname "{{ vpn_interface }}" tcp dport {{ transmission_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission"
diff --git a/vars/vpn.yml b/vars/vpn.yml
index b3b0f3d..7d7779e 100644
--- a/vars/vpn.yml
+++ b/vars/vpn.yml
@@ -1,4 +1,5 @@
 vpn_listen_address: '10.0.0.1'
+vpn_subnet: '24'
 vpn_local_ip: '192.168.178.185'
 vpn_port: '51902'
 vpn_interface: 'wg0'
@@ -8,6 +9,14 @@ vpn_destination_range: '10.0.0.1/32'
 vpn_server_public_key_path: '/etc/wireguard/keys/public/server.pub'
 vpn_server_key_path: '/etc/wireguard/keys/private/server.key'
+vpn_server_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36316631633737623637633465336534323661346562326361616561326262373930376539633264
+ 6438653132356266353037666466373833643633343338380a373964646339663965306332393361
+ 63393630653931336430333639326364666131346437666638383738323537656632346131616436
+ 3137656634316632340a326139373963626364653934303830653466356533636664396161643734
+ 30383661393361336561666366663637333166323732326664376431363463346132656335306436
+ 3163386561623765396236316263616631323134626537383839
 vpn_peers:
 - {
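Review bot: `vpn_subnet: '24'` holds a prefix length, not a subnet, so a name such as `vpn_prefix_length` would read correctly where it is interpolated after the `/` in wg0.network.j2. Keeping it as a quoted string is fine for Jinja interpolation. If `vpn_source_range` in the nftables template describes the same network, consider deriving it from `vpn_listen_address` and this value so the tunnel's address range has one source of truth.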
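Review bot: `vpn_server_key_path`, two lines above the new `vpn_server_key`, is no longer read by wg0.netdev.j2 after this commit; if no other task still deploys a key file there, drop it (and `vpn_server_public_key_path` if it only existed for that) so nobody assumes the on-disk key is kept in sync with the vaulted one. The same applies to the per-peer `preshared_key_path` and `preshared_key_source_path` entries in the two later hunks, where `preshared_key_source_path` points at plaintext key files under `files/wireguard/`. Once the vaulted values are authoritative those files should leave the repository, and since they sat under version control the pre-shared keys they hold are best regenerated rather than re-encrypted.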
@@ -16,6 +25,7 @@ vpn_peers:
 public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4=',
 preshared_key_path: '/etc/wireguard/keys/private/preshared-desktop.key',
 preshared_key_source_path: 'files/wireguard/preshared-desktop.key',
+ preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n613030653137313136613864613432613261303064373562313863353736656562343333333639323736656634663861373236353934653335643630633061340a643063633439383435316230633164666161386530373839393934643137313735353031306264663237626665356561356261306230376365643830633532370a343037393832386332323962626434303034393561373664306630623465306138646661386562306131343633323134393437393235636563346435383366373566333038396233383437656562613066383232333466623130333635303136"
 }
 - {
 name: 'laptop',
@@ -23,4 +33,5 @@ vpn_peers:
 public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw=',
 preshared_key_path: '/etc/wireguard/keys/private/preshared-laptop.key',
 preshared_key_source_path: 'files/wireguard/preshared-laptop.key',
+ preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n336435613338343639663239376633313631363439663837633832656331323039653638343366316630346137336665646461633437643066653164623537390a633862383165613032626434633063333564636662376635353638313435356530303430356336336533343137313061343637363465663436363465663664390a643832643133656330666661646535343034303235623464383532313431363035636530643966333532376236623239393363666266316363303061376565343263396433613339383661393130326562323766643135313365613766663063"
 }
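Review bot: The `desktop` peer's new `preshared_key` keeps the vault payload as a one-line double-quoted string with `\r\n` escapes because the peer is written as a flow mapping (`- { … }`), whereas `vpn_server_key` in the previous hunk uses the readable `!vault |` block form; the `laptop` hunk below has the same shape. Rewriting the peers as block-style mappings lets each `preshared_key` take the multi-line output of `ansible-vault encrypt_string` unchanged, which diffs line by line and avoids hand-escaped line endings. Ansible's vault parser appears to tolerate the CRLF-joined form, so this is a readability and maintenance point rather than a correctness one.
```yaml
vpn_peers:
  - name: 'desktop'
    # … unchanged: ip, public_key (and the *_path entries if still needed) …
    preshared_key: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      <vault ciphertext lines exactly as emitted by ansible-vault encrypt_string>
```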