diff --git a/ansible/roles/home-net/handlers/main.yml b/ansible/roles/home-net/handlers/main.yml
new file mode 100644
index 0000000..94cb9dd
--- /dev/null
+++ b/ansible/roles/home-net/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+# handlers file for wg_vpn
+
+- name: restart wireguard
+ service: name=wg-quick@wg0.service state=restarted
diff --git a/ansible/roles/home-net/tasks/rpi.yml b/ansible/roles/home-net/tasks/rpi.yml
new file mode 100644
index 0000000..19b2f39
--- /dev/null
+++ b/ansible/roles/home-net/tasks/rpi.yml
@@ -0,0 +1,30 @@
+---
+
+- name: install wireguard
+ apt:
+ name:
+ - wireguard
+ - wireguard-dkms
+ - wireguard-tools
+ update_cache: yes
+ state: latest
+
+- name: Enable IP forwarding
+ sysctl: name={{ item }} value=1 state=present
+ with_items:
+ - net.ipv4.ip_forward
+ - net.ipv6.conf.all.forwarding
+
+- name: Configure firewall (Ubuntu)
+ ufw: rule=allow port=51820 proto=udp
+ when: ansible_distribution == "Ubuntu"
+
+- name: Create wireguard config directory
+ file: state=directory path=/etc/wireguard owner=root group=root mode=0700
+
+- name: Install wireguard configuration
+ template: src=wg0.conf dest=/etc/wireguard/wg0.conf owner=root group=root mode=0600
+ notify: restart wireguard
+
+- name: Start wireguard
+ service: name=wg-quick@wg0.service enabled=yes state=started
diff --git a/ansible/roles/home-net/templates/main.yml b/ansible/roles/home-net/templates/main.yml
new file mode 100644
index 0000000..92c2f67
--- /dev/null
+++ b/ansible/roles/home-net/templates/main.yml
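Review bot: The header comment `# handlers file for wg_vpn` names a different role than the one this file lives in (home-net), which misleads anyone looking for where `restart wireguard` is defined; change it to `# handlers file for home-net`. The handler also uses the `key=value` shorthand for module arguments; writing it as block YAML (`service:` / `name: wg-quick@wg0.service` / `state: restarted`) is the Ansible-recommended form and keeps the file consistent with the block-style `apt` task in tasks/rpi.yml.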
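Review bot: The "Enable IP forwarding" task turns on `net.ipv6.conf.all.forwarding` together with `net.ipv4.ip_forward`, but the only forwarding filter this commit installs is the IPv4 `iptables` FORWARD/MASQUERADE set in the wg0.conf template, so if the host's ip6tables FORWARD chain is at its default ACCEPT policy the Pi starts routing IPv6 between its interfaces with no policy at all. Either drop the IPv6 sysctl until an ip6tables PostUp/PostDown pair exists for it, or add a comment explaining why unfiltered IPv6 forwarding is acceptable here. Separately, `state: latest` re-upgrades the three wireguard packages on every run, which makes the play non-idempotent and pulls whatever version the mirror currently serves; `state: present` is the usual choice for a role, with upgrades handled deliberately. As style points, `update_cache: yes` should be `update_cache: true` (yamllint truthy), `with_items` can be `loop`, and the `ufw` task is gated on Ubuntu so in a file named rpi.yml it presumably never runs — acceptable for a host that only dials out to the peer's Endpoint, but worth a one-line comment saying so.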
@@ -0,0 +1,11 @@
+[Interface]
+PrivateKey = {{ wireguard_clients[3]['privkey'] }}
+Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[3]['offset']) }}
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wireguard_server_pubkey }}
+Endpoint = vpn.awful.club:51820
+AllowedIPs = 10.200.219.0/24
diff --git a/ansible/roles/home-net/templates/wg0.conf b/ansible/roles/home-net/templates/wg0.conf
new file mode 100644
index 0000000..92c2f67
--- /dev/null
+++ b/ansible/roles/home-net/templates/wg0.conf
@@ -0,0 +1,11 @@
+[Interface]
+PrivateKey = {{ wireguard_clients[3]['privkey'] }}
+Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[3]['offset']) }}
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wireguard_server_pubkey }}
+Endpoint = vpn.awful.club:51820
+AllowedIPs = 10.200.219.0/24
diff --git a/ansible/wg_homeportal.yml b/ansible/wg_homeportal.yml
new file mode 100644
index 0000000..ced4453
--- /dev/null
+++ b/ansible/wg_homeportal.yml
@@ -0,0 +1,8 @@
+---
+
+- name: setup on prem portal wg host.
+ hosts: larva.home.jowj.net
+ tasks:
+ - debug: msg="Deploying wg portal"
+ roles:
+ - { name: home-net, tags: ['home-net'] }
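Review bot: templates/main.yml is a byte-identical copy of templates/wg0.conf (both hunks carry blob 92c2f67) that nothing references — the template task in tasks/rpi.yml only uses `src=wg0.conf` — so it is a stray duplicate that will drift from the real template and should be dropped from the commit. In the template body, `wireguard_clients[3]['privkey']` and `wireguard_clients[3]['offset']` hard-code this host's position in a shared list, so inserting or reordering a client earlier in that list silently hands the Pi another peer's private key and address; select the entry through a role variable (a lookup keyed on the host, not a numeric index). I can't see where `wireguard_clients` is defined, but since it holds private keys it should live in an Ansible Vault-encrypted vars file rather than plain group_vars. `-o eth0` is hard-coded in both MASQUERADE rules; a Pi on Wi-Fi uses wlan0, so `{{ ansible_default_ipv4.interface }}` would be more robust. All of these apply equally to templates/wg0.conf.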
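Review bot: The PostUp FORWARD rules accept every packet entering or leaving `%i` with no source or destination restriction, so once this "portal" is up any peer the server admits into 10.200.219.0/24 gets unrestricted access to the whole home LAN behind eth0; if that is the intended trust model a comment in the template saying so would help, otherwise constrain the rules with `-s`/`-d` to the VPN subnet and the LAN hosts that should be reachable. The `[Peer]` section has no `PersistentKeepalive`; this host lives on a home network (larva.home.jowj.net, "on prem") and presumably sits behind NAT, in which case the server side cannot reach the home LAN after the NAT mapping expires until the Pi sends traffic again, so `PersistentKeepalive = 25` is the usual addition for a gateway that must stay reachable. `Endpoint = vpn.awful.club:51820` is hard-coded while the server's key is templated; a `wireguard_server_endpoint` variable would keep the template free of site-specific values.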
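Review bot: Nothing in this play escalates privileges — there is no `become: true` here or in the role — while tasks/rpi.yml installs apt packages, writes sysctl entries and creates root-owned files under /etc/wireguard, so unless the inventory sets `ansible_become` for larva.home.jowj.net every task will fail on permissions; add `become: true` under `hosts:`. Ansible runs `roles:` before `tasks:`, so the `debug` message "Deploying wg portal" prints after the role has already finished; move it to `pre_tasks:` or drop it. The role ships only tasks/rpi.yml and no tasks/main.yml in this commit, so unless a main.yml exists outside the diff, applying home-net runs nothing — rename rpi.yml to main.yml or add a main.yml that includes it. The role entry is a flow mapping keyed on `name`; block style with `role: home-net` is the documented form.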