diff --git a/flake.lock b/flake.lock
index 8aea434a..538492b7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -344,11 +344,11 @@
 ]
 },
 "locked": {
- "lastModified": 1645815118,
- "narHash": "sha256-y2gArx6byPdlE/ON7mit3oq9fYg/Aw8tNd7MmOJvS+A=",
+ "lastModified": 1647968696,
+ "narHash": "sha256-5C93Xzq4Ux97tTHMET0mJXjdGdYyyKmIa8oUG1hGsXc=",
 "ref": "master",
- "rev": "eb0ae3249b44e54b6e6ad400f7ebdb56c38258e4",
- "revCount": 123,
+ "rev": "ad8b39dd71795ee9aecb6ce8cbd62f7e41f2669d",
+ "revCount": 124,
 "type": "git",
 "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
 },
diff --git a/flake.nix b/flake.nix
index 8382a8e0..6d333e35 100644
--- a/flake.nix
+++ b/flake.nix
@@ -245,6 +245,7 @@
 nixpkgs.overlays = with secrets.overlays; [
 freifunk ospf
 ];
+ sops.defaultSopsFile = "${secrets}/hosts/freifunk/secrets.yaml";
 }
 ];
 };
diff --git a/hosts/containers/freifunk/default.nix b/hosts/containers/freifunk/default.nix
index 40afcc56..6ab8f7f7 100644
--- a/hosts/containers/freifunk/default.nix
+++ b/hosts/containers/freifunk/default.nix
@@ -73,9 +73,13 @@ in {
 '';
 };
- # Required for krops: ssh git
- services.openssh.enable = true;
- environment.systemPackages = with pkgs; [ tcpdump ];
+ environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools ];
+
+ sops.secrets."wireguard/vpn6/privateKey" = {
+ group = "systemd-network";
+ mode = "0440";
+ };
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 systemd.network = {
 netdevs = {
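Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` relies on that host key existing at activation time, yet the same hunk drops `services.openssh.enable = true;`, and on NixOS it is the sshd service that generates the host keys; on a freshly built container the file would be absent, sops-nix could not derive its age identity, and the wireguard private key would never be written. If the key is provisioned some other way (by the container host or an earlier generation), record that next to the line, e.g. `# host key is provided by <provisioning step>; sshd itself is not needed here` with the real source filled in; otherwise keep openssh enabled or generate the key explicitly. The new secret entry is sensibly scoped: group `systemd-network` with mode `0440` lets systemd-networkd (running as the systemd-network user) read the `PrivateKeyFile` without making it world-readable. The enclosing attribute set begins and ends outside the hunk.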
@@ -87,6 +91,27 @@ in {
 Name = meshLoopback;
 };
 };
+ # Freifunk Dresden Backbone
+ vpn6 = {
+ enable = true;
+ netdevConfig = {
+ Name = "vpn6";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wireguard/vpn6/privateKey".path;
+ ListenPort = 5007;
+ # Mark for routing with the upstream routing table
+ FirewallMark = upstreamMark;
+ };
+ wireguardPeers = [ {
+ wireguardPeerConfig = {
+ Endpoint = "vpn4.freifunk-dresden.de:5007";
+ PublicKey = "7R3K3rGtCZprgqz5/iWql4yLg9BrsaNiv5XQwJ7csn4=";
+ AllowedIPs = "0.0.0.0/0";
+ };
+ } ];
+ };
 };
 networks = {
 # Wired mesh interface
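Review bot: `AllowedIPs = "0.0.0.0/0"` lets the backbone peer originate packets with any IPv4 source address on vpn6, and nothing in the hunk says how that traffic is constrained once it arrives; whether it is forwarded or filtered is decided by the `networks` entry and firewall rules that begin after the hunk, so the intent should be stated here, e.g. `# Peer may send any IPv4 source; routing and filtering for vpn6 live in the networks section, not in cryptokey routing`. It is also worth recording that, as far as I know, systemd-networkd installs no routes for AllowedIPs= unless RouteTable= is set, so the existing FirewallMark comment is currently the only hint of how the tunnel is actually reached. `Endpoint` is a DNS name, so bringing the netdev up depends on resolution being available when networkd starts; if it cannot resolve, the peer stays endpoint-less until a retry, which may be fine for a backbone link but deserves a note. The netdevs set closes inside the hunk, but the enclosing `systemd.network` attribute set ends outside it.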