diff --git a/nixy/configuration.nix b/nixy/configuration.nix
index dd758c8..8fb7b24 100644
--- a/nixy/configuration.nix
+++ b/nixy/configuration.nix
@@ -35,6 +35,10 @@
 sopsFile = ./secrets/wg_privkey_proton.yaml;
 };
+ "wg_endpoint_proton" = {
+ sopsFile = ./secrets/wg_privkey_proton.yaml;
+ };
+
 "borgbase_enc_key" = {
 sopsFile = ./secrets/borgbase_enc_key.yaml;
 owner = config.users.users.akill.name;
@@ -148,19 +152,6 @@
 }
 ];
 };
-
- proton = {
- ips = [ "10.2.0.2/32" ];
- privateKeyFile = config.sops.secrets."wg_privkey_proton".path;
- peers = [
- {
- publicKey = builtins.readFile ../common/wg_pubkey_proton;
- allowedIPs = [ "10.2.0.0/24" ];
- endpoint = "109.236.81.166:51820";
- persistentKeepalive = 25;
- }
- ];
- };
 };
 };
 
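Review bot: The new `wg_endpoint_proton` secret sets `sopsFile = ./secrets/wg_privkey_proton.yaml;`, the same file as the private key, and declares no `key`, so sops-nix will look for a `wg_endpoint_proton` entry inside the privkey yaml (the `key` option defaults to the secret's name). If the endpoint value really is stored there, a comment such as `# endpoint address is stored alongside the private key in wg_privkey_proton.yaml` would keep the next reader from reading it as a copy-paste slip; if it is not, activation fails when sops-nix cannot find the key. No `owner`/`mode` is given, so the decrypted file presumably keeps the root-only default; that looks consistent with the later hunk that reads it from a system service, but it is worth stating, since this change moves the endpoint out of plaintext configuration and into a secret and the intended access policy is not written down anywhere in the hunk.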
@@ -208,6 +199,50 @@
 ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I";
 };
 };
+
+ "netns@" = {
+ description = "%I network namespace";
+ before = ["network.target"];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.iproute}/bin/ip netns add %I";
+ ExecStop = "${pkgs.iproute}/bin/ip netns del %I";
+ };
+ };
+
+ "wg_proton" = {
+ description = "wg network interface";
+ bindsTo = ["netns@wg.service"];
+ requires = ["network-online.target"];
+ after = ["netns@wg.service"];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = pkgs.writers.writeBash "wg-up" ''
+ set -e
+ ENDPOINT_IP=$(${pkgs.coreutils-full}/bin/cat "${config.sops.secrets."wg_endpoint_proton".path}")
+ ${pkgs.iproute}/bin/ip link add proton_wg type wireguard
+ ${pkgs.iproute}/bin/ip link set proton_wg netns wg
+ ${pkgs.iproute}/bin/ip -n wg address add 10.2.0.2/32 dev proton_wg
+ ${pkgs.iproute}/bin/ip netns exec wg \
+ ${pkgs.wireguard-tools}/bin/wg set "proton_wg" private-key "${config.sops.secrets."wg_privkey_proton".path}"
+ ${pkgs.iproute}/bin/ip netns exec wg \
+ ${pkgs.wireguard-tools}/bin/wg set "proton_wg" peer "g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=" \
+ endpoint "$ENDPOINT_IP:51820" \
+ persistent-keepalive "25" \
+ allowed-ips "0.0.0.0/0"
+ ${pkgs.iproute}/bin/ip -n wg link set lo up
+ ${pkgs.iproute}/bin/ip -n wg link set proton_wg up
+ ${pkgs.iproute}/bin/ip -n wg route add default dev proton_wg
+ '';
+ ExecStop = pkgs.writers.writeBash "wg-down" ''
+ ${pkgs.iproute}/bin/ip -n wg route del default dev proton_wg
+ ${pkgs.iproute}/bin/ip -n wg link del proton_wg
+ '';
+ };
+ };
+
 };
 extraConfig = ''