diff --git a/modules/config/devices/config/ceres.nix b/modules/config/devices/config/ceres.nix
index e1fd88a..723cca4 100755
--- a/modules/config/devices/config/ceres.nix
+++ b/modules/config/devices/config/ceres.nix
@@ -28,7 +28,7 @@ in
 options = ownerExclusiveReadWriteMask;
 };
 wireguard = {
- ip0 = "10.0.0.1";
+ ip0 = "10.100.0.1";
 };
 storage0 = {
 mount = "/mnt/media/${ceresStorageDriveName}";
diff --git a/modules/config/devices/config/mars.nix b/modules/config/devices/config/mars.nix
index 4d14165..5ea9e56 100755
--- a/modules/config/devices/config/mars.nix
+++ b/modules/config/devices/config/mars.nix
@@ -19,7 +19,7 @@ in
 options = ownerWriteOthersReadMask;
 };
 wireguard = {
- ip0 = "10.0.0.2";
+ ip0 = "10.100.0.2";
 };
 storage0 = {
 mount = "/mnt/media/games";
diff --git a/modules/config/instances/config/web.nix b/modules/config/instances/config/web.nix
index 590f58b..4f8a1c9 100755
--- a/modules/config/instances/config/web.nix
+++ b/modules/config/instances/config/web.nix
@@ -22,6 +22,7 @@ in
 address1 = "0.0.0.0"; # All
 address2 = "192.168.50.1"; # Router
 address3 = "192.168.50.0"; # Router
+ address4 = "192.168.1.0"; # Router
 };
 remotehost = {
 address0 = "24.76.173.0";
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
index 671ed7f..0da0033 100755
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -1,14 +1,8 @@
-{
- config,
- flake,
- pkgs,
- ...
- }:
+{ config, flake, ... }:
 let
 inherit (flake.config.services.instances) wireGuard;
 inherit (flake.config.machines.devices) mars ceres;
 service = wireGuard;
- hostIP = "${ceres.wireguard.ip0}/24";
 in
 {
 networking = {
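Review bot: `address4 = "192.168.1.0"; # Router` labels a network address (host part zero) as a router, and the only consumer visible in this commit, systems/mars/config/wireguard.nix, appends `/24` to it to form a WireGuard `allowedIPs` entry, so the comment hides both what the value is and where its prefix length comes from. A comment such as `address4 = "192.168.1.0"; # LAN network base; mars wireguard appends /24` would make that explicit; `address3` has the same shape but is untouched by this change. The enclosing attribute set (presumably `localhost`, the name under which mars reads it) opens outside the hunk.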
@@ -29,36 +23,15 @@ in
 
 internalInterfaces = [ "wg0" ];
 };
- wg-quick.interfaces = {
+ wireguard.interfaces = {
 wg0 = {
- address = [
- hostIP
- "fdc9:281f:04d7:9ee9::1/64"
- ];
+ ips = [ "${ceres.wireguard.ip0}/24" ];
 listenPort = service.ports.port1;
 privateKeyFile = config.sops.secrets."${service.name}-private".path;
- postUp = ''
- ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${hostIP} -o eth0 -j MASQUERADE
- ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
- '';
-
- # Undo the above
- preDown = ''
- ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${hostIP} -o eth0 -j MASQUERADE
- ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
- '';
 peers = [
 {
 publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=";
- presharedKeyFile = config.sops.secrets."${service.name}-mars-public".path;
- allowedIPs = [
- "${mars.wireguard.ip0}/32"
- "fdc9:281f:04d7:9ee9::2/128"
- ];
+ allowedIPs = [ "${mars.wireguard.ip0}/32" ];
 }
 ];
 };
@@ -83,7 +56,6 @@ in
 [
 "private"
 "public"
- "mars-public"
 ]
 );
 };
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
index d8240d9..2ae6428 100755
--- a/systems/mars/config/wireguard.nix
+++ b/systems/mars/config/wireguard.nix
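Review bot: The rewritten peer entry drops `presharedKeyFile`, and the mars peer in systems/mars/config/wireguard.nix does the same, so the tunnel no longer mixes the sops-managed pre-shared key into its session keys; WireGuard's PSK is the optional symmetric layer on top of the Curve25519 handshake, and `networking.wireguard.interfaces.<name>.peers.*.presharedKeyFile` takes the same path the wg-quick option did, so unless dropping it is deliberate keep `presharedKeyFile = config.sops.secrets."${service.name}-mars-public".path;` here and leave `"mars-public"` (and `"public"` on mars) in the sops secret lists that the later hunks trim. Deleting the `postUp`/`preDown` FORWARD and MASQUERADE rules also moves all forwarding for the `192.168.1.0/24` that mars now routes through this host onto whatever the block holding `internalInterfaces = [ "wg0" ]` (presumably `networking.nat`) declares; its `externalInterface` is outside the hunk, so confirm it names the same uplink the removed `-o eth0` rules did and that IPv6 forwarding is intentionally gone. The enclosing `networking` attribute set continues past the hunk.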
@@ -5,30 +5,23 @@ let
 service = wireGuard;
 in
 {
- networking.wg-quick.interfaces = {
- wg0 = {
- address = [
- "${mars.wireguard.ip0}/24"
- "fdc9:281f:04d7:9ee9::2/64"
- ];
- dns = [
- "${ceres.wireguard.ip0}"
- "fdc9:281f:04d7:9ee9::1"
- ];
- privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
- peers = [
- {
- publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
- presharedKeyFile = config.sops.secrets."${service.name}-public".path;
- allowedIPs = [
- "192.168.1.0/24"
- "0.0.0.0/0"
- "::/0"
- ];
- endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
- persistentKeepalive = 25;
- }
- ];
+ networking = {
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "${mars.wireguard.ip0}/32" ];
+ privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
+ peers = [
+ {
+ publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
+ allowedIPs = [
+ "${ceres.wireguard.ip0}/32"
+ "${web.localhost.address4}/24"
+ ];
+ endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
 };
 };
 
@@ -50,7 +43,6 @@ in
 [
 "mars-private"
 "mars-public"
- "public"
 ]
 );
 };
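Review bot: `ips = [ "${mars.wireguard.ip0}/32" ]` gives mars a host-only address while the ceres side keeps `${ceres.wireguard.ip0}/24`; the NixOS module installs a route per `allowedIPs` entry (`allowedIPsAsRoutes` defaults to true), so ceres stays reachable, but any further peer added to 10.100.0.0/24 later will be unreachable from mars until it is also listed here — either align the prefix to `/24` or note that the /32 is intentional. `"${web.localhost.address4}/24"` also hard-codes the prefix length next to a value that web.nix only describes as `# Router`; a short comment on that entry naming the network (presumably the LAN behind ceres, reached through the tunnel) and why the `/24` lives here would help the next reader. The `dns` list that pointed at ceres disappears with the move off wg-quick, which is fine only if mars no longer needs to resolve names over the tunnel; the outer attribute set opened at the `{` context line closes outside the hunk.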