diff --git a/.forgejo/workflows/nix_build.yaml b/.forgejo/workflows/nix_build.yaml
index 39dfacc..2941102 100644
--- a/.forgejo/workflows/nix_build.yaml
+++ b/.forgejo/workflows/nix_build.yaml
@@ -64,6 +64,9 @@ jobs: - name: nix build sternchen run: nix build .#nixosConfigurations.sternchen.config.system.build.toplevel + - name: nix build usbstick run: nix build .#nixosConfigurations.usbstick.config.system.build.toplevel + - name: commit & push if: ${{ github.event_name == 'schedule' }} # only if all nix builds are fine we update our branch
diff --git a/machines/usbstick/configuration.nix b/machines/usbstick/configuration.nix
index fd1aed7..0f48409 100644
--- a/machines/usbstick/configuration.nix
+++ b/machines/usbstick/configuration.nix
@@ -5,6 +5,7 @@ ./hardware-configuration #./tinc.nix #./syncthing.nix + ./network-wireguard-wg0.nix ];
diff --git a/machines/usbstick/network-wireguard-wg0.nix b/machines/usbstick/network-wireguard-wg0.nix
new file mode 100644
index 0000000..941c489
--- /dev/null
+++ b/machines/usbstick/network-wireguard-wg0.nix
@@ -0,0 +1,33 @@
+{ config, factsGenerator, clanLib, ... }:
+{
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+ clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
+ clan.core.facts.services.wireguard_ip = factsGenerator.public {
+ "wireguard.wg0.cidr" = "10.100.0.100/32";
+ "wireguard.wg0.ip" = "10.100.0.100";
+ };
+
+ # Enable WireGuard
+ networking.wg-quick.interfaces = {
+ # Hub and Spoke Setup
+ # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
+ wg0 = {
+ address = [
+ config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
+ ];
+ listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+ privateKeyFile = config.clan.core.facts.services.wireguard.secret."wireguard.wg0.key".path;
+ mtu = 1280;
+
+ peers = [
+ {
+ publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
+ allowedIPs = [
+ (clanLib.readFact "wireguard.wg0.cidr" "orbi")
+ ];
+ endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
+ }
+ ];
+ };
+ };
+}
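Review bot: `networking.firewall.allowedUDPPorts = [ 51820 ]` and `listenPort = 51820` are two literals that the comment on listenPort asks the reader to keep in sync by hand; referencing the option instead, `networking.firewall.allowedUDPPorts = [ config.networking.wg-quick.interfaces.wg0.listenPort ];`, lets the firewall hole follow the interface if the port is ever changed. The same duplication exists for `10.100.0.100` in the `wireguard.wg0.cidr` and `wireguard.wg0.ip` facts, which could be derived from a single `let` binding. With only the hub peer `orbi` in `peers`, this host is a spoke that initiates the tunnel itself, so the inbound listen port is only needed if the hub must be able to reach the stick first; if it usually sits behind NAT, `persistentKeepalive` on the peer is the usual way to keep it reachable rather than an open listen port, and a comment stating which case is intended would help the next reader — I cannot tell from the hunk.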