diff --git a/nixos/machines/orbi/network-wireguard.nix b/nixos/machines/orbi/network-wireguard.nix
index 77216dc..8fdc9c9 100644
--- a/nixos/machines/orbi/network-wireguard.nix
+++ b/nixos/machines/orbi/network-wireguard.nix
@@ -53,6 +53,16 @@
           publicKey = "ZNnlmPdxAGYtaUvOU2V47tcEhcB06LBCXkSxIvWZL2k=";
           allowedIPs = [ "10.100.0.7/32" ];
         }
+        {
+          # ipad
+          publicKey = "E8TJTPQT0jK9vzDrwqX4fIGQtM640gc6qALVTZgmfRo=";
+          allowedIPs = [ "10.100.0.8/32" ];
+        }
+        {
+          # ipad tina
+          publicKey = "aOlfGT2c/4v7U7faLXyCyiCHe8iSAOedblKgbJONxnM=";
+          allowedIPs = [ "10.100.0.9/32" ];
+        }
       ];
     };
   };
diff --git a/scripts/wireguard-client.sh b/scripts/wireguard-client.sh
new file mode 100644
index 0000000..4e13f21
--- /dev/null
+++ b/scripts/wireguard-client.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+#
+# Create a new wireguard client
+
+client_name="ipad tina"
+client_ip=10.100.0.9
+private_key=$( wg genkey )
+public_key=$( echo "$private_key" | wg pubkey )
+
+cat <<EOF > client.conf
+[Interface]
+Address = ${client_ip}/32
+MTU = 1280
+ListenPort = 51820
+PrivateKey = ${private_key}
+
+[Peer]
+PublicKey = uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=
+Endpoint = ingolf-wagner.de:51820
+AllowedIPs = 10.100.0.1/24
+EOF
+
+cat <<EOF
+## nixos configuration:
+
+{
+  # ${client_name}
+  publicKey = "${public_key}";
+  allowedIPs = [ "${client_ip}/32" ];
+}
+
+## client configuration
+
+is in ./client.conf
+
+### QR Code
+
+for quick configuration
+
+EOF
+
+qrencode -t ansiutf8 < client.conf