diff --git a/network.yml b/network.yml
new file mode 100644
index 00000000..72875d35
--- /dev/null
+++ b/network.yml
@@ -0,0 +1,8 @@
+---
+# Deploy tunnel
+- hosts: boeing.adm.crans.org
+  vars:
+    # Debian mirror on adm
+    debian_mirror: http://mirror.adm.crans.org/debian
+  roles:
+    - wireguard
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 00000000..bf89f3c7
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Add Debian unstable repository
+  apt_repository:
+    repo: "deb {{ debian_mirror }} unstable main"
+    state: present
+
+- name: Limit unstable packages
+  template:
+    src: apt/preferences.d/limit-unstable.j2
+    dest: /etc/apt/preferences.d/limit-unstable
+
+- name: Install wireguard
+  apt:
+    update_cache: true
+    name: wireguard
diff --git a/roles/wireguard/templates/apt/preferences.d/limit-unstable.j2 b/roles/wireguard/templates/apt/preferences.d/limit-unstable.j2
new file mode 100644
index 00000000..5de43d80
--- /dev/null
+++ b/roles/wireguard/templates/apt/preferences.d/limit-unstable.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+Package: *
+Pin: release a=unstable
+Pin-Priority: 90