diff --git a/_build/build-all.sh b/_build/build-all.sh
index 22aec8c..21f1481 100755
--- a/_build/build-all.sh
+++ b/_build/build-all.sh
@@ -37,6 +37,14 @@ abuild -F
 cd ${ROOT}/apk/vmmgr
 abuild -F
+cd ${ROOT}/apk/wireguard
+apk add libmnl-dev linux-virt-dev linux-firmware-none
+FLAVOR=virt abuild -F
+
+cd ${ROOT}/apk/wireguard-tools
+apk add libmnl-dev
+abuild -F
+
 # Build apd pack runtimes
 cd ${ROOT}/lxc-shared
 lxc-build alpine3.8
diff --git a/_vm.sh b/_vm.sh
index 4225675..f233e64 100755
--- a/_vm.sh
+++ b/_vm.sh
@@ -86,7 +86,7 @@ chroot /mnt setup-timezone -z Europe/Prague
 # Install basic system
 apk --no-cache add apache2-utils gettext
 wget https://repo.spotter.cz/_vm.tar -O - | tar xf - -C /mnt
-chroot /mnt apk --no-cache add bridge ca-certificates curl e2fsprogs-extra gettext iptables kbd-misc libressl lxc postfix nginx openssh-server openssh-sftp-server util-linux wireguard-virt@et wireguard-tools-wg@et acme-sh@vm vmmgr@vm
+chroot /mnt apk --no-cache add bridge ca-certificates curl e2fsprogs-extra gettext iptables kbd-misc libressl lxc postfix nginx openssh-server openssh-sftp-server util-linux wireguard-virt@vm wireguard-tools-wg@vm acme-sh@vm vmmgr@vm
 chroot /mnt newaliases
 mkdir -p /mnt/var/log/lxc
 for SERVICE in cgroups consolefont crond iptables networking nginx ntpd postfix swap urandom vmmgr; do
diff --git a/apk/vmmgr b/apk/vmmgr
index d6f738c..19b16c1 160000
--- a/apk/vmmgr
+++ b/apk/vmmgr
@@ -1 +1 @@
-Subproject commit d6f738c47ec52d11918d5c0e9edc096270b14b8a
+Subproject commit 19b16c124498479d6f9d9790da12320ba33eb33c
diff --git a/apk/wireguard-tools/APKBUILD b/apk/wireguard-tools/APKBUILD
new file mode 100644
index 0000000..d70554c
--- /dev/null
+++ b/apk/wireguard-tools/APKBUILD
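Review bot: Both added `cd ${ROOT}/apk/...` lines in build-all.sh are unquoted and unchecked, so if either directory is missing the following `apk add` and forced `abuild -F` run in whatever directory the script was last in and rebuild the previous package instead of failing. Whether `set -e` is active is decided outside this hunk; if it is not, `cd "${ROOT}/apk/wireguard" || exit 1` (and the same for `wireguard-tools`) makes the failure explicit. The `apk add ... linux-virt-dev` line is also unpinned, while apk/wireguard/APKBUILD in this commit builds against exactly `4.19.41-r0`, so a comment naming that coupling would help whoever does the next kernel bump.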
@@ -0,0 +1,66 @@
+# Contributor: Stuart Cardall
+# Maintainer: Stuart Cardall
+
+# NOTE: pkgrel must match _toolsrel in wireguard-vanilla
+pkgname=wireguard-tools
+pkgver=0.0.20190601
+pkgrel=0
+pkgdesc="Next generation secure network tunnel: userspace tools"
+arch='all'
+url='https://www.wireguard.com'
+license="GPL-2.0"
+makedepends="libmnl-dev"
+depends="$pkgname-wg $pkgname-wg-quick"
+subpackages="
+ $pkgname-doc
+ $pkgname-bash-completion:bashcomp:noarch
+ $pkgname-wg:_split
+ $pkgname-wg-quick:_split:noarch
+ "
+options="!check"
+source="https://git.zx2c4.com/WireGuard/snapshot/WireGuard-$pkgver.tar.xz
+ alpine-compat.patch
+ "
+builddir="$srcdir"/WireGuard-$pkgver
+
+build() {
+ cd "$builddir"
+ make -C src/tools
+}
+
+package() {
+ cd "$builddir"
+ mkdir -p "$pkgdir/usr/share/doc/$pkgname"
+
+ make -C src/tools \
+ DESTDIR="$pkgdir" \
+ WITH_BASHCOMPLETION=yes \
+ WITH_WGQUICK=yes \
+ WITH_SYSTEMDUNITS=no \
+ install
+
+ find "$builddir"/contrib/examples -name '.gitignore' -delete
+ cp -rf "$builddir"/contrib/examples "$pkgdir/usr/share/doc/$pkgname/"
+}
+
+_split() {
+ local cmd=${subpkgname/$pkgname-}
+ pkgdesc="$pkgdesc ($cmd)"
+ case $cmd in
+ wg-quick) depends="$pkgname-wg iproute2 bash openresolv" ;;
+ *) depends= ;;
+ esac
+ mkdir -p "$subpkgdir"/usr/bin
+ mv "$pkgdir"/usr/bin/$cmd "$subpkgdir"/usr/bin/
+}
+
+bashcomp() {
+ depends="bash"
+ pkgdesc="WireGuard bash completions"
+
+ mkdir -p "$subpkgdir"/usr
+ mv "$pkgdir"/usr/share "$subpkgdir"/usr
+}
+
+sha512sums="d667e42b90fbda85b005ae2966689dadc9975c1a53ca5ddfff44214ed55ad7d55d451008c225a4619c834bd7af598af1f127d76a8a3a86cf2e6d886ea0638cf3 WireGuard-0.0.20190601.tar.xz
+4577574333f023217ae6e0945807e1ccd2dec7caa87e329b1d5b44569f6b5969663ad74f8154b85d3dc7063dd762649e3fa87c7667e238ffb77c0e5df9245a5e alpine-compat.patch"
diff --git a/apk/wireguard-tools/alpine-compat.patch b/apk/wireguard-tools/alpine-compat.patch
new file mode 100644
index 0000000..1268ffb
--- /dev/null
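Review bot: The header comment `# NOTE: pkgrel must match _toolsrel in wireguard-vanilla` in apk/wireguard-tools/APKBUILD does not describe this tree: the sibling apk/wireguard/APKBUILD added in this commit uses `_ver`/`_rel` in its `install_if`, and its `prepare()` cross-checks are skipped whenever `FLAVOR` is set, which build-all.sh does. Nothing then enforces the match, and a drift would presumably just stop the kernel-module package from being pulled in alongside the tools. I would reword the comment to `# NOTE: pkgver/pkgrel must equal _ver/_rel in ../wireguard/APKBUILD (used by its install_if)`.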
+++ b/apk/wireguard-tools/alpine-compat.patch
@@ -0,0 +1,12 @@
+diff --git a/src/tools/wg-quick/linux.bash b/src/tools/wg-quick/linux.bash
+--- a/src/tools/wg-quick/linux.bash
++++ b/src/tools/wg-quick/linux.bash
+@@ -201,7 +201,7 @@
+ cmd ip $proto rule add table main suppress_prefixlength 0
+ while read -r key _ value; do
+ [[ $value -eq 1 ]] && sysctl -q "$key=2"
+- done < <(sysctl -a -r '^net\.ipv4.conf\.[^ .=]+\.rp_filter$')
++ done < <(sysctl -a 2>/dev/null | sed -n -r 's#^(net\.ipv4.conf\.[^ .=]+\.rp_filter).*$#\1#p')
+ return 0
+ }
+
diff --git a/apk/wireguard/APKBUILD b/apk/wireguard/APKBUILD
new file mode 100644
index 0000000..a32133a
--- /dev/null
+++ b/apk/wireguard/APKBUILD
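Review bot: The replacement `sed` expression on the `++ done < <(...)` line of alpine-compat.patch keeps only the captured key and discards the rest of each line, so `read -r key _ value` leaves `value` empty and `[[ $value -eq 1 ]]` is never true; the `sysctl -q "$key=2"` adjustment appears to be silently disabled. If that adjustment is still wanted, filter whole lines instead, e.g. `done < <(sysctl -a 2>/dev/null | grep -E '^net\.ipv4\.conf\.[^ .=]+\.rp_filter ')`, assuming the local sysctl prints `key = value`. If leaving strict reverse-path filtering in place is the intent, remove the loop and say so in the patch rather than leaving dead code. The `2>/dev/null` also hides any sysctl error, and the enclosing function starts outside the patched lines.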
@@ -0,0 +1,99 @@
+# Contributor: Stuart Cardall
+# Maintainer: Stuart Cardall
+
+# wireguard version
+_ver=0.0.20190601
+_rel=0
+
+# kernel version
+_kver=4.19.41
+_krel=0
+
+_kpkgver="$_kver-r$_krel"
+
+# for custom kernels set $FLAVOR
+_extra_flavors=
+if [ -z "$FLAVOR" ]; then
+ _flavor=vanilla
+ case $CARCH in
+ x86|x86_64) _extra_flavors="virt";;
+ esac
+else
+ _flavor=$FLAVOR
+fi
+_kpkg=linux-$_flavor
+
+pkgname=wireguard-$_flavor
+pkgver=$_kver
+pkgrel=2
+pkgrel=$(($pkgrel + $_krel))
+
+pkgdesc="Next generation secure network tunnel: kernel modules for $_flavor"
+arch="all"
+url="https://www.wireguard.com"
+license="GPL-2.0"
+depends="linux-$_flavor=$_kpkgver"
+makedepends="
+ libmnl-dev
+ linux-$_flavor-dev=$_kpkgver
+ linux-firmware-none
+ "
+install_if="wireguard-tools-wg=$_ver-r$_rel linux-$_flavor=$_kpkgver"
+options="!check"
+source="https://git.zx2c4.com/WireGuard/snapshot/WireGuard-$_ver.tar.xz"
+builddir="$srcdir"/WireGuard-$_ver
+
+for f in $_extra_flavors; do
+ makedepends="$makedepends linux-$f-dev=$_kpkgver"
+ subpackages="$subpackages wireguard-$f:_extra"
+done
+
+prepare() {
+ default_prepare
+ if [ -z "$FLAVOR" ]; then
+ ( . "$startdir"/../../main/linux-$_flavor/APKBUILD
+ [ "$_kver" != "$pkgver" ] && die "please update _kver to $pkgver"
+ [ "$_krel" != "$pkgrel" ] && die "please update _krel to $pkgrel"
+ return 0
+ )
+ fi
+ if [ -z "$FLAVOR" ]; then
+ ( . "$startdir"/../../community/wireguard-tools/APKBUILD
+ [ "$_ver" != "$pkgver" ] && die "please update _ver to $pkgver"
+ [ "$_rel" != "$pkgrel" ] && die "please update _rel to $pkgrel"
+ return 0
+ )
+ fi
+ local flavor=
+ for flavor in $_flavor $_extra_flavors; do
+ cp -r "$builddir" "$srcdir"/$flavor
+ done
+}
+
+build() {
+ unset LDFLAGS
+ local flavor= kabi=
+ for flavor in $_flavor $_extra_flavors; do
+ kabi="$_kver-$_krel-$flavor"
+ make -C "$srcdir/$flavor"/src \
+ KERNELDIR=/lib/modules/$kabi/build module
+ done
+}
+
+package() {
+ local kabi="$_kver-$_krel-$_flavor"
+ install -Dm644 "$srcdir"/$_flavor/src/wireguard.ko \
+ "$pkgdir/lib/modules/$kabi/extra/wireguard.ko"
+}
+
+_extra() {
+ flavor=${subpkgname##*-}
+ depends="linux-$flavor=$_kpkgver"
+ install_if="wireguard-tools-wg=$_ver-r$_rel linux-$flavor=$_kpkgver"
+ pkgdesc="Next generation secure network tunnel: kernel modules for $flavor"
+ local kabi="$_kver-$_krel-$flavor"
+ install -Dm644 "$srcdir"/virt/src/wireguard.ko \
+ "$subpkgdir/lib/modules/$kabi/extra/wireguard.ko"
+}
+
+sha512sums="d667e42b90fbda85b005ae2966689dadc9975c1a53ca5ddfff44214ed55ad7d55d451008c225a4619c834bd7af598af1f127d76a8a3a86cf2e6d886ea0638cf3 WireGuard-0.0.20190601.tar.xz"