diff --git a/README.md b/README.md
index 3fcb866..89c9e2e 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,4 @@
 # nix
+bastion.mtz.lasuite.federez: nePNA6RDzgNeSC7deXqeoK2rGGei65tBNnCEN6ZKkEI=
+bastion.ren.lasuite.federez: tSnZQM0s1EaN2uvCgYP8xkLXt+NccBBPJj5UBzV3h2Y=
\ No newline at end of file
diff --git a/secrets/bastion/wg-private-zone-1.age b/secrets/bastion/wg-private-zone-1.age
new file mode 100644
index 0000000..0126eb6
--- /dev/null
+++ b/secrets/bastion/wg-private-zone-1.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 AoNqxQ knbcHLEYnoQjMfF+ZNck0wpAceeb8ooq3A8bzoLgFy8
+W+CESgJr8Ck3JQ61I2G7vPpycfIcWp/gUt1pIk2XaWE
+-> ssh-ed25519 Ql/wMw a7yY5Jvs6n//AiCDnPX19jjlmvZKXivO33Cg0aMjQ08
+2I0uy0Nk2w1Kg7CYu3lyOJUqZNbb3WaQudwviXlZB4A
+-> ssh-ed25519 Ecp4NA cn8KR9O3a/DXUt5nwCvNBToAbClwvb5P7AYpey11dTs
+Xg7veR9JMgjSzBf4dfqmJdJ/byZADiiwBvUzOkQb/+A
+-> ssh-ed25519 vHebMw pgh2K90AbukQANSsagUTpHWBJUCcBVPIRXNhiUFS7Sw
+3QaFQ6DkZq9UhK6/l2nu5IOESN6VRnxoRgSkIWBFLqk
+-> ssh-ed25519 um7xWA y1cegmPgkhOFFML7ZgMvXqV2ZCx44LyxHbgga6wDkg8
+qDoj0U0Ky0V5S3dSUIahsjkB7y2VFROtK3CoLog/VUY
+-> ssh-ed25519 oRtTqQ 06JdS8UUfhneHp7NE2vAVde0uwcwirgFDy2QFTPdPxE
+3JaKSODSeWx59iCv8b1THvUY8kH7KPE6BNPuAS28E6o
+--- Q/FVLEXjSsvWbtq29gvNrXKS0CmFgHay48x5PvT5vOM
+ËBÝÍ:îA×Ö˜bäõ˜h­<™öp`özj`¶ÔG@¦Ù¼WcghêÊæú»²³TÆˆÉ ãÓÝúYöÖu…Öþó_N™XÞ˜ºIhn
\ No newline at end of file
diff --git a/secrets/bastion/wg-private-zone-2.age b/secrets/bastion/wg-private-zone-2.age
new file mode 100644
index 0000000..25fe977
--- /dev/null
+++ b/secrets/bastion/wg-private-zone-2.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 AoNqxQ 70DTIbXzMPbLII1tQzjnPSVcSnPL7DeRO2OhSQkZIQ8
+EOnW7swnuwE+FXcnMAE9xbhqwmV/PAhrKqnZEnvn80g
+-> ssh-ed25519 Ql/wMw abCAkodTVDy0q4WZS9OzEpGnLa0tB9cW4jpk9nwslx8
+1OEMzTHAjEbv03UH5HNFPQ0Wp6G8WegAsEBZaZWY5O0
+-> ssh-ed25519 Ecp4NA 4sCVyiIkgsEJkZbTJIBYSAIR6Ya8YcfHAkDkadpP6ng
+ubYW2caWfDZg9KDasuVYZg+VlKPl1d7ajlb/XKMREb0
+-> ssh-ed25519 vHebMw 2WWQ6SmwdWIyDZVvPVQQVyRf1tI1Em46DbiTbwTCaTg
+8+aGXKlD27AVCDRBJVt1AaOKcKhfe5N61Zcx+43qEak
+-> ssh-ed25519 um7xWA 09ho4VI2L9LlPiOXP9U60fiWRWTJWOHN9bISD9KGZyk
+qB0wZoAfxSxd/2V+4TiyqF8qLaITntMV9L7Qdaz8JrQ
+-> ssh-ed25519 oRtTqQ M7/+Ny2J6DH+1Y2kEa/OuvkL51sclCg7IyBiezmOO18
+Scdi37jHccwVU7tyIv8i2GYrvqbbelGt6rwC70iZ3Jc
+--- RC4WIZOZChP56Jz+PQiQp1w4v7ylmB0HgUN+Rd/x/84
+Ä®¼_+þªt4ܰJ< sËÅc¼Ò€-±¼Ñä\Ya:_¡à tRG7ï:À›¢ë¯;r*!W¯2ÛçÁj„§X—e Y¨ À ^î˜
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 927f0b5..de9f8d6 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -27,6 +27,11 @@ let
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZC+1P5nIJwsPA39OF4LYEqRYZVE0jDFQxu9nSr5nF0 root@auth-ren-lasuite-federez"
 ];
+ system-bastion = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqc0bjLqkfLXrt1eZNdZiEvUbOyWD6fluyx/nDGf9Rh root@bastion-mtz-lasuite-federez"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFg7cpJC6sUc8Gt8VnGZ/BpojEp/dbRdVjpOBf2NO5Rg root@bastion-ren-lasuite-federez"
+ ];
+
 asyncnomi = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENo/g3BZ1bJViYE6EY4VZO96a4q8U4nWKjTprQJtjEH asyncnomi" ];
 gamma = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhuKmuBPLAtQSjy4E4UaEmf8Qj56414r+adAJ6BgmO8 gamma" ];
 jeltz = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHabXDr/vrx361yaxKK58jHJB77TNVZvqhkIiaTB7ECI jeltz" ];
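Review bot: `system-bastion` groups both bastion host keys, and the second secrets.nix hunk (`"bastion/wg-private-zone-1.age".publicKeys = system-bastion ++ users;` and the matching zone-2 line) then encrypts each zone's WireGuard private key to both bastions, although wireguard.nix only ever loads `wg-private-zone-${myZone}` on a given host. If nodes.nix assigns one zone per bastion, each host can decrypt the other's tunnel key, which is more than it needs. Consider one recipient list per host, e.g. `system-bastion-mtz = [ "ssh-ed25519 … root@bastion-mtz-lasuite-federez" ];` paired with `"bastion/wg-private-zone-1.age".publicKeys = system-bastion-mtz ++ users;` — which host is zone 1 is not visible here, so the pairing has to be taken from nodes.nix. The let-block this hunk sits in starts before the hunk.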
@@ -64,4 +69,9 @@ in
 "wireguard/wg-private-zone-2-id-10.age".publicKeys = system-wg ++ users;
 "wireguard/wg-private-zone-2-id-11.age".publicKeys = system-wg ++ users;
 "wireguard/wg-private-zone-2-id-12.age".publicKeys = system-wg ++ users;
+
+ # Bastion secrets
+
+ "bastion/wg-private-zone-1.age".publicKeys = system-bastion ++ users;
+ "bastion/wg-private-zone-2.age".publicKeys = system-bastion ++ users;
 }
\ No newline at end of file
diff --git a/shared/bastion/forward.nix b/shared/bastion/forward.nix
new file mode 100644
index 0000000..835dc84
--- /dev/null
+++ b/shared/bastion/forward.nix
@@ -0,0 +1,14 @@
+{ ... }:
+{
+ # Enable packet forwarding and pack logging
+ boot.kernel.sysctl = {
+ # Ipv4
+ "net.ipv4.conf.all.forwarding" = true;
+ # Ipv6
+ "net.ipv6.conf.all.forwarding" = true;
+
+ # NF
+ "net.netfilter.nf_conntrack_acct" = 1;
+ "net.netfilter.nf_conntrack_log_invalid" = 255;
+ };
+}
\ No newline at end of file
diff --git a/shared/bastion/wireguard.nix b/shared/bastion/wireguard.nix
index eecb17f..609cc02 100644
--- a/shared/bastion/wireguard.nix
+++ b/shared/bastion/wireguard.nix
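Review bot: `"net.ipv4.conf.all.forwarding" = true` and its IPv6 twin turn on forwarding for every interface on the bastion, and nothing in this commit constrains which flows may be forwarded between the `mgmt` user tunnel and the rest of the host's networking, so that policy either lives elsewhere (not visible here) or the user tunnels forward freely. That dependency is worth recording next to the sysctl, e.g. `# Forwarding is host-wide; the mgmt<->mesh forward policy must be enforced by the firewall rule set` together with a pointer to where that rule set is defined. Minor: `pack logging` in the header comment reads as a typo for `packet logging`, and `nf_conntrack_log_invalid = 255` logs invalid packets for every protocol, which can be noisy on a forwarding node — fine if intended, but the `# NF` comment should say so.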
@@ -1,5 +1,55 @@
-{ ... }:
+{ config, lib, pkgs, ... }:
+let
+ # Import users wireguard sessions
+ users-wg = import ./../users-wg.nix;
+
+ # Import nodes
+ nodes = import ./../../nodes.nix;
+ myPeer = nodes."${config.hostName}";
+ myZone = myPeer.zone;
+
+ buildSecret = zone: {
+ "wg-private-zone-${toString zone}" = {
+ file = ./../../secrets/bastion + ( "/wg-private-zone-" + toString zone + ".age" );
+ owner = "root";
+ group = "root";
+ };
+ };
+
+ peers = map (peerConfig: {
+ name = "${peerConfig.name}";
+ publicKey = peerConfig.publicKey;
+ allowedIPs = [
+ "172.19..${toString (myZone + 128)}${toString peerConfig.id}/32"
+ "fc00:f::${toString (myZone + 128)}:${toString peerConfig.id}/128"
+ ];
+ persistentKeepalive = 25;
+ }) users-wg;
+
+ interface = {
+ "mgmt" = {
+ ips = [
+ "172.19.${toString (myZone + 128)}.254/24"
+ "fc00:f::${toString (myZone + 128)}:254/96"
+ ];
+ privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}".path;
+ listenPort = 51920;
+ peers = peers;
+ };
+ };
+in
 {
- # TODO
+ age.secrets = buildSecret myZone;
+
+ # Networkd backend introduce in 25.05
+ # No independant target are generated
+ # when using networkd as a backend
+ # If custom systemd ordering is needed
+ # between wg interface and the rest of
+ # networking: switch to false here
+ networking.wireguard.useNetworkd = true;
+
+ # Return all WireGuard interfaces for each node
+ networking.wireguard.interfaces = interface;
 }
\ No newline at end of file
diff --git a/shared/commons/mesh.nix b/shared/commons/mesh.nix
index 6bceef5..bea8c9f 100644
--- a/shared/commons/mesh.nix
+++ b/shared/commons/mesh.nix
@@ -35,7 +35,7 @@ let
 interface = {
 "mesh" = {
 ips = [
- "172.19.${toString myZone}.${toString myId}/16"
+ "172.19.${toString myZone}.${toString myId}/17"
 "fc00::${toString myZone}:${toString myId}/96"
 ];
 privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path;
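Review bot: The IPv4 entry in `allowedIPs`, `"172.19..${toString (myZone + 128)}${toString peerConfig.id}/32"`, has a doubled dot and no separator between the zone and id octets, so it renders as e.g. `172.19..1291/32` for zone 1, id 1 — not an address, so the peer and presumably the whole `mgmt` interface are rejected at configuration time, and even if it parsed it would not be the `/32` cryptokey-routing entry that pins each user to exactly their own address. It should read `"172.19.${toString (myZone + 128)}.${toString peerConfig.id}/32"`, matching the `.254/24` form already used for `ips`. Style: `name = "${peerConfig.name}";` can simply be `name = peerConfig.name;`, and `lib` and `pkgs` are taken from the module arguments but never used. `persistentKeepalive = 25` on every server-side peer is unusual, since keepalives are normally set by the side behind NAT, so a comment explaining why it is set here would help the next reader.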
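Review bot: The mesh prefix narrows from `/16` to `/17` with no comment explaining why; read together with the new bastion wireguard.nix, which places user tunnels in `172.19.${toString (myZone + 128)}.0/24`, the intent appears to be that the lower half of 172.19.0.0/16 is the mesh and the upper half (zones +128) is reserved for bastion user tunnels, so mesh hosts stop claiming an on-link route for that range. A comment on the changed line would spare the next reader that reconstruction, e.g. `# /17: the upper half of 172.19/16 (zone+128) is reserved for bastion user tunnels`. The `interface` attrset begins inside the hunk, but the surrounding let-block starts and ends outside it.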
diff --git a/shared/users-wg.nix b/shared/users-wg.nix
new file mode 100644
index 0000000..64021c2
--- /dev/null
+++ b/shared/users-wg.nix
@@ -0,0 +1,12 @@
+[
+ {
+ id = 1;
+ name = "asyncnomi";
+ publicKey = "bj79Gbb4vIv4/fFFANtr8BwjADDQtrZfZg85sZpCuRM=";
+ }
+ {
+ id = 2;
+ name = "gamma";
+ publicKey = "hrYk9spPai3X2bxtZXvwE35MGKUr/G60ZZ4ahgPeZhs=";
+ }
+]
\ No newline at end of file
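Review bot: Nothing states the constraints on `id`, yet wireguard.nix uses it as the host part of the user's address on every bastion zone (the `/32` and `/128` `allowedIPs` entries) with `254` taken by the bastion itself, so ids must be unique across this list and stay within 1–253. A header comment such as `# One entry per user tunnel: id is the host part of the user's address on each bastion zone (unique, 1-253; 254 is the bastion), publicKey is the user's WireGuard public key` would make that explicit before the list grows.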