diff --git a/boot.nix b/boot.nix
index cfe4f72..a1247c0 100644
--- a/boot.nix
+++ b/boot.nix
@@ -32,7 +32,6 @@
 # extra enabled kernel modules
 boot.kernelModules = [
 "sg" # for generic SCSI devices such as /dev/sg0
- "wireguard"
 ];
 # Kernel parameter on boot
@@ -47,4 +46,4 @@
 boot.initrd.secrets = {
 "/crypto_keyfile.bin" = null;
 };
-}
\ No newline at end of file
+}
diff --git a/configuration.nix b/configuration.nix
index 5cf523c..24c9817 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -38,8 +38,6 @@ in
 # networking.proxy.default = "http://user:password@proxy:port/";
 # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
- networking.wireguard.enable = true;
-
 # Enable networking
 networking.networkmanager.enable = true;
@@ -235,12 +233,6 @@ in
 # Enable the OpenSSH daemon.
 # services.openssh.enable = true;
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- networking.firewall.allowedUDPPorts = [
- 51820 # wireguard client
- ];
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
diff --git a/extra/default.nix b/extra/default.nix
index c97b799..1da134f 100644
--- a/extra/default.nix
+++ b/extra/default.nix
@@ -4,6 +4,7 @@
 ./dvd.nix
 ./yubikey.nix
 ./platformio.nix
+ ./wireguard.nix
 ./language-server.nix
 ];
 }
diff --git a/extra/wireguard.nix b/extra/wireguard.nix
new file mode 100644
index 0000000..e28d9aa
--- /dev/null
+++ b/extra/wireguard.nix
@@ -0,0 +1,15 @@
+{ pkgs, config, ... }: {
+
+ networking.wireguard.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ networking.firewall.allowedUDPPorts = [
+ 51820 # wireguard client
+ ];
+
+ boot.kernelModules = [
+ "wireguard"
+ ];
+}
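Review bot: In the new extra/wireguard.nix, the `networking.firewall.allowedUDPPorts` entry for 51820 opens an inbound UDP port on every interface, although its own comment describes this host as a "wireguard client". A peer that only dials out gets its replies back through the firewall's connection tracking and needs no inbound rule. No `listenPort` is set in this module, so unless one is pinned to 51820 elsewhere the rule may not even match the tunnel's socket. I would either drop the entry or replace the comment with something like `# inbound WireGuard handshakes; must match listenPort of the interface defined in <interface module>`. Smaller points: the three `# Open ports in the firewall.` template comments copied from configuration.nix add nothing here, `pkgs` and `config` are bound but unused in the function head, and `boot.kernelModules = [ "wireguard" ]` is probably redundant next to `networking.wireguard.enable = true`, which is worth confirming against the nixpkgs module before removing it.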