diff --git a/README.md b/README.md
index a9b3cb9..97fbea9 100644
--- a/README.md
+++ b/README.md
@@ -116,3 +116,17 @@ systemctl enable --now tornode.service;
 # view nyx dashboard
 podman exec -it tornode nyx
 ```
+
+## Wireguard
+
+Simple container that will setup wireguard interface according to
+`/data/wg0.conf` and then replace process with pid 1 to `sleep infinity`.
+MASQUERADE required for accessing external networks is done by nftables, so
+it should work with nftables kernel modules, iptables-only modules can
+be missing.
+
+Example run (requires root and privileged for nftables setup)
+
+```bash
+podman run --privileged --name wireguard -d -v './:/data:ro' wireguard:latest
+```
diff --git a/wireguard/Dockerfile b/wireguard/Dockerfile
new file mode 100644
index 0000000..c3d6e89
--- /dev/null
+++ b/wireguard/Dockerfile
@@ -0,0 +1,21 @@
+FROM registry.fedoraproject.org/fedora:38
+
+
+ENV PKGS="\
+ wireguard-tools \
+ nftables \
+ bash-completion \
+ procps \
+ iproute"
+
+COPY entrypoint.sh /usr/bin/
+
+# install system dependencies
+RUN dnf install -y \
+ ${PKGS} \
+ && dnf clean all &&\
+ chmod +x /usr/bin/entrypoint.sh
+
+STOPSIGNAL SIGALRM
+
+ENTRYPOINT [ "/usr/bin/entrypoint.sh" ]
diff --git a/wireguard/entrypoint.sh b/wireguard/entrypoint.sh
new file mode 100644
index 0000000..9975e6b
--- /dev/null
+++ b/wireguard/entrypoint.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+wg-quick up /data/wg0.conf && exec sleep infinity
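Review bot: `ENV PKGS="…"` in wireguard/Dockerfile turns a build-only package list into part of every container's runtime environment; declare it as `ARG PKGS="…"` instead, which the `RUN dnf install` line still expands unchanged. The trailing `chmod +x /usr/bin/entrypoint.sh` in that RUN can be folded into the copy as `COPY --chmod=755 entrypoint.sh /usr/bin/`, avoiding a second copy of the file in the layer. `registry.fedoraproject.org/fedora:38` is a release that is past end of life, so the base receives no further security updates; move to a supported release and pin it by digest, and consider dropping `bash-completion` and `procps`, which are interactive conveniences rather than runtime needs. The image has no `USER` and runs as root, which wg-quick's need for CAP_NET_ADMIN largely forces, but the README's `--privileged` could be narrowed to `--cap-add NET_ADMIN` at run time when the wireguard and nftables modules are already loaded on the host. `STOPSIGNAL SIGALRM` is also questionable: if `sleep`, running as PID 1, installs no SIGALRM handler, the signal is ignored and the container is only killed after the stop timeout.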
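Review bot: Nothing in wireguard/entrypoint.sh runs `wg-quick down` when the container stops: the script execs into `sleep infinity`, which as PID 1 presumably has no handler for the stop signal, so the runtime most likely kills it after the timeout and the interface with its nftables MASQUERADE rule is never torn down (harmless while the container keeps its own network namespace, but the rule would outlive the container under `--net=host`). Keeping bash as PID 1 with a trap, and running sleep in the background so the trap can fire during `wait`, lets a plain SIGTERM bring the tunnel down, after which the Dockerfile's `STOPSIGNAL SIGALRM` can be dropped. The README sentence about replacing PID 1 with `sleep infinity` would need the same update.
```bash
#!/bin/bash
set -u

# Tear the tunnel down on stop so wg0 and its nftables MASQUERADE rule are removed.
cleanup() { wg-quick down /data/wg0.conf; exit 0; }
trap cleanup TERM INT

wg-quick up /data/wg0.conf || exit 1
# bash stays PID 1; sleep runs in the background so the trap can fire during `wait`.
sleep infinity &
wait "$!"
```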