diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix
new file mode 100644
index 0000000000000000000000000000000000000000..93c5c0d9133a3a3abb27e2a5472cf98ccee5ddbd
--- /dev/null
+++ b/nixos/modules/monitoring/vpn/server.nix
@@ -0,0 +1,63 @@
+# Server section of our Monitoring VPN config
+
+{ lib, config, ... }: let
+  cfg = config.services.private-storage.monitoring.vpn;
+
+in {
+  options.services.private-storage.monitoring.vpn.server = {
+    enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN server service";
+    privateKeyFile = lib.mkOption {
+      type = lib.types.path;
+      example = lib.literalExample /var/secrets/monitoringvpn/server.key;
+      default = /var/secrets/monitoringvpn/server.key;
+      description = ''
+        File with base64 private key generated by <command>wg genkey</command>.
+      '';
+    };
+    publicKeyFile = lib.mkOption {
+      type = lib.types.path;
+      example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
+      default = /var/secrets/monitoringvpn/server.pub;
+      description = ''
+        File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+      '';
+    };
+    ips = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      example = lib.literalExample [ "172.23.23.10/24" ];
+      description = ''
+        The IP addresses of the interface.
+        See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
+      '';
+    };
+    port = lib.mkOption {
+      type = lib.types.port;
+      example = lib.literalExample 54321;
+      default = 54321;
+      description = ''
+        The UDP port to listen on.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.server.enable {
+    networking.firewall.allowedUDPPorts = [ cfg.server.port ];
+
+    networking.wireguard.interfaces.monitoringvpn = {
+      ips = cfg.server.ips;
+      listenPort = cfg.server.port;
+      privateKeyFile = toString cfg.server.privateKeyFile;
+      peers = [
+        { # node1
+          allowedIPs = [ "192.168.42.21/32" ];
+          publicKey = "tZ295cvD98ixt/VH4dwPKNgHf9MuhuzsossOWBOOoGU=";
+        }
+        { # node2
+          allowedIPs = [ "192.168.42.22/32" ];
+          publicKey = "zDxWTejJDXRRmUiMZPC7eVSCDdyFikN9VI6cqapQ6RY=";
+        }
+      ];
+    };
+  };
+}
+
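Review bot: The `privateKeyFile` option gives its `default` and `example` as Nix path literals, so the only thing keeping the WireGuard private key out of the world-readable `/nix/store` is the `toString` in `privateKeyFile = toString cfg.server.privateKeyFile;`. Any later use of the option through string interpolation would copy the key file into the store. Declaring the value as a string removes that trap: `default = "/var/secrets/monitoringvpn/server.key";`, with the same change for `example`. The description could also say that the file must live outside the store and be readable by root only. Separately, the peers are hard-coded with `192.168.42.x/32` addresses while the `ips` example is `172.23.23.10/24`, and `publicKeyFile` is not read anywhere in this file; if it is consumed by another module, a comment saying so would help.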