diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 3df4e2719b775536121aef89535ecf2d8ed5efcc..8a25747ccdb61fa2071538f706bae4ab366dff14 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -18,6 +18,7 @@ import ../../lib/make-grid.nix {
 
     "storage1" = import ../../lib/make-testing.nix (rec {
       publicIPv4 = "192.168.67.22";
+      monitoringvpnIPv4 = "172.23.23.12";
       inherit sshUsers;
       hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
       stateVersion = "19.09";
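Review bot: The new `monitoringvpnIPv4` value on storage1 carries no comment saying that it is more than an address. Going by the other files in this commit, it also selects the key file `PrivateStorageSecrets/monitoringvpn/<ip>.key` and has to equal a peer's `allowedIPs` entry in server.nix. A mismatch between those three places would presumably leave the node unable to join the monitoring VPN. A comment such as `# monitoring VPN address; also names the key file and must match a peer in server.nix` would help here and on the storage2 hunk below.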
@@ -25,6 +26,7 @@ import ../../lib/make-grid.nix {
 
     "storage2" = import ../../lib/make-testing.nix (rec {
       publicIPv4 = "192.168.67.23";
+      monitoringvpnIPv4 = "172.23.23.13";
       inherit sshUsers;
       hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
       stateVersion = "19.09";
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 789ff9d5e0f6af90ab6beb1e17f96bf114db76c9..30cc0eea374e41d8578f776ce16114cc37d4ef0f 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -31,7 +31,7 @@
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
       "monitoringvpn-secret-key" = {
-        source = "../../PrivateStorageSecrets/monitoringvpn/storage1.key";
+        source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
         destination = "/var/secrets/monitoringvpn/client.key";
         owner.user = "root";
         owner.group = "root";
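Review bot: `${monitoringvpnIPv4}` is now interpolated into `source`, but this file's only hunk starts at line 31, so the commit does not touch the function's argument list. If `monitoringvpnIPv4` is not already an argument of make-issuer.nix (the header is outside the hunk), evaluation fails on an undefined variable. The caller that builds the issuer node also has to pass the value, and no such change is visible in grid.nix. The `monitoringvpn-secret-key` attribute set continues past the end of the hunk.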
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index d25856a727e7a8b2085f287cc42ca0b24d7c44c7..24affc987ec9fe8e1d562002ebf6e9a1f66c9814 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -1,4 +1,4 @@
-{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, ... }: rec {
+{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, monitoringvpnIPv4, ... }: rec {
 
   deployment = {
     targetHost = publicIPv4;
@@ -15,6 +15,22 @@
         # extract it from the tahoe-lafs nixos module somehow?
         action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
       };
+      "monitoringvpn-secret-key" = {
+        source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
+        destination = "/var/secrets/monitoringvpn/client.key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+      };
+      "monitoringvpn-preshared-key" = {
+        source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+        destination = "/var/secrets/monitoringvpn/preshared.key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+      };
     };
   };
 
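Review bot: `monitoringvpn-preshared-key` deploys the same `preshared.key` to every node built from this file, and server.nix in this commit gives every peer the same `cfg.server.presharedKeyFile`. WireGuard preshared keys are configured per peer pair, so with one shared file a single compromised storage node discloses the PSK layer for all the other tunnels. Consider a per-node file, for example `source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.psk";` (file name constructed for illustration), with each server peer entry pointing at the matching file.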
@@ -34,4 +50,9 @@
   };
 
   system.stateVersion = stateVersion;
+
+  services.private-storage.monitoring.vpn.client = {
+    enable = true;
+    ip = monitoringvpnIPv4;
+  };
 }
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 40cc0516301cb80780a3fb8d35035124aa8fb6d4..93828a5ba03e44902339fcfa14a23784fa3de333 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -12,6 +12,8 @@ in {
       default = /var/secrets/monitoringvpn/client.key;
       description = ''
         File with base64 private key generated by <command>wg genkey</command>.
+        Shorthand for public and private key:
+        <command>wg genkey | tee peer_A.key | wg pubkey > peer_A.pub</command>
       '';
     };
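Review bot: The shorthand added to the `privateKeyFile` description writes `peer_A.key` under the shell's default umask, which on many systems leaves the private key readable by other local users. The documented command should be the restrictive form, `(umask 077; wg genkey | tee peer_A.key | wg pubkey > peer_A.pub)`. The same line is added to the `publicKeyFile` description in the next hunk and needs the same change.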
     publicKeyFile = lib.mkOption {
@@ -19,6 +21,8 @@ in {
       example = lib.literalExample /var/secrets/monitoringvpn/host.pub;
       description = ''
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+        Shorthand for public and private key:
+        <command>wg genkey | tee peer_A.key | wg pubkey > peer_A.pub</command>
       '';
     };
     presharedKeyFile = lib.mkOption {
@@ -78,9 +82,3 @@ in {
   };
 }
 
-
-# v just have all config static (no file systems etc)
-# move cfg into global config (like config.privatestorage.monitoring.*)
-# parametrize keys
-#   - (https://wiki.archlinux.org/index.php/WireGuard
-#   -  (wg genkey | tee peer_A.key | wg pubkey > peer_A.pub)
diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix
index 97bbfeee320fd8ec97dcede8a666d9945f41815e..56ecf197527482bdbae4df4a88ddf9696a277bb0 100644
--- a/nixos/modules/monitoring/vpn/server.nix
+++ b/nixos/modules/monitoring/vpn/server.nix
@@ -55,14 +55,19 @@ in {
       listenPort = cfg.server.port;
       privateKeyFile = toString cfg.server.privateKeyFile;
       peers = [
-        { # node1
+        {
           allowedIPs = [ "172.23.23.11/32" ];
-          publicKey = "tZ295cvD98ixt/VH4dwPKNgHf9MuhuzsossOWBOOoGU=";
+          publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.11.pub");
           presharedKeyFile = toString cfg.server.presharedKeyFile;
         }
-        { # node2
+        {
           allowedIPs = [ "172.23.23.12/32" ];
-          publicKey = "zDxWTejJDXRRmUiMZPC7eVSCDdyFikN9VI6cqapQ6RY=";
+          publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.12.pub");
+          presharedKeyFile = toString cfg.server.presharedKeyFile;
+        }
+        {
+          allowedIPs = [ "172.23.23.13/32" ];
+          publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.13.pub");
           presharedKeyFile = toString cfg.server.presharedKeyFile;
         }
       ];
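Review bot: `builtins.readFile` returns the file byte for byte, so each `publicKey` here likely carries the trailing newline that `wg pubkey > file` writes. `lib.fileContents` strips it, e.g. `publicKey = lib.fileContents (../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.11.pub");`, assuming `lib` is in scope as it is in client.nix. The three peer entries differ only in the address, so generating them from one list of addresses would keep `allowedIPs` and the key file name from drifting apart. The enclosing attribute set starts and ends outside the hunk.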