diff --git a/src/packages/fff/fff-wireguard/Makefile b/src/packages/fff/fff-wireguard/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..f14373cba435c195a9b327e3189ad2ce58871c94
--- /dev/null
+++ b/src/packages/fff/fff-wireguard/Makefile
@@ -0,0 +1,41 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-wireguard
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/fff-wireguard
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-wireguard
+ SECTION:=base
+ CATEGORY:=Freifunk
+ TITLE:=Freifunk-Franken wireguard
+ URL:=https://www.freifunk-franken.de
+ DEPENDS:=+wireguard \
+ +fff-network \
+ +fff-babeld
+endef
+
+define Package/fff-wireguard/description
+ This is the Freifunk Franken Firmware wireguard package.
+ This package provides configuration scripts for wireguard tunnels.
+endef
+
+define Build/Prepare
+ echo "all: " > $(PKG_BUILD_DIR)/Makefile
+endef
+
+define Build/Configure
+ # nothing
+endef
+
+define Build/Compile
+ # nothing
+endef
+
+define Package/fff-wireguard/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-wireguard))
diff --git a/src/packages/fff/fff-wireguard/files/etc/gateway.d/50-wireguard b/src/packages/fff/fff-wireguard/files/etc/gateway.d/50-wireguard
new file mode 100644
index 0000000000000000000000000000000000000000..b2e876de6b28a14b7bf85088d67281daa3a82041
--- /dev/null
+++ b/src/packages/fff/fff-wireguard/files/etc/gateway.d/50-wireguard
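Review bot: `DEPENDS:=+wireguard` names the meta-package, but what the installed scripts actually need is the `wg` binary (`wg genkey` / `wg pubkey` in files/etc/gateway.d/50-wireguard) plus the netifd `proto=wireguard` handler and kernel module; on OpenWrt releases where `wireguard` is still a meta-package it pulls those in, but on releases that dropped it the build would fail to resolve the dependency. Consider spelling the requirement out as `DEPENDS:=+wireguard-tools +kmod-wireguard \` (or at least a comment `# wireguard: needed for wg(8) and the netifd proto handler used by gateway.d/50-wireguard`), so the intent survives a base-system upgrade. The description could also mention that the package installs a uci-defaults script that adds fwmark-based policy rules to the network config, since that is a side effect a user installing it will not expect from "configuration scripts for wireguard tunnels".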
@@ -0,0 +1,146 @@
+. /lib/functions.sh
+. /lib/functions/fff/network
+. /lib/functions/fff/babel
+
+#load board specific properties
+BOARD="$(uci get board.model.name)"
+. /etc/network.$BOARD
+
+configure() {
+ # remove peers missing in gateway config
+ remove_wgpeer() {
+ local name="$1"
+
+ # check prefix
+ if [ "$name" = "${name#wg_}" ]; then
+ return
+ fi
+
+ if ! uci -q get gateway.${name#wg_} > /dev/null; then
+ # remove interface
+ uci -q del network.$name
+ # remove wireguard config
+ uci -q del network.@wireguard_$name[0]
+
+ # remove iif-rules
+ babel_delete_iifrules "$name"
+ # remove babel interface
+ babel_delete_interface "$name"
+ fi
+ }
+
+ config_load babeld
+ config_foreach remove_wgpeer interface
+
+
+ # add new peers
+ add_wgpeer() {
+ local name="$1"
+ local prefixname="wg_$name"
+
+ # ensure name length
+ if [ ${#name} -gt 12 ]; then
+ echo "ERROR: name $name is too long!"
+ exit 1
+ fi
+
+ # get rxcost
+ if rxcost=$(uci -q get gateway.$name.rxcost); then
+ rxcost="$rxcost"
+ else
+ rxcost=16384
+ fi
+
+ # get wireguard properties
+ local privkey
+ local pubkey
+ local endpoint_host
+ local endpoint_port
+ local persistent_keepalive
+ local mtu
+
+ if ! privkey=$(uci -q get gateway.$name.private_key); then
+ privkey=$(wg genkey)
+ uci set gateway.$name.private_key="$privkey"
+ fi
+
+ if ! pubkey=$(uci get gateway.$name.public_key); then
+ echo "ERROR: publickey for ${name} missing!"
+ exit 1
+ fi
+
+ if ! endpoint_host=$(uci get gateway.$name.endpoint_host); then
+ echo "ERROR: endpoint_host for ${name} missing!"
+ exit 1
+ fi
+
+ if ! endpoint_port=$(uci get gateway.$name.endpoint_port); then
+ echo "ERROR: endpoint_port for ${name} missing!"
+ exit 1
+ fi
+
+ persistent_keepalive=$(uci -q get gateway.$name.persistent_keepalive)
+ mtu=$(uci -q get gateway.$name.mtu)
+
+
+ # add interface
+ uci set network.$prefixname=interface
+ uci set network.$prefixname.proto=wireguard
+ uci set network.$prefixname.nohostroute='1'
+ uci set network.$prefixname.fwmark='0xc8'
+ uci set network.$prefixname.mtu="${mtu:-1420}"
+
+ uci set network.$prefixname.private_key="$privkey"
+ echo "INFO: publickey for wireguardpeer ${name}: $(uci get gateway.$name.private_key | wg pubkey)"
+
+
+ # add wireguard properties
+ if uci -q get network.@wireguard_$prefixname[0] > /dev/null; then
+ #config already exists
+ cfg="@wireguard_$prefixname[0]"
+ else
+ #create new config
+ cfg=$(uci add network wireguard_$prefixname)
+ fi
+
+ uci set network.$cfg.public_key="$pubkey"
+ uci set network.$cfg.endpoint_host="$endpoint_host"
+ uci set network.$cfg.endpoint_port="$endpoint_port"
+ uci set network.$cfg.persistent_keepalive="$persistent_keepalive"
+ uci -q delete network.$cfg.allowed_ips
+ uci add_list network.$cfg.allowed_ips='::/0'
+ uci add_list network.$cfg.allowed_ips='0.0.0.0/0'
+
+
+ # remove old addresses
+ uci -q del network.$prefixname.addresses
+
+ # add link local address
+ uci add_list network.$prefixname.addresses="$(ipEUIAssemble "fe80::/64" "$ROUTERMAC")"
+
+ # add peer_ip
+ babel_add_peeraddr "network.$prefixname.addresses"
+ babel_add_peer6addr "network.$prefixname.addresses"
+
+ # add iif-rules
+ babel_add_iifrules "$prefixname" || { echo "ERROR: Could not add iif-rules for wgpeer $name"; exit 1; }
+
+ # add babel interface
+ babel_add_interface "$prefixname" "$prefixname" 'tunnel' "$rxcost" || { echo "ERROR: Could not add babeld interface for wgpeer $name"; exit 1; }
+ }
+
+ config_load gateway
+ config_foreach add_wgpeer wireguardpeer
+}
+
+commit() {
+ uci commit network
+ uci commit babeld
+ uci commit gateway
+}
+
+revert() {
+ uci revert network
+ uci revert babeld
+ uci revert gateway
+}
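Review bot: The INFO line in add_wgpeer re-reads the freshly generated private key through `uci get gateway.$name.private_key | wg pubkey` although the same value is already held in the local `$privkey`; deriving the public key from the variable, `echo "INFO: publickey for wireguardpeer ${name}: $(printf '%s' "$privkey" | wg pubkey)"`, avoids a second round trip through uci and does not depend on uncommitted state being visible. The key now ends up in two config files (`gateway` via `uci set gateway.$name.private_key` and `network` via `network.$prefixname.private_key`), so a comment such as `# private key is persisted in /etc/config/gateway as well as network; keep both files unreadable to other users` would document the sensitivity, and it is worth confirming that uci creates the gateway file with the same restrictive mode as the network file. `persistent_keepalive` is optional but is written unconditionally, so an unset value lands as an empty option; mirroring the mtu handling, `[ -n "$persistent_keepalive" ] && uci set network.$cfg.persistent_keepalive="$persistent_keepalive" || uci -q delete network.$cfg.persistent_keepalive`, keeps the section clean. As a style point, `rxcost` is the only non-local variable in the function and the `rxcost="$rxcost"` branch is a no-op; `local rxcost; rxcost=$(uci -q get gateway.$name.rxcost) || rxcost=16384` says the same in one line. Note also that `exit 1` inside these functions terminates whatever sources this gateway.d file, presumably with the uci changes made so far left uncommitted for the caller's revert() to discard — confirm that is the contract of the runner.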
diff --git a/src/packages/fff/fff-wireguard/files/etc/uci-defaults/05-wireguard-rules b/src/packages/fff/fff-wireguard/files/etc/uci-defaults/05-wireguard-rules
new file mode 100644
index 0000000000000000000000000000000000000000..4ffce0988e82a815abbf05e6e42780132e55a2a6
--- /dev/null
+++ b/src/packages/fff/fff-wireguard/files/etc/uci-defaults/05-wireguard-rules
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+uci batch <<EOF
+ set network.wireguard_main=rule6
+ set network.wireguard_main.mark='0xc8'
+ set network.wireguard_main.lookup='main'
+ set network.wireguard_main.priority='5000'
+ set network.wireguard_main4=rule
+ set network.wireguard_main4.mark='0xc8'
+ set network.wireguard_main4.lookup='main'
+ set network.wireguard_main4.priority='5000'
+ set network.wireguard_blackhole=rule6
+ set network.wireguard_blackhole.mark='0xc8'
+ set network.wireguard_blackhole.action='blackhole'
+ set network.wireguard_blackhole.priority='5001'
+ set network.wireguard_blackhole4=rule
+ set network.wireguard_blackhole4.mark='0xc8'
+ set network.wireguard_blackhole4.action='blackhole'
+ set network.wireguard_blackhole4.priority='5001'
+EOF
+
+uci commit network
+
+exit 0
diff --git a/src/packages/fff/fff/Makefile b/src/packages/fff/fff/Makefile
index 8f5ffca8aaa7d60705ac8dd40d91a540b90aad26..9ed71730498ba43579dff25e87644c31cd2a79b1 100644
--- a/src/packages/fff/fff/Makefile
+++ b/src/packages/fff/fff/Makefile
@@ -53,6 +53,7 @@ define Package/fff-layer3
 +fff-dhcp \
 +fff-babeld \
 +fff-ra \
+ +fff-wireguard \
 +iperf3 \
 +tcpdump \
 +arptables \
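Review bot: The four policy rules are installed without any explanation of why they exist, and the mark value `0xc8` is a silent contract with `fwmark='0xc8'` set on each tunnel interface in files/etc/gateway.d/50-wireguard; a comment above the heredoc such as `# Packets carrying fwmark 0xc8 (the tunnels' own encapsulated traffic, see gateway.d/50-wireguard) are forced to the main table (prio 5000) and blackholed if it has no route (prio 5001); presumably this keeps the outer packets from matching the tunnel's 0.0.0.0/0 and ::/0 allowed_ips and looping back into the tunnel — keep the mark in sync with 50-wireguard` would let the next maintainer change either file safely. The blackhole rationale is my inference from the allowed_ips defaults in 50-wireguard, so the comment should be phrased as the author intends it. Since this only runs once as a uci-defaults script, it is also worth a one-line note that a later `uci -q del` of these sections is not repaired by the gateway.d script, which relies on their presence.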