diff --git a/.gitignore b/.gitignore
index 1944fd6..c5445da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.tmp
+tmp
diff --git a/wireguard-bastion/cali-bastion.yaml b/wireguard-bastion/cali-bastion.yaml
new file mode 100644
index 0000000..ae601cb
--- /dev/null
+++ b/wireguard-bastion/cali-bastion.yaml
@@ -0,0 +1,10 @@
+hostname: cali-bastion
+hours: 5
+price: 20000
+location:
+ region: "California"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
diff --git a/wireguard-bastion/cali-protected.yaml b/wireguard-bastion/cali-protected.yaml
new file mode 100644
index 0000000..998be32
--- /dev/null
+++ b/wireguard-bastion/cali-protected.yaml
@@ -0,0 +1,10 @@
+hostname: cali-protected
+hours: 5
+price: 20000
+location:
+ region: "California"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
diff --git a/wireguard-bastion/create_vms.sh b/wireguard-bastion/create_vms.sh
new file mode 100644
index 0000000..ae76937
--- /dev/null
+++ b/wireguard-bastion/create_vms.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+export FORMAT=YAML
+
+detee-cli vm deploy --from-yaml cali-bastion.yaml > tmp/cali-bastion-install.yaml
+detee-cli vm deploy --from-yaml vanc-bastion.yaml > tmp/vanc-bastion-install.yaml
+detee-cli vm deploy --from-yaml cali-protected.yaml > tmp/cali-protected-install.yaml
+detee-cli vm deploy --from-yaml vanc-protected.yaml > tmp/vanc-protected-install.yaml
diff --git a/wireguard-bastion/deploy.sh b/wireguard-bastion/deploy.sh
new file mode 100755
index 0000000..fe6781d
--- /dev/null
+++ b/wireguard-bastion/deploy.sh
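Review bot: In cali-bastion.yaml the published port in `ipv4: !PublishPorts [ 1337 ]` has to match `ListenPort = 1337` in wg_configs/cali-bastion-server.conf, and nothing in the file records that coupling. I would add a comment above that line, `# WireGuard listen port; keep in sync with ListenPort in wg_configs/cali-bastion-server.conf`. The same applies to vanc-bastion.yaml. WireGuard runs over UDP only, so it is also worth confirming that PublishPorts forwards UDP; the diff does not show which protocols it covers.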
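Review bot: create_vms.sh redirects every `detee-cli vm deploy` into `tmp/`, but nothing creates that directory and this commit adds `tmp` to .gitignore, so on a fresh clone the first redirection fails. Add `mkdir -p tmp` before the first deploy, and `cd "$(dirname "$0")"` so the relative YAML paths resolve when the script is started from another directory. The file is also added with mode 100644 while deploy.sh is 100755, so it is not executable as committed. Because `set -e` stops at the first failed deploy, a partial run leaves the earlier VMs created; a header comment saying how to find and remove them would help.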
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+export FORMAT=YAML
+
+cali_bastion_uuid=$(grep uuid tmp/cali-bastion-install.yaml)
+cali_bastion_uuid=${cali_bastion_uuid#uuid: }
+vanc_bastion_uuid=$(grep uuid tmp/vanc-bastion-install.yaml)
+vanc_bastion_uuid=${vanc_bastion_uuid#uuid: }
+cali_protected_uuid=$(grep uuid tmp/cali-protected-install.yaml)
+cali_protected_uuid=${cali_protected_uuid#uuid: }
+vanc_protected_uuid=$(grep uuid tmp/vanc-protected-install.yaml)
+vanc_protected_uuid=${vanc_protected_uuid#uuid: }
+
+detee-cli vm inspect $cali_bastion_uuid > tmp/cali-bastion-inspect.yaml
+detee-cli vm inspect $vanc_bastion_uuid > tmp/vanc-bastion-inspect.yaml
+detee-cli vm inspect $cali_protected_uuid > tmp/cali-protected-inspect.yaml
+detee-cli vm inspect $vanc_protected_uuid > tmp/vanc-protected-inspect.yaml
+
+cali_wg_port=$(grep exposed_ports -A 2 tmp/cali-bastion-inspect.yaml | tail 1)
+cali_wg_port=${cali_wg_port#- }
+vanc_wg_port=$(grep exposed_ports -A 2 tmp/cali-bastion-inspect.yaml | tail 1)
+vanc_wg_port=${cali_wg_port#- }
diff --git a/wireguard-bastion/vanc-bastion.yaml b/wireguard-bastion/vanc-bastion.yaml
new file mode 100644
index 0000000..f603bf0
--- /dev/null
+++ b/wireguard-bastion/vanc-bastion.yaml
@@ -0,0 +1,10 @@
+hostname: vanc-bastion
+hours: 5
+price: 20000
+location:
+ city: "Vancouver"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
diff --git a/wireguard-bastion/vanc-protected.yaml b/wireguard-bastion/vanc-protected.yaml
new file mode 100644
index 0000000..39b426c
--- /dev/null
+++ b/wireguard-bastion/vanc-protected.yaml
@@ -0,0 +1,10 @@
+hostname: vanc-bastion
+hours: 5
+price: 20000
+location:
+ city: "Vancouver"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
diff --git a/wireguard-bastion/wg_configs/cali-bastion-client.conf b/wireguard-bastion/wg_configs/cali-bastion-client.conf
new file mode 100644
index 0000000..a5341aa
--- /dev/null
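Review bot: The last four lines of deploy.sh cannot produce the two WireGuard ports: `tail 1` names a file called `1` rather than a line count, so under `set -e` the script stops at the first port assignment, and both `vanc_wg_port` lines are copies that read tmp/cali-bastion-inspect.yaml and strip `${cali_wg_port#- }`. With only the `tail` call fixed, the Vancouver endpoint would silently receive the California port. I would use `tail -n 1` in both pipelines and change the Vancouver pair to `vanc_wg_port=$(grep exposed_ports -A 2 tmp/vanc-bastion-inspect.yaml | tail -n 1)` and `vanc_wg_port=${vanc_wg_port#- }`. The `$..._uuid` arguments to `detee-cli vm inspect` are unquoted and `grep uuid` matches any line containing that word, so `grep -m1 '^uuid: '` plus quoted expansions would make a malformed install file fail loudly instead of passing extra words to the CLI. The `-A 2` offset assumes a layout of the inspect output that the diff does not show and should be checked against real output.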
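Review bot: vanc-protected.yaml sets `hostname: vanc-bastion`, the same hostname as vanc-bastion.yaml, which looks like a copy-paste leftover; it should read `hostname: vanc-protected`. With two VMs sharing a hostname it becomes easy to apply the bastion's WireGuard config or keys to the protected host, or the reverse, when machines are identified by name.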
+++ b/wireguard-bastion/wg_configs/cali-bastion-client.conf
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.200.20.21/24
+PrivateKey = CALI_BASTION_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.200.20.0/24
+Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
diff --git a/wireguard-bastion/wg_configs/cali-bastion-server.conf b/wireguard-bastion/wg_configs/cali-bastion-server.conf
new file mode 100644
index 0000000..14bfbfe
--- /dev/null
+++ b/wireguard-bastion/wg_configs/cali-bastion-server.conf
@@ -0,0 +1,16 @@
+[Interface]
+Address = 10.100.10.1/24
+PrivateKey = CALI_BASTION_PRIVATE
+ListenPort = 1337
+
+[Peer]
+PublicKey = CALI_PROTECTED_PUBLIC
+AllowedIPs = 10.100.10.101/24
+
+[Peer]
+PublicKey = VANC_PROTECTED_PUBLIC
+AllowedIPs = 10.100.10.201/24
+
+[Peer]
+PublicKey = VANC_BASTION_PUBLIC
+AllowedIPs = 10.100.10.21
diff --git a/wireguard-bastion/wg_configs/cali-protected-cali.conf b/wireguard-bastion/wg_configs/cali-protected-cali.conf
new file mode 100644
index 0000000..579883d
--- /dev/null
+++ b/wireguard-bastion/wg_configs/cali-protected-cali.conf
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.100.10.101/24
+PrivateKey = CALI_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.100.10.0/24
+Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
diff --git a/wireguard-bastion/wg_configs/cali-protected-vanc.conf b/wireguard-bastion/wg_configs/cali-protected-vanc.conf
new file mode 100644
index 0000000..8d88bdc
--- /dev/null
+++ b/wireguard-bastion/wg_configs/cali-protected-vanc.conf
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.200.20.101/24
+PrivateKey = CALI_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = VANC_BASTION_PUBLIC
+AllowedIPs = 10.200.20.0/24
+Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
diff --git a/wireguard-bastion/wg_configs/vanc-bastion-client.conf b/wireguard-bastion/wg_configs/vanc-bastion-client.conf
new file mode 100644
index 0000000..20161a6
--- /dev/null
+++ b/wireguard-bastion/wg_configs/vanc-bastion-client.conf
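Review bot: In cali-bastion-client.conf the `[Peer]` block names `PublicKey = CALI_BASTION_PUBLIC` while its `Endpoint` is `VANC_BASTION_IP:VANC_BASTION_PORT`, so this host would list its own public key as the remote peer and the handshake with the Vancouver bastion could not complete. The mirror file vanc-bastion-client.conf pairs `VANC_BASTION_PRIVATE` with `CALI_BASTION_PUBLIC`, and vanc-bastion-server.conf expects `CALI_BASTION_PUBLIC` at 10.200.20.21, so the line here should be `PublicKey = VANC_BASTION_PUBLIC`.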
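Review bot: The first two peers in cali-bastion-server.conf use `AllowedIPs = 10.100.10.101/24` and `AllowedIPs = 10.100.10.201/24`, which both reduce to 10.100.10.0/24. WireGuard ties an allowed range to a single peer, so the later peer takes the range away from the earlier one, and whichever peer holds it is accepted with any source address in the subnet. Each peer should be pinned to its own address, `AllowedIPs = 10.100.10.101/32` and `AllowedIPs = 10.100.10.201/32`, in line with the bare `10.100.10.21` already used for the third peer. vanc-bastion-server.conf has the same pattern with 10.200.20.101/24 and 10.200.20.201/24.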
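Review bot: cali-protected-cali.conf has no `PersistentKeepalive` in its `[Peer]` block, and cali-protected.yaml publishes no ports, so the bastion presumably cannot reach this VM until the VM itself has sent traffic through the tunnel. If the bastion is meant to initiate connections to the protected hosts, add `PersistentKeepalive = 25` under `Endpoint`; the same holds for cali-protected-vanc.conf, vanc-protected-cali.conf and vanc-protected-vanc.conf. The `PrivateKey = CALI_PROTECTED_PRIVATE` placeholder implies a later substitution step that is not in this diff; a leading comment such as `# template: rendered copy holds a private key, write it with mode 0600 and do not commit it` would record that expectation.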
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.100.10.21/24
+PrivateKey = VANC_BASTION_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.100.10.0/24
+Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
diff --git a/wireguard-bastion/wg_configs/vanc-bastion-server.conf b/wireguard-bastion/wg_configs/vanc-bastion-server.conf
new file mode 100644
index 0000000..8a735c1
--- /dev/null
+++ b/wireguard-bastion/wg_configs/vanc-bastion-server.conf
@@ -0,0 +1,16 @@
+[Interface]
+Address = 10.200.20.1/24
+PrivateKey = VANC_BASTION_PRIVATE
+ListenPort = 1337
+
+[Peer]
+PublicKey = CALI_PROTECTED_PUBLIC
+AllowedIPs = 10.200.20.101/24
+
+[Peer]
+PublicKey = VANC_PROTECTED_PUBLIC
+AllowedIPs = 10.200.20.201/24
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.200.20.21
diff --git a/wireguard-bastion/wg_configs/vanc-protected-cali.conf b/wireguard-bastion/wg_configs/vanc-protected-cali.conf
new file mode 100644
index 0000000..67010ec
--- /dev/null
+++ b/wireguard-bastion/wg_configs/vanc-protected-cali.conf
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.100.10.201/24
+PrivateKey = VANC_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.100.10.0/24
+Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
diff --git a/wireguard-bastion/wg_configs/vanc-protected-vanc.conf b/wireguard-bastion/wg_configs/vanc-protected-vanc.conf
new file mode 100644
index 0000000..320d720
--- /dev/null
+++ b/wireguard-bastion/wg_configs/vanc-protected-vanc.conf
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.200.20.201/24
+PrivateKey = VANC_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = VANC_BASTION_PUBLIC
+AllowedIPs = 10.200.20.0/24
+Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT