diff --git a/common/wireguard/tasks/main.yml b/common/wireguard/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5ab5d4e8bc91c351928bca908acdf0d8a0f6eb9d
--- /dev/null
+++ b/common/wireguard/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+
+# Die Wireguard Keys müssen vorher erstellt werden 
+# wg genkey | tee privatekey | wg pubkey > publickey
+
+- include_tasks: ../functions/get_secret.yml
+  with_items:
+    - { path: /etc/wireguard/privatekey,  length: -1 }
+
+
+- name: "Install Wireguard Packages"
+  apt: 
+    state: present
+    name:
+      - iptables
+      - wireguard 
+      - wireguard-tools
+
+
+- name: "Create folders"
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+  with_items:
+    - "/etc/wireguard/"
+
+
+- name: "Enable IPv4 forwarding"
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: true
+    state: present
+    reload: true
+
+
+- name: "Create config files for wg0"
+  template:
+    src: "{{ inventory_hostname }}.conf"
+    dest: "/etc/wireguard/wg0.conf"
+
+
+# more info: https://www.ivpn.net/knowledgebase/linux/linux-autostart-wireguard-in-systemd/
+- name: "Enable systemd service for wg0"
+  ansible.builtin.systemd:
+    name: "wg-quick@wg0"
+    enabled: true
+    masked: no
+
+- name: "Reload systemd service"
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: "Start systemd service for wg0"
+  ansible.builtin.systemd:
+    name: "wg-quick@wg0"
+    state: started
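Review bot: The `Create config files for wg0` task renders `{{ privatekey }}` into `/etc/wireguard/wg0.conf` but sets no `mode`, so the file takes the remote umask default and is typically world-readable; add `mode: "0600"`, `owner: root` and `group: root` to the `template` task, and give the `Create folders` task `mode: "0700"` for `/etc/wireguard/`. `masked: no` in `Enable systemd service for wg0` should be `masked: false` — `no` is a YAML 1.1 boolean that yamllint's truthy rule flags, and the neighbouring keys already use `true`. On later runs a changed template only reaches `state: started`, which leaves an already-running wg0 on the old config; a handler that restarts `wg-quick@wg0` when the template task reports changed would close that gap. `ansible.posix.sysctl` needs the `ansible.posix` collection, and nothing in this hunk pins it, so confirm a requirements file covers it.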
diff --git a/common/wireguard/templates/carrot.conf b/common/wireguard/templates/carrot.conf
new file mode 100644
index 0000000000000000000000000000000000000000..c6b1745923f2bac898d13fa7bcaedc44be08c413
--- /dev/null
+++ b/common/wireguard/templates/carrot.conf
@@ -0,0 +1,14 @@
+[Interface]
+PrivateKey = {{ privatekey }}
+Address = 10.43.1.2
+ListenPort = 51821
+
+PostUp = iptables -t nat -I POSTROUTING -s 10.43.1.1 -o eth0 -j MASQUERADE
+# PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+PreDown = iptables -t nat -D POSTROUTING -s 10.43.1.1 -o eth0 -j MASQUERADE
+# PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = Ir90KFkQqGIedB7ST7zIRGQyd7Ip11fn2rnuIHdF3m0=
+Endpoint =  {{ hostvars['webserver'].ext_ip4 }}:51821
+AllowedIPs = 10.43.1.1, 10.42.1.1, 10.44.0.0/24
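Review bot: The `[Peer]` section has no `PersistentKeepalive`, yet carrot is an internal container (`host_vars/carrot` in this commit gives it only `int_ip4: 192.168.0.202` and comments out `ext_ip4`) dialing out to a public `Endpoint`; once the tunnel is idle the NAT mapping on the way out expires and the remote peer cannot reach carrot again until carrot sends first. `PersistentKeepalive = 25` under `[Peer]` is the usual remedy. `Address = 10.43.1.2` carries no prefix length, so `ip address add` falls back to /32 — fine for this point-to-point link, but `Address = 10.43.1.2/32` states the intent. The double space in `Endpoint =  {{ ... }}` is harmless but reads as a typo.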
diff --git a/functions b/functions
index 900377e4f72486f6699ecf736f96adfbc04e92da..e8a049414bca2b14b158444dac1b94c2ca90d9be 160000
--- a/functions
+++ b/functions
@@ -1 +1 @@
-Subproject commit 900377e4f72486f6699ecf736f96adfbc04e92da
+Subproject commit e8a049414bca2b14b158444dac1b94c2ca90d9be
diff --git a/host_vars/carrot b/host_vars/carrot
new file mode 100644
index 0000000000000000000000000000000000000000..04f184723a9552487c7518d0e766806e9c3682b3
--- /dev/null
+++ b/host_vars/carrot
@@ -0,0 +1,42 @@
+
+# Host spezifische Variablen
+
+motd_lines:
+  - "Carrot - Interner VPN Endpunkt @ warpzone"
+  - "Haupt-IP @ eth0: {{ansible_eth0.ipv4.address}}"
+
+debian_sources:
+  - "deb http://ftp2.de.debian.org/debian/ bullseye main contrib non-free"
+  - "deb http://ftp.debian.org/debian bullseye-updates main contrib non-free"
+  - "deb http://security.debian.org/ bullseye-security main contrib non-free"
+
+debian_keys_id:
+
+debian_keys_url:
+
+
+# Primäre IP Adressen des Hosts
+#ext_ip4: <keine>
+#ext_ip6: <keine>
+int_ip4: 192.168.0.202
+
+
+# Art des Hosts: physical, vm, lxc
+host_type: "lxc"
+
+
+administratorenteam:
+  - "void"
+  - "sandhome"
+  - "3d"
+  - "jabertwo"
+
+
+# Monitoring aktivieren
+alert:
+  load:
+    warn: 2
+    crit: 4
+  disks:
+    - { mountpoint: "/", warn: "5 GB", crit: "1 GB" }
+
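Review bot: `debian_keys_id:` and `debian_keys_url:` are bare empty values, which YAML reads as `null` rather than an empty list; if the consuming role iterates them with `loop`/`with_items`, `null` is not iterable and the task fails, whereas `[]` is skipped cleanly. Write `debian_keys_id: []` and `debian_keys_url: []`, or drop the keys if the role supplies defaults (the role is not in this diff, so I cannot tell which). The file also lacks the `---` document start that `common/wireguard/tasks/main.yml` in this commit uses and yamllint expects by default.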
diff --git a/hosts b/hosts
index 856150182f621b4a72332a9131a2079a49efdb6b..4915b1655557f6a93dc51daee545603d816587dd 100644
--- a/hosts
+++ b/hosts
@@ -1,6 +1,6 @@
 
 # Nameskonvention für Server: Pratchett Name/Charaktere
-# Nächste freie Namen: carrot, vimes 
+# Nächste freie Namen: vimes 
 
 [prod]
 
@@ -18,6 +18,11 @@ weatherwax   ansible_ssh_host=192.168.0.200
 # Wichtige Optionen: Nesting = Yes, keyctl = enabled
 ogg          ansible_ssh_host=192.168.0.201
 
+# Server für VPN Verbindung zum Webserver 
+# Container auf dem internen Proxmox Server 
+# Wichtige Optionen: Nesting = Yes, keyctl = enabled
+carrot       ansible_ssh_host=192.168.0.202
+
 # Externe Server Warpzone
 # Öffentlicher Root Server Warpzone bei Hetzner 
 tiffany     ansible_ssh_host=159.69.57.15
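Review bot: The new `carrot` entry uses `ansible_ssh_host`, which has been deprecated in favour of `ansible_host` since Ansible 2.0; it matches the surrounding lines, so it is consistent with the file, but a new entry is the natural place to start the migration, `carrot       ansible_host=192.168.0.202`, ideally in one pass over the whole inventory so the two spellings do not coexist.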
diff --git a/site.yml b/site.yml
index 766764d31b0205d387069c9dda87443ecde2b00d..44b2b3072ccd3ff49897b879da6f0dc9eb41c0d9 100644
--- a/site.yml
+++ b/site.yml
@@ -29,6 +29,13 @@
     - { role: common/cronapt, tags: cronapt }
 
 
+- hosts: carrot
+  remote_user: root
+  roles:
+    - { role: common/cronapt, tags: cronapt }
+    - { role: common/wireguard, tags: wireguard }
+
+
 - hosts: ogg
   remote_user: root
   roles:
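Review bot: The new `carrot` play applies only `common/cronapt` and `common/wireguard`, while `host_vars/carrot` in this commit defines `motd_lines`, `debian_sources`, `debian_keys_*`, `administratorenteam` and `alert`, variables that look like inputs to base roles applied to the other hosts. If that is intentional the unused host_vars are dead weight; if not, the base role list (whatever the sibling plays use — this hunk shows only the head of the `ogg` play, which continues past its end) should be added here too. Either way a one-line comment above `- hosts: carrot` such as `# VPN endpoint container; base roles intentionally omitted` or the missing roles would make the choice visible.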