diff --git a/modules/networking/wireguard/client.nix b/modules/networking/wireguard/client.nix
index 36c989d..b9f6373 100644
--- a/modules/networking/wireguard/client.nix
+++ b/modules/networking/wireguard/client.nix
@@ -8,6 +8,11 @@
 in {
 options.networking.wg.client = {
 enable = lib.mkEnableOption "Enable WireGuard client";
+ autoConnect = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Automatically connect to the WireGuard server with systemd";
+ };
 privateKeyFile = lib.mkOption {
 type = lib.types.path;
 description = "Path to the private key file for the WireGuard client";
@@ -23,5 +28,9 @@ in {
 peers.harbor
 ];
 };
+ systemd.services."wg-quick@wg0".wantedBy =
+ if cfg.autoConnect
+ then lib.mkDefault []
+ else lib.mkForce [];
 };
 }
diff --git a/modules/networking/wireguard/server.nix b/modules/networking/wireguard/server.nix
index 3366033..6d54a74 100644
--- a/modules/networking/wireguard/server.nix
+++ b/modules/networking/wireguard/server.nix
@@ -1,6 +1,5 @@
 {
 config,
- pkgs,
 lib,
 ...
 }: let
@@ -27,16 +26,10 @@ in {
 networking.nat.externalInterface = "eth0";
 networking.nat.internalInterfaces = ["wg0"];
- # Interface with NAT for internet routing
+ # Interface without internet routing
 networking.wireguard.interfaces."wg0" = {
 ips = ["10.10.10.1/24"];
 listenPort = cfg.port;
- postSetup = ''
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
- '';
- postShutdown = ''
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
- '';
 inherit (cfg) privateKeyFile;
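Review bot: The `autoConnect` description in client.nix does not say what `false` means, and `false` is the default. Judging by the second hunk of this file, which forces `wantedBy` to an empty list in that case, a host that enables the client without setting the option gets no tunnel at boot, so anything expecting the VPN path runs without it until the unit is started by hand. I would spell that out, e.g. `description = "Start wg-quick@wg0 at boot; when false the tunnel stays down until the unit is started manually";`, and confirm that hosts relying on a boot-time tunnel set the option explicitly. The option set continues outside the hunk.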
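Review bot: The `wantedBy` conditional added at the end of client.nix works only through option priorities: `lib.mkDefault []` contributes nothing itself and yields to any other definition of `wantedBy`, while `lib.mkForce []` overrides it. Because that silently depends on another module defining `wantedBy`, it needs at least a comment such as `# mkDefault [] defers to the wg-quick module's own wantedBy; mkForce [] disables start at boot`. If the interface is declared through `networking.wg-quick.interfaces.wg0` (not visible in this hunk), setting `autostart = cfg.autoConnect;` there would say the same thing directly. The unit name hard-codes `wg0`, and whether this assignment sits under the `enable` guard cannot be seen from the hunk.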