Add WireGuard VPN with random /31 subnet isolation (v0.40.0)

- Add embedded WireGuard VPN server using wireguard-go + netstack - Implement deterministic /31 subnet allocation from seed + sequence - Use Badger's built-in Sequence for atomic counter allocation - Add NIP-46 bunker server for remote signing over VPN - Add revoked key tracking and access audit logging for users - Add Bunker tab to web UI with WireGuard/bunker QR codes - Support key regeneration with old keypair archiving New environment variables: - ORLY_WG_ENABLED: Enable WireGuard VPN server - ORLY_WG_PORT: UDP port for WireGuard (default 51820) - ORLY_WG_ENDPOINT: Public endpoint for WireGuard - ORLY_WG_NETWORK: Base network for subnet pool (default 10.0.0.0/8) - ORLY_BUNKER_ENABLED: Enable NIP-46 bunker - ORLY_BUNKER_PORT: WebSocket port for bunker (default 3335) Files added: - pkg/wireguard/: WireGuard server, keygen, subnet pool, errors - pkg/bunker/: NIP-46 bunker server and session handling - pkg/database/wireguard.go: Peer storage with audit logging - app/handle-wireguard.go: API endpoints for config/regenerate/audit - app/wireguard-helpers.go: Key derivation helpers - app/web/src/BunkerView.svelte: Bunker UI with QR codes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2 weeks ago · e84949140b
23 changed files with 3498 additions and 25 deletions
--- a/app/config/config.go
+++ b/app/config/config.go
@ -133,6 +133,16 @@ type C struct {
				@@ -133,6 +133,16 @@ type C struct {
 	TLSDomains []string `env:"ORLY_TLS_DOMAINS" usage:"comma-separated list of domains to respond to for TLS"`
 	Certs      []string `env:"ORLY_CERTS" usage:"comma-separated list of paths to certificate root names (e.g., /path/to/cert will load /path/to/cert.pem and /path/to/cert.key)"`

+	// WireGuard VPN configuration (for secure bunker access)
+	WGEnabled  bool   `env:"ORLY_WG_ENABLED" default:"false" usage:"enable embedded WireGuard VPN server for private bunker access"`
+	WGPort     int    `env:"ORLY_WG_PORT" default:"51820" usage:"UDP port for WireGuard VPN server"`
+	WGEndpoint string `env:"ORLY_WG_ENDPOINT" usage:"public IP/domain for WireGuard endpoint (required if WG enabled)"`
+	WGNetwork  string `env:"ORLY_WG_NETWORK" default:"10.73.0.0/16" usage:"WireGuard internal network CIDR"`
+
+	// NIP-46 Bunker configuration (remote signing service)
+	BunkerEnabled bool `env:"ORLY_BUNKER_ENABLED" default:"false" usage:"enable NIP-46 bunker signing service (requires WireGuard)"`
+	BunkerPort    int  `env:"ORLY_BUNKER_PORT" default:"3335" usage:"internal port for bunker WebSocket (only accessible via WireGuard)"`
+
 	// Cluster replication configuration
 	ClusterPropagatePrivilegedEvents bool `env:"ORLY_CLUSTER_PROPAGATE_PRIVILEGED_EVENTS" default:"true" usage:"propagate privileged events (DMs, gift wraps, etc.) to relay peers for replication"`

@ -494,3 +504,22 @@ func (cfg *C) GetRateLimitConfigValues() (
				@@ -494,3 +504,22 @@ func (cfg *C) GetRateLimitConfigValues() (
 		cfg.RateLimitEmergencyThreshold, cfg.RateLimitRecoveryThreshold,
 		cfg.RateLimitEmergencyMaxMs
 }
+
+// GetWireGuardConfigValues returns the WireGuard VPN configuration values.
+// This avoids circular imports with pkg/wireguard while allowing main.go to construct
+// the WireGuard server configuration.
+func (cfg *C) GetWireGuardConfigValues() (
+	enabled bool,
+	port int,
+	endpoint string,
+	network string,
+	bunkerEnabled bool,
+	bunkerPort int,
+) {
+	return cfg.WGEnabled,
+		cfg.WGPort,
+		cfg.WGEndpoint,
+		cfg.WGNetwork,
+		cfg.BunkerEnabled,
+		cfg.BunkerPort
+}
--- a/app/handle-wireguard.go
+++ b/app/handle-wireguard.go
@ -0,0 +1,514 @@
				@@ -0,0 +1,514 @@
+package app
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"git.mleku.dev/mleku/nostr/encoders/bech32encoding"
+	"git.mleku.dev/mleku/nostr/encoders/hex"
+	"git.mleku.dev/mleku/nostr/httpauth"
+	"lol.mleku.dev/chk"
+	"lol.mleku.dev/log"
+
+	"next.orly.dev/pkg/acl"
+	"next.orly.dev/pkg/database"
+)
+
+// WireGuardConfigResponse is returned by the /api/wireguard/config endpoint.
+type WireGuardConfigResponse struct {
+	ConfigText string      `json:"config_text"`
+	Interface  WGInterface `json:"interface"`
+	Peer       WGPeer      `json:"peer"`
+}
+
+// WGInterface represents the [Interface] section of a WireGuard config.
+type WGInterface struct {
+	Address    string `json:"address"`
+	PrivateKey string `json:"private_key"`
+}
+
+// WGPeer represents the [Peer] section of a WireGuard config.
+type WGPeer struct {
+	PublicKey  string `json:"public_key"`
+	Endpoint   string `json:"endpoint"`
+	AllowedIPs string `json:"allowed_ips"`
+}
+
+// BunkerURLResponse is returned by the /api/bunker/url endpoint.
+type BunkerURLResponse struct {
+	URL         string `json:"url"`
+	RelayNpub   string `json:"relay_npub"`
+	RelayPubkey string `json:"relay_pubkey"`
+	InternalIP  string `json:"internal_ip"`
+}
+
+// handleWireGuardConfig returns the user's WireGuard configuration.
+// Requires NIP-98 authentication and write+ access.
+func (s *Server) handleWireGuardConfig(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Check if WireGuard is enabled
+	if !s.Config.WGEnabled {
+		http.Error(w, "WireGuard is not enabled on this relay", http.StatusNotFound)
+		return
+	}
+
+	// Check if ACL mode supports WireGuard
+	if s.Config.ACLMode == "none" {
+		http.Error(w, "WireGuard requires ACL mode 'follows' or 'managed'", http.StatusForbidden)
+		return
+	}
+
+	// Validate NIP-98 authentication
+	valid, pubkey, err := httpauth.CheckAuth(r)
+	if chk.E(err) || !valid {
+		http.Error(w, "NIP-98 authentication required", http.StatusUnauthorized)
+		return
+	}
+
+	// Check user has write+ access
+	accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
+	if accessLevel != "write" && accessLevel != "admin" && accessLevel != "owner" {
+		http.Error(w, "Write access required for WireGuard", http.StatusForbidden)
+		return
+	}
+
+	// Type assert to Badger database for WireGuard methods
+	badgerDB, ok := s.DB.(*database.D)
+	if !ok {
+		http.Error(w, "WireGuard requires Badger database backend", http.StatusInternalServerError)
+		return
+	}
+
+	// Check subnet pool is available
+	if s.subnetPool == nil {
+		http.Error(w, "WireGuard subnet pool not initialized", http.StatusInternalServerError)
+		return
+	}
+
+	// Get or create WireGuard peer for this user
+	peer, err := badgerDB.GetOrCreateWireGuardPeer(pubkey, s.subnetPool)
+	if chk.E(err) {
+		log.E.F("failed to get/create WireGuard peer: %v", err)
+		http.Error(w, "Failed to create WireGuard configuration", http.StatusInternalServerError)
+		return
+	}
+
+	// Derive subnet IPs from sequence
+	subnet := s.subnetPool.SubnetForSequence(peer.Sequence)
+	clientIP := subnet.ClientIP.String()
+	serverIP := subnet.ServerIP.String()
+
+	// Get server public key
+	serverKey, err := badgerDB.GetOrCreateWireGuardServerKey()
+	if chk.E(err) {
+		log.E.F("failed to get WireGuard server key: %v", err)
+		http.Error(w, "WireGuard server not configured", http.StatusInternalServerError)
+		return
+	}
+
+	serverPubKey, err := deriveWGPublicKey(serverKey)
+	if chk.E(err) {
+		log.E.F("failed to derive server public key: %v", err)
+		http.Error(w, "WireGuard server error", http.StatusInternalServerError)
+		return
+	}
+
+	// Build endpoint
+	endpoint := fmt.Sprintf("%s:%d", s.Config.WGEndpoint, s.Config.WGPort)
+
+	// Build response
+	resp := WireGuardConfigResponse{
+		Interface: WGInterface{
+			Address:    clientIP + "/32",
+			PrivateKey: base64.StdEncoding.EncodeToString(peer.WGPrivateKey),
+		},
+		Peer: WGPeer{
+			PublicKey:  base64.StdEncoding.EncodeToString(serverPubKey),
+			Endpoint:   endpoint,
+			AllowedIPs: serverIP + "/32", // Only route bunker traffic to this peer's server IP
+		},
+	}
+
+	// Generate config text
+	resp.ConfigText = fmt.Sprintf(`[Interface]
+Address = %s
+PrivateKey = %s
+
+[Peer]
+PublicKey = %s
+Endpoint = %s
+AllowedIPs = %s
+PersistentKeepalive = 25
+`, resp.Interface.Address, resp.Interface.PrivateKey,
+		resp.Peer.PublicKey, resp.Peer.Endpoint, resp.Peer.AllowedIPs)
+
+	// If WireGuard server is running, add the peer
+	if s.wireguardServer != nil && s.wireguardServer.IsRunning() {
+		if err := s.wireguardServer.AddPeer(pubkey, peer.WGPublicKey, clientIP); chk.E(err) {
+			log.W.F("failed to add peer to running WireGuard server: %v", err)
+		}
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(resp)
+}
+
+// handleWireGuardRegenerate generates a new WireGuard keypair for the user.
+// Requires NIP-98 authentication and write+ access.
+func (s *Server) handleWireGuardRegenerate(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Check if WireGuard is enabled
+	if !s.Config.WGEnabled {
+		http.Error(w, "WireGuard is not enabled on this relay", http.StatusNotFound)
+		return
+	}
+
+	// Check if ACL mode supports WireGuard
+	if s.Config.ACLMode == "none" {
+		http.Error(w, "WireGuard requires ACL mode 'follows' or 'managed'", http.StatusForbidden)
+		return
+	}
+
+	// Validate NIP-98 authentication
+	valid, pubkey, err := httpauth.CheckAuth(r)
+	if chk.E(err) || !valid {
+		http.Error(w, "NIP-98 authentication required", http.StatusUnauthorized)
+		return
+	}
+
+	// Check user has write+ access
+	accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
+	if accessLevel != "write" && accessLevel != "admin" && accessLevel != "owner" {
+		http.Error(w, "Write access required for WireGuard", http.StatusForbidden)
+		return
+	}
+
+	// Type assert to Badger database for WireGuard methods
+	badgerDB, ok := s.DB.(*database.D)
+	if !ok {
+		http.Error(w, "WireGuard requires Badger database backend", http.StatusInternalServerError)
+		return
+	}
+
+	// Check subnet pool is available
+	if s.subnetPool == nil {
+		http.Error(w, "WireGuard subnet pool not initialized", http.StatusInternalServerError)
+		return
+	}
+
+	// Remove old peer from running server if exists
+	oldPeer, err := badgerDB.GetWireGuardPeer(pubkey)
+	if err == nil && oldPeer != nil && s.wireguardServer != nil && s.wireguardServer.IsRunning() {
+		s.wireguardServer.RemovePeer(oldPeer.WGPublicKey)
+	}
+
+	// Regenerate keypair
+	peer, err := badgerDB.RegenerateWireGuardPeer(pubkey, s.subnetPool)
+	if chk.E(err) {
+		log.E.F("failed to regenerate WireGuard peer: %v", err)
+		http.Error(w, "Failed to regenerate WireGuard configuration", http.StatusInternalServerError)
+		return
+	}
+
+	// Derive subnet IPs from sequence (same sequence as before)
+	subnet := s.subnetPool.SubnetForSequence(peer.Sequence)
+	clientIP := subnet.ClientIP.String()
+
+	log.I.F("regenerated WireGuard keypair for user: %s", hex.Enc(pubkey[:8]))
+
+	// Return success with IP (same subnet as before)
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]string{
+		"status":      "regenerated",
+		"assigned_ip": clientIP,
+	})
+}
+
+// handleBunkerURL returns the bunker connection URL.
+// Requires NIP-98 authentication and write+ access.
+func (s *Server) handleBunkerURL(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Check if bunker is enabled
+	if !s.Config.BunkerEnabled {
+		http.Error(w, "Bunker is not enabled on this relay", http.StatusNotFound)
+		return
+	}
+
+	// Check if WireGuard is enabled (required for bunker)
+	if !s.Config.WGEnabled {
+		http.Error(w, "WireGuard is required for bunker access", http.StatusNotFound)
+		return
+	}
+
+	// Check if ACL mode supports WireGuard
+	if s.Config.ACLMode == "none" {
+		http.Error(w, "Bunker requires ACL mode 'follows' or 'managed'", http.StatusForbidden)
+		return
+	}
+
+	// Validate NIP-98 authentication
+	valid, pubkey, err := httpauth.CheckAuth(r)
+	if chk.E(err) || !valid {
+		http.Error(w, "NIP-98 authentication required", http.StatusUnauthorized)
+		return
+	}
+
+	// Check user has write+ access
+	accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
+	if accessLevel != "write" && accessLevel != "admin" && accessLevel != "owner" {
+		http.Error(w, "Write access required for bunker", http.StatusForbidden)
+		return
+	}
+
+	// Type assert to Badger database for WireGuard methods
+	badgerDB, ok := s.DB.(*database.D)
+	if !ok {
+		http.Error(w, "Bunker requires Badger database backend", http.StatusInternalServerError)
+		return
+	}
+
+	// Check subnet pool is available
+	if s.subnetPool == nil {
+		http.Error(w, "WireGuard subnet pool not initialized", http.StatusInternalServerError)
+		return
+	}
+
+	// Get or create WireGuard peer to get their subnet
+	peer, err := badgerDB.GetOrCreateWireGuardPeer(pubkey, s.subnetPool)
+	if chk.E(err) {
+		log.E.F("failed to get/create WireGuard peer for bunker: %v", err)
+		http.Error(w, "Failed to get WireGuard configuration", http.StatusInternalServerError)
+		return
+	}
+
+	// Derive server IP for this peer's subnet
+	subnet := s.subnetPool.SubnetForSequence(peer.Sequence)
+	serverIP := subnet.ServerIP.String()
+
+	// Get relay identity
+	relaySecret, err := s.DB.GetOrCreateRelayIdentitySecret()
+	if chk.E(err) {
+		log.E.F("failed to get relay identity: %v", err)
+		http.Error(w, "Failed to get relay identity", http.StatusInternalServerError)
+		return
+	}
+
+	relayPubkey, err := deriveNostrPublicKey(relaySecret)
+	if chk.E(err) {
+		log.E.F("failed to derive relay public key: %v", err)
+		http.Error(w, "Failed to derive relay public key", http.StatusInternalServerError)
+		return
+	}
+
+	// Encode as npub
+	relayNpubBytes, err := bech32encoding.BinToNpub(relayPubkey)
+	relayNpub := string(relayNpubBytes)
+	if chk.E(err) {
+		relayNpub = hex.Enc(relayPubkey) // Fallback to hex
+	}
+
+	// Build bunker URL using this peer's server IP
+	// Format: bunker://<relay-pubkey-hex>?relay=ws://<server-ip>:3335
+	relayPubkeyHex := hex.Enc(relayPubkey)
+	bunkerURL := fmt.Sprintf("bunker://%s?relay=ws://%s:%d",
+		relayPubkeyHex,
+		serverIP,
+		s.Config.BunkerPort,
+	)
+
+	resp := BunkerURLResponse{
+		URL:         bunkerURL,
+		RelayNpub:   relayNpub,
+		RelayPubkey: relayPubkeyHex,
+		InternalIP:  serverIP,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(resp)
+}
+
+// handleWireGuardStatus returns whether WireGuard/Bunker are available.
+func (s *Server) handleWireGuardStatus(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	resp := map[string]interface{}{
+		"wireguard_enabled": s.Config.WGEnabled,
+		"bunker_enabled":    s.Config.BunkerEnabled,
+		"acl_mode":          s.Config.ACLMode,
+		"available":         s.Config.WGEnabled && s.Config.ACLMode != "none",
+	}
+
+	if s.wireguardServer != nil {
+		resp["wireguard_running"] = s.wireguardServer.IsRunning()
+		resp["peer_count"] = s.wireguardServer.PeerCount()
+	}
+
+	if s.bunkerServer != nil {
+		resp["bunker_sessions"] = s.bunkerServer.SessionCount()
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(resp)
+}
+
+// RevokedKeyResponse is the JSON response for revoked keys.
+type RevokedKeyResponse struct {
+	NostrPubkey  string `json:"nostr_pubkey"`
+	WGPublicKey  string `json:"wg_public_key"`
+	Sequence     uint32 `json:"sequence"`
+	ClientIP     string `json:"client_ip"`
+	ServerIP     string `json:"server_ip"`
+	CreatedAt    int64  `json:"created_at"`
+	RevokedAt    int64  `json:"revoked_at"`
+	AccessCount  int    `json:"access_count"`
+	LastAccessAt int64  `json:"last_access_at"`
+}
+
+// AccessLogResponse is the JSON response for access logs.
+type AccessLogResponse struct {
+	NostrPubkey string `json:"nostr_pubkey"`
+	WGPublicKey string `json:"wg_public_key"`
+	Sequence    uint32 `json:"sequence"`
+	ClientIP    string `json:"client_ip"`
+	Timestamp   int64  `json:"timestamp"`
+	RemoteAddr  string `json:"remote_addr"`
+}
+
+// handleWireGuardAudit returns the user's own revoked keys and access logs.
+// This lets users see if their old WireGuard keys are still being used,
+// which could indicate they left something on or someone copied their credentials.
+// Requires NIP-98 authentication and write+ access.
+func (s *Server) handleWireGuardAudit(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Check if WireGuard is enabled
+	if !s.Config.WGEnabled {
+		http.Error(w, "WireGuard is not enabled on this relay", http.StatusNotFound)
+		return
+	}
+
+	// Validate NIP-98 authentication
+	valid, pubkey, err := httpauth.CheckAuth(r)
+	if chk.E(err) || !valid {
+		http.Error(w, "NIP-98 authentication required", http.StatusUnauthorized)
+		return
+	}
+
+	// Check user has write+ access (same as other WireGuard endpoints)
+	accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
+	if accessLevel != "write" && accessLevel != "admin" && accessLevel != "owner" {
+		http.Error(w, "Write access required", http.StatusForbidden)
+		return
+	}
+
+	// Type assert to Badger database for WireGuard methods
+	badgerDB, ok := s.DB.(*database.D)
+	if !ok {
+		http.Error(w, "WireGuard requires Badger database backend", http.StatusInternalServerError)
+		return
+	}
+
+	// Check subnet pool is available
+	if s.subnetPool == nil {
+		http.Error(w, "WireGuard subnet pool not initialized", http.StatusInternalServerError)
+		return
+	}
+
+	// Get this user's revoked keys only
+	revokedKeys, err := badgerDB.GetRevokedKeys(pubkey)
+	if chk.E(err) {
+		log.E.F("failed to get revoked keys: %v", err)
+		http.Error(w, "Failed to get revoked keys", http.StatusInternalServerError)
+		return
+	}
+
+	// Get this user's access logs only
+	accessLogs, err := badgerDB.GetAccessLogs(pubkey)
+	if chk.E(err) {
+		log.E.F("failed to get access logs: %v", err)
+		http.Error(w, "Failed to get access logs", http.StatusInternalServerError)
+		return
+	}
+
+	// Convert to response format
+	var revokedResp []RevokedKeyResponse
+	for _, key := range revokedKeys {
+		subnet := s.subnetPool.SubnetForSequence(key.Sequence)
+		revokedResp = append(revokedResp, RevokedKeyResponse{
+			NostrPubkey:  hex.Enc(key.NostrPubkey),
+			WGPublicKey:  hex.Enc(key.WGPublicKey),
+			Sequence:     key.Sequence,
+			ClientIP:     subnet.ClientIP.String(),
+			ServerIP:     subnet.ServerIP.String(),
+			CreatedAt:    key.CreatedAt,
+			RevokedAt:    key.RevokedAt,
+			AccessCount:  key.AccessCount,
+			LastAccessAt: key.LastAccessAt,
+		})
+	}
+
+	var accessResp []AccessLogResponse
+	for _, logEntry := range accessLogs {
+		subnet := s.subnetPool.SubnetForSequence(logEntry.Sequence)
+		accessResp = append(accessResp, AccessLogResponse{
+			NostrPubkey: hex.Enc(logEntry.NostrPubkey),
+			WGPublicKey: hex.Enc(logEntry.WGPublicKey),
+			Sequence:    logEntry.Sequence,
+			ClientIP:    subnet.ClientIP.String(),
+			Timestamp:   logEntry.Timestamp,
+			RemoteAddr:  logEntry.RemoteAddr,
+		})
+	}
+
+	resp := map[string]interface{}{
+		"revoked_keys": revokedResp,
+		"access_logs":  accessResp,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(resp)
+}
+
+// deriveWGPublicKey derives a Curve25519 public key from a private key.
+func deriveWGPublicKey(privateKey []byte) ([]byte, error) {
+	if len(privateKey) != 32 {
+		return nil, fmt.Errorf("invalid private key length: %d", len(privateKey))
+	}
+
+	// Use wireguard package
+	return derivePublicKey(privateKey)
+}
+
+// deriveNostrPublicKey derives a secp256k1 public key from a secret key.
+func deriveNostrPublicKey(secretKey []byte) ([]byte, error) {
+	if len(secretKey) != 32 {
+		return nil, fmt.Errorf("invalid secret key length: %d", len(secretKey))
+	}
+
+	// Use nostr library's key derivation
+	pk, err := deriveSecp256k1PublicKey(secretKey)
+	if err != nil {
+		return nil, err
+	}
+	return pk, nil
+}
--- a/app/main.go
+++ b/app/main.go
@ -22,9 +22,13 @@ import (
				@@ -22,9 +22,13 @@ import (
 	"next.orly.dev/pkg/protocol/graph"
 	"next.orly.dev/pkg/protocol/nip43"
 	"next.orly.dev/pkg/protocol/publish"
+	"next.orly.dev/pkg/bunker"
 	"next.orly.dev/pkg/ratelimit"
 	"next.orly.dev/pkg/spider"
 	dsync "next.orly.dev/pkg/sync"
+	"next.orly.dev/pkg/wireguard"
+
+	"git.mleku.dev/mleku/nostr/interfaces/signer/p8k"
 )

 func Run(
@ -330,6 +334,101 @@ func Run(
				@@ -330,6 +334,101 @@ func Run(
 		log.I.F("Non-Badger backend detected (type: %T), Blossom server not available", db)
 	}

+	// Initialize WireGuard VPN and NIP-46 Bunker (only for Badger backend)
+	// Requires ACL mode 'follows' or 'managed' - no point for open relays
+	if badgerDB, ok := db.(*database.D); ok && cfg.WGEnabled && cfg.ACLMode != "none" {
+		if cfg.WGEndpoint == "" {
+			log.E.F("WireGuard enabled but ORLY_WG_ENDPOINT not set - skipping")
+		} else {
+			// Get or create the subnet pool (restores seed and allocations from DB)
+			subnetPool, err := badgerDB.GetOrCreateSubnetPool(cfg.WGNetwork)
+			if err != nil {
+				log.E.F("failed to create subnet pool: %v", err)
+			} else {
+				l.subnetPool = subnetPool
+
+				// Get or create WireGuard server key
+				wgServerKey, err := badgerDB.GetOrCreateWireGuardServerKey()
+				if err != nil {
+					log.E.F("failed to get WireGuard server key: %v", err)
+				} else {
+					// Create WireGuard server
+					wgConfig := &wireguard.Config{
+						Port:       cfg.WGPort,
+						Endpoint:   cfg.WGEndpoint,
+						PrivateKey: wgServerKey,
+						Network:    cfg.WGNetwork,
+						ServerIP:   "10.73.0.1",
+					}
+
+					l.wireguardServer, err = wireguard.New(wgConfig)
+					if err != nil {
+						log.E.F("failed to create WireGuard server: %v", err)
+					} else {
+						if err = l.wireguardServer.Start(); err != nil {
+							log.E.F("failed to start WireGuard server: %v", err)
+						} else {
+							log.I.F("WireGuard VPN server started on UDP port %d", cfg.WGPort)
+
+							// Load existing peers from database and add to server
+							peers, err := badgerDB.GetAllWireGuardPeers()
+							if err != nil {
+								log.W.F("failed to load existing WireGuard peers: %v", err)
+							} else {
+								for _, peer := range peers {
+									// Derive client IP from sequence
+									subnet := subnetPool.SubnetForSequence(peer.Sequence)
+									clientIP := subnet.ClientIP.String()
+									if err := l.wireguardServer.AddPeer(peer.NostrPubkey, peer.WGPublicKey, clientIP); err != nil {
+										log.W.F("failed to add existing peer: %v", err)
+									}
+								}
+								if len(peers) > 0 {
+									log.I.F("loaded %d existing WireGuard peers", len(peers))
+								}
+							}
+
+						// Initialize bunker if enabled
+						if cfg.BunkerEnabled {
+							// Get relay identity for signing
+							relaySecretKey, err := badgerDB.GetOrCreateRelayIdentitySecret()
+							if err != nil {
+								log.E.F("failed to get relay identity for bunker: %v", err)
+							} else {
+								// Create signer from secret key
+								relaySigner, sigErr := p8k.New()
+								if sigErr != nil {
+									log.E.F("failed to create signer for bunker: %v", sigErr)
+								} else if sigErr = relaySigner.InitSec(relaySecretKey); sigErr != nil {
+									log.E.F("failed to init signer for bunker: %v", sigErr)
+								} else {
+								relayPubkey := relaySigner.Pub()
+
+								bunkerConfig := &bunker.Config{
+									RelaySigner: relaySigner,
+									RelayPubkey: relayPubkey[:],
+									Netstack:    l.wireguardServer.GetNetstack(),
+									ListenAddr:  fmt.Sprintf("10.73.0.1:%d", cfg.BunkerPort),
+								}
+
+								l.bunkerServer = bunker.New(bunkerConfig)
+								if err = l.bunkerServer.Start(); err != nil {
+									log.E.F("failed to start bunker server: %v", err)
+								} else {
+									log.I.F("NIP-46 bunker server started on 10.73.0.1:%d (WireGuard only)", cfg.BunkerPort)
+								}
+								}
+							}
+						}
+						}
+					}
+				}
+			}
+		}
+	} else if cfg.WGEnabled && cfg.ACLMode == "none" {
+		log.I.F("WireGuard disabled: requires ACL mode 'follows' or 'managed' (currently: 'none')")
+	}
+
 	// Initialize event domain services (validation, routing, processing)
 	l.InitEventServices()

@ -492,6 +591,18 @@ func Run(
				@@ -492,6 +591,18 @@ func Run(
 			log.I.F("rate limiter stopped")
 		}

+		// Stop bunker server if running
+		if l.bunkerServer != nil {
+			l.bunkerServer.Stop()
+			log.I.F("bunker server stopped")
+		}
+
+		// Stop WireGuard server if running
+		if l.wireguardServer != nil {
+			l.wireguardServer.Stop()
+			log.I.F("WireGuard server stopped")
+		}
+
 		// Create shutdown context with timeout
 		shutdownCtx, cancelShutdown := context.WithTimeout(context.Background(), 10*time.Second)
 		defer cancelShutdown()
--- a/app/server.go
+++ b/app/server.go
@ -33,9 +33,11 @@ import (
				@@ -33,9 +33,11 @@ import (
 	"next.orly.dev/pkg/protocol/graph"
 	"next.orly.dev/pkg/protocol/nip43"
 	"next.orly.dev/pkg/protocol/publish"
+	"next.orly.dev/pkg/bunker"
 	"next.orly.dev/pkg/ratelimit"
 	"next.orly.dev/pkg/spider"
 	dsync "next.orly.dev/pkg/sync"
+	"next.orly.dev/pkg/wireguard"
 )

 type Server struct {
@ -78,6 +80,11 @@ type Server struct {
				@@ -78,6 +80,11 @@ type Server struct {
 	eventAuthorizer  *authorization.Service
 	eventRouter      *routing.DefaultRouter
 	eventProcessor   *processing.Service
+
+	// WireGuard VPN and NIP-46 Bunker
+	wireguardServer *wireguard.Server
+	bunkerServer    *bunker.Server
+	subnetPool      *wireguard.SubnetPool
 }

 // isIPBlacklisted checks if an IP address is blacklisted using the managed ACL system
@ -335,6 +342,14 @@ func (s *Server) UserInterface() {
				@@ -335,6 +342,14 @@ func (s *Server) UserInterface() {
 		s.mux.HandleFunc("/cluster/events", s.clusterManager.HandleEventsRange)
 		log.Printf("Cluster replication API enabled at /cluster")
 	}
+
+	// WireGuard VPN and Bunker API endpoints
+	// These are always registered but will return errors if not enabled
+	s.mux.HandleFunc("/api/wireguard/config", s.handleWireGuardConfig)
+	s.mux.HandleFunc("/api/wireguard/regenerate", s.handleWireGuardRegenerate)
+	s.mux.HandleFunc("/api/wireguard/status", s.handleWireGuardStatus)
+	s.mux.HandleFunc("/api/wireguard/audit", s.handleWireGuardAudit)
+	s.mux.HandleFunc("/api/bunker/url", s.handleBunkerURL)
 }

 // handleFavicon serves orly-favicon.png as favicon.ico
--- a/app/web/dist/bundle.css
+++ b/app/web/dist/bundle.css
--- a/app/web/dist/bundle.js
+++ b/app/web/dist/bundle.js
--- a/app/web/dist/bundle.js.map
+++ b/app/web/dist/bundle.js.map
--- a/app/web/package-lock.json
+++ b/app/web/package-lock.json
@ -8,9 +8,11 @@
				@@ -8,9 +8,11 @@
      "name": "svelte-app",
      "version": "1.0.0",
      "dependencies": {
-        "applesauce-core": "^4.1.0",
-        "applesauce-signers": "^4.1.0",
+        "applesauce-core": "^4.4.2",
+        "applesauce-signers": "^4.2.0",
+        "hash-wasm": "^4.12.0",
        "nostr-tools": "^2.17.0",
+        "qrcode": "^1.5.3",
        "sirv-cli": "^2.0.0"
      },
      "devDependencies": {
@ -365,6 +367,30 @@
				@@ -365,6 +367,30 @@
        "node": ">=0.4.0"
      }
    },
+    "node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "license": "MIT",
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
    "node_modules/anymatch": {
      "version": "3.1.3",
      "dev": true,
@ -389,9 +415,9 @@
				@@ -389,9 +415,9 @@
      }
    },
    "node_modules/applesauce-core": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/applesauce-core/-/applesauce-core-4.1.0.tgz",
-      "integrity": "sha512-vFOHfqWW4DJfvPkMYLYNiy2ozO2IF+ZNwetGqaLuPjgE1Iwu4trZmG3GJUH+lO1Oq1N4e/OQ/EcotJoEBEiW7Q==",
+      "version": "4.4.2",
+      "resolved": "https://registry.npmjs.org/applesauce-core/-/applesauce-core-4.4.2.tgz",
+      "integrity": "sha512-zuZB74Pp28UGM4e8DWbN1atR95xL7ODENvjkaGGnvAjIKvfdgMznU7m9gLxr/Hu+IHOmVbbd4YxwNmKBzCWhHQ==",
      "license": "MIT",
      "dependencies": {
        "@noble/hashes": "^1.7.1",
@ -431,15 +457,15 @@
				@@ -431,15 +457,15 @@
      }
    },
    "node_modules/applesauce-signers": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/applesauce-signers/-/applesauce-signers-4.1.0.tgz",
-      "integrity": "sha512-S+nTkAt1CAGhalwI7warLTINsxxjBpS3NqbViz6LVy1ZrzEqaNirlalX+rbCjxjRrvIGhYV+rszkxDFhCYbPkg==",
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/applesauce-signers/-/applesauce-signers-4.2.0.tgz",
+      "integrity": "sha512-celexNd+aLt6/vhf72XXw2oAk8ohjna+aWEg/Z2liqPwP+kbVjnqq4Z1RXvt79QQbTIQbXYGWqervXWLE8HmHg==",
      "license": "MIT",
      "dependencies": {
        "@noble/hashes": "^1.7.1",
        "@noble/secp256k1": "^1.7.1",
        "@scure/base": "^1.2.4",
-        "applesauce-core": "^4.1.0",
+        "applesauce-core": "^4.2.0",
        "debug": "^4.4.0",
        "nanoid": "^5.0.9",
        "nostr-tools": "~2.17",
@ -533,6 +559,15 @@
				@@ -533,6 +559,15 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/camelcase": {
+      "version": "5.3.1",
+      "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-5.3.1.tgz",
+      "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
    "node_modules/chokidar": {
      "version": "3.6.0",
      "dev": true,
@ -556,6 +591,35 @@
				@@ -556,6 +591,35 @@
        "fsevents": "~2.3.2"
      }
    },
+    "node_modules/cliui": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-6.0.0.tgz",
+      "integrity": "sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==",
+      "license": "ISC",
+      "dependencies": {
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.0",
+        "wrap-ansi": "^6.2.0"
+      }
+    },
+    "node_modules/color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "license": "MIT",
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+      "license": "MIT"
+    },
    "node_modules/colorette": {
      "version": "1.4.0",
      "resolved": "https://registry.npmjs.org/colorette/-/colorette-1.4.0.tgz",
@ -604,6 +668,15 @@
				@@ -604,6 +668,15 @@
        }
      }
    },
+    "node_modules/decamelize": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz",
+      "integrity": "sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
    "node_modules/deepmerge": {
      "version": "4.3.1",
      "dev": true,
@ -612,6 +685,12 @@
				@@ -612,6 +685,12 @@
        "node": ">=0.10.0"
      }
    },
+    "node_modules/dijkstrajs": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/dijkstrajs/-/dijkstrajs-1.0.3.tgz",
+      "integrity": "sha512-qiSlmBq9+BCdCA/L46dw8Uy93mloxsPSbwnm5yrKn2vMPiy8KyAskTF6zuV/j5BMsmOGZDPs7KjU+mjb670kfA==",
+      "license": "MIT"
+    },
    "node_modules/dir-glob": {
      "version": "3.0.1",
      "resolved": "https://registry.npmjs.org/dir-glob/-/dir-glob-3.0.1.tgz",
@ -625,6 +704,12 @@
				@@ -625,6 +704,12 @@
        "node": ">=8"
      }
    },
+    "node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "license": "MIT"
+    },
    "node_modules/estree-walker": {
      "version": "2.0.2",
      "dev": true,
@ -674,6 +759,19 @@
				@@ -674,6 +759,19 @@
        "node": ">=8"
      }
    },
+    "node_modules/find-up": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "license": "MIT",
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
    "node_modules/fs-extra": {
      "version": "8.1.0",
      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-8.1.0.tgz",
@ -702,6 +800,15 @@
				@@ -702,6 +800,15 @@
        "url": "https://github.com/sponsors/ljharb"
      }
    },
+    "node_modules/get-caller-file": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
+      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==",
+      "license": "ISC",
+      "engines": {
+        "node": "6.* || 8.* || >= 10.*"
+      }
+    },
    "node_modules/get-port": {
      "version": "3.2.0",
      "license": "MIT",
@ -817,6 +924,12 @@
				@@ -817,6 +924,12 @@
      "integrity": "sha512-WdZTbAByD+pHfl/g9QSsBIIwy8IT+EsPiKDs0KNX+zSHhdDLFKdZu0BQHljvO+0QI/BasbMSUa8wYNCZTvhslg==",
      "license": "MIT"
    },
+    "node_modules/hash-wasm": {
+      "version": "4.12.0",
+      "resolved": "https://registry.npmjs.org/hash-wasm/-/hash-wasm-4.12.0.tgz",
+      "integrity": "sha512-+/2B2rYLb48I/evdOIhP+K/DD2ca2fgBjp6O+GBEnCDk2e4rpeXIK8GvIyRPjTezgmWn9gmKwkQjjx6BtqDHVQ==",
+      "license": "MIT"
+    },
    "node_modules/hasown": {
      "version": "2.0.2",
      "dev": true,
@ -885,6 +998,15 @@
				@@ -885,6 +998,15 @@
        "node": ">=0.10.0"
      }
    },
+    "node_modules/is-fullwidth-code-point": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
    "node_modules/is-glob": {
      "version": "4.0.3",
      "dev": true,
@ -982,6 +1104,18 @@
				@@ -982,6 +1104,18 @@
        "node": ">=6"
      }
    },
+    "node_modules/locate-path": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "license": "MIT",
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
    "node_modules/magic-string": {
      "version": "0.27.0",
      "dev": true,
@ -1127,6 +1261,51 @@
				@@ -1127,6 +1261,51 @@
      "dev": true,
      "license": "BSD-2-Clause"
    },
+    "node_modules/p-limit": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "license": "MIT",
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/p-locate": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "license": "MIT",
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/p-try": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/path-exists": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
    "node_modules/path-is-absolute": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
@ -1163,6 +1342,32 @@
				@@ -1163,6 +1342,32 @@
        "url": "https://github.com/sponsors/jonschlinkert"
      }
    },
+    "node_modules/pngjs": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/pngjs/-/pngjs-5.0.0.tgz",
+      "integrity": "sha512-40QW5YalBNfQo5yRYmiw7Yz6TKKVr3h6970B2YE+3fQpsWcrbj1PzJgxeJ19DRQjhMbKPIuMY8rFaXc8moolVw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
+    "node_modules/qrcode": {
+      "version": "1.5.4",
+      "resolved": "https://registry.npmjs.org/qrcode/-/qrcode-1.5.4.tgz",
+      "integrity": "sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg==",
+      "license": "MIT",
+      "dependencies": {
+        "dijkstrajs": "^1.0.1",
+        "pngjs": "^5.0.0",
+        "yargs": "^15.3.1"
+      },
+      "bin": {
+        "qrcode": "bin/qrcode"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
    "node_modules/queue-microtask": {
      "version": "1.2.3",
      "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
@ -1214,6 +1419,21 @@
				@@ -1214,6 +1419,21 @@
        "url": "https://github.com/sponsors/jonschlinkert"
      }
    },
+    "node_modules/require-directory": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
+      "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/require-main-filename": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-2.0.0.tgz",
+      "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==",
+      "license": "ISC"
+    },
    "node_modules/resolve": {
      "version": "1.22.10",
      "dev": true,
@ -1425,6 +1645,12 @@
				@@ -1425,6 +1645,12 @@
        "randombytes": "^2.1.0"
      }
    },
+    "node_modules/set-blocking": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
+      "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==",
+      "license": "ISC"
+    },
    "node_modules/sirv": {
      "version": "2.0.4",
      "license": "MIT",
@ -1489,6 +1715,32 @@
				@@ -1489,6 +1715,32 @@
        "source-map": "^0.6.0"
      }
    },
+    "node_modules/string-width": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "license": "MIT",
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
    "node_modules/supports-preserve-symlinks-flag": {
      "version": "1.0.0",
      "dev": true,
@ -1573,6 +1825,26 @@
				@@ -1573,6 +1825,26 @@
        "node": ">= 4.0.0"
      }
    },
+    "node_modules/which-module": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.1.tgz",
+      "integrity": "sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ==",
+      "license": "ISC"
+    },
+    "node_modules/wrap-ansi": {
+      "version": "6.2.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-6.2.0.tgz",
+      "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
+      "license": "MIT",
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
    "node_modules/wrappy": {
      "version": "1.0.2",
      "dev": true,
@ -1597,6 +1869,47 @@
				@@ -1597,6 +1869,47 @@
          "optional": true
        }
      }
+    },
+    "node_modules/y18n": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.3.tgz",
+      "integrity": "sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==",
+      "license": "ISC"
+    },
+    "node_modules/yargs": {
+      "version": "15.4.1",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-15.4.1.tgz",
+      "integrity": "sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==",
+      "license": "MIT",
+      "dependencies": {
+        "cliui": "^6.0.0",
+        "decamelize": "^1.2.0",
+        "find-up": "^4.1.0",
+        "get-caller-file": "^2.0.1",
+        "require-directory": "^2.1.1",
+        "require-main-filename": "^2.0.0",
+        "set-blocking": "^2.0.0",
+        "string-width": "^4.2.0",
+        "which-module": "^2.0.0",
+        "y18n": "^4.0.0",
+        "yargs-parser": "^18.1.2"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs-parser": {
+      "version": "18.1.3",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-18.1.3.tgz",
+      "integrity": "sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==",
+      "license": "ISC",
+      "dependencies": {
+        "camelcase": "^5.0.0",
+        "decamelize": "^1.2.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
    }
  }
 }
--- a/app/web/package.json
+++ b/app/web/package.json
@ -26,6 +26,7 @@
				@@ -26,6 +26,7 @@
    "applesauce-signers": "^4.2.0",
    "hash-wasm": "^4.12.0",
    "nostr-tools": "^2.17.0",
+    "qrcode": "^1.5.3",
    "sirv-cli": "^2.0.0"
  }
 }
--- a/app/web/src/App.svelte
+++ b/app/web/src/App.svelte
@ -12,6 +12,7 @@
				@@ -12,6 +12,7 @@
    import SprocketView from "./SprocketView.svelte";
    import PolicyView from "./PolicyView.svelte";
    import BlossomView from "./BlossomView.svelte";
+    import BunkerView from "./BunkerView.svelte";
    import LogView from "./LogView.svelte";
    import SearchResultsView from "./SearchResultsView.svelte";
    import FilterDisplay from "./FilterDisplay.svelte";
@ -1649,6 +1650,7 @@
				@@ -1649,6 +1650,7 @@
        { id: "import", icon: "💾", label: "Import", requiresAdmin: true },
        { id: "events", icon: "📡", label: "Events" },
        { id: "blossom", icon: "🌸", label: "Blossom" },
+        { id: "bunker", icon: "🔐", label: "Bunker", requiresWrite: true },
        { id: "compose", icon: "✏️", label: "Compose", requiresWrite: true },
        { id: "recovery", icon: "🔄", label: "Recovery" },
        {
@ -2813,6 +2815,14 @@
				@@ -2813,6 +2815,14 @@
                {currentEffectiveRole}
                on:openLoginModal={openLoginModal}
            />
+        {:else if selectedTab === "bunker"}
+            <BunkerView
+                {isLoggedIn}
+                {userPubkey}
+                {userSigner}
+                {currentEffectiveRole}
+                on:openLoginModal={openLoginModal}
+            />
        {:else if selectedTab === "compose"}
            <ComposeView
                bind:composeEventJson
--- a/app/web/src/BunkerView.svelte
+++ b/app/web/src/BunkerView.svelte
@ -0,0 +1,804 @@
				@@ -0,0 +1,804 @@
+<script>
+    import { createEventDispatcher, onMount } from "svelte";
+    import QRCode from "qrcode";
+    import { getWireGuardConfig, regenerateWireGuard, getBunkerURL, fetchWireGuardStatus, getWireGuardAudit } from "./api.js";
+
+    export let isLoggedIn = false;
+    export let userPubkey = "";
+    export let userSigner = null;
+    export let currentEffectiveRole = "";
+
+    const dispatch = createEventDispatcher();
+
+    // State
+    let wgConfig = null;
+    let bunkerInfo = null;
+    let wgStatus = null;
+    let auditData = null;
+    let isLoading = false;
+    let error = "";
+    let wgQrDataUrl = "";
+    let bunkerQrDataUrl = "";
+
+    $: canAccess = isLoggedIn && userPubkey && (
+        currentEffectiveRole === "write" ||
+        currentEffectiveRole === "admin" ||
+        currentEffectiveRole === "owner"
+    );
+
+    let hasLoadedOnce = false;
+
+    onMount(async () => {
+        // Always check status first
+        await checkStatus();
+        if (canAccess && wgStatus?.available && !hasLoadedOnce) {
+            hasLoadedOnce = true;
+            await loadConfig();
+        }
+    });
+
+    $: if (canAccess && wgStatus?.available && !hasLoadedOnce && !isLoading) {
+        hasLoadedOnce = true;
+        loadConfig();
+    }
+
+    async function checkStatus() {
+        try {
+            wgStatus = await fetchWireGuardStatus();
+        } catch (err) {
+            console.error("Error checking WireGuard status:", err);
+            wgStatus = { available: false };
+        }
+    }
+
+    async function loadConfig() {
+        if (!userSigner || !userPubkey) return;
+
+        isLoading = true;
+        error = "";
+
+        try {
+            // Load WireGuard config, bunker URL, and audit data in parallel
+            const [wgResult, bunkerResult, auditResult] = await Promise.all([
+                getWireGuardConfig(userSigner, userPubkey),
+                getBunkerURL(userSigner, userPubkey),
+                getWireGuardAudit(userSigner, userPubkey).catch(() => null)
+            ]);
+
+            wgConfig = wgResult;
+            bunkerInfo = bunkerResult;
+            auditData = auditResult;
+
+            // Generate QR codes
+            if (wgConfig?.config_text) {
+                wgQrDataUrl = await QRCode.toDataURL(wgConfig.config_text, {
+                    width: 256,
+                    margin: 2,
+                    color: { dark: "#000000", light: "#ffffff" }
+                });
+            }
+
+            if (bunkerInfo?.url) {
+                bunkerQrDataUrl = await QRCode.toDataURL(bunkerInfo.url, {
+                    width: 256,
+                    margin: 2,
+                    color: { dark: "#000000", light: "#ffffff" }
+                });
+            }
+        } catch (err) {
+            console.error("Error loading bunker config:", err);
+            error = err.message || "Failed to load configuration";
+        } finally {
+            isLoading = false;
+        }
+    }
+
+    function formatDate(timestamp) {
+        if (!timestamp) return "Never";
+        return new Date(timestamp * 1000).toLocaleString();
+    }
+
+    async function handleRegenerate() {
+        if (!confirm("Regenerate your WireGuard keys? Your current keys will stop working.")) {
+            return;
+        }
+
+        isLoading = true;
+        error = "";
+
+        try {
+            await regenerateWireGuard(userSigner, userPubkey);
+            // Reload config after regeneration
+            hasLoadedOnce = false;
+            await loadConfig();
+        } catch (err) {
+            console.error("Error regenerating keys:", err);
+            error = err.message || "Failed to regenerate keys";
+        } finally {
+            isLoading = false;
+        }
+    }
+
+    function copyToClipboard(text, label) {
+        navigator.clipboard.writeText(text);
+        alert(`${label} copied to clipboard!`);
+    }
+
+    function downloadConfig() {
+        if (!wgConfig?.config_text) return;
+
+        const blob = new Blob([wgConfig.config_text], { type: "text/plain" });
+        const url = URL.createObjectURL(blob);
+        const a = document.createElement("a");
+        a.href = url;
+        a.download = "wg-orly.conf";
+        document.body.appendChild(a);
+        a.click();
+        document.body.removeChild(a);
+        URL.revokeObjectURL(url);
+    }
+
+    function openLoginModal() {
+        dispatch("openLoginModal");
+    }
+</script>
+
+{#if !wgStatus?.available}
+    <div class="bunker-view">
+        <div class="unavailable-message">
+            <h3>Remote Signing Not Available</h3>
+            <p>This relay does not have WireGuard/Bunker enabled, or ACL mode is set to "none".</p>
+            <p class="hint">Remote signing requires the relay operator to enable WireGuard VPN and use ACL mode "follows" or "managed".</p>
+        </div>
+    </div>
+{:else if canAccess}
+    <div class="bunker-view">
+        <div class="header-section">
+            <h3>Remote Signing (Bunker)</h3>
+            <button class="refresh-btn" on:click={loadConfig} disabled={isLoading}>
+                {isLoading ? "Loading..." : "Refresh"}
+            </button>
+        </div>
+
+        {#if error}
+            <div class="error-message">{error}</div>
+        {/if}
+
+        {#if isLoading && !wgConfig}
+            <div class="loading">Loading configuration...</div>
+        {:else if wgConfig}
+            <div class="instructions">
+                <p><strong>How it works:</strong> Connect to the relay's private VPN, then use Amber to sign events remotely.</p>
+            </div>
+
+            <div class="config-sections">
+                <!-- Step 1: WireGuard -->
+                <section class="config-section">
+                    <h4>Step 1: Install WireGuard</h4>
+                    <p class="section-desc">Download the WireGuard app for your device:</p>
+
+                    <div class="client-links">
+                        <a href="https://play.google.com/store/apps/details?id=com.wireguard.android" target="_blank" rel="noopener noreferrer" class="client-link">
+                            <span class="client-icon">Android</span>
+                            <span class="client-store">Google Play</span>
+                        </a>
+                        <a href="https://f-droid.org/packages/com.wireguard.android/" target="_blank" rel="noopener noreferrer" class="client-link">
+                            <span class="client-icon">Android</span>
+                            <span class="client-store">F-Droid</span>
+                        </a>
+                        <a href="https://apps.apple.com/app/wireguard/id1441195209" target="_blank" rel="noopener noreferrer" class="client-link">
+                            <span class="client-icon">iOS</span>
+                            <span class="client-store">App Store</span>
+                        </a>
+                        <a href="https://www.wireguard.com/install/" target="_blank" rel="noopener noreferrer" class="client-link">
+                            <span class="client-icon">Desktop</span>
+                            <span class="client-store">Windows/Mac/Linux</span>
+                        </a>
+                    </div>
+                </section>
+
+                <!-- Step 2: WireGuard Config -->
+                <section class="config-section">
+                    <h4>Step 2: Add VPN Configuration</h4>
+                    <p class="section-desc">Scan this QR code with the WireGuard app:</p>
+
+                    <div class="qr-container">
+                        {#if wgQrDataUrl}
+                            <img src={wgQrDataUrl} alt="WireGuard Configuration QR Code" class="qr-code" />
+                        {:else}
+                            <div class="qr-placeholder">Generating QR...</div>
+                        {/if}
+                    </div>
+
+                    <div class="config-actions">
+                        <button on:click={() => copyToClipboard(wgConfig.config_text, "Config")}>Copy Config</button>
+                        <button on:click={downloadConfig}>Download .conf</button>
+                    </div>
+
+                    <details class="config-text-details">
+                        <summary>Show raw config</summary>
+                        <pre class="config-text">{wgConfig.config_text}</pre>
+                    </details>
+                </section>
+
+                <!-- Step 3: Connect VPN -->
+                <section class="config-section">
+                    <h4>Step 3: Connect to VPN</h4>
+                    <p class="section-desc">After importing the config, toggle the VPN connection ON in the WireGuard app.</p>
+                    <div class="ip-info">
+                        <span class="label">Your VPN IP:</span>
+                        <code>{wgConfig.interface.address}</code>
+                    </div>
+                </section>
+
+                <!-- Step 4: Bunker URL -->
+                {#if bunkerInfo}
+                    <section class="config-section">
+                        <h4>Step 4: Add Bunker to Amber</h4>
+                        <p class="section-desc">With VPN connected, scan this QR code in <a href="https://github.com/greenart7c3/Amber" target="_blank" rel="noopener noreferrer">Amber</a>:</p>
+
+                        <div class="qr-container">
+                            {#if bunkerQrDataUrl}
+                                <img src={bunkerQrDataUrl} alt="Bunker URL QR Code" class="qr-code" />
+                            {:else}
+                                <div class="qr-placeholder">Generating QR...</div>
+                            {/if}
+                        </div>
+
+                        <div class="bunker-url-container">
+                            <code class="bunker-url">{bunkerInfo.url}</code>
+                            <button on:click={() => copyToClipboard(bunkerInfo.url, "Bunker URL")}>Copy</button>
+                        </div>
+
+                        <div class="relay-info">
+                            <span class="label">Relay npub:</span>
+                            <code class="npub">{bunkerInfo.relay_npub}</code>
+                        </div>
+                    </section>
+                {/if}
+
+                <!-- Amber links -->
+                <section class="config-section">
+                    <h4>Get Amber (NIP-46 Signer)</h4>
+                    <p class="section-desc">Amber is an Android app for secure remote signing:</p>
+
+                    <div class="client-links">
+                        <a href="https://play.google.com/store/apps/details?id=com.greenart7c3.nostrsigner" target="_blank" rel="noopener noreferrer" class="client-link">
+                            <span class="client-icon">Amber</span>
+                            <span class="client-store">Google Play</span>
+                        </a>
+                        <a href="https://github.com/greenart7c3/Amber/releases" target="_blank" rel="noopener noreferrer" class="client-link">
+                            <span class="client-icon">Amber</span>
+                            <span class="client-store">GitHub APK</span>
+                        </a>
+                    </div>
+                </section>
+            </div>
+
+            <!-- Danger zone -->
+            <div class="danger-zone">
+                <h4>Danger Zone</h4>
+                <p>Regenerate your WireGuard keys if you believe they've been compromised.</p>
+                <button class="danger-btn" on:click={handleRegenerate} disabled={isLoading}>
+                    Regenerate Keys
+                </button>
+            </div>
+
+            <!-- Audit Log Section -->
+            {#if auditData && (auditData.revoked_keys?.length > 0 || auditData.access_logs?.length > 0)}
+                <div class="audit-section">
+                    <h4>Key History & Access Log</h4>
+                    <p class="audit-desc">Monitor activity on your old WireGuard keys. High access counts might indicate you left something connected or someone copied your credentials.</p>
+
+                    {#if auditData.revoked_keys?.length > 0}
+                        <div class="audit-subsection">
+                            <h5>Revoked Keys</h5>
+                            <div class="audit-table-container">
+                                <table class="audit-table">
+                                    <thead>
+                                        <tr>
+                                            <th>Client IP</th>
+                                            <th>Created</th>
+                                            <th>Revoked</th>
+                                            <th>Access Count</th>
+                                            <th>Last Access</th>
+                                        </tr>
+                                    </thead>
+                                    <tbody>
+                                        {#each auditData.revoked_keys as key}
+                                            <tr class:warning={key.access_count > 0}>
+                                                <td><code>{key.client_ip}</code></td>
+                                                <td>{formatDate(key.created_at)}</td>
+                                                <td>{formatDate(key.revoked_at)}</td>
+                                                <td class:highlight={key.access_count > 0}>{key.access_count}</td>
+                                                <td>{formatDate(key.last_access_at)}</td>
+                                            </tr>
+                                        {/each}
+                                    </tbody>
+                                </table>
+                            </div>
+                        </div>
+                    {/if}
+
+                    {#if auditData.access_logs?.length > 0}
+                        <div class="audit-subsection">
+                            <h5>Recent Access Attempts (Obsolete Addresses)</h5>
+                            <div class="audit-table-container">
+                                <table class="audit-table">
+                                    <thead>
+                                        <tr>
+                                            <th>Client IP</th>
+                                            <th>Time</th>
+                                            <th>Remote Address</th>
+                                        </tr>
+                                    </thead>
+                                    <tbody>
+                                        {#each auditData.access_logs as log}
+                                            <tr>
+                                                <td><code>{log.client_ip}</code></td>
+                                                <td>{formatDate(log.timestamp)}</td>
+                                                <td><code>{log.remote_addr}</code></td>
+                                            </tr>
+                                        {/each}
+                                    </tbody>
+                                </table>
+                            </div>
+                        </div>
+                    {/if}
+                </div>
+            {/if}
+        {/if}
+    </div>
+{:else if isLoggedIn}
+    <div class="bunker-view">
+        <div class="access-denied">
+            <h3>Access Denied</h3>
+            <p>You need write access to use remote signing. Your current access level: <strong>{currentEffectiveRole || "read-only"}</strong></p>
+        </div>
+    </div>
+{:else}
+    <div class="login-prompt">
+        <p>Please log in to access remote signing.</p>
+        <button class="login-btn" on:click={openLoginModal}>Log In</button>
+    </div>
+{/if}
+
+<style>
+    .bunker-view {
+        padding: 1em;
+        box-sizing: border-box;
+    }
+
+    .header-section {
+        display: flex;
+        justify-content: space-between;
+        align-items: center;
+        margin-bottom: 1em;
+    }
+
+    .header-section h3 {
+        margin: 0;
+        color: var(--text-color);
+    }
+
+    .refresh-btn {
+        background-color: var(--primary);
+        color: var(--text-color);
+        border: none;
+        padding: 0.5em 1em;
+        border-radius: 4px;
+        cursor: pointer;
+        font-size: 0.9em;
+    }
+
+    .refresh-btn:hover:not(:disabled) {
+        background-color: var(--accent-hover-color);
+    }
+
+    .refresh-btn:disabled {
+        opacity: 0.6;
+        cursor: not-allowed;
+    }
+
+    .error-message {
+        background-color: var(--warning);
+        color: var(--text-color);
+        padding: 0.75em 1em;
+        border-radius: 4px;
+        margin-bottom: 1em;
+    }
+
+    .loading {
+        text-align: center;
+        padding: 2em;
+        color: var(--text-color);
+        opacity: 0.7;
+    }
+
+    .instructions {
+        background-color: var(--card-bg);
+        padding: 1em;
+        border-radius: 6px;
+        margin-bottom: 1.5em;
+    }
+
+    .instructions p {
+        margin: 0;
+        color: var(--text-color);
+    }
+
+    .config-sections {
+        display: flex;
+        flex-direction: column;
+        gap: 1.5em;
+    }
+
+    .config-section {
+        background-color: var(--card-bg);
+        padding: 1.25em;
+        border-radius: 8px;
+    }
+
+    .config-section h4 {
+        margin: 0 0 0.5em 0;
+        color: var(--text-color);
+    }
+
+    .section-desc {
+        margin: 0 0 1em 0;
+        color: var(--text-color);
+        opacity: 0.8;
+        font-size: 0.95em;
+    }
+
+    .section-desc a {
+        color: var(--primary);
+    }
+
+    .client-links {
+        display: flex;
+        flex-wrap: wrap;
+        gap: 0.75em;
+    }
+
+    .client-link {
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        padding: 0.75em 1em;
+        background-color: var(--bg-color);
+        border: 1px solid var(--border-color);
+        border-radius: 6px;
+        text-decoration: none;
+        color: var(--text-color);
+        transition: border-color 0.2s, background-color 0.2s;
+        min-width: 100px;
+    }
+
+    .client-link:hover {
+        border-color: var(--primary);
+        background-color: var(--sidebar-bg);
+    }
+
+    .client-icon {
+        font-weight: 500;
+        margin-bottom: 0.25em;
+    }
+
+    .client-store {
+        font-size: 0.8em;
+        opacity: 0.7;
+    }
+
+    .qr-container {
+        display: flex;
+        justify-content: center;
+        margin: 1em 0;
+    }
+
+    .qr-code {
+        border-radius: 8px;
+        background: white;
+        padding: 8px;
+    }
+
+    .qr-placeholder {
+        width: 256px;
+        height: 256px;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        background-color: var(--bg-color);
+        border-radius: 8px;
+        color: var(--text-color);
+        opacity: 0.5;
+    }
+
+    .config-actions {
+        display: flex;
+        justify-content: center;
+        gap: 0.75em;
+        margin-top: 1em;
+    }
+
+    .config-actions button {
+        padding: 0.5em 1em;
+        background-color: var(--primary);
+        color: var(--text-color);
+        border: none;
+        border-radius: 4px;
+        cursor: pointer;
+        font-size: 0.9em;
+    }
+
+    .config-actions button:hover {
+        background-color: var(--accent-hover-color);
+    }
+
+    .config-text-details {
+        margin-top: 1em;
+    }
+
+    .config-text-details summary {
+        cursor: pointer;
+        color: var(--text-color);
+        opacity: 0.8;
+        font-size: 0.9em;
+    }
+
+    .config-text {
+        margin-top: 0.5em;
+        padding: 1em;
+        background-color: var(--bg-color);
+        border-radius: 4px;
+        font-size: 0.85em;
+        overflow-x: auto;
+        white-space: pre;
+        color: var(--text-color);
+    }
+
+    .ip-info, .relay-info {
+        display: flex;
+        align-items: center;
+        gap: 0.5em;
+        margin-top: 0.5em;
+    }
+
+    .label {
+        color: var(--text-color);
+        opacity: 0.7;
+    }
+
+    code {
+        font-family: monospace;
+        padding: 0.25em 0.5em;
+        background-color: var(--bg-color);
+        border-radius: 4px;
+        color: var(--text-color);
+    }
+
+    .bunker-url-container {
+        display: flex;
+        align-items: center;
+        gap: 0.5em;
+        justify-content: center;
+        flex-wrap: wrap;
+    }
+
+    .bunker-url {
+        word-break: break-all;
+        max-width: 400px;
+    }
+
+    .bunker-url-container button {
+        padding: 0.4em 0.8em;
+        background-color: var(--primary);
+        color: var(--text-color);
+        border: none;
+        border-radius: 4px;
+        cursor: pointer;
+        font-size: 0.85em;
+    }
+
+    .bunker-url-container button:hover {
+        background-color: var(--accent-hover-color);
+    }
+
+    .npub {
+        word-break: break-all;
+        font-size: 0.85em;
+    }
+
+    .danger-zone {
+        margin-top: 2em;
+        padding: 1.25em;
+        border: 1px solid var(--warning);
+        border-radius: 8px;
+        background-color: rgba(255, 100, 100, 0.05);
+    }
+
+    .danger-zone h4 {
+        margin: 0 0 0.5em 0;
+        color: var(--warning);
+    }
+
+    .danger-zone p {
+        margin: 0 0 1em 0;
+        color: var(--text-color);
+        opacity: 0.8;
+        font-size: 0.95em;
+    }
+
+    .danger-btn {
+        background-color: transparent;
+        border: 1px solid var(--warning);
+        color: var(--warning);
+        padding: 0.5em 1em;
+        border-radius: 4px;
+        cursor: pointer;
+        font-size: 0.9em;
+    }
+
+    .danger-btn:hover:not(:disabled) {
+        background-color: var(--warning);
+        color: var(--text-color);
+    }
+
+    .danger-btn:disabled {
+        opacity: 0.5;
+        cursor: not-allowed;
+    }
+
+    .unavailable-message, .access-denied {
+        text-align: center;
+        padding: 2em;
+        background-color: var(--card-bg);
+        border-radius: 8px;
+    }
+
+    .unavailable-message h3, .access-denied h3 {
+        margin: 0 0 0.5em 0;
+        color: var(--text-color);
+    }
+
+    .unavailable-message p, .access-denied p {
+        margin: 0.5em 0;
+        color: var(--text-color);
+        opacity: 0.8;
+    }
+
+    .hint {
+        font-size: 0.9em;
+        opacity: 0.6 !important;
+    }
+
+    .login-prompt {
+        text-align: center;
+        padding: 2em;
+        background-color: var(--card-bg);
+        border-radius: 8px;
+        border: 1px solid var(--border-color);
+        max-width: 32em;
+        margin: 1em;
+    }
+
+    .login-prompt p {
+        margin: 0 0 1.5rem 0;
+        color: var(--text-color);
+        font-size: 1.1rem;
+    }
+
+    .login-btn {
+        background-color: var(--primary);
+        color: var(--text-color);
+        border: none;
+        padding: 0.75em 1.5em;
+        border-radius: 4px;
+        cursor: pointer;
+        font-weight: bold;
+        font-size: 0.9em;
+    }
+
+    .login-btn:hover {
+        background-color: var(--accent-hover-color);
+    }
+
+    /* Audit section styles */
+    .audit-section {
+        margin-top: 2em;
+        padding: 1.25em;
+        border: 1px solid var(--border-color);
+        border-radius: 8px;
+        background-color: var(--card-bg);
+    }
+
+    .audit-section h4 {
+        margin: 0 0 0.5em 0;
+        color: var(--text-color);
+    }
+
+    .audit-desc {
+        margin: 0 0 1em 0;
+        color: var(--text-color);
+        opacity: 0.8;
+        font-size: 0.9em;
+    }
+
+    .audit-subsection {
+        margin-bottom: 1.5em;
+    }
+
+    .audit-subsection:last-child {
+        margin-bottom: 0;
+    }
+
+    .audit-subsection h5 {
+        margin: 0 0 0.5em 0;
+        color: var(--text-color);
+        font-size: 0.95em;
+    }
+
+    .audit-table-container {
+        overflow-x: auto;
+    }
+
+    .audit-table {
+        width: 100%;
+        border-collapse: collapse;
+        font-size: 0.85em;
+    }
+
+    .audit-table th,
+    .audit-table td {
+        padding: 0.5em 0.75em;
+        text-align: left;
+        border-bottom: 1px solid var(--border-color);
+    }
+
+    .audit-table th {
+        background-color: var(--bg-color);
+        color: var(--text-color);
+        font-weight: 500;
+    }
+
+    .audit-table td {
+        color: var(--text-color);
+    }
+
+    .audit-table td code {
+        font-size: 0.9em;
+        padding: 0.15em 0.3em;
+    }
+
+    .audit-table tr.warning {
+        background-color: rgba(255, 100, 100, 0.1);
+    }
+
+    .audit-table td.highlight {
+        color: var(--warning);
+        font-weight: 600;
+    }
+
+    @media (max-width: 600px) {
+        .client-links {
+            flex-direction: column;
+        }
+
+        .client-link {
+            width: 100%;
+        }
+
+        .bunker-url {
+            font-size: 0.75em;
+        }
+
+        .audit-table {
+            font-size: 0.75em;
+        }
+
+        .audit-table th,
+        .audit-table td {
+            padding: 0.4em 0.5em;
+        }
+    }
+</style>
--- a/app/web/src/api.js
+++ b/app/web/src/api.js
@ -391,3 +391,98 @@ export async function importEvents(signer, pubkey, file) {
				@@ -391,3 +391,98 @@ export async function importEvents(signer, pubkey, file) {
    if (!response.ok) throw new Error(`Import failed: ${response.statusText}`);
    return await response.json();
 }
+
+// ==================== WireGuard/Bunker API ====================
+
+/**
+ * Fetch WireGuard status
+ * @returns {Promise<object>} WireGuard status
+ */
+export async function fetchWireGuardStatus() {
+    try {
+        const response = await fetch(`${window.location.origin}/api/wireguard/status`);
+        if (response.ok) {
+            return await response.json();
+        }
+    } catch (error) {
+        console.error("Error fetching WireGuard status:", error);
+    }
+    return { wireguard_enabled: false, bunker_enabled: false, available: false };
+}
+
+/**
+ * Get WireGuard configuration for the authenticated user
+ * @param {object} signer - The signer instance
+ * @param {string} pubkey - User's pubkey
+ * @returns {Promise<object>} WireGuard config
+ */
+export async function getWireGuardConfig(signer, pubkey) {
+    const url = `${window.location.origin}/api/wireguard/config`;
+    const authHeader = await createNIP98Auth(signer, pubkey, "GET", url);
+    const response = await fetch(url, {
+        headers: authHeader ? { Authorization: `Nostr ${authHeader}` } : {},
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(error || `Failed to get WireGuard config: ${response.statusText}`);
+    }
+    return await response.json();
+}
+
+/**
+ * Regenerate WireGuard keypair for the authenticated user
+ * @param {object} signer - The signer instance
+ * @param {string} pubkey - User's pubkey
+ * @returns {Promise<object>} Regeneration result
+ */
+export async function regenerateWireGuard(signer, pubkey) {
+    const url = `${window.location.origin}/api/wireguard/regenerate`;
+    const authHeader = await createNIP98Auth(signer, pubkey, "POST", url);
+    const response = await fetch(url, {
+        method: "POST",
+        headers: authHeader ? { Authorization: `Nostr ${authHeader}` } : {},
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(error || `Failed to regenerate WireGuard: ${response.statusText}`);
+    }
+    return await response.json();
+}
+
+/**
+ * Get Bunker URL for the authenticated user
+ * @param {object} signer - The signer instance
+ * @param {string} pubkey - User's pubkey
+ * @returns {Promise<object>} Bunker URL info
+ */
+export async function getBunkerURL(signer, pubkey) {
+    const url = `${window.location.origin}/api/bunker/url`;
+    const authHeader = await createNIP98Auth(signer, pubkey, "GET", url);
+    const response = await fetch(url, {
+        headers: authHeader ? { Authorization: `Nostr ${authHeader}` } : {},
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(error || `Failed to get bunker URL: ${response.statusText}`);
+    }
+    return await response.json();
+}
+
+/**
+ * Get WireGuard audit log (revoked keys and access attempts)
+ * @param {object} signer - The signer instance
+ * @param {string} pubkey - User's pubkey
+ * @returns {Promise<object>} Audit data with revoked_keys and access_logs
+ */
+export async function getWireGuardAudit(signer, pubkey) {
+    const url = `${window.location.origin}/api/wireguard/audit`;
+    const authHeader = await createNIP98Auth(signer, pubkey, "GET", url);
+    const response = await fetch(url, {
+        headers: authHeader ? { Authorization: `Nostr ${authHeader}` } : {},
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(error || `Failed to get audit log: ${response.statusText}`);
+    }
+    return await response.json();
+}
--- a/app/wireguard-helpers.go
+++ b/app/wireguard-helpers.go
@ -0,0 +1,19 @@
				@@ -0,0 +1,19 @@
+package app
+
+import (
+	"golang.org/x/crypto/curve25519"
+
+	"git.mleku.dev/mleku/nostr/crypto/keys"
+)
+
+// derivePublicKey derives a Curve25519 public key from a private key.
+func derivePublicKey(privateKey []byte) ([]byte, error) {
+	publicKey := make([]byte, 32)
+	curve25519.ScalarBaseMult((*[32]byte)(publicKey), (*[32]byte)(privateKey))
+	return publicKey, nil
+}
+
+// deriveSecp256k1PublicKey derives a secp256k1 public key from a secret key.
+func deriveSecp256k1PublicKey(secretKey []byte) ([]byte, error) {
+	return keys.SecretBytesToPubKeyBytes(secretKey)
+}
--- a/go.mod
+++ b/go.mod
@ -49,6 +49,7 @@ require (
				@@ -49,6 +49,7 @@ require (
 	github.com/felixge/fgprof v0.9.5 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/google/btree v1.1.2 // indirect
 	github.com/google/flatbuffers v25.9.23+incompatible // indirect
 	github.com/google/pprof v0.0.0-20251007162407-5df77e3f7d1d // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@ -78,9 +79,13 @@ require (
				@@ -78,9 +79,13 @@ require (
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.40.0 // indirect
+	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
+	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c // indirect
 	p256k1.mleku.dev v1.0.3 // indirect
 )

--- a/go.sum
+++ b/go.sum
@ -66,6 +66,8 @@ github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre
				@@ -66,6 +66,8 @@ github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
+github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
+github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/flatbuffers v25.9.23+incompatible h1:rGZKv+wOb6QPzIdkM2KxhBZCDrA0DeN6DNmRDrqIsQU=
 github.com/google/flatbuffers v25.9.23+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@ -199,12 +201,18 @@ golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
				@@ -199,12 +201,18 @@ golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
 golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
 golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
 golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
+golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
+golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
 google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
 google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@ -213,6 +221,8 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
				@@ -213,6 +221,8 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c h1:m/r7OM+Y2Ty1sgBQ7Qb27VgIMBW8ZZhT4gLnUyDIhzI=
+gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g=
 honnef.co/go/tools v0.6.1 h1:R094WgE8K4JirYjBaOpz/AvTyUu/3wbmAoskKN/pxTI=
 honnef.co/go/tools v0.6.1/go.mod h1:3puzxxljPCe8RGJX7BIy1plGbxEOZni5mR2aXe3/uk4=
 lol.mleku.dev v1.0.5 h1:irwfwz+Scv74G/2OXmv05YFKOzUNOVZ735EAkYgjgM8=
--- a/pkg/bunker/server.go
+++ b/pkg/bunker/server.go
@ -0,0 +1,182 @@
				@@ -0,0 +1,182 @@
+// Package bunker provides a NIP-46 remote signing service that listens
+// only on the WireGuard VPN network for secure access.
+package bunker
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/gorilla/websocket"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+	"lol.mleku.dev/chk"
+	"lol.mleku.dev/log"
+
+	"git.mleku.dev/mleku/nostr/interfaces/signer"
+)
+
+var upgrader = websocket.Upgrader{
+	ReadBufferSize:  4096,
+	WriteBufferSize: 4096,
+	CheckOrigin:     func(r *http.Request) bool { return true },
+}
+
+// Server is the NIP-46 bunker server.
+type Server struct {
+	relaySigner signer.I      // Relay's signer for signing events
+	relayPubkey []byte        // Relay's public key
+	netstack    *netstack.Net // WireGuard netstack for listening
+	listenAddr  string        // e.g., "10.73.0.1:3335"
+
+	sessions   map[string]*Session // Connection ID -> Session
+	sessionsMu sync.RWMutex
+
+	server *http.Server
+	ctx    context.Context
+	cancel context.CancelFunc
+	wg     sync.WaitGroup
+}
+
+// Config holds bunker server configuration.
+type Config struct {
+	RelaySigner signer.I
+	RelayPubkey []byte
+	Netstack    *netstack.Net
+	ListenAddr  string // IP:port on WireGuard network
+}
+
+// New creates a new bunker server.
+func New(cfg *Config) *Server {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	return &Server{
+		relaySigner: cfg.RelaySigner,
+		relayPubkey: cfg.RelayPubkey,
+		netstack:    cfg.Netstack,
+		listenAddr:  cfg.ListenAddr,
+		sessions:    make(map[string]*Session),
+		ctx:         ctx,
+		cancel:      cancel,
+	}
+}
+
+// Start begins listening for bunker connections on the WireGuard network.
+func (s *Server) Start() error {
+	// Parse listen address
+	host, port, err := net.SplitHostPort(s.listenAddr)
+	if err != nil {
+		return fmt.Errorf("invalid listen address: %w", err)
+	}
+
+	ip := net.ParseIP(host)
+	if ip == nil {
+		return fmt.Errorf("invalid IP address: %s", host)
+	}
+
+	portNum := 0
+	if _, err := fmt.Sscanf(port, "%d", &portNum); err != nil {
+		return fmt.Errorf("invalid port: %s", port)
+	}
+
+	// Create TCP listener on netstack (WireGuard network only)
+	listener, err := s.netstack.ListenTCP(&net.TCPAddr{
+		IP:   ip,
+		Port: portNum,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to listen on netstack: %w", err)
+	}
+
+	// Create HTTP server with WebSocket handler
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", s.handleWebSocket)
+
+	s.server = &http.Server{
+		Handler:      mux,
+		ReadTimeout:  30 * time.Second,
+		WriteTimeout: 30 * time.Second,
+		IdleTimeout:  120 * time.Second,
+	}
+
+	s.wg.Add(1)
+	go func() {
+		defer s.wg.Done()
+		if err := s.server.Serve(listener); err != nil && err != http.ErrServerClosed {
+			log.E.F("bunker server error: %v", err)
+		}
+	}()
+
+	log.I.F("NIP-46 bunker server started on %s (WireGuard only)", s.listenAddr)
+	return nil
+}
+
+// Stop shuts down the bunker server.
+func (s *Server) Stop() error {
+	s.cancel()
+
+	if s.server != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		if err := s.server.Shutdown(ctx); chk.E(err) {
+			return err
+		}
+	}
+
+	s.wg.Wait()
+	log.I.F("NIP-46 bunker server stopped")
+	return nil
+}
+
+// handleWebSocket handles WebSocket connections for NIP-46.
+func (s *Server) handleWebSocket(w http.ResponseWriter, r *http.Request) {
+	conn, err := upgrader.Upgrade(w, r, nil)
+	if err != nil {
+		log.E.F("bunker websocket upgrade failed: %v", err)
+		return
+	}
+
+	session := NewSession(s.ctx, conn, s.relaySigner, s.relayPubkey)
+
+	// Register session
+	s.sessionsMu.Lock()
+	s.sessions[session.ID] = session
+	s.sessionsMu.Unlock()
+
+	// Handle session
+	session.Handle()
+
+	// Unregister session
+	s.sessionsMu.Lock()
+	delete(s.sessions, session.ID)
+	s.sessionsMu.Unlock()
+}
+
+// SessionCount returns the number of active sessions.
+func (s *Server) SessionCount() int {
+	s.sessionsMu.RLock()
+	defer s.sessionsMu.RUnlock()
+	return len(s.sessions)
+}
+
+// RelayPubkeyHex returns the relay's public key as hex.
+func (s *Server) RelayPubkeyHex() string {
+	return fmt.Sprintf("%x", s.relayPubkey)
+}
+
+// NIP46Request represents a NIP-46 request from a client.
+type NIP46Request struct {
+	ID     string          `json:"id"`
+	Method string          `json:"method"`
+	Params json.RawMessage `json:"params"`
+}
+
+// NIP46Response represents a NIP-46 response to a client.
+type NIP46Response struct {
+	ID     string `json:"id"`
+	Result any    `json:"result,omitempty"`
+	Error  string `json:"error,omitempty"`
+}
--- a/pkg/bunker/session.go
+++ b/pkg/bunker/session.go
@ -0,0 +1,240 @@
				@@ -0,0 +1,240 @@
+package bunker
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/gorilla/websocket"
+	"lukechampine.com/frand"
+	"lol.mleku.dev/log"
+
+	"git.mleku.dev/mleku/nostr/encoders/event"
+	"git.mleku.dev/mleku/nostr/encoders/hex"
+	"git.mleku.dev/mleku/nostr/encoders/timestamp"
+	"git.mleku.dev/mleku/nostr/interfaces/signer"
+)
+
+// NIP-46 method names
+const (
+	MethodConnect      = "connect"
+	MethodGetPublicKey = "get_public_key"
+	MethodSignEvent    = "sign_event"
+	MethodNIP04Encrypt = "nip04_encrypt"
+	MethodNIP04Decrypt = "nip04_decrypt"
+	MethodNIP44Encrypt = "nip44_encrypt"
+	MethodNIP44Decrypt = "nip44_decrypt"
+	MethodPing         = "ping"
+)
+
+// Session represents a NIP-46 client session.
+type Session struct {
+	ID            string
+	conn          *websocket.Conn
+	ctx           context.Context
+	cancel        context.CancelFunc
+	relaySigner   signer.I
+	relayPubkey   []byte
+	authenticated bool
+	clientPubkey  []byte // Client's pubkey after connect
+}
+
+// NewSession creates a new bunker session.
+func NewSession(parentCtx context.Context, conn *websocket.Conn, relaySigner signer.I, relayPubkey []byte) *Session {
+	ctx, cancel := context.WithCancel(parentCtx)
+
+	// Generate random session ID
+	idBytes := make([]byte, 16)
+	frand.Read(idBytes)
+
+	return &Session{
+		ID:          hex.Enc(idBytes),
+		conn:        conn,
+		ctx:         ctx,
+		cancel:      cancel,
+		relaySigner: relaySigner,
+		relayPubkey: relayPubkey,
+	}
+}
+
+// Handle processes messages from the client.
+func (s *Session) Handle() {
+	defer s.conn.Close()
+	defer s.cancel()
+
+	log.D.F("bunker session started: %s", s.ID[:8])
+
+	for {
+		select {
+		case <-s.ctx.Done():
+			return
+		default:
+		}
+
+		// Set read deadline
+		s.conn.SetReadDeadline(time.Now().Add(60 * time.Second))
+
+		// Read message
+		_, msg, err := s.conn.ReadMessage()
+		if err != nil {
+			if websocket.IsCloseError(err, websocket.CloseNormalClosure, websocket.CloseGoingAway) {
+				log.D.F("bunker session closed normally: %s", s.ID[:8])
+			} else {
+				log.D.F("bunker session read error: %v", err)
+			}
+			return
+		}
+
+		// Parse request
+		var req NIP46Request
+		if err := json.Unmarshal(msg, &req); err != nil {
+			s.sendError("", "invalid request format")
+			continue
+		}
+
+		// Handle request
+		resp := s.handleRequest(&req)
+		s.sendResponse(resp)
+	}
+}
+
+// handleRequest processes a NIP-46 request.
+func (s *Session) handleRequest(req *NIP46Request) *NIP46Response {
+	switch req.Method {
+	case MethodConnect:
+		return s.handleConnect(req)
+	case MethodGetPublicKey:
+		return s.handleGetPublicKey(req)
+	case MethodSignEvent:
+		return s.handleSignEvent(req)
+	case MethodPing:
+		return s.handlePing(req)
+	case MethodNIP44Encrypt, MethodNIP44Decrypt, MethodNIP04Encrypt, MethodNIP04Decrypt:
+		// Encryption/decryption not supported in this bunker implementation
+		return &NIP46Response{
+			ID:    req.ID,
+			Error: "encryption methods not supported",
+		}
+	default:
+		return &NIP46Response{
+			ID:    req.ID,
+			Error: fmt.Sprintf("unsupported method: %s", req.Method),
+		}
+	}
+}
+
+// handleConnect handles the connect method.
+func (s *Session) handleConnect(req *NIP46Request) *NIP46Response {
+	// Parse params: [pubkey, secret?]
+	var params []string
+	if err := json.Unmarshal(req.Params, &params); err != nil {
+		return &NIP46Response{ID: req.ID, Error: "invalid params"}
+	}
+
+	if len(params) < 1 {
+		return &NIP46Response{ID: req.ID, Error: "missing pubkey"}
+	}
+
+	pubkeyHex := params[0]
+	clientPubkey, err := hex.Dec(pubkeyHex)
+	if err != nil || len(clientPubkey) != 32 {
+		return &NIP46Response{ID: req.ID, Error: "invalid pubkey"}
+	}
+
+	s.clientPubkey = clientPubkey
+	s.authenticated = true
+
+	log.I.F("bunker session authenticated: %s (client=%s...)",
+		s.ID[:8], pubkeyHex[:16])
+
+	return &NIP46Response{
+		ID:     req.ID,
+		Result: "ack",
+	}
+}
+
+// handleGetPublicKey returns the relay's public key.
+func (s *Session) handleGetPublicKey(req *NIP46Request) *NIP46Response {
+	return &NIP46Response{
+		ID:     req.ID,
+		Result: hex.Enc(s.relayPubkey),
+	}
+}
+
+// handleSignEvent signs an event with the relay's key.
+func (s *Session) handleSignEvent(req *NIP46Request) *NIP46Response {
+	if !s.authenticated {
+		return &NIP46Response{ID: req.ID, Error: "not authenticated"}
+	}
+
+	// Parse event from params
+	var params []json.RawMessage
+	if err := json.Unmarshal(req.Params, &params); err != nil {
+		return &NIP46Response{ID: req.ID, Error: "invalid params"}
+	}
+
+	if len(params) < 1 {
+		return &NIP46Response{ID: req.ID, Error: "missing event"}
+	}
+
+	// Parse the event
+	ev := &event.E{}
+	if err := json.Unmarshal(params[0], ev); err != nil {
+		return &NIP46Response{ID: req.ID, Error: "invalid event"}
+	}
+
+	// Set pubkey to relay's pubkey
+	copy(ev.Pubkey[:], s.relayPubkey)
+
+	// Set created_at if not set
+	if ev.CreatedAt == 0 {
+		ev.CreatedAt = timestamp.Now().V
+	}
+
+	// Sign the event
+	if err := ev.Sign(s.relaySigner); err != nil {
+		return &NIP46Response{ID: req.ID, Error: fmt.Sprintf("signing failed: %v", err)}
+	}
+
+	// Return signed event as JSON
+	signedJSON, err := json.Marshal(ev)
+	if err != nil {
+		return &NIP46Response{ID: req.ID, Error: "marshal failed"}
+	}
+
+	return &NIP46Response{
+		ID:     req.ID,
+		Result: string(signedJSON),
+	}
+}
+
+// handlePing responds to ping requests.
+func (s *Session) handlePing(req *NIP46Request) *NIP46Response {
+	return &NIP46Response{
+		ID:     req.ID,
+		Result: "pong",
+	}
+}
+
+// sendResponse sends a response to the client.
+func (s *Session) sendResponse(resp *NIP46Response) {
+	data, err := json.Marshal(resp)
+	if err != nil {
+		log.E.F("bunker marshal error: %v", err)
+		return
+	}
+
+	s.conn.SetWriteDeadline(time.Now().Add(10 * time.Second))
+	if err := s.conn.WriteMessage(websocket.TextMessage, data); err != nil {
+		log.E.F("bunker write error: %v", err)
+	}
+}
+
+// sendError sends an error response.
+func (s *Session) sendError(id, msg string) {
+	s.sendResponse(&NIP46Response{
+		ID:    id,
+		Error: msg,
+	})
+}
--- a/pkg/database/wireguard.go
+++ b/pkg/database/wireguard.go
@ -0,0 +1,591 @@
				@@ -0,0 +1,591 @@
+//go:build !(js && wasm)
+
+package database
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/dgraph-io/badger/v4"
+	"lol.mleku.dev/chk"
+	"lol.mleku.dev/log"
+
+	"git.mleku.dev/mleku/nostr/encoders/hex"
+	"next.orly.dev/pkg/wireguard"
+)
+
+// Key prefixes for WireGuard data
+const (
+	wgServerKeyPrefix  = "wg:server:key"  // Server's WireGuard private key
+	wgSubnetSeedPrefix = "wg:subnet:seed" // Seed for deterministic subnet generation
+	wgPeerPrefix       = "wg:peer:"       // Peer data by Nostr pubkey hex
+	wgSequenceKey      = "wg:seq"         // Badger sequence key for subnet allocation
+	wgRevokedPrefix    = "wg:revoked:"    // Revoked keypairs by Nostr pubkey hex
+	wgAccessLogPrefix  = "wg:accesslog:"  // Access log for obsolete addresses
+)
+
+// WireGuardPeer stores WireGuard peer information in the database.
+type WireGuardPeer struct {
+	NostrPubkey  []byte `json:"nostr_pubkey"`   // User's Nostr pubkey (32 bytes)
+	WGPrivateKey []byte `json:"wg_private_key"` // WireGuard private key (32 bytes)
+	WGPublicKey  []byte `json:"wg_public_key"`  // WireGuard public key (32 bytes)
+	Sequence     uint32 `json:"sequence"`       // Sequence number for subnet derivation
+	CreatedAt    int64  `json:"created_at"`     // Unix timestamp
+}
+
+// WireGuardRevokedKey stores a revoked/old WireGuard keypair for audit purposes.
+type WireGuardRevokedKey struct {
+	NostrPubkey  []byte `json:"nostr_pubkey"`   // User's Nostr pubkey (32 bytes)
+	WGPublicKey  []byte `json:"wg_public_key"`  // Revoked WireGuard public key (32 bytes)
+	Sequence     uint32 `json:"sequence"`       // Sequence number (subnet)
+	CreatedAt    int64  `json:"created_at"`     // When the key was originally created
+	RevokedAt    int64  `json:"revoked_at"`     // When the key was revoked
+	AccessCount  int    `json:"access_count"`   // Number of access attempts since revocation
+	LastAccessAt int64  `json:"last_access_at"` // Last access attempt timestamp (0 if never)
+}
+
+// WireGuardAccessLog records an access attempt to an obsolete address.
+type WireGuardAccessLog struct {
+	NostrPubkey []byte `json:"nostr_pubkey"`  // User's Nostr pubkey
+	WGPublicKey []byte `json:"wg_public_key"` // The obsolete public key used
+	Sequence    uint32 `json:"sequence"`      // Subnet sequence
+	Timestamp   int64  `json:"timestamp"`     // When the access occurred
+	RemoteAddr  string `json:"remote_addr"`   // Remote IP address
+}
+
+// ServerIP returns the derived server IP for this peer's subnet.
+func (p *WireGuardPeer) ServerIP(pool *wireguard.SubnetPool) string {
+	subnet := pool.SubnetForSequence(p.Sequence)
+	return subnet.ServerIP.String()
+}
+
+// ClientIP returns the derived client IP for this peer's subnet.
+func (p *WireGuardPeer) ClientIP(pool *wireguard.SubnetPool) string {
+	subnet := pool.SubnetForSequence(p.Sequence)
+	return subnet.ClientIP.String()
+}
+
+// GetWireGuardServerKey retrieves the WireGuard server private key.
+func (d *D) GetWireGuardServerKey() (key []byte, err error) {
+	err = d.DB.View(func(txn *badger.Txn) error {
+		item, err := txn.Get([]byte(wgServerKeyPrefix))
+		if errors.Is(err, badger.ErrKeyNotFound) {
+			return err
+		}
+		if err != nil {
+			return err
+		}
+		return item.Value(func(val []byte) error {
+			key = make([]byte, len(val))
+			copy(key, val)
+			return nil
+		})
+	})
+	return
+}
+
+// SetWireGuardServerKey stores the WireGuard server private key.
+func (d *D) SetWireGuardServerKey(key []byte) error {
+	if len(key) != 32 {
+		return fmt.Errorf("invalid key length: %d (expected 32)", len(key))
+	}
+	return d.DB.Update(func(txn *badger.Txn) error {
+		return txn.Set([]byte(wgServerKeyPrefix), key)
+	})
+}
+
+// GetOrCreateWireGuardServerKey retrieves or creates the WireGuard server key.
+func (d *D) GetOrCreateWireGuardServerKey() (key []byte, err error) {
+	// Try to get existing key
+	if key, err = d.GetWireGuardServerKey(); err == nil && len(key) == 32 {
+		return key, nil
+	}
+	if err != nil && !errors.Is(err, badger.ErrKeyNotFound) {
+		return nil, err
+	}
+
+	// Generate new keypair
+	privateKey, publicKey, err := wireguard.GenerateKeyPair()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate WireGuard keypair: %w", err)
+	}
+
+	// Store the private key
+	if err = d.SetWireGuardServerKey(privateKey); chk.E(err) {
+		return nil, err
+	}
+
+	log.I.F("generated new WireGuard server key (pubkey=%s...)", hex.Enc(publicKey[:8]))
+	return privateKey, nil
+}
+
+// GetSubnetSeed retrieves the subnet pool seed.
+func (d *D) GetSubnetSeed() (seed []byte, err error) {
+	err = d.DB.View(func(txn *badger.Txn) error {
+		item, err := txn.Get([]byte(wgSubnetSeedPrefix))
+		if errors.Is(err, badger.ErrKeyNotFound) {
+			return err
+		}
+		if err != nil {
+			return err
+		}
+		return item.Value(func(val []byte) error {
+			seed = make([]byte, len(val))
+			copy(seed, val)
+			return nil
+		})
+	})
+	return
+}
+
+// SetSubnetSeed stores the subnet pool seed.
+func (d *D) SetSubnetSeed(seed []byte) error {
+	if len(seed) != 32 {
+		return fmt.Errorf("invalid seed length: %d (expected 32)", len(seed))
+	}
+	return d.DB.Update(func(txn *badger.Txn) error {
+		return txn.Set([]byte(wgSubnetSeedPrefix), seed)
+	})
+}
+
+// GetOrCreateSubnetPool creates or restores a subnet pool from the database.
+func (d *D) GetOrCreateSubnetPool(baseNetwork string) (*wireguard.SubnetPool, error) {
+	// Try to get existing seed
+	seed, err := d.GetSubnetSeed()
+	if err != nil && !errors.Is(err, badger.ErrKeyNotFound) {
+		return nil, err
+	}
+
+	var pool *wireguard.SubnetPool
+
+	if len(seed) == 32 {
+		// Restore pool with existing seed
+		pool, err = wireguard.NewSubnetPoolWithSeed(baseNetwork, seed)
+		if err != nil {
+			return nil, err
+		}
+		log.D.F("restored subnet pool with existing seed")
+	} else {
+		// Create new pool with random seed
+		pool, err = wireguard.NewSubnetPool(baseNetwork)
+		if err != nil {
+			return nil, err
+		}
+
+		// Store the new seed
+		if err = d.SetSubnetSeed(pool.Seed()); err != nil {
+			return nil, fmt.Errorf("failed to store subnet seed: %w", err)
+		}
+		log.I.F("generated new subnet pool seed")
+	}
+
+	// Restore existing allocations from database
+	peers, err := d.GetAllWireGuardPeers()
+	if err != nil {
+		return nil, fmt.Errorf("failed to load existing peers: %w", err)
+	}
+
+	for _, peer := range peers {
+		pool.RestoreAllocation(hex.Enc(peer.NostrPubkey), peer.Sequence)
+	}
+
+	if len(peers) > 0 {
+		log.D.F("restored %d subnet allocations", len(peers))
+	}
+
+	return pool, nil
+}
+
+// GetWireGuardPeer retrieves a WireGuard peer by Nostr pubkey.
+func (d *D) GetWireGuardPeer(nostrPubkey []byte) (peer *WireGuardPeer, err error) {
+	key := append([]byte(wgPeerPrefix), []byte(hex.Enc(nostrPubkey))...)
+
+	err = d.DB.View(func(txn *badger.Txn) error {
+		item, err := txn.Get(key)
+		if errors.Is(err, badger.ErrKeyNotFound) {
+			return err
+		}
+		if err != nil {
+			return err
+		}
+		return item.Value(func(val []byte) error {
+			peer = &WireGuardPeer{}
+			return json.Unmarshal(val, peer)
+		})
+	})
+	return
+}
+
+// GetOrCreateWireGuardPeer retrieves or creates a WireGuard peer.
+// The pool is used for subnet derivation from the sequence number.
+func (d *D) GetOrCreateWireGuardPeer(nostrPubkey []byte, pool *wireguard.SubnetPool) (peer *WireGuardPeer, err error) {
+	// Try to get existing peer
+	if peer, err = d.GetWireGuardPeer(nostrPubkey); err == nil {
+		return peer, nil
+	}
+	if err != nil && !errors.Is(err, badger.ErrKeyNotFound) {
+		return nil, err
+	}
+
+	// Generate new WireGuard keypair
+	privateKey, publicKey, err := wireguard.GenerateKeyPair()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate WireGuard keypair: %w", err)
+	}
+
+	// Get next sequence number from Badger's sequence
+	seq64, err := d.GetNextWGSequence()
+	if err != nil {
+		return nil, fmt.Errorf("failed to allocate sequence: %w", err)
+	}
+	seq := uint32(seq64)
+
+	// Register allocation with pool for in-memory tracking
+	pubkeyHex := hex.Enc(nostrPubkey)
+	pool.RestoreAllocation(pubkeyHex, seq)
+
+	peer = &WireGuardPeer{
+		NostrPubkey:  nostrPubkey,
+		WGPrivateKey: privateKey,
+		WGPublicKey:  publicKey,
+		Sequence:     seq,
+		CreatedAt:    time.Now().Unix(),
+	}
+
+	// Store peer data
+	if err = d.setWireGuardPeer(peer); err != nil {
+		return nil, err
+	}
+
+	subnet := pool.SubnetForSequence(seq)
+	log.I.F("created WireGuard peer: nostr=%s... -> subnet %s/%s (seq=%d)",
+		hex.Enc(nostrPubkey[:8]), subnet.ServerIP, subnet.ClientIP, seq)
+
+	return peer, nil
+}
+
+// RegenerateWireGuardPeer generates a new keypair for an existing peer.
+// The sequence number (and thus subnet) is preserved.
+// The old keypair is archived for audit purposes.
+func (d *D) RegenerateWireGuardPeer(nostrPubkey []byte, pool *wireguard.SubnetPool) (peer *WireGuardPeer, err error) {
+	// Get existing peer to preserve sequence
+	existing, err := d.GetWireGuardPeer(nostrPubkey)
+	if err != nil {
+		return nil, err
+	}
+
+	// Archive the old keypair for audit purposes
+	if err = d.ArchiveRevokedKey(existing); err != nil {
+		log.W.F("failed to archive revoked key: %v", err)
+		// Continue anyway - this is audit logging, not critical
+	}
+
+	// Generate new WireGuard keypair
+	privateKey, publicKey, err := wireguard.GenerateKeyPair()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate WireGuard keypair: %w", err)
+	}
+
+	peer = &WireGuardPeer{
+		NostrPubkey:  nostrPubkey,
+		WGPrivateKey: privateKey,
+		WGPublicKey:  publicKey,
+		Sequence:     existing.Sequence, // Keep same sequence (same subnet)
+		CreatedAt:    time.Now().Unix(),
+	}
+
+	// Store updated peer data
+	if err = d.setWireGuardPeer(peer); err != nil {
+		return nil, err
+	}
+
+	subnet := pool.SubnetForSequence(peer.Sequence)
+	log.I.F("regenerated WireGuard peer: nostr=%s... -> subnet %s/%s (old key archived)",
+		hex.Enc(nostrPubkey[:8]), subnet.ServerIP, subnet.ClientIP)
+
+	return peer, nil
+}
+
+// DeleteWireGuardPeer removes a WireGuard peer from the database.
+// Note: The sequence number is not recycled to prevent subnet reuse.
+func (d *D) DeleteWireGuardPeer(nostrPubkey []byte) error {
+	peerKey := append([]byte(wgPeerPrefix), []byte(hex.Enc(nostrPubkey))...)
+
+	return d.DB.Update(func(txn *badger.Txn) error {
+		if err := txn.Delete(peerKey); err != nil && !errors.Is(err, badger.ErrKeyNotFound) {
+			return err
+		}
+		return nil
+	})
+}
+
+// GetAllWireGuardPeers returns all WireGuard peers.
+func (d *D) GetAllWireGuardPeers() (peers []*WireGuardPeer, err error) {
+	prefix := []byte(wgPeerPrefix)
+
+	err = d.DB.View(func(txn *badger.Txn) error {
+		opts := badger.DefaultIteratorOptions
+		opts.Prefix = prefix
+		it := txn.NewIterator(opts)
+		defer it.Close()
+
+		for it.Seek(prefix); it.ValidForPrefix(prefix); it.Next() {
+			item := it.Item()
+			err := item.Value(func(val []byte) error {
+				peer := &WireGuardPeer{}
+				if err := json.Unmarshal(val, peer); err != nil {
+					return err
+				}
+				peers = append(peers, peer)
+				return nil
+			})
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	return
+}
+
+// setWireGuardPeer stores a WireGuard peer in the database.
+func (d *D) setWireGuardPeer(peer *WireGuardPeer) error {
+	data, err := json.Marshal(peer)
+	if err != nil {
+		return fmt.Errorf("failed to marshal peer: %w", err)
+	}
+
+	peerKey := append([]byte(wgPeerPrefix), []byte(hex.Enc(peer.NostrPubkey))...)
+
+	return d.DB.Update(func(txn *badger.Txn) error {
+		return txn.Set(peerKey, data)
+	})
+}
+
+// GetNextWGSequence retrieves and increments the sequence counter using Badger's Sequence.
+func (d *D) GetNextWGSequence() (seq uint64, err error) {
+	// Get a sequence with bandwidth 1 (allocate 1 number at a time)
+	badgerSeq, err := d.DB.GetSequence([]byte(wgSequenceKey), 1)
+	if err != nil {
+		return 0, fmt.Errorf("failed to get sequence: %w", err)
+	}
+	defer badgerSeq.Release()
+
+	seq, err = badgerSeq.Next()
+	if err != nil {
+		return 0, fmt.Errorf("failed to get next sequence number: %w", err)
+	}
+	return seq, nil
+}
+
+// ArchiveRevokedKey stores a revoked keypair for audit purposes.
+func (d *D) ArchiveRevokedKey(peer *WireGuardPeer) error {
+	revoked := &WireGuardRevokedKey{
+		NostrPubkey: peer.NostrPubkey,
+		WGPublicKey: peer.WGPublicKey,
+		Sequence:    peer.Sequence,
+		CreatedAt:   peer.CreatedAt,
+		RevokedAt:   time.Now().Unix(),
+		AccessCount: 0,
+		LastAccessAt: 0,
+	}
+
+	data, err := json.Marshal(revoked)
+	if err != nil {
+		return fmt.Errorf("failed to marshal revoked key: %w", err)
+	}
+
+	// Key: wg:revoked:<pubkey-hex>:<revoked-timestamp>
+	keyStr := fmt.Sprintf("%s%s:%d", wgRevokedPrefix, hex.Enc(peer.NostrPubkey), revoked.RevokedAt)
+
+	return d.DB.Update(func(txn *badger.Txn) error {
+		return txn.Set([]byte(keyStr), data)
+	})
+}
+
+// GetRevokedKeys returns all revoked keys for a user.
+func (d *D) GetRevokedKeys(nostrPubkey []byte) (keys []*WireGuardRevokedKey, err error) {
+	prefix := []byte(wgRevokedPrefix + hex.Enc(nostrPubkey) + ":")
+
+	err = d.DB.View(func(txn *badger.Txn) error {
+		opts := badger.DefaultIteratorOptions
+		opts.Prefix = prefix
+		it := txn.NewIterator(opts)
+		defer it.Close()
+
+		for it.Seek(prefix); it.ValidForPrefix(prefix); it.Next() {
+			item := it.Item()
+			err := item.Value(func(val []byte) error {
+				key := &WireGuardRevokedKey{}
+				if err := json.Unmarshal(val, key); err != nil {
+					return err
+				}
+				keys = append(keys, key)
+				return nil
+			})
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	return
+}
+
+// GetAllRevokedKeys returns all revoked keys across all users (admin view).
+func (d *D) GetAllRevokedKeys() (keys []*WireGuardRevokedKey, err error) {
+	prefix := []byte(wgRevokedPrefix)
+
+	err = d.DB.View(func(txn *badger.Txn) error {
+		opts := badger.DefaultIteratorOptions
+		opts.Prefix = prefix
+		it := txn.NewIterator(opts)
+		defer it.Close()
+
+		for it.Seek(prefix); it.ValidForPrefix(prefix); it.Next() {
+			item := it.Item()
+			err := item.Value(func(val []byte) error {
+				key := &WireGuardRevokedKey{}
+				if err := json.Unmarshal(val, key); err != nil {
+					return err
+				}
+				keys = append(keys, key)
+				return nil
+			})
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	return
+}
+
+// LogObsoleteAccess records an access attempt to an obsolete WireGuard address.
+func (d *D) LogObsoleteAccess(nostrPubkey, wgPubkey []byte, sequence uint32, remoteAddr string) error {
+	now := time.Now().Unix()
+
+	logEntry := &WireGuardAccessLog{
+		NostrPubkey: nostrPubkey,
+		WGPublicKey: wgPubkey,
+		Sequence:    sequence,
+		Timestamp:   now,
+		RemoteAddr:  remoteAddr,
+	}
+
+	data, err := json.Marshal(logEntry)
+	if err != nil {
+		return fmt.Errorf("failed to marshal access log: %w", err)
+	}
+
+	// Key: wg:accesslog:<pubkey-hex>:<timestamp>
+	keyStr := fmt.Sprintf("%s%s:%d", wgAccessLogPrefix, hex.Enc(nostrPubkey), now)
+
+	return d.DB.Update(func(txn *badger.Txn) error {
+		return txn.Set([]byte(keyStr), data)
+	})
+}
+
+// GetAccessLogs returns access logs for a user.
+func (d *D) GetAccessLogs(nostrPubkey []byte) (logs []*WireGuardAccessLog, err error) {
+	prefix := []byte(wgAccessLogPrefix + hex.Enc(nostrPubkey) + ":")
+
+	err = d.DB.View(func(txn *badger.Txn) error {
+		opts := badger.DefaultIteratorOptions
+		opts.Prefix = prefix
+		it := txn.NewIterator(opts)
+		defer it.Close()
+
+		for it.Seek(prefix); it.ValidForPrefix(prefix); it.Next() {
+			item := it.Item()
+			err := item.Value(func(val []byte) error {
+				logEntry := &WireGuardAccessLog{}
+				if err := json.Unmarshal(val, logEntry); err != nil {
+					return err
+				}
+				logs = append(logs, logEntry)
+				return nil
+			})
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	return
+}
+
+// GetAllAccessLogs returns all access logs (admin view).
+func (d *D) GetAllAccessLogs() (logs []*WireGuardAccessLog, err error) {
+	prefix := []byte(wgAccessLogPrefix)
+
+	err = d.DB.View(func(txn *badger.Txn) error {
+		opts := badger.DefaultIteratorOptions
+		opts.Prefix = prefix
+		it := txn.NewIterator(opts)
+		defer it.Close()
+
+		for it.Seek(prefix); it.ValidForPrefix(prefix); it.Next() {
+			item := it.Item()
+			err := item.Value(func(val []byte) error {
+				logEntry := &WireGuardAccessLog{}
+				if err := json.Unmarshal(val, logEntry); err != nil {
+					return err
+				}
+				logs = append(logs, logEntry)
+				return nil
+			})
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	return
+}
+
+// IncrementRevokedKeyAccess updates the access count for a revoked key.
+func (d *D) IncrementRevokedKeyAccess(nostrPubkey, wgPubkey []byte) error {
+	// Find and update the matching revoked key
+	prefix := []byte(wgRevokedPrefix + hex.Enc(nostrPubkey) + ":")
+	wgPubkeyHex := hex.Enc(wgPubkey)
+	now := time.Now().Unix()
+
+	return d.DB.Update(func(txn *badger.Txn) error {
+		opts := badger.DefaultIteratorOptions
+		opts.Prefix = prefix
+		it := txn.NewIterator(opts)
+		defer it.Close()
+
+		for it.Seek(prefix); it.ValidForPrefix(prefix); it.Next() {
+			item := it.Item()
+			key := item.KeyCopy(nil)
+
+			err := item.Value(func(val []byte) error {
+				revoked := &WireGuardRevokedKey{}
+				if err := json.Unmarshal(val, revoked); err != nil {
+					return err
+				}
+
+				// Check if this is the matching revoked key
+				if hex.Enc(revoked.WGPublicKey) == wgPubkeyHex {
+					revoked.AccessCount++
+					revoked.LastAccessAt = now
+
+					data, err := json.Marshal(revoked)
+					if err != nil {
+						return err
+					}
+					return txn.Set(key, data)
+				}
+				return nil
+			})
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}
--- a/pkg/version/version
+++ b/pkg/version/version
@ -1 +1 @@
				@@ -1 +1 @@
-v0.39.3
+v0.40.0
--- a/pkg/wireguard/errors.go
+++ b/pkg/wireguard/errors.go
@ -0,0 +1,23 @@
				@@ -0,0 +1,23 @@
+package wireguard
+
+import "errors"
+
+var (
+	// ErrInvalidKeyLength is returned when a key is not exactly 32 bytes.
+	ErrInvalidKeyLength = errors.New("invalid key length: must be 32 bytes")
+
+	// ErrServerNotRunning is returned when an operation requires a running server.
+	ErrServerNotRunning = errors.New("wireguard server not running")
+
+	// ErrEndpointRequired is returned when WireGuard is enabled but no endpoint is set.
+	ErrEndpointRequired = errors.New("ORLY_WG_ENDPOINT is required when WireGuard is enabled")
+
+	// ErrInvalidNetwork is returned when the network CIDR is invalid.
+	ErrInvalidNetwork = errors.New("invalid network CIDR")
+
+	// ErrPeerNotFound is returned when a peer lookup fails.
+	ErrPeerNotFound = errors.New("peer not found")
+
+	// ErrIPExhausted is returned when no more IPs are available in the network.
+	ErrIPExhausted = errors.New("no more IP addresses available in network")
+)
--- a/pkg/wireguard/keygen.go
+++ b/pkg/wireguard/keygen.go
@ -0,0 +1,42 @@
				@@ -0,0 +1,42 @@
+// Package wireguard provides an embedded WireGuard VPN server for secure
+// NIP-46 bunker access. It uses wireguard-go with gVisor netstack for
+// userspace networking (no root required).
+package wireguard
+
+import (
+	"crypto/rand"
+
+	"golang.org/x/crypto/curve25519"
+)
+
+// GenerateKeyPair generates a new Curve25519 keypair for WireGuard.
+// Returns the private key and public key as 32-byte slices.
+func GenerateKeyPair() (privateKey, publicKey []byte, err error) {
+	privateKey = make([]byte, 32)
+	if _, err = rand.Read(privateKey); err != nil {
+		return nil, nil, err
+	}
+
+	// Curve25519 clamping (required by WireGuard spec)
+	privateKey[0] &= 248
+	privateKey[31] &= 127
+	privateKey[31] |= 64
+
+	// Derive public key from private key
+	publicKey = make([]byte, 32)
+	curve25519.ScalarBaseMult((*[32]byte)(publicKey), (*[32]byte)(privateKey))
+
+	return privateKey, publicKey, nil
+}
+
+// DerivePublicKey derives the public key from a private key.
+func DerivePublicKey(privateKey []byte) (publicKey []byte, err error) {
+	if len(privateKey) != 32 {
+		return nil, ErrInvalidKeyLength
+	}
+
+	publicKey = make([]byte, 32)
+	curve25519.ScalarBaseMult((*[32]byte)(publicKey), (*[32]byte)(privateKey))
+
+	return publicKey, nil
+}
--- a/pkg/wireguard/server.go
+++ b/pkg/wireguard/server.go
@ -0,0 +1,281 @@
				@@ -0,0 +1,281 @@
+package wireguard
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+	"lol.mleku.dev/log"
+)
+
+// Config holds the WireGuard server configuration.
+type Config struct {
+	Port       int    // UDP port for WireGuard (default 51820)
+	Endpoint   string // Public IP/domain for clients to connect to
+	PrivateKey []byte // Server's 32-byte Curve25519 private key
+	Network    string // CIDR for internal network (e.g., "10.73.0.0/16")
+	ServerIP   string // Server's internal IP (e.g., "10.73.0.1")
+}
+
+// Peer represents a WireGuard peer (client).
+type Peer struct {
+	NostrPubkey []byte // User's Nostr pubkey (32 bytes)
+	WGPublicKey []byte // WireGuard public key (32 bytes)
+	AssignedIP  string // Assigned internal IP
+}
+
+// Server manages the embedded WireGuard VPN server.
+type Server struct {
+	cfg       *Config
+	device    *device.Device
+	tun       *netstack.Net
+	tunDev    tun.Device
+	publicKey []byte
+
+	peers   map[string]*Peer // WG pubkey (base64) -> Peer
+	peersMu sync.RWMutex
+
+	ctx     context.Context
+	cancel  context.CancelFunc
+	running bool
+	mu      sync.RWMutex
+}
+
+// New creates a new WireGuard server with the given configuration.
+func New(cfg *Config) (*Server, error) {
+	if cfg.Endpoint == "" {
+		return nil, ErrEndpointRequired
+	}
+
+	// Parse network CIDR to validate it
+	_, _, err := net.ParseCIDR(cfg.Network)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %v", ErrInvalidNetwork, err)
+	}
+
+	// Default server IP if not set
+	if cfg.ServerIP == "" {
+		cfg.ServerIP = "10.73.0.1"
+	}
+
+	// Derive public key from private key
+	publicKey, err := DerivePublicKey(cfg.PrivateKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to derive public key: %w", err)
+	}
+
+	return &Server{
+		cfg:       cfg,
+		publicKey: publicKey,
+		peers:     make(map[string]*Peer),
+	}, nil
+}
+
+// Start initializes and starts the WireGuard server.
+func (s *Server) Start() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.running {
+		return nil
+	}
+
+	s.ctx, s.cancel = context.WithCancel(context.Background())
+
+	// Parse server IP
+	serverAddr, err := netip.ParseAddr(s.cfg.ServerIP)
+	if err != nil {
+		return fmt.Errorf("invalid server IP: %w", err)
+	}
+
+	// Create netstack TUN device (userspace, no root required)
+	s.tunDev, s.tun, err = netstack.CreateNetTUN(
+		[]netip.Addr{serverAddr},
+		[]netip.Addr{}, // No DNS servers
+		1420,           // MTU
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create netstack TUN: %w", err)
+	}
+
+	// Create WireGuard device
+	s.device = device.NewDevice(
+		s.tunDev,
+		conn.NewDefaultBind(),
+		device.NewLogger(device.LogLevelSilent, "wg"),
+	)
+
+	// Configure device with server private key and listen port
+	privateKeyHex := hex.EncodeToString(s.cfg.PrivateKey)
+	ipcConfig := fmt.Sprintf("private_key=%s\nlisten_port=%d\n",
+		privateKeyHex,
+		s.cfg.Port,
+	)
+
+	if err = s.device.IpcSet(ipcConfig); err != nil {
+		s.device.Close()
+		return fmt.Errorf("failed to configure WireGuard device: %w", err)
+	}
+
+	// Bring up the device
+	if err = s.device.Up(); err != nil {
+		s.device.Close()
+		return fmt.Errorf("failed to bring up WireGuard device: %w", err)
+	}
+
+	s.running = true
+	log.I.F("WireGuard server started on UDP port %d", s.cfg.Port)
+	log.I.F("WireGuard server public key: %s", base64.StdEncoding.EncodeToString(s.publicKey))
+	log.I.F("WireGuard internal network: %s (server: %s)", s.cfg.Network, s.cfg.ServerIP)
+
+	return nil
+}
+
+// Stop shuts down the WireGuard server.
+func (s *Server) Stop() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if !s.running {
+		return nil
+	}
+
+	if s.cancel != nil {
+		s.cancel()
+	}
+
+	if s.device != nil {
+		s.device.Close()
+	}
+
+	s.running = false
+	log.I.F("WireGuard server stopped")
+
+	return nil
+}
+
+// IsRunning returns whether the server is currently running.
+func (s *Server) IsRunning() bool {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return s.running
+}
+
+// ServerPublicKey returns the server's WireGuard public key.
+func (s *Server) ServerPublicKey() []byte {
+	return s.publicKey
+}
+
+// Endpoint returns the configured endpoint address.
+func (s *Server) Endpoint() string {
+	return fmt.Sprintf("%s:%d", s.cfg.Endpoint, s.cfg.Port)
+}
+
+// GetNetstack returns the netstack networking interface.
+// This is used by the bunker to listen on the WireGuard network.
+func (s *Server) GetNetstack() *netstack.Net {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return s.tun
+}
+
+// ServerIP returns the server's internal IP address.
+func (s *Server) ServerIP() string {
+	return s.cfg.ServerIP
+}
+
+// AddPeer adds a new peer to the WireGuard server.
+func (s *Server) AddPeer(nostrPubkey, wgPublicKey []byte, assignedIP string) error {
+	s.mu.RLock()
+	if !s.running {
+		s.mu.RUnlock()
+		return ErrServerNotRunning
+	}
+	s.mu.RUnlock()
+
+	// Encode WG public key as hex for IPC
+	wgPubkeyHex := hex.EncodeToString(wgPublicKey)
+	wgPubkeyBase64 := base64.StdEncoding.EncodeToString(wgPublicKey)
+
+	// Configure peer in WireGuard device
+	ipcConfig := fmt.Sprintf(
+		"public_key=%s\nallowed_ip=%s/32\n",
+		wgPubkeyHex,
+		assignedIP,
+	)
+
+	if err := s.device.IpcSet(ipcConfig); err != nil {
+		return fmt.Errorf("failed to add peer: %w", err)
+	}
+
+	// Track peer
+	s.peersMu.Lock()
+	s.peers[wgPubkeyBase64] = &Peer{
+		NostrPubkey: nostrPubkey,
+		WGPublicKey: wgPublicKey,
+		AssignedIP:  assignedIP,
+	}
+	s.peersMu.Unlock()
+
+	log.I.F("WireGuard peer added: %s -> %s", wgPubkeyBase64[:16]+"...", assignedIP)
+
+	return nil
+}
+
+// RemovePeer removes a peer from the WireGuard server.
+func (s *Server) RemovePeer(wgPublicKey []byte) error {
+	s.mu.RLock()
+	if !s.running {
+		s.mu.RUnlock()
+		return ErrServerNotRunning
+	}
+	s.mu.RUnlock()
+
+	wgPubkeyHex := hex.EncodeToString(wgPublicKey)
+	wgPubkeyBase64 := base64.StdEncoding.EncodeToString(wgPublicKey)
+
+	// Remove peer from WireGuard device
+	ipcConfig := fmt.Sprintf(
+		"public_key=%s\nremove=true\n",
+		wgPubkeyHex,
+	)
+
+	if err := s.device.IpcSet(ipcConfig); err != nil {
+		return fmt.Errorf("failed to remove peer: %w", err)
+	}
+
+	// Remove from tracking
+	s.peersMu.Lock()
+	delete(s.peers, wgPubkeyBase64)
+	s.peersMu.Unlock()
+
+	log.I.F("WireGuard peer removed: %s", wgPubkeyBase64[:16]+"...")
+
+	return nil
+}
+
+// GetPeer returns a peer by their WireGuard public key.
+func (s *Server) GetPeer(wgPublicKey []byte) (*Peer, bool) {
+	wgPubkeyBase64 := base64.StdEncoding.EncodeToString(wgPublicKey)
+
+	s.peersMu.RLock()
+	defer s.peersMu.RUnlock()
+
+	peer, ok := s.peers[wgPubkeyBase64]
+	return peer, ok
+}
+
+// PeerCount returns the number of active peers.
+func (s *Server) PeerCount() int {
+	s.peersMu.RLock()
+	defer s.peersMu.RUnlock()
+	return len(s.peers)
+}
--- a/pkg/wireguard/subnet_pool.go
+++ b/pkg/wireguard/subnet_pool.go
@ -0,0 +1,184 @@
				@@ -0,0 +1,184 @@
+package wireguard
+
+import (
+	"crypto/sha256"
+	"encoding/binary"
+	"fmt"
+	"net/netip"
+	"sync"
+
+	"lukechampine.com/frand"
+)
+
+// Subnet represents a /31 point-to-point subnet.
+type Subnet struct {
+	ServerIP netip.Addr // Even address (server side)
+	ClientIP netip.Addr // Odd address (client side)
+}
+
+// SubnetPool manages deterministic /31 subnet generation from a seed.
+// Given the same seed and sequence number, the same subnet is always generated.
+type SubnetPool struct {
+	seed       [32]byte       // Random seed for deterministic generation
+	basePrefix netip.Prefix   // e.g., 10.0.0.0/8
+	maxSeq     uint32         // Current highest sequence number
+	assigned   map[string]uint32 // Client pubkey hex -> sequence number
+	mu         sync.RWMutex
+}
+
+// NewSubnetPool creates a subnet pool with a new random seed.
+func NewSubnetPool(baseNetwork string) (*SubnetPool, error) {
+	prefix, err := netip.ParsePrefix(baseNetwork)
+	if err != nil {
+		return nil, fmt.Errorf("invalid base network: %w", err)
+	}
+
+	var seed [32]byte
+	frand.Read(seed[:])
+
+	return &SubnetPool{
+		seed:       seed,
+		basePrefix: prefix,
+		maxSeq:     0,
+		assigned:   make(map[string]uint32),
+	}, nil
+}
+
+// NewSubnetPoolWithSeed creates a subnet pool with an existing seed.
+func NewSubnetPoolWithSeed(baseNetwork string, seed []byte) (*SubnetPool, error) {
+	prefix, err := netip.ParsePrefix(baseNetwork)
+	if err != nil {
+		return nil, fmt.Errorf("invalid base network: %w", err)
+	}
+
+	if len(seed) != 32 {
+		return nil, fmt.Errorf("seed must be 32 bytes, got %d", len(seed))
+	}
+
+	pool := &SubnetPool{
+		basePrefix: prefix,
+		maxSeq:     0,
+		assigned:   make(map[string]uint32),
+	}
+	copy(pool.seed[:], seed)
+
+	return pool, nil
+}
+
+// Seed returns the pool's seed for persistence.
+func (p *SubnetPool) Seed() []byte {
+	return p.seed[:]
+}
+
+// deriveSubnet deterministically generates a /31 subnet from seed + sequence.
+func (p *SubnetPool) deriveSubnet(seq uint32) Subnet {
+	// Hash seed + sequence to get deterministic randomness
+	h := sha256.New()
+	h.Write(p.seed[:])
+	binary.Write(h, binary.BigEndian, seq)
+	hash := h.Sum(nil)
+
+	// Use first 4 bytes as offset within the prefix
+	offset := binary.BigEndian.Uint32(hash[:4])
+
+	// Calculate available address space
+	bits := p.basePrefix.Bits()
+	availableBits := uint32(32 - bits)
+	maxOffset := uint32(1) << availableBits
+
+	// Make offset even (for /31 alignment) and within range
+	offset = (offset % (maxOffset / 2)) * 2
+
+	// Calculate server IP (even) and client IP (odd)
+	baseAddr := p.basePrefix.Addr()
+	baseBytes := baseAddr.As4()
+	baseVal := uint32(baseBytes[0])<<24 | uint32(baseBytes[1])<<16 |
+		uint32(baseBytes[2])<<8 | uint32(baseBytes[3])
+
+	serverVal := baseVal + offset
+	clientVal := serverVal + 1
+
+	serverBytes := [4]byte{
+		byte(serverVal >> 24), byte(serverVal >> 16),
+		byte(serverVal >> 8), byte(serverVal),
+	}
+	clientBytes := [4]byte{
+		byte(clientVal >> 24), byte(clientVal >> 16),
+		byte(clientVal >> 8), byte(clientVal),
+	}
+
+	return Subnet{
+		ServerIP: netip.AddrFrom4(serverBytes),
+		ClientIP: netip.AddrFrom4(clientBytes),
+	}
+}
+
+// ServerIPs returns server-side IPs for sequences 0 to maxSeq (for netstack).
+func (p *SubnetPool) ServerIPs() []netip.Addr {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	if p.maxSeq == 0 {
+		return nil
+	}
+
+	ips := make([]netip.Addr, p.maxSeq)
+	for seq := uint32(0); seq < p.maxSeq; seq++ {
+		subnet := p.deriveSubnet(seq)
+		ips[seq] = subnet.ServerIP
+	}
+	return ips
+}
+
+// GetSubnet returns the subnet for a client, or nil if not assigned.
+func (p *SubnetPool) GetSubnet(clientPubkeyHex string) *Subnet {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	if seq, ok := p.assigned[clientPubkeyHex]; ok {
+		subnet := p.deriveSubnet(seq)
+		return &subnet
+	}
+	return nil
+}
+
+// GetSequence returns the sequence number for a client, or -1 if not assigned.
+func (p *SubnetPool) GetSequence(clientPubkeyHex string) int {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	if seq, ok := p.assigned[clientPubkeyHex]; ok {
+		return int(seq)
+	}
+	return -1
+}
+
+// RestoreAllocation restores a previously saved allocation.
+func (p *SubnetPool) RestoreAllocation(clientPubkeyHex string, seq uint32) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	p.assigned[clientPubkeyHex] = seq
+	if seq >= p.maxSeq {
+		p.maxSeq = seq + 1
+	}
+}
+
+// MaxSequence returns the current max sequence number.
+func (p *SubnetPool) MaxSequence() uint32 {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	return p.maxSeq
+}
+
+// AllocatedCount returns the number of allocated subnets.
+func (p *SubnetPool) AllocatedCount() int {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	return len(p.assigned)
+}
+
+// SubnetForSequence returns the subnet for a given sequence number.
+func (p *SubnetPool) SubnetForSequence(seq uint32) Subnet {
+	return p.deriveSubnet(seq)
+}