diff --git a/Makefile b/Makefile
index 96f9c368f0e63841dda41d87e792afb6f6fe088c..c98c19d0a1233f708b954594ba2b38ad64e971b3 100644
--- a/Makefile
+++ b/Makefile
@@ -58,7 +58,9 @@ CONF_FILES	:= mkinitfs.conf \
 		features.d/zfcp.modules \
 		features.d/dhcp.files \
 		features.d/dhcp.modules \
-		features.d/https.files
+		features.d/https.files \
+		features.d/wireguard.files \
+		features.d/wireguard.modules
 MAN_FILES       := mkinitfs.1 mkinitfs-bootparam.7 nlplug-findfs.1
 
 SCRIPTS		:= mkinitfs bootchartd initramfs-init
diff --git a/features.d/wireguard.files b/features.d/wireguard.files
new file mode 100644
index 0000000000000000000000000000000000000000..0a77737e2c1015def104136899bf6e21e84af467
--- /dev/null
+++ b/features.d/wireguard.files
@@ -0,0 +1,2 @@
+/usr/bin/wg
+/etc/wireguard/initrd.conf
diff --git a/features.d/wireguard.modules b/features.d/wireguard.modules
new file mode 100644
index 0000000000000000000000000000000000000000..4d88db0a6b0afdbbcfcd8c763f48d32872b1ac95
--- /dev/null
+++ b/features.d/wireguard.modules
@@ -0,0 +1 @@
+kernel/drivers/net/wireguard/wireguard.ko*
diff --git a/initramfs-init.in b/initramfs-init.in
index 3450e5eac12866e87e6ec25459d8663d7c853902..a232d6d574ea8676e1473ae0817e20d2ada020a6 100755
--- a/initramfs-init.in
+++ b/initramfs-init.in
@@ -265,6 +265,29 @@ setup_nbd() {
 	[ "$n" != 0 ] || return 1
 }
 
+setup_wireguard() {
+	modprobe -q wireguard || return 1
+	local IFS=';'
+	set -- $KOPT_wireguard
+	unset IFS
+
+	local device="$1"
+	local ips="$2"
+	local config="${3:-/etc/wireguard/initrd.conf}"
+
+	local IFS=','
+	set -- $ips
+	unset IFS
+
+	ip link add "$device" type wireguard
+	wg setconf "$device" "$config"
+	ip link set dev "$device" up
+
+	for addr in $@; do
+		ip addr add dev "$device" "$addr"
+	done
+}
+
 rtc_exists() {
 	local rtc=
 	for rtc in /dev/rtc /dev/rtc[0-9]*; do
@@ -347,7 +370,7 @@ myopts="alpine_dev autodetect autoraid chart cryptroot cryptdm cryptheader crypt
 	cryptdiscards cryptkey debug_init dma init init_args keep_apk_new modules ovl_dev
 	pkgs quiet root_size root usbdelay ip alpine_repo apkovl alpine_start splash
 	blacklist overlaytmpfs overlaytmpfsflags rootfstype rootflags nbd resume s390x_net
-	dasd ssh_key BOOTIF zfcp"
+	dasd ssh_key wireguard BOOTIF zfcp"
 
 for opt; do
 	case "$opt" in
@@ -493,6 +516,11 @@ if [ -n "$KOPT_cryptroot" ]; then
 	fi
 fi
 
+if [ -n "$KOPT_wireguard" ]; then
+	configure_ip
+	setup_wireguard || echo "Failed to setup wireguard tunnel."
+fi
+
 if [ -n "$KOPT_nbd" ]; then
 	# TODO: Might fail because nlplug-findfs hasn't plugged eth0 yet
 	configure_ip