diff --git a/docker/router-dash/app/action_apply_general.py b/docker/router-dash/app/action_apply_general.py
index 5a1a7e1..10b2bbc 100644
--- a/docker/router-dash/app/action_apply_general.py
+++ b/docker/router-dash/app/action_apply_general.py
@@ -6,19 +6,13 @@ import sanitize
 bp = Blueprint('action_apply_general', __name__)
 
 
-
 @bp.route('/action/apply_general', methods=['POST'])
 @require_level('administrator')
 def apply_general():
-    wan_interface              = sanitize.interface_name(request.form.get('wan_interface', ''))
-    log_max_kb_raw             = request.form.get('log_max_kb', '').strip()
-    log_errors_only            = 'log_errors_only' in request.form
-    dnsmasq_log_queries        = 'dnsmasq_log_queries' in request.form
-    daily_execute_time         = sanitize.time_24h(request.form.get('daily_execute_time_24hr_local', ''))
-
-    if not wan_interface:
-        flash('WAN Interface is required.', 'error')
-        return redirect('/view/view_general')
+    log_max_kb_raw      = request.form.get('log_max_kb', '').strip()
+    log_errors_only     = 'log_errors_only' in request.form
+    dnsmasq_log_queries = 'dnsmasq_log_queries' in request.form
+    daily_execute_time  = sanitize.time_24h(request.form.get('daily_execute_time_24hr_local', ''))
 
     try:
         log_max_kb = int(log_max_kb_raw)
@@ -34,10 +28,9 @@ def apply_general():
 
     core = load_core()
     core.setdefault('general', {}).update({
-        'wan_interface':                wan_interface,
-        'log_max_kb':                   log_max_kb,
-        'log_errors_only':              log_errors_only,
-        'dnsmasq_log_queries':          dnsmasq_log_queries,
+        'log_max_kb':                    log_max_kb,
+        'log_errors_only':               log_errors_only,
+        'dnsmasq_log_queries':           dnsmasq_log_queries,
         'daily_execute_time_24hr_local': daily_execute_time,
     })
     save_core(core)
diff --git a/docker/router-dash/app/action_apply_host_overrides.py b/docker/router-dash/app/action_apply_host_overrides.py
index 71718ab..ca51eab 100644
--- a/docker/router-dash/app/action_apply_host_overrides.py
+++ b/docker/router-dash/app/action_apply_host_overrides.py
@@ -1,3 +1,5 @@
+import ipaddress
+
 from flask import Blueprint, request, redirect, flash
 from auth import require_level
 from config_utils import load_core, save_core, verify_core_hash, apply_msg
@@ -8,6 +10,29 @@ bp = Blueprint('action_apply_host_overrides', __name__)
 VIEW   = '/view/view_host_overrides'
 
 
+def _vlan_networks(core):
+    nets = []
+    for v in core.get('vlans', []):
+        subnet = v.get('subnet', '')
+        mask   = v.get('subnet_mask', '')
+        if subnet and mask:
+            try:
+                nets.append(ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False))
+            except ValueError:
+                pass
+    return nets
+
+
+def _ip_in_vlan(ip_str, core):
+    """Return True if ip_str falls within at least one configured VLAN subnet."""
+    try:
+        addr = ipaddress.IPv4Address(ip_str)
+    except ValueError:
+        return False
+    nets = _vlan_networks(core)
+    return not nets or any(addr in net for net in nets)
+
+
 def _row_index():
     try:
         return int(request.form.get('row_index', ''))
@@ -37,6 +62,10 @@ def add_host_override():
         return redirect(VIEW)
 
     core = load_core()
+    if not _ip_in_vlan(ip, core):
+        flash('IP address does not fall within any configured VLAN subnet.', 'error')
+        return redirect(VIEW)
+
     core.setdefault('host_overrides', []).append({
         'description': description,
         'host':        host,
@@ -94,6 +123,10 @@ def edit_host_override():
         return redirect(VIEW)
 
     core  = load_core()
+    if not _ip_in_vlan(ip, core):
+        flash('IP address does not fall within any configured VLAN subnet.', 'error')
+        return redirect(VIEW)
+
     items = core.get('host_overrides', [])
     if idx < 0 or idx >= len(items):
         flash('Entry not found.', 'error')
diff --git a/docker/router-dash/app/action_apply_interface.py b/docker/router-dash/app/action_apply_interface.py
new file mode 100644
index 0000000..86560d5
--- /dev/null
+++ b/docker/router-dash/app/action_apply_interface.py
@@ -0,0 +1,63 @@
+import re
+import subprocess
+
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, apply_msg
+import sanitize
+
+bp = Blueprint('action_apply_interface', __name__)
+
+_VIEW = '/view/view_general'
+
+
+def _get_system_interfaces():
+    try:
+        r = subprocess.run(['ip', 'link', 'show'], capture_output=True, text=True, timeout=5)
+        names = re.findall(r'^\d+:\s+(\S+):', r.stdout, re.MULTILINE)
+        return {n.split('@')[0] for n in names} - {'lo'}
+    except Exception:
+        return set()
+
+
+@bp.route('/action/apply_interface', methods=['POST'])
+@require_level('administrator')
+def apply_interface():
+    idx_raw   = request.form.get('row_index', '').strip()
+    interface = sanitize.interface_name(request.form.get('interface', ''))
+
+    try:
+        idx = int(idx_raw)
+        if idx not in (0, 1):
+            raise ValueError
+    except (ValueError, TypeError):
+        flash('Invalid request.', 'error')
+        return redirect(_VIEW)
+
+    if not interface:
+        flash('Interface name is required.', 'error')
+        return redirect(_VIEW)
+
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return redirect(_VIEW)
+
+    core = load_core()
+    gen  = core.setdefault('general', {})
+
+    other_key = 'lan_interface' if idx == 0 else 'wan_interface'
+    if interface == gen.get(other_key, ''):
+        flash('WAN and LAN interfaces must be different.', 'error')
+        return redirect(_VIEW)
+
+    available = _get_system_interfaces()
+    if available and interface not in available:
+        flash(f"Interface '{interface}' does not exist on this system.", 'error')
+        return redirect(_VIEW)
+
+    key = 'wan_interface' if idx == 0 else 'lan_interface'
+    gen[key] = interface
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(_VIEW)
diff --git a/docker/router-dash/app/action_apply_vlans.py b/docker/router-dash/app/action_apply_vlans.py
index c1b4e86..c6d698f 100644
--- a/docker/router-dash/app/action_apply_vlans.py
+++ b/docker/router-dash/app/action_apply_vlans.py
@@ -2,6 +2,7 @@ from flask import Blueprint, request, redirect, flash
 from auth import require_level
 from config_utils import load_core, save_core, verify_core_hash, apply_msg
 import sanitize
+import ipaddress as _ipaddress
 
 bp = Blueprint('action_apply_vlans', __name__)
 
@@ -22,26 +23,46 @@ def _hash_ok():
     return True
 
 
+def _derive_vlan_id(subnet, prefix):
+    """Return VLAN ID (1–4094) derived from the active octet of the network address,
+    or None if not derivable. byte_index = (prefix-1) // 8."""
+    try:
+        network  = _ipaddress.ip_network(f'{subnet}/{prefix}', strict=False)
+        octets   = list(network.network_address.packed)
+        byte_idx = (prefix - 1) // 8
+        vlan_id  = octets[byte_idx]
+        if 1 <= vlan_id <= 4094:
+            return vlan_id
+        return None
+    except Exception:
+        return None
+
+
 @bp.route('/action/add_vlan', methods=['POST'])
 @require_level('administrator')
 def add_vlan():
-    vlan_id_raw    = request.form.get('vlan_id', '').strip()
-    name           = sanitize.name(request.form.get('name', ''))
-    interface      = sanitize.interface_name(request.form.get('interface', ''))
-    subnet         = sanitize.ip_or_cidr(request.form.get('subnet', ''))
+    name            = sanitize.name(request.form.get('name', '')).lower()
+    is_vpn          = 'is_vpn' in request.form
+    subnet          = sanitize.ip(request.form.get('subnet', ''))
+    subnet_mask     = sanitize.subnet_mask(request.form.get('subnet_mask', ''))
     radius_default  = 'radius_default' in request.form
     mdns_reflection = 'mdns_reflection' in request.form
 
-    if not vlan_id_raw or not name or not interface:
-        flash('VLAN ID, name, and interface are required.', 'error')
+    if not name:
+        flash('Name is required.', 'error')
         return redirect(VIEW)
 
-    try:
-        vlan_id = int(vlan_id_raw)
-        if not (1 <= vlan_id <= 4094):
-            raise ValueError
-    except (ValueError, TypeError):
-        flash('VLAN ID must be between 1 and 4094.', 'error')
+    if not subnet:
+        flash('Subnet IP is required.', 'error')
+        return redirect(VIEW)
+
+    if subnet_mask is None:
+        flash('Invalid subnet prefix (must be 1-30).', 'error')
+        return redirect(VIEW)
+
+    vlan_id = _derive_vlan_id(subnet, subnet_mask)
+    if vlan_id is None:
+        flash('Cannot derive a valid VLAN ID (1–4094) from this subnet/prefix combination.', 'error')
         return redirect(VIEW)
 
     if not _hash_ok():
@@ -51,19 +72,24 @@ def add_vlan():
     vlans = core.setdefault('vlans', [])
 
     if any(v.get('vlan_id') == vlan_id for v in vlans):
-        flash(f'VLAN {vlan_id} already exists.', 'error')
+        flash(f'VLAN {vlan_id} (derived from subnet) already exists.', 'error')
         return redirect(VIEW)
 
-    vlans.append({
+    entry = {
         'vlan_id':         vlan_id,
         'name':            name,
-        'interface':       interface,
-        'dhcp':            {'subnet': subnet},
+        'is_vpn':          is_vpn,
+        'subnet':          subnet,
+        'subnet_mask':     subnet_mask,
         'use_blocklists':  [],
         'radius_default':  radius_default,
         'mdns_reflection': mdns_reflection,
-        'reservations':    [],
-    })
+    }
+    if is_vpn:
+        entry['peers'] = []
+    else:
+        entry['reservations'] = []
+    vlans.append(entry)
     save_core(core)
 
     flash(apply_msg(), 'success')
@@ -78,14 +104,29 @@ def edit_vlan():
         flash('Invalid request.', 'error')
         return redirect(VIEW)
 
-    name           = sanitize.name(request.form.get('name', ''))
-    interface      = sanitize.interface_name(request.form.get('interface', ''))
-    subnet         = sanitize.ip_or_cidr(request.form.get('subnet', ''))
+    name            = sanitize.name(request.form.get('name', '')).lower()
+    subnet          = sanitize.ip(request.form.get('subnet', ''))
     radius_default  = 'radius_default' in request.form
     mdns_reflection = 'mdns_reflection' in request.form
+    use_blocklists  = request.form.getlist('use_blocklists')
 
-    if not name or not interface:
-        flash('Name and interface are required.', 'error')
+    # subnet_mask is only present when the column is visible (not all edit paths send it).
+    # Validate if submitted; fall back to the stored value otherwise.
+    subnet_mask_raw = request.form.get('subnet_mask')
+    if subnet_mask_raw is not None:
+        subnet_mask = sanitize.subnet_mask(subnet_mask_raw)
+        if subnet_mask is None:
+            flash('Invalid subnet prefix (must be 1-30).', 'error')
+            return redirect(VIEW)
+    else:
+        subnet_mask = None  # resolved below after loading core
+
+    if not name:
+        flash('Name is required.', 'error')
+        return redirect(VIEW)
+
+    if not subnet:
+        flash('Subnet IP is required.', 'error')
         return redirect(VIEW)
 
     if not _hash_ok():
@@ -97,8 +138,36 @@ def edit_vlan():
         flash('VLAN not found.', 'error')
         return redirect(VIEW)
 
-    vlans[idx].update({'name': name, 'interface': interface, 'radius_default': radius_default, 'mdns_reflection': mdns_reflection})
-    vlans[idx].setdefault('dhcp', {})['subnet'] = subnet
+    existing   = vlans[idx]
+    # is_vpn is never changed via edit — toggling it would invalidate peers/reservations.
+    is_vpn     = existing.get('is_vpn', False)
+    # Use submitted subnet_mask, or fall back to whatever is already stored.
+    final_mask = subnet_mask if subnet_mask is not None else existing.get('subnet_mask', 24)
+
+    vlan_id = _derive_vlan_id(subnet, final_mask)
+    if vlan_id is None:
+        flash('Cannot derive a valid VLAN ID (1–4094) from this subnet/prefix combination.', 'error')
+        return redirect(VIEW)
+
+    current_id = existing.get('vlan_id')
+    if current_id == 1 and vlan_id != 1:
+        flash('VLAN 1 is the physical interface; change its subnet so the derived ID remains 1.', 'error')
+        return redirect(VIEW)
+
+    if vlan_id != current_id and any(i != idx and v.get('vlan_id') == vlan_id for i, v in enumerate(vlans)):
+        flash(f'VLAN {vlan_id} (derived from subnet) already exists.', 'error')
+        return redirect(VIEW)
+
+    existing.update({
+        'vlan_id':         vlan_id,
+        'name':            name,
+        'is_vpn':          is_vpn,
+        'subnet':          subnet,
+        'subnet_mask':     final_mask,
+        'radius_default':  radius_default,
+        'mdns_reflection': mdns_reflection,
+        'use_blocklists':  use_blocklists,
+    })
     save_core(core)
 
     flash(apply_msg(), 'success')
diff --git a/docker/router-dash/app/action_apply_vpn.py b/docker/router-dash/app/action_apply_vpn.py
index e019f2f..5ff70c9 100644
--- a/docker/router-dash/app/action_apply_vpn.py
+++ b/docker/router-dash/app/action_apply_vpn.py
@@ -1,6 +1,10 @@
-from flask import Blueprint, request, redirect, flash
+import base64
+import ipaddress
+import re
+
+from flask import Blueprint, make_response, redirect, flash, request
 from auth import require_level
-from config_utils import load_core, save_core, verify_core_hash, apply_msg, _APPLY_CMD_VPN
+from config_utils import load_core, save_core, verify_core_hash, apply_msg, CONFIGS_DIR
 import sanitize
 import validate
 
@@ -11,45 +15,136 @@ _MTU_MIN = 576
 _MTU_MAX = 9000
 
 
+def _wg_vlan(core):
+    return next((v for v in core.get('vlans', []) if v.get('is_vpn')), None)
+
+
+def _wg_iface(vlan, core):
+    """Return the WireGuard interface name (wg0, wg1, ...) for a VPN VLAN."""
+    wg_vlans = [v for v in core.get('vlans', []) if v.get('is_vpn')]
+    idx = next((i for i, v in enumerate(wg_vlans) if v is vlan), 0)
+    return f'wg{idx}'
+
+
+def _row_index():
+    try:
+        return int(request.form.get('row_index', ''))
+    except (ValueError, TypeError):
+        return None
+
+
+def _hash_ok():
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return False
+    return True
+
+
+def _generate_wg_keypair():
+    """Generate an X25519 keypair compatible with WireGuard. Returns (private_b64, public_b64)."""
+    from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
+    from cryptography.hazmat.primitives.serialization import (
+        Encoding, PublicFormat, PrivateFormat, NoEncryption,
+    )
+    private  = X25519PrivateKey.generate()
+    priv_raw = private.private_bytes(Encoding.Raw, PrivateFormat.Raw, NoEncryption())
+    pub_raw  = private.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
+    return base64.b64encode(priv_raw).decode(), base64.b64encode(pub_raw).decode()
+
+
+def _server_pubkey(iface):
+    """Read the server public key written by core.py --apply."""
+    try:
+        with open(f'{CONFIGS_DIR}/.wg-{iface}.pub') as f:
+            return f.read().strip()
+    except OSError:
+        return None
+
+
+def _build_client_conf(vlan, peer_name, peer_ip, private_key, server_pubkey):
+    """Build WireGuard client .conf content."""
+    info      = vlan.get('vpn_information', {})
+    overrides = info.get('explicit_overrides', {})
+    subnet    = vlan.get('subnet', '')
+    mask      = vlan.get('subnet_mask', '')
+    network   = ipaddress.IPv4Network(f'{subnet}/{mask}', strict=False)
+    ident_ips = [s['ip'] for s in vlan.get('server_identities', []) if s.get('ip')]
+    default   = str(min((ipaddress.IPv4Address(ip) for ip in ident_ips),
+                        key=lambda x: x.packed[-1])) if ident_ips else str(next(network.hosts()))
+    gateway   = overrides.get('gateway') or default
+    dns       = overrides.get('dns_server') or gateway
+    prefix    = network.prefixlen
+    mtu       = overrides.get('mtu', '')
+    endpoint  = info.get('server_endpoint', '')
+    listen_port = info.get('listen_port', 51820)
+
+    split_tunnel = next(
+        (p.get('split_tunnel', False) for p in vlan.get('peers', []) if p.get('name') == peer_name),
+        False
+    )
+    allowed_ips = f'{subnet}/{prefix}' if split_tunnel else '0.0.0.0/0'
+
+    lines = [
+        '# Generated by router-dash',
+        '',
+        '[Interface]',
+        f'PrivateKey = {private_key}',
+        f'Address = {peer_ip}/{prefix}',
+        f'DNS = {dns}',
+    ]
+    if mtu:
+        lines.append(f'MTU = {mtu}')
+    lines += ['', '[Peer]', f'PublicKey = {server_pubkey}']
+    if endpoint:
+        lines.append(f'Endpoint = {endpoint}:{listen_port}')
+    lines += [f'AllowedIPs = {allowed_ips}', 'PersistentKeepalive = 25', '']
+    return '\n'.join(lines)
+
+
+def _conf_response(vlan, peer_name, peer_ip, private_key):
+    """Return a .conf file download response, or redirect with error if pubkey unavailable."""
+    core  = load_core()
+    iface = _wg_iface(vlan, core)
+    server_pub = _server_pubkey(iface)
+    if not server_pub:
+        flash('Peer saved. Run sudo python3 ~/router/core.py --apply to generate the server '
+              'public key, then regenerate this peer to download the client config.', 'warning')
+        return redirect(_VIEW)
+    conf = _build_client_conf(vlan, peer_name, peer_ip, private_key, server_pub)
+    safe = re.sub(r'[^A-Za-z0-9_\-]', '_', peer_name)
+    resp = make_response(conf)
+    resp.headers['Content-Type']        = 'text/plain; charset=utf-8'
+    resp.headers['Content-Disposition'] = f'attachment; filename="vpn-client-{safe}.conf"'
+    return resp
+
+
 @bp.route('/action/apply_vpn', methods=['POST'])
 @require_level('administrator')
 def apply_vpn():
-    listen_port_raw = request.form.get('vpn_listen_port', '').strip()
-    gateway_raw     = request.form.get('vpn_gateway',     '').strip()
-    domain          = sanitize.hostname(request.form.get('vpn_domain', ''))
-    dns_raw         = request.form.get('vpn_dns_server',  '').strip()
-    mtu_raw         = request.form.get('vpn_mtu',         '').strip()
+    listen_port_raw = request.form.get('vpn_listen_port',    '').strip()
+    server_endpoint = sanitize.hostname(request.form.get('vpn_server_endpoint', ''))
+    domain          = sanitize.hostname(request.form.get('vpn_domain',          ''))
+    dns_raw         = request.form.get('vpn_dns_server',     '').strip()
+    mtu_raw         = request.form.get('vpn_mtu',            '').strip()
 
-    # -- Listen port -----------------------------------------------------------
     if not listen_port_raw:
-        flash('The configuration has not been saved because the listen port is required.', 'error')
+        flash('Listen port is required.', 'error')
         return redirect(_VIEW)
     try:
         listen_port = int(listen_port_raw)
         if not (1 <= listen_port <= 65535):
             raise ValueError
     except (ValueError, TypeError):
-        flash(f'The configuration has not been saved because "{listen_port_raw}" is not a valid port number (1-65535).', 'error')
+        flash(f'"{listen_port_raw}" is not a valid port number (1-65535).', 'error')
         return redirect(_VIEW)
 
-    # -- Gateway (required) ----------------------------------------------------
-    if not gateway_raw:
-        flash('The configuration has not been saved because a gateway IP address is required.', 'error')
-        return redirect(_VIEW)
-    gateway = validate.ip(gateway_raw)
-    if not gateway:
-        flash(f'The configuration has not been saved because "{gateway_raw}" is not a valid IP address.', 'error')
-        return redirect(_VIEW)
-
-    # -- DNS server (optional) -------------------------------------------------
     dns_server = ''
     if dns_raw:
         dns_server = validate.ip(dns_raw)
         if not dns_server:
-            flash(f'The configuration has not been saved because "{dns_raw}" is not a valid IP address for DNS server.', 'error')
+            flash(f'"{dns_raw}" is not a valid IP address for DNS server.', 'error')
             return redirect(_VIEW)
 
-    # -- MTU (optional) --------------------------------------------------------
     mtu = None
     if mtu_raw:
         try:
@@ -57,25 +152,22 @@ def apply_vpn():
             if not (_MTU_MIN <= mtu <= _MTU_MAX):
                 raise ValueError
         except (ValueError, TypeError):
-            flash(f'The configuration has not been saved because "{mtu_raw}" is not a valid MTU '
-                  f'(must be a number between {_MTU_MIN} and {_MTU_MAX}).', 'error')
+            flash(f'"{mtu_raw}" is not a valid MTU (must be {_MTU_MIN}-{_MTU_MAX}).', 'error')
             return redirect(_VIEW)
 
-    # -- Hash check and save ---------------------------------------------------
-    if not verify_core_hash(request.form.get('config_hash', '')):
-        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+    if not _hash_ok():
         return redirect(_VIEW)
 
-    core     = load_core()
-    vpn_vlan = next((v for v in core.get('vlans', []) if 'vpn_information' in v), None)
+    core = load_core()
+    vpn_vlan = _wg_vlan(core)
     if vpn_vlan is None:
-        flash('The configuration has not been saved because no VPN VLAN was found in the configuration.', 'error')
+        flash('No WireGuard VLAN found in configuration.', 'error')
         return redirect(_VIEW)
 
     info = vpn_vlan.setdefault('vpn_information', {})
-    info['listen_port'] = listen_port
-    info['gateway']     = gateway
-    info['domain']      = domain
+    info['listen_port']     = listen_port
+    info['server_endpoint'] = server_endpoint
+    info['domain']          = domain
 
     overrides = info.setdefault('explicit_overrides', {})
     if dns_server:
@@ -88,6 +180,173 @@ def apply_vpn():
         overrides.pop('mtu', None)
 
     save_core(core)
-
-    flash(apply_msg(_APPLY_CMD_VPN), 'success')
+    flash(apply_msg(), 'success')
     return redirect(_VIEW)
+
+
+@bp.route('/action/add_vpn_peer', methods=['POST'])
+@require_level('administrator')
+def add_vpn_peer():
+    peer_name    = sanitize.name(request.form.get('peer_name', ''))
+    peer_ip_raw  = request.form.get('peer_ip', '').strip()
+    split_tunnel = 'split_tunnel' in request.form
+
+    if not peer_name:
+        flash('Peer name is required.', 'error')
+        return redirect(_VIEW)
+    peer_ip = validate.ip(peer_ip_raw)
+    if not peer_ip:
+        flash(f'"{peer_ip_raw}" is not a valid IP address.', 'error')
+        return redirect(_VIEW)
+
+    if not _hash_ok():
+        return redirect(_VIEW)
+
+    core = load_core()
+    vpn_vlan = _wg_vlan(core)
+    if vpn_vlan is None:
+        flash('No WireGuard VLAN found in configuration.', 'error')
+        return redirect(_VIEW)
+
+    peers = vpn_vlan.setdefault('peers', [])
+    if any(p.get('name') == peer_name for p in peers):
+        flash(f'A peer named "{peer_name}" already exists.', 'error')
+        return redirect(_VIEW)
+    if any(p.get('ip') == peer_ip for p in peers):
+        flash(f'IP address {peer_ip} is already assigned to another peer.', 'error')
+        return redirect(_VIEW)
+
+    private_key, public_key = _generate_wg_keypair()
+    peers.append({
+        'name':         peer_name,
+        'ip':           peer_ip,
+        'public_key':   public_key,
+        'split_tunnel': split_tunnel,
+        'enabled':      True,
+    })
+    save_core(core)
+
+    return _conf_response(vpn_vlan, peer_name, peer_ip, private_key)
+
+
+@bp.route('/action/edit_vpn_peer', methods=['POST'])
+@require_level('administrator')
+def edit_vpn_peer():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(_VIEW)
+
+    peer_name    = sanitize.name(request.form.get('name', ''))
+    split_tunnel = request.form.get('split_tunnel') in ('true', '1', 'on', 'yes')
+    enabled      = request.form.get('enabled') not in ('false', '0', '')
+
+    if not peer_name:
+        flash('Peer name is required.', 'error')
+        return redirect(_VIEW)
+    if not _hash_ok():
+        return redirect(_VIEW)
+
+    core = load_core()
+    vpn_vlan = _wg_vlan(core)
+    if vpn_vlan is None:
+        flash('No WireGuard VLAN found.', 'error')
+        return redirect(_VIEW)
+
+    peers = vpn_vlan.get('peers', [])
+    if idx < 0 or idx >= len(peers):
+        flash('Peer not found.', 'error')
+        return redirect(_VIEW)
+
+    # Reject duplicate name if it belongs to a different peer
+    if any(i != idx and p.get('name') == peer_name for i, p in enumerate(peers)):
+        flash(f'A peer named "{peer_name}" already exists.', 'error')
+        return redirect(_VIEW)
+
+    peers[idx].update({'name': peer_name, 'split_tunnel': split_tunnel, 'enabled': enabled})
+    save_core(core)
+    flash(apply_msg(), 'success')
+    return redirect(_VIEW)
+
+
+@bp.route('/action/toggle_vpn_peer', methods=['POST'])
+@require_level('administrator')
+def toggle_vpn_peer():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(_VIEW)
+    if not _hash_ok():
+        return redirect(_VIEW)
+
+    core = load_core()
+    vpn_vlan = _wg_vlan(core)
+    if vpn_vlan is None:
+        flash('No WireGuard VLAN found.', 'error')
+        return redirect(_VIEW)
+
+    peers = vpn_vlan.get('peers', [])
+    if idx < 0 or idx >= len(peers):
+        flash('Peer not found.', 'error')
+        return redirect(_VIEW)
+
+    peers[idx]['enabled'] = not peers[idx].get('enabled', True)
+    save_core(core)
+    flash(apply_msg(), 'success')
+    return redirect(_VIEW)
+
+
+@bp.route('/action/delete_vpn_peer', methods=['POST'])
+@require_level('administrator')
+def delete_vpn_peer():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(_VIEW)
+    if not _hash_ok():
+        return redirect(_VIEW)
+
+    core = load_core()
+    vpn_vlan = _wg_vlan(core)
+    if vpn_vlan is None:
+        flash('No WireGuard VLAN found.', 'error')
+        return redirect(_VIEW)
+
+    peers = vpn_vlan.get('peers', [])
+    if idx < 0 or idx >= len(peers):
+        flash('Peer not found.', 'error')
+        return redirect(_VIEW)
+
+    peers.pop(idx)
+    save_core(core)
+    flash(apply_msg(), 'success')
+    return redirect(_VIEW)
+
+
+@bp.route('/action/regenerate_vpn_peer', methods=['POST'])
+@require_level('administrator')
+def regenerate_vpn_peer():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(_VIEW)
+    if not _hash_ok():
+        return redirect(_VIEW)
+
+    core = load_core()
+    vpn_vlan = _wg_vlan(core)
+    if vpn_vlan is None:
+        flash('No WireGuard VLAN found.', 'error')
+        return redirect(_VIEW)
+
+    peers = vpn_vlan.get('peers', [])
+    if idx < 0 or idx >= len(peers):
+        flash('Peer not found.', 'error')
+        return redirect(_VIEW)
+
+    private_key, public_key = _generate_wg_keypair()
+    peer = peers[idx]
+    peer['public_key'] = public_key
+    save_core(core)
+
+    return _conf_response(vpn_vlan, peer['name'], peer['ip'], private_key)
diff --git a/docker/router-dash/app/config_utils.py b/docker/router-dash/app/config_utils.py
index 092bf1d..b2ce756 100644
--- a/docker/router-dash/app/config_utils.py
+++ b/docker/router-dash/app/config_utils.py
@@ -1,16 +1,14 @@
 import json, subprocess, hashlib
 from markupsafe import Markup
 
-_APPLY_CMD     = 'sudo python3 ~/router/core.py --apply'
-_APPLY_CMD_VPN = 'sudo python3 ~/router/vpn.py --apply'
+_APPLY_CMD = 'sudo python3 ~/router/core.py --apply'
 
 
-def apply_msg(cmd=None):
+def apply_msg():
     """Return a Markup flash message for the apply reminder."""
-    command = cmd if cmd is not None else _APPLY_CMD
     return Markup(
         f'Configuration updated. To apply changes, run: '
-        f'<code><strong>{command}</strong></code>'
+        f'<code><strong>{_APPLY_CMD}</strong></code>'
     )
 
 CONFIGS_DIR = '/configs'
@@ -54,16 +52,6 @@ def run_apply():
         pass
 
 
-def run_apply_vpn():
-    try:
-        subprocess.run(
-            ['python3', f'{CONFIGS_DIR}/vpn.py', '--apply'],
-            capture_output=True, timeout=30
-        )
-    except Exception:
-        pass
-
-
 def run_update_blocklists():
     try:
         subprocess.run(
diff --git a/docker/router-dash/app/main.py b/docker/router-dash/app/main.py
index 12d2ba7..8ca56a3 100644
--- a/docker/router-dash/app/main.py
+++ b/docker/router-dash/app/main.py
@@ -22,6 +22,7 @@ from action_save_preferences import bp as action_save_preferences_bp
 from action_change_password import bp as action_change_password_bp
 from action_clear_ddns_log import bp as action_clear_ddns_log_bp
 from action_apply_ddns_providers import bp as action_apply_ddns_providers_bp
+from action_apply_interface import bp as action_apply_interface_bp
 
 app = Flask(__name__)
 app.secret_key = os.environ.get('SECRET_KEY', os.urandom(24))
@@ -47,6 +48,7 @@ app.register_blueprint(action_save_preferences_bp)
 app.register_blueprint(action_change_password_bp)
 app.register_blueprint(action_clear_ddns_log_bp)
 app.register_blueprint(action_apply_ddns_providers_bp)
+app.register_blueprint(action_apply_interface_bp)
 
 def _seed_initial_account():
     email = os.environ.get('INITIAL_MANAGER_EMAIL', '').strip().lower()
diff --git a/docker/router-dash/app/sanitize.py b/docker/router-dash/app/sanitize.py
index 85c6a90..53446bc 100644
--- a/docker/router-dash/app/sanitize.py
+++ b/docker/router-dash/app/sanitize.py
@@ -1,4 +1,5 @@
 import re
+import ipaddress
 
 # Curated IANA timezone list for the dropdown. Validation accepts any entry from this set.
 VALID_TIMEZONES = [
@@ -113,12 +114,25 @@ def hostname(value, max_len=253):
     return _strip(value.lower(), r'[^a-z0-9\-.]', max_len)
 
 def ip(value, max_len=45):
-    """IPv4 or IPv6 address: digits, dots, colons, hex letters."""
-    return _strip(value, r'[^0-9a-fA-F.:]', max_len)
+    """IPv4 or IPv6 address. Returns '' if not a valid address."""
+    cleaned = _strip(value, r'[^0-9a-fA-F.:]', max_len)
+    try:
+        ipaddress.ip_address(cleaned)
+        return cleaned
+    except ValueError:
+        return ''
 
 def ip_or_cidr(value, max_len=49):
-    """IP address or CIDR subnet: adds forward slash."""
-    return _strip(value, r'[^0-9a-fA-F.:/]', max_len)
+    """IP address or CIDR subnet. Returns '' if not valid."""
+    cleaned = _strip(value, r'[^0-9a-fA-F.:/]', max_len)
+    try:
+        if '/' in cleaned:
+            ipaddress.ip_network(cleaned, strict=False)
+        else:
+            ipaddress.ip_address(cleaned)
+        return cleaned
+    except ValueError:
+        return ''
 
 def mac(value, max_len=17):
     """MAC address: hex digits and colons."""
@@ -154,3 +168,24 @@ def email(value, max_len=254):
 def timezone(value):
     """Timezone string: must be in VALID_TIMEZONES list. Returns '' if not found."""
     return value if value in _TIMEZONE_SET else ''
+
+_DOTTED_TO_PREFIX = {
+    '255.0.0.0': 8, '255.255.0.0': 16, '255.255.255.0': 24,
+    '255.255.255.128': 25, '255.255.255.192': 26,
+    '255.255.255.224': 27, '255.255.255.240': 28,
+    '255.255.255.248': 29, '255.255.255.252': 30,
+}
+
+def subnet_mask(value):
+    """Subnet prefix length 1-30 (integer). Also accepts legacy dotted notation.
+    Returns int on success, None if invalid."""
+    s = str(value).strip()
+    if s in _DOTTED_TO_PREFIX:
+        return _DOTTED_TO_PREFIX[s]
+    try:
+        n = int(s)
+        if 1 <= n <= 30:
+            return n
+    except (ValueError, TypeError):
+        pass
+    return None
diff --git a/docker/router-dash/app/view_page.py b/docker/router-dash/app/view_page.py
index f6162a9..80e690a 100644
--- a/docker/router-dash/app/view_page.py
+++ b/docker/router-dash/app/view_page.py
@@ -67,6 +67,46 @@ def _run(cmd):
         return ''
 
 
+def _prefix_to_dotted(n):
+    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
+    return '.'.join(str((mask >> (8 * i)) & 0xFF) for i in (3, 2, 1, 0))
+
+
+def _get_system_interfaces():
+    """Return sorted list of physical-ish interface names from `ip link show`."""
+    out = _run('ip link show')
+    names = re.findall(r'^\d+:\s+(\S+):', out, re.MULTILINE)
+    ifaces = sorted({n.split('@')[0] for n in names} - {'lo'})
+    return ifaces
+
+
+def _iface_status(iface):
+    """Return link state for iface by reading /sys/class/net/<iface>/operstate.
+    Returns INVALID if the interface does not exist, otherwise UP/DOWN/UNKNOWN/etc."""
+    if not iface:
+        return 'INVALID'
+    safe = re.sub(r'[^A-Za-z0-9._-]', '', iface)
+    if not safe:
+        return 'INVALID'
+    try:
+        with open(f'/sys/class/net/{safe}/operstate') as f:
+            state = f.read().strip().upper()
+        return state if state else 'UP'
+    except OSError:
+        return 'INVALID'
+
+
+def _resolve_iface(vlan, core):
+    """Compute interface name from is_vpn + vlan_id + general.lan_interface."""
+    if vlan.get('is_vpn'):
+        wg_vlans = [v for v in core.get('vlans', []) if v.get('is_vpn')]
+        idx = next((i for i, v in enumerate(wg_vlans) if v is vlan), 0)
+        return f'wg{idx}'
+    lan = core.get('general', {}).get('lan_interface', 'eth0')
+    vid = vlan.get('vlan_id', 1)
+    return lan if vid == 1 else f'{lan}.{vid}'
+
+
 # -- Live data loaders ---------------------------------------------------------
 
 def _live_dhcp_leases():
@@ -91,11 +131,12 @@ def _live_dhcp_leases():
 def _vlan_name_for_ip(ip):
     import ipaddress
     for vlan in _load_core().get('vlans', []):
-        subnet = vlan.get('dhcp', {}).get('subnet', '')
+        subnet = vlan.get('subnet', '')
+        mask   = vlan.get('subnet_mask', 24)
         if not subnet:
             continue
         try:
-            if ipaddress.ip_address(ip) in ipaddress.ip_network(subnet + '/24', strict=False):
+            if ipaddress.ip_address(ip) in ipaddress.ip_network(f'{subnet}/{mask}', strict=False):
                 return vlan.get('name', '-')
         except Exception:
             pass
@@ -139,6 +180,15 @@ def _config_datasource(name):
     core = _load_core()
     vlans = core.get('vlans', [])
 
+    if name == 'interfaces':
+        gen = core.get('general', {})
+        wan = gen.get('wan_interface', '')
+        lan = gen.get('lan_interface', '')
+        return [
+            {'iface_type': 'WAN', 'interface': wan, 'status': _iface_status(wan)},
+            {'iface_type': 'LAN', 'interface': lan, 'status': _iface_status(lan)},
+        ]
+
     if name == 'banned_ips':
         return core.get('banned_ips', [])
 
@@ -161,10 +211,11 @@ def _config_datasource(name):
         return rows
 
     if name == 'vlans':
+        core = _load_core()
         rows = []
-        for v in vlans:
-            row = {k: v.get(k) for k in ('vlan_id', 'name', 'interface', 'dhcp', 'radius_default', 'mdns_reflection')}
-            row['subnet']        = v.get('dhcp', {}).get('subnet', '')
+        for v in sorted(vlans, key=lambda x: x.get('vlan_id', 0)):
+            row = {k: v.get(k) for k in ('vlan_id', 'name', 'subnet', 'subnet_mask', 'radius_default', 'mdns_reflection', 'is_vpn')}
+            row['interface'] = _resolve_iface(v, core)
             row['use_blocklists'] = json.dumps(v.get('use_blocklists', []))
             rows.append(row)
         return rows
@@ -208,6 +259,18 @@ def _config_datasource(name):
             rows.append(row)
         return rows
 
+    if name == 'vpn_peers':
+        wg_vlan = next((v for v in vlans if v.get('is_vpn')), None)
+        if not wg_vlan:
+            return []
+        rows = []
+        for peer in wg_vlan.get('peers', []):
+            row = dict(peer)
+            row['split_tunnel'] = 'yes' if peer.get('split_tunnel') else 'no'
+            row['pubkey_short'] = peer.get('public_key', '')[:20] + '...' if peer.get('public_key') else '-'
+            rows.append(row)
+        return rows
+
     return []
 
 
@@ -369,7 +432,22 @@ def collect_tokens():
     dns  = core.get('upstream_dns', {})
     vlans = core.get('vlans', [])
     tokens['GENERAL_WAN_INTERFACE']       = str(gen.get('wan_interface', '-'))
+    tokens['GENERAL_LAN_INTERFACE']       = str(gen.get('lan_interface', '-'))
     tokens['GENERAL_LOG_MAX_KB']          = str(gen.get('log_max_kb', '-'))
+
+    sys_ifaces = _get_system_interfaces()
+    # Always include currently-configured values so dropdowns are never blank.
+    for configured in [gen.get('wan_interface', ''), gen.get('lan_interface', '')]:
+        if configured and configured not in sys_ifaces:
+            sys_ifaces.append(configured)
+    sys_ifaces.sort()
+    tokens['NETWORK_INTERFACE_OPTIONS'] = json.dumps(
+        [{'value': i, 'label': i} for i in sys_ifaces]
+    )
+    tokens['NETWORK_INTERFACE_STATUS_OPTIONS'] = json.dumps(
+        [{'value': i, 'label': f'{i} — {_iface_status(i).title()}'} for i in sys_ifaces]
+    )
+
     tokens['GENERAL_LOG_ERRORS_ONLY']     = 'true' if gen.get('log_errors_only') else 'false'
     tokens['GENERAL_DNSMASQ_LOG_QUERIES'] = 'true' if gen.get('dnsmasq_log_queries') else 'false'
     tokens['GENERAL_DAILY_EXECUTE_TIME']  = str(gen.get('daily_execute_time_24hr_local', '-'))
@@ -380,7 +458,7 @@ def collect_tokens():
     tokens['DNS_UPSTREAM_SERVERS_JSON'] = json.dumps(servers)
     tokens['OVERVIEW_UPSTREAM_SERVERS'] = ', '.join(servers) or '-'
 
-    non_vpn_vlans = [v for v in vlans if 'dhcp' in v]
+    non_vpn_vlans = [v for v in vlans if not v.get('is_vpn')]
     vlan_names = [v.get('name', '') for v in vlans]
     tokens['OVERVIEW_VLAN_NAMES'] = ', '.join(vlan_names) or '-'
     tokens['STAT_VLAN_COUNT']     = str(len(non_vpn_vlans))
@@ -392,6 +470,10 @@ def collect_tokens():
     tokens['VLAN_FILTER_OPTIONS']    = filter_opts
     tokens['VLAN_NAMES_AS_OPTIONS']  = json.dumps([{'value': n, 'label': n} for n in vlan_names])
 
+    tokens['VPN_VLAN_COUNT']        = str(sum(1 for v in vlans if v.get('is_vpn')))
+    tokens['EXISTING_VLAN_IDS_JSON']        = json.dumps([v.get('vlan_id') for v in vlans])
+    tokens['EXISTING_VLAN_NAMES_JSON']      = json.dumps([v.get('name', '') for v in vlans])
+    tokens['EXISTING_VLAN_INTERFACES_JSON'] = json.dumps([_resolve_iface(v, core) for v in vlans])
     tokens['STAT_BANNED_IP_COUNT']  = str(sum(1 for b in core.get('banned_ips',  []) if b.get('enabled', True)))
     tokens['STAT_BLOCKLIST_COUNT']  = str(sum(1 for b in core.get('blocklists', []) if b.get('enabled', True)))
 
@@ -405,13 +487,28 @@ def collect_tokens():
         {'value': 'duckdns',    'label': 'DuckDNS'},
     ])
 
-    vpn = _vpn_info()
+    wg_vlan  = next((v for v in vlans if v.get('is_vpn')), {})
+    vpn      = wg_vlan.get('vpn_information', {})
     overrides = vpn.get('explicit_overrides', {})
-    tokens['VPN_LISTEN_PORT'] = str(vpn.get('listen_port', ''))
-    tokens['VPN_GATEWAY']     = str(vpn.get('gateway', ''))
-    tokens['VPN_DOMAIN']      = str(vpn.get('domain', ''))
-    tokens['VPN_DNS_SERVER']  = str(overrides.get('dns_server', ''))
-    tokens['VPN_MTU']         = str(overrides.get('mtu', ''))
+    tokens['VPN_LISTEN_PORT']     = str(vpn.get('listen_port', ''))
+    tokens['VPN_SERVER_ENDPOINT'] = str(vpn.get('server_endpoint', ''))
+    tokens['VPN_DOMAIN']          = str(vpn.get('domain', ''))
+    tokens['VPN_DNS_SERVER']      = str(overrides.get('dns_server', ''))
+    tokens['VPN_MTU']             = str(overrides.get('mtu', ''))
+    # Compute gateway from server_identities (lowest last-octet), fallback to first subnet host
+    try:
+        import ipaddress as _ipaddress
+        ident_ips = [s['ip'] for s in wg_vlan.get('server_identities', []) if s.get('ip')]
+        if ident_ips:
+            default_gw = str(min((_ipaddress.IPv4Address(ip) for ip in ident_ips),
+                                 key=lambda x: x.packed[-1]))
+        else:
+            wg_net     = _ipaddress.IPv4Network(
+                f"{wg_vlan['subnet']}/{wg_vlan['subnet_mask']}", strict=False)
+            default_gw = str(next(wg_net.hosts()))
+        tokens['VPN_GATEWAY'] = overrides.get('gateway') or default_gw
+    except Exception:
+        tokens['VPN_GATEWAY'] = ''
 
     ip_str, sub_str, next_interval = _public_ip_info(ddns)
     tokens['STAT_PUBLIC_IP']       = ip_str
@@ -441,6 +538,28 @@ def collect_tokens():
         blank + [{'value': tz, 'label': tz} for tz in sanitize.VALID_TIMEZONES]
     )
 
+    tokens['PROTOCOL_OPTIONS'] = json.dumps([
+        {'value': 'tcp',  'label': 'TCP'},
+        {'value': 'udp',  'label': 'UDP'},
+        {'value': 'both', 'label': 'TCP/UDP'},
+    ])
+
+    tokens['BLOCKLIST_FORMAT_OPTIONS'] = json.dumps([
+        {'value': 'hosts',   'label': 'hosts (hosts file format)'},
+        {'value': 'dnsmasq', 'label': 'dnsmasq (local=/ syntax)'},
+    ])
+
+    tokens['BLOCKLIST_NAME_OPTIONS'] = json.dumps([
+        {'value': bl.get('name', ''), 'label': bl.get('description', bl.get('name', ''))}
+        for bl in core.get('blocklists', [])
+    ])
+
+    tokens['ACCOUNT_LEVEL_OPTIONS'] = json.dumps([
+        {'value': 'viewer',        'label': 'Viewer (read-only access to live data)'},
+        {'value': 'administrator', 'label': 'Administrator (can modify configuration)'},
+        {'value': 'manager',       'label': 'Manager (full access including account management)'},
+    ])
+
     return tokens
 
 
@@ -511,6 +630,9 @@ def _render_item(item, tokens, inherited_req=None):
     if t == 'spacer':
         return '<div class="spacer"></div>'
 
+    if t == 'divider':
+        return '<hr class="divider">'
+
     if t in ('button_primary', 'button_secondary', 'button_danger', 'button_ghost'):
         cls_map = {
             'button_primary':   'btn-primary',
@@ -522,11 +644,12 @@ def _render_item(item, tokens, inherited_req=None):
         extra = item.get('class', '')
         if extra:
             cls = f'{cls} {extra}'
-        text   = e(apply_tokens(item.get('text', ''), tokens))
-        action = e(apply_tokens(item.get('action', '#'), tokens))
+        text     = e(apply_tokens(item.get('text', ''), tokens))
+        action   = e(apply_tokens(item.get('action', '#'), tokens))
+        disabled = ' disabled' if item.get('disabled') else ''
         if item.get('method', '').lower() == 'post':
             return (f'<form method="post" action="{action}" style="display:inline">'
-                    f'<button type="submit" class="btn {e(cls)}">{text}</button></form>')
+                    f'<button type="submit" class="btn {e(cls)}"{disabled}>{text}</button></form>')
         return f'<a href="{action}" class="btn {e(cls)}">{text}</a>'
 
     if t == 'button_cancel':
@@ -616,13 +739,46 @@ def _render_item(item, tokens, inherited_req=None):
     if t == 'field':
         return _render_field(item, tokens)
 
+    if t == 'field_row':
+        inner = render_items(item.get('items', []), tokens, req)
+        cols  = item.get('cols', 2)
+        return f'<div class="form-row-{cols}">{inner}</div>'
+
+    if t == 'subnet_row':
+        subnet_name  = e(item.get('subnet_name', 'subnet'))
+        prefix_name  = e(item.get('prefix_name', 'subnet_mask'))
+        subnet_val   = apply_tokens(item.get('subnet_value', ''), tokens)
+        prefix_raw   = apply_tokens(item.get('prefix_value', '24'), tokens)
+        subnet_ph    = e(apply_tokens(item.get('subnet_placeholder', ''), tokens))
+        show_derived = item.get('show_derived_vlan_id', False)
+        try:
+            pf = max(1, min(30, int(prefix_raw)))
+        except (ValueError, TypeError):
+            pf = 24
+        dotted = _prefix_to_dotted(pf)
+
+        return (
+            f'<div class="form-group">'
+            f'<label class="form-label">Subnet</label>'
+            f'<div class="subnet-row-wrap">'
+            f'<input type="text" name="{subnet_name}" value="{e(subnet_val)}" placeholder="{subnet_ph}" class="form-input">'
+            f'<span class="subnet-sep">/</span>'
+            f'<input type="number" name="{prefix_name}" value="{pf}" min="1" max="30" class="form-input subnet-prefix-input">'
+            f'<span class="subnet-dotted">{e(dotted)}</span>'
+            f'</div>'
+            f'<p class="form-hint field-dyn-hint" style="display:none"></p>'
+            f'</div>'
+        )
+
     if t == 'editable_list':
         return _render_editable_list(item, tokens)
 
     if t == 'select':
-        name    = e(item.get('name', ''))
-        options = apply_tokens(item.get('options', ''), tokens)
-        return f'<select name="{name}" class="form-select">{options}</select>'
+        name       = e(item.get('name', ''))
+        options    = apply_tokens(item.get('options', ''), tokens)
+        filter_col = item.get('filter_col', '')
+        extra      = f' data-filter-col="{e(filter_col)}"' if filter_col else ''
+        return f'<select name="{name}" class="form-select"{extra}>{options}</select>'
 
     if t == 'button_row':
         inner = render_items(item.get('items', []), tokens, req)
@@ -642,12 +798,22 @@ def _render_field(item, tokens):
     placeholder = e(apply_tokens(item.get('placeholder', ''), tokens))
     hint        = e(apply_tokens(item.get('hint', ''), tokens))
     hint_html   = f'<p class="form-hint">{hint}</p>' if hint else ''
+    extra_cls   = f' {e(item["class"])}' if item.get('class') else ''
+    readonly    = ' readonly' if item.get('readonly') else ''
 
     if input_type == 'hidden':
         return f'<input type="hidden" name="{name}" value="{e(value)}">'
 
     if input_type == 'checkbox':
-        checked = 'checked' if value.lower() in ('true', '1', 'yes') else ''
+        checked  = 'checked' if value.lower() in ('true', '1', 'yes') else ''
+        cb_label = item.get('checkbox_label')
+        if cb_label:
+            return (f'<div class="form-group">'
+                    f'<label class="form-label">{label}</label>'
+                    f'<label class="form-checkbox-row">'
+                    f'<input type="checkbox" name="{name}" {checked} class="form-checkbox">'
+                    f' <span class="form-checkbox-label">{e(cb_label)}</span>'
+                    f'</label>{hint_html}</div>')
         return (f'<div class="form-group">'
                 f'<label class="form-label">'
                 f'<input type="checkbox" name="{name}" {checked} class="form-checkbox"> {label}'
@@ -689,7 +855,7 @@ def _render_field(item, tokens):
         min_attr = f' min="{item["min"]}"' if 'min' in item else ''
         max_attr = f' max="{item["max"]}"' if 'max' in item else ''
         return (f'<div class="form-group"><label class="form-label">{label}</label>'
-                f'<input type="number" name="{name}" value="{e(value)}"{min_attr}{max_attr} class="form-input">'
+                f'<input type="number" name="{name}" value="{e(value)}"{min_attr}{max_attr} class="form-input{extra_cls}"{readonly}>'
                 f'{hint_html}</div>')
 
     if input_type == 'textarea':
@@ -699,9 +865,10 @@ def _render_field(item, tokens):
                 f' class="form-input">{e(value)}</textarea>'
                 f'{hint_html}</div>')
 
+    dyn_hint = '<p class="form-hint field-dyn-hint" style="display:none"></p>' if item.get('readonly') else ''
     return (f'<div class="form-group"><label class="form-label">{label}</label>'
             f'<input type="{e(input_type)}" name="{name}" value="{e(value)}"'
-            f' placeholder="{placeholder}" class="form-input">{hint_html}</div>')
+            f' placeholder="{placeholder}" class="form-input{extra_cls}"{readonly}>{hint_html}{dyn_hint}</div>')
 
 
 def _render_editable_list(item, tokens):
@@ -784,6 +951,10 @@ def _render_table(item, tokens, inherited_req=None):
                     action = e(apply_tokens(ra.get('action', '#'), tokens))
                     method = ra.get('method', 'post').lower()
                     if method == 'post':
+                        disable_if = ra.get('disable_if')
+                        if disable_if and row.get(disable_if.get('field')) == disable_if.get('value'):
+                            btns += f'<button type="button" class="btn {cls}" disabled>{text}</button>'
+                            continue
                         btns += (f'<form method="post" action="{action}" style="display:inline">'
                                  f'<input type="hidden" name="row_index" value="{idx}">'
                                  f'<input type="hidden" name="config_hash" value="{e(hash_val)}">'
@@ -859,6 +1030,18 @@ def _render_table_cell(value, render_fn, col_class='', field='', row_idx=None,
         tags = ''.join(f'<span class="tag">{e(str(t))}</span>' for t in items if str(t).strip())
         return f'{td_open}<div class="tag-list">{tags}</div></td>'
 
+    if render_fn == 'interface_status':
+        v = value.upper()
+        if v == 'INVALID':
+            inner = '<span class="badge badge-danger">Invalid</span>'
+        elif v == 'UP':
+            inner = '<span class="badge badge-enabled">Up</span>'
+        elif v == 'DOWN':
+            inner = '<span class="badge badge-warning">Down</span>'
+        else:
+            inner = f'<span class="badge badge-disabled">{e(value.title())}</span>'
+        return f'{td_open}{inner}</td>'
+
     return f'{td_open}{e(value)}</td>'
 
 
@@ -882,7 +1065,12 @@ def render_layout(view_id, content_html, tokens):
     navbar_html   = _render_navbar(view_id, level, tokens)
     footer_html   = '<footer class="footer">Router Dashboard</footer>'
 
-    page_hash = core_hash()
+    page_hash           = core_hash()
+    lan_iface           = e(tokens.get('GENERAL_LAN_INTERFACE', ''))
+    vpn_count           = tokens.get('VPN_VLAN_COUNT', '0')
+    existing_ids        = tokens.get('EXISTING_VLAN_IDS_JSON', '[]')
+    existing_names      = tokens.get('EXISTING_VLAN_NAMES_JSON', '[]')
+    existing_interfaces = tokens.get('EXISTING_VLAN_INTERFACES_JSON', '[]')
     return (f'<!DOCTYPE html>\n<html lang="en">\n<head>\n'
             f'  <meta charset="UTF-8">\n'
             f'  <meta name="viewport" content="width=device-width, initial-scale=1.0">\n'
@@ -893,7 +1081,7 @@ def render_layout(view_id, content_html, tokens):
             f'{navbar_html}\n'
             f'<main class="main-content">\n{content_html}\n</main>\n'
             f'{footer_html}\n'
-            f'<script>var CONFIG_HASH = "{page_hash}";</script>\n'
+            f'<script>var CONFIG_HASH="{page_hash}";var LAN_IFACE="{lan_iface}";var VPN_VLAN_COUNT={vpn_count};var EXISTING_VLAN_IDS={existing_ids};var EXISTING_VLAN_NAMES={existing_names};var EXISTING_VLAN_INTERFACES={existing_interfaces};</script>\n'
             f'<script>{_inline_js()}</script>\n'
             f'</body>\n</html>')
 
@@ -956,6 +1144,156 @@ def _render_nav_item(item, active_view, level, in_dropdown=False, inherited_req=
 
 def _inline_js():
     return r"""
+function prefixToDotted(n) {
+  if (n < 1 || n > 30) return '';
+  var mask = ((0xFFFFFFFF << (32 - n)) >>> 0);
+  return [(mask >>> 24) & 0xFF, (mask >>> 16) & 0xFF, (mask >>> 8) & 0xFF, mask & 0xFF].join('.');
+}
+
+function deriveVlanId(subnet, prefix) {
+  var parts = subnet.split('.');
+  if (parts.length !== 4) return null;
+  var octets = parts.map(function(p) { return parseInt(p, 10); });
+  if (octets.some(function(o) { return isNaN(o) || o < 0 || o > 255; })) return null;
+  var byteIdx = Math.floor((prefix - 1) / 8);
+  var id = octets[byteIdx];
+  return (id >= 0 && id <= 4094) ? id : null;
+}
+
+function classifySubnet(s) {
+  if (!s) return 'empty';
+  if (/[^0-9.]/.test(s)) return 'invalid_char';
+  if (/\.\./.test(s) || s.charAt(0) === '.') return 'invalid_struct';
+  var parts = s.split('.');
+  if (parts.length > 4) return 'too_many';
+  for (var i = 0; i < parts.length; i++) {
+    var p = parts[i];
+    if (!p) continue;
+    var n = parseInt(p, 10);
+    if (isNaN(n) || n > 255) return 'range';
+  }
+  if (parts.length < 4 || parts[3] === '') return 'incomplete';
+  return 'complete';
+}
+
+function setFieldHint(input, message, state) {
+  // state: 'error' | 'warning' | 'ok'
+  var fg = input.closest('.form-group');
+  if (fg) {
+    var hint = fg.querySelector('.field-dyn-hint');
+    if (hint) {
+      hint.textContent = message;
+      hint.style.display = message ? '' : 'none';
+      hint.style.color = (state === 'error') ? 'var(--danger)' : 'var(--text-muted)';
+    }
+  }
+  input.classList.remove('field-invalid', 'field-warning');
+  if (state === 'error' && message) input.classList.add('field-invalid');
+  else if (state === 'warning')     input.classList.add('field-warning');
+}
+
+function updateAddVlanForm(form) {
+  var nameInp     = form.querySelector('input[name="name"]');
+  var subnetInp   = form.querySelector('input[name="subnet"]');
+  var prefixInp   = form.querySelector('input.subnet-prefix-input');
+  var vpnChk      = form.querySelector('input[name="is_vpn"]');
+  var ifacePrev   = form.querySelector('.vlan-iface-preview');
+  var derivedPrev = form.querySelector('.vlan-derived-id-preview');
+  var submitBtn   = form.querySelector('.add-vlan-btn');
+  if (!subnetInp || !prefixInp) return;
+
+  var subnet = subnetInp.value.trim();
+  var prefix = parseInt(prefixInp.value, 10);
+  var isVpn  = vpnChk && vpnChk.checked;
+  var lan    = typeof LAN_IFACE !== 'undefined' ? LAN_IFACE : 'eth0';
+  var sClass = classifySubnet(subnet);
+  var id     = (sClass === 'complete') ? deriveVlanId(subnet, prefix) : null;
+
+  // Derived VLAN ID preview
+  if (derivedPrev) derivedPrev.value = (id !== null) ? String(id) : '';
+
+  // Interface preview
+  var ifaceVal = '';
+  if (isVpn) {
+    ifaceVal = 'wg' + (typeof VPN_VLAN_COUNT !== 'undefined' ? VPN_VLAN_COUNT : 0);
+  } else if (id !== null) {
+    ifaceVal = (id === 1) ? lan : lan + '.' + id;
+  }
+  if (ifacePrev) ifacePrev.value = ifaceVal;
+
+  // Subnet sub-text + colour
+  var subnetMsg = '', subnetState = 'ok', subnetOk = false;
+  if (sClass === 'empty' || sClass === 'incomplete') {
+    subnetState = 'warning';
+  } else if (sClass === 'invalid_char' || sClass === 'invalid_struct' || sClass === 'too_many') {
+    subnetMsg = 'Invalid'; subnetState = 'error';
+  } else if (sClass === 'range') {
+    subnetMsg = 'Quartet out of range'; subnetState = 'error';
+  } else {
+    if (id === 0) {
+      subnetMsg = 'Reserved'; subnetState = 'warning';
+    } else if (id === null || EXISTING_VLAN_IDS.indexOf(id) !== -1) {
+      subnetMsg = id === null ? '' : 'Duplicate'; subnetState = id === null ? 'warning' : 'error';
+    } else {
+      subnetOk = true;
+    }
+  }
+  setFieldHint(subnetInp, subnetMsg, subnetState);
+
+  // Interface duplicate/reserved sub-text
+  if (ifacePrev) {
+    if (id === 0) {
+      setFieldHint(ifacePrev, 'Reserved', 'error');
+    } else {
+      var ifaceDupe = ifaceVal.length > 0 && EXISTING_VLAN_INTERFACES.indexOf(ifaceVal) !== -1;
+      setFieldHint(ifacePrev, ifaceDupe ? 'Duplicate' : '', ifaceDupe ? 'error' : 'ok');
+    }
+  }
+
+  // VLAN ID duplicate/reserved sub-text
+  if (derivedPrev) {
+    if (id === 0) {
+      setFieldHint(derivedPrev, 'Reserved', 'error');
+    } else {
+      var derivedDupe = id !== null && EXISTING_VLAN_IDS.indexOf(id) !== -1;
+      setFieldHint(derivedPrev, derivedDupe ? 'Duplicate' : '', derivedDupe ? 'error' : 'ok');
+    }
+  }
+
+  // Name validation + colour
+  if (submitBtn) {
+    var name      = nameInp ? nameInp.value.trim().toLowerCase() : '';
+    var nameValid = name.length > 0 && /^[a-z0-9-]+$/.test(name);
+    var nameDupe  = nameValid && EXISTING_VLAN_NAMES.indexOf(name) !== -1;
+    var nameOk    = nameValid && !nameDupe;
+    if (nameInp) {
+      nameInp.classList.remove('field-invalid', 'field-warning');
+      if (name.length === 0)  nameInp.classList.add('field-warning');
+      else if (!nameOk)       nameInp.classList.add('field-invalid');
+    }
+    submitBtn.disabled = !(nameOk && subnetOk);
+  }
+}
+
+document.addEventListener('input', function(e) {
+  var wrap = e.target.closest('.subnet-row-wrap');
+  if (wrap) {
+    var dotLabel = wrap.querySelector('.subnet-dotted');
+    if (dotLabel) {
+      var n = parseInt(wrap.querySelector('.subnet-prefix-input').value, 10);
+      dotLabel.textContent = (n >= 1 && n <= 30) ? prefixToDotted(n) : '';
+    }
+  }
+  var form = e.target.closest('form');
+  if (form && form.querySelector('.add-vlan-btn')) updateAddVlanForm(form);
+});
+
+document.addEventListener('change', function(e) {
+  if (e.target.name !== 'is_vpn') return;
+  var form = e.target.closest('form');
+  if (form && form.querySelector('.add-vlan-btn')) updateAddVlanForm(form);
+});
+
 document.querySelectorAll('.row-edit-btn').forEach(function(btn) {
   btn.addEventListener('click', function() {
     var row    = JSON.parse(this.dataset.row);
@@ -1019,6 +1357,19 @@ document.addEventListener('click', function(e) {
       var checked = (val === true || val === 'true' || val === 1 || val === '1');
       td.innerHTML = '<input type="checkbox" name="' + field + '"' +
         (checked ? ' checked' : '') + ' class="inline-edit-checkbox">';
+    } else if (inputType === 'checkbox_multi') {
+      var opts = fDef.options || [];
+      var checked = [];
+      try { var parsed = JSON.parse(val); if (Array.isArray(parsed)) checked = parsed; } catch(ex) {}
+      var cbHtml = '<div class="checkbox-multi-group">';
+      opts.forEach(function(o) {
+        var isChecked = checked.indexOf(o.value) !== -1;
+        cbHtml += '<label class="checkbox-multi-item">' +
+          '<input type="checkbox" name="' + field + '" value="' + esc(o.value) + '"' +
+          (isChecked ? ' checked' : '') + ' class="inline-edit-checkbox-multi"> ' + esc(o.label) + '</label>';
+      });
+      cbHtml += '</div>';
+      td.innerHTML = cbHtml;
     } else if (inputType === 'select') {
       var opts = fDef.options || [];
       var selHtml = '<select name="' + field + '" class="form-select inline-edit-select">';
@@ -1028,6 +1379,11 @@ document.addEventListener('click', function(e) {
       });
       selHtml += '</select>';
       td.innerHTML = selHtml;
+    } else if (inputType === 'number') {
+      var minAttr = fDef.min !== undefined ? ' min="' + esc(String(fDef.min)) + '"' : '';
+      var maxAttr = fDef.max !== undefined ? ' max="' + esc(String(fDef.max)) + '"' : '';
+      td.innerHTML = '<input type="number" name="' + field + '" value="' + esc(String(val)) +
+        '"' + minAttr + maxAttr + ' class="form-input inline-edit-input">';
     } else if (inputType === 'textarea') {
       var textVal;
       try { var arr = JSON.parse(val); textVal = Array.isArray(arr) ? arr.join('\n') : String(val||''); }
@@ -1075,7 +1431,11 @@ document.addEventListener('click', function(e) {
       addHidden('config_hash', typeof CONFIG_HASH !== 'undefined' ? CONFIG_HASH : '');
       tr.querySelectorAll('td[data-field] input[name], td[data-field] textarea[name], td[data-field] select[name]').forEach(function(inp) {
         if (inp.type === 'checkbox') {
-          if (inp.checked) addHidden(inp.name, 'on');
+          if (inp.classList.contains('inline-edit-checkbox-multi')) {
+            if (inp.checked) addHidden(inp.name, inp.value);
+          } else {
+            if (inp.checked) addHidden(inp.name, 'on');
+          }
         } else {
           addHidden(inp.name, inp.value);
         }
@@ -1093,6 +1453,26 @@ document.addEventListener('click', function(e) {
   }
 });
 
+document.querySelectorAll('select[data-filter-col]').forEach(function(sel) {
+  function applyFilter() {
+    var col     = sel.dataset.filterCol;
+    var val     = sel.value;
+    var toolbar = sel.closest('.table-toolbar');
+    if (!toolbar) return;
+    var wrapper = toolbar.nextElementSibling;
+    if (!wrapper || !wrapper.classList.contains('table-wrapper')) return;
+    wrapper.querySelectorAll('tbody tr').forEach(function(tr) {
+      if (val === 'all') {
+        tr.style.display = '';
+      } else {
+        var td = tr.querySelector('td[data-field="' + col + '"]');
+        tr.style.display = (td && td.textContent.trim() === val) ? '' : 'none';
+      }
+    });
+  }
+  sel.addEventListener('change', applyFilter);
+});
+
 document.querySelectorAll('.js-hide-card').forEach(function(btn) {
   btn.addEventListener('click', function(e) {
     e.preventDefault();
diff --git a/docker/router-dash/data/page_content.json b/docker/router-dash/data/page_content.json
index 57b1451..62920c8 100644
--- a/docker/router-dash/data/page_content.json
+++ b/docker/router-dash/data/page_content.json
@@ -488,6 +488,51 @@
             }
           ]
         },
+        {
+          "type": "card",
+          "label": "Network Interfaces",
+          "client_requirement": "client_is_viewer+",
+          "items": [
+            {
+              "type": "table",
+              "datasource": "config:interfaces",
+              "empty_message": "No interfaces configured.",
+              "columns": [
+                {
+                  "label": "Type",
+                  "field": "iface_type",
+                  "class": "col-mono"
+                },
+                {
+                  "label": "Interface",
+                  "field": "interface",
+                  "class": "col-mono"
+                },
+                {
+                  "label": "Status",
+                  "field": "status",
+                  "render": "interface_status"
+                }
+              ],
+              "row_actions": [
+                {
+                  "text": "Edit",
+                  "class": "btn-ghost btn-sm",
+                  "action": "/action/apply_interface",
+                  "method": "inline_edit",
+                  "client_requirement": "client_is_administrator+",
+                  "fields": [
+                    {
+                      "col": "interface",
+                      "input_type": "select",
+                      "options": "%NETWORK_INTERFACE_STATUS_OPTIONS%"
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
         {
           "type": "card",
           "label": "General",
@@ -497,15 +542,6 @@
               "action": "/action/apply_general",
               "method": "post",
               "items": [
-                {
-                  "type": "field",
-                  "label": "WAN Interface",
-                  "name": "wan_interface",
-                  "input_type": "text",
-                  "value": "%GENERAL_WAN_INTERFACE%",
-                  "placeholder": "e.g. eno2",
-                  "hint": "The network interface facing your ISP modem or ONT."
-                },
                 {
                   "type": "field",
                   "label": "Max Log Size (KB)",
@@ -955,16 +991,7 @@
                 {
                   "col": "format",
                   "input_type": "select",
-                  "options": [
-                    {
-                      "value": "hosts",
-                      "label": "hosts \u2014 /etc/hosts format"
-                    },
-                    {
-                      "value": "dnsmasq",
-                      "label": "dnsmasq \u2014 local=/ syntax"
-                    }
-                  ]
+                  "options": "%BLOCKLIST_FORMAT_OPTIONS%"
                 },
                 {
                   "col": "url",
@@ -1015,16 +1042,7 @@
                   "label": "Format",
                   "name": "format",
                   "input_type": "select",
-                  "options": [
-                    {
-                      "value": "hosts",
-                      "label": "hosts \u2014 /etc/hosts format"
-                    },
-                    {
-                      "value": "dnsmasq",
-                      "label": "dnsmasq \u2014 local=/ syntax"
-                    }
-                  ]
+                  "options": "%BLOCKLIST_FORMAT_OPTIONS%"
                 },
                 {
                   "type": "field",
@@ -1070,7 +1088,7 @@
         {
           "type": "info_bar",
           "variant": "info",
-          "text": "For a basic flat network with no VLAN segmentation, only use VLAN 1 and delete the others."
+          "text": "VLAN ID is derived automatically from the subnet and prefix using the active-octet rule: for /24 the third octet is used (192.168.10.0/24 → VLAN 10), for /16 the second octet, for /8 the first octet, for /25–/30 the fourth. For a basic flat network with no VLAN segmentation, only use VLAN 1 and delete the others."
         },
         {
           "type": "table",
@@ -1096,6 +1114,11 @@
               "field": "subnet",
               "class": "col-mono"
             },
+            {
+              "label": "Mask",
+              "field": "subnet_mask",
+              "class": "col-mono"
+            },
             {
               "label": "Blocklists",
               "field": "use_blocklists",
@@ -1125,12 +1148,14 @@
                   "input_type": "text"
                 },
                 {
-                  "col": "interface",
+                  "col": "subnet",
                   "input_type": "text"
                 },
                 {
-                  "col": "subnet",
-                  "input_type": "text"
+                  "col": "subnet_mask",
+                  "input_type": "number",
+                  "min": 1,
+                  "max": 30
                 },
                 {
                   "col": "radius_default",
@@ -1139,6 +1164,11 @@
                 {
                   "col": "mdns_reflection",
                   "input_type": "checkbox"
+                },
+                {
+                  "col": "use_blocklists",
+                  "input_type": "checkbox_multi",
+                  "options": "%BLOCKLIST_NAME_OPTIONS%"
                 }
               ]
             },
@@ -1147,7 +1177,11 @@
               "class": "btn-danger btn-sm",
               "action": "/action/delete_vlan",
               "method": "post",
-              "client_requirement": "client_is_administrator+"
+              "client_requirement": "client_is_administrator+",
+              "disable_if": {
+                "field": "vlan_id",
+                "value": 1
+              }
             }
           ]
         },
@@ -1163,35 +1197,70 @@
               "method": "post",
               "items": [
                 {
-                  "type": "field",
-                  "label": "VLAN ID",
-                  "name": "vlan_id",
-                  "input_type": "number",
-                  "min": 1,
-                  "max": 4094,
-                  "placeholder": "e.g. 10"
+                  "type": "field_row",
+                  "cols": 2,
+                  "items": [
+                    {
+                      "type": "field",
+                      "label": "VLAN Name",
+                      "name": "name",
+                      "input_type": "text",
+                      "hint": "Lowercase letters, digits, hyphens. E.g. iot"
+                    },
+                    {
+                      "type": "subnet_row",
+                      "subnet_name": "subnet",
+                      "prefix_name": "subnet_mask",
+                      "subnet_placeholder": "e.g. 192.168.x.0",
+                      "prefix_value": "24"
+                    }
+                  ]
+                },
+                {
+                  "type": "field_row",
+                  "cols": 3,
+                  "items": [
+                    {
+                      "type": "field",
+                      "label": "Interface",
+                      "name": "",
+                      "input_type": "text",
+                      "readonly": true,
+                      "class": "vlan-iface-preview form-input-mono",
+                      "value": ""
+                    },
+                    {
+                      "type": "field",
+                      "label": "VLAN ID",
+                      "name": "",
+                      "input_type": "text",
+                      "readonly": true,
+                      "class": "vlan-derived-id-preview form-input-mono",
+                      "value": ""
+                    },
+                    {
+                      "type": "field",
+                      "label": "VLAN Type",
+                      "name": "is_vpn",
+                      "input_type": "checkbox",
+                      "checkbox_label": "Is VPN",
+                      "hint": "Check if this VLAN uses a WireGuard interface (e.g. wg0, wg1, etc)."
+                    }
+                  ]
+                },
+                {
+                  "type": "divider"
                 },
                 {
                   "type": "field",
-                  "label": "Name",
-                  "name": "name",
-                  "input_type": "text",
-                  "placeholder": "e.g. IoT"
+                  "label": "Blocklists",
+                  "name": "use_blocklists",
+                  "input_type": "checkbox_group",
+                  "options": "%BLOCKLIST_NAME_OPTIONS%",
+                  "hint": "Note: Selected lists will be merged and de-duplicated prior to use."
                 },
                 {
-                  "type": "field",
-                  "label": "Interface",
-                  "name": "interface",
-                  "input_type": "text",
-                  "placeholder": "e.g. eth0.10"
-                },
-                {
-                  "type": "field",
-                  "label": "Subnet",
-                  "name": "subnet",
-                  "input_type": "text",
-                  "placeholder": "e.g. 192.168.10.0/24",
-                  "hint": "DHCP subnet for this VLAN."
+                  "type": "divider"
                 },
                 {
                   "type": "field",
@@ -1214,7 +1283,9 @@
                       "type": "button_primary",
                       "text": "Add VLAN",
                       "action": "/action/add_vlan",
-                      "method": "post"
+                      "method": "post",
+                      "class": "add-vlan-btn",
+                      "disabled": true
                     }
                   ]
                 }
@@ -1291,20 +1362,7 @@
                 {
                   "col": "protocol",
                   "input_type": "select",
-                  "options": [
-                    {
-                      "value": "tcp",
-                      "label": "TCP"
-                    },
-                    {
-                      "value": "udp",
-                      "label": "UDP"
-                    },
-                    {
-                      "value": "both",
-                      "label": "TCP/UDP"
-                    }
-                  ]
+                  "options": "%PROTOCOL_OPTIONS%"
                 },
                 {
                   "col": "src_ip_or_subnet",
@@ -1356,20 +1414,7 @@
                   "label": "Protocol",
                   "name": "protocol",
                   "input_type": "select",
-                  "options": [
-                    {
-                      "value": "tcp",
-                      "label": "TCP"
-                    },
-                    {
-                      "value": "udp",
-                      "label": "UDP"
-                    },
-                    {
-                      "value": "both",
-                      "label": "TCP/UDP"
-                    }
-                  ]
+                  "options": "%PROTOCOL_OPTIONS%"
                 },
                 {
                   "type": "field",
@@ -1476,20 +1521,7 @@
                 {
                   "col": "protocol",
                   "input_type": "select",
-                  "options": [
-                    {
-                      "value": "tcp",
-                      "label": "TCP"
-                    },
-                    {
-                      "value": "udp",
-                      "label": "UDP"
-                    },
-                    {
-                      "value": "both",
-                      "label": "TCP/UDP"
-                    }
-                  ]
+                  "options": "%PROTOCOL_OPTIONS%"
                 },
                 {
                   "col": "dest_port",
@@ -1541,20 +1573,7 @@
                   "label": "Protocol",
                   "name": "protocol",
                   "input_type": "select",
-                  "options": [
-                    {
-                      "value": "tcp",
-                      "label": "TCP"
-                    },
-                    {
-                      "value": "udp",
-                      "label": "UDP"
-                    },
-                    {
-                      "value": "both",
-                      "label": "TCP/UDP"
-                    }
-                  ]
+                  "options": "%PROTOCOL_OPTIONS%"
                 },
                 {
                   "type": "field",
@@ -1685,7 +1704,8 @@
                 "type": "select",
                 "name": "vlan_filter",
                 "value": "all",
-                "options": "%VLAN_FILTER_OPTIONS%"
+                "options": "%VLAN_FILTER_OPTIONS%",
+                "filter_col": "vlan_name"
               }
             ]
           },
@@ -1816,12 +1836,13 @@
             },
             {
               "type": "p",
-              "text": "Active WireGuard peer connections and server interface configuration."
+              "text": "WireGuard peer management and server interface configuration."
             }
           ]
         },
         {
           "type": "table",
+          "label": "Active Sessions",
           "datasource": "live:vpn_sessions",
           "empty_message": "No active VPN sessions.",
           "columns": [
@@ -1860,6 +1881,126 @@
             }
           ]
         },
+        {
+          "type": "table",
+          "label": "Peers",
+          "datasource": "config:vpn_peers",
+          "empty_message": "No peers configured. Use Add Peer below.",
+          "columns": [
+            {
+              "label": "Name",
+              "field": "name"
+            },
+            {
+              "label": "IP",
+              "field": "ip",
+              "class": "col-mono"
+            },
+            {
+              "label": "Split Tunnel",
+              "field": "split_tunnel"
+            },
+            {
+              "label": "Enabled",
+              "field": "enabled",
+              "render": "badge_enabled_disabled"
+            },
+            {
+              "label": "Public Key",
+              "field": "pubkey_short",
+              "class": "col-mono"
+            }
+          ],
+          "row_actions": [
+            {
+              "text": "Edit",
+              "class": "btn-ghost btn-sm",
+              "action": "/action/edit_vpn_peer",
+              "method": "inline_edit",
+              "client_requirement": "client_is_administrator+",
+              "fields": [
+                {
+                  "col": "name",
+                  "input_type": "text"
+                },
+                {
+                  "col": "split_tunnel",
+                  "input_type": "checkbox"
+                },
+                {
+                  "col": "enabled",
+                  "input_type": "checkbox"
+                }
+              ]
+            },
+            {
+              "text": "Regen Conf",
+              "class": "btn-ghost btn-sm",
+              "action": "/action/regenerate_vpn_peer",
+              "method": "post",
+              "client_requirement": "client_is_administrator+"
+            },
+            {
+              "text": "Delete",
+              "class": "btn-danger btn-sm",
+              "action": "/action/delete_vpn_peer",
+              "method": "post",
+              "client_requirement": "client_is_administrator+"
+            }
+          ]
+        },
+        {
+          "type": "card",
+          "label": "Add Peer",
+          "client_requirement": "client_is_administrator+",
+          "items": [
+            {
+              "type": "form",
+              "action": "/action/add_vpn_peer",
+              "method": "post",
+              "items": [
+                {
+                  "type": "field",
+                  "label": "Name",
+                  "name": "peer_name",
+                  "input_type": "text",
+                  "placeholder": "e.g. laptop",
+                  "hint": "Friendly name for this peer."
+                },
+                {
+                  "type": "field",
+                  "label": "IP Address",
+                  "name": "peer_ip",
+                  "input_type": "text",
+                  "placeholder": "e.g. 192.168.40.2",
+                  "hint": "Static IP assigned to this peer within the VPN subnet."
+                },
+                {
+                  "type": "field",
+                  "label": "Split Tunnel",
+                  "name": "split_tunnel",
+                  "input_type": "checkbox",
+                  "hint": "Route only VPN subnet traffic through the tunnel. When unchecked all traffic is routed through the VPN."
+                },
+                {
+                  "type": "button_row",
+                  "items": [
+                    {
+                      "type": "button_primary",
+                      "text": "Add Peer & Download Conf",
+                      "action": "/action/add_vpn_peer",
+                      "method": "post"
+                    },
+                    {
+                      "type": "button_cancel",
+                      "text": "Cancel"
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
         {
           "type": "card",
           "client_requirement": "client_is_administrator+",
@@ -1882,12 +2023,12 @@
                 },
                 {
                   "type": "field",
-                  "label": "Gateway IP",
-                  "name": "vpn_gateway",
+                  "label": "Server Endpoint",
+                  "name": "vpn_server_endpoint",
                   "input_type": "text",
-                  "value": "%VPN_GATEWAY%",
-                  "placeholder": "e.g. 192.168.40.1",
-                  "hint": "Router IP on the VPN subnet, assigned to the WireGuard interface."
+                  "value": "%VPN_SERVER_ENDPOINT%",
+                  "placeholder": "e.g. vpn.example.com",
+                  "hint": "Publicly reachable hostname or IP of this server, embedded in client config files."
                 },
                 {
                   "type": "field",
@@ -1904,7 +2045,7 @@
                   "name": "vpn_dns_server",
                   "input_type": "text",
                   "value": "%VPN_DNS_SERVER%",
-                  "placeholder": "Leave blank to use gateway IP",
+                  "placeholder": "Leave blank to use gateway IP (%VPN_GATEWAY%)",
                   "hint": "Explicit DNS server pushed to peers. Defaults to the gateway IP."
                 },
                 {
@@ -2381,20 +2522,7 @@
                   "label": "Access Level",
                   "name": "access_level",
                   "input_type": "select",
-                  "options": [
-                    {
-                      "value": "viewer",
-                      "label": "Viewer \u2014 read-only access to live data"
-                    },
-                    {
-                      "value": "administrator",
-                      "label": "Administrator \u2014 can modify configuration"
-                    },
-                    {
-                      "value": "manager",
-                      "label": "Manager \u2014 full access including account management"
-                    }
-                  ]
+                  "options": "%ACCOUNT_LEVEL_OPTIONS%"
                 },
                 {
                   "type": "button_row",
diff --git a/docker/router-dash/docker-compose.yml b/docker/router-dash/docker-compose.yml
index 5bf422e..1caf2dd 100644
--- a/docker/router-dash/docker-compose.yml
+++ b/docker/router-dash/docker-compose.yml
@@ -10,6 +10,7 @@ services:
       - ./data:/data
       - $HOME/router:/configs
       - $HOME/router/validation.py:/app/validation.py
+      - /sys/class/net:/sys/class/net:ro
     environment:
       - INITIAL_MANAGER_EMAIL=mgrotke@gmail.com
       - SECRET_KEY=ey8hSQCCYE5kQXV8nOg1CB44LSd3AoUet2ZBc3aZlFrwBbazE7aHcxXWyuT97eAObet5jmOL0CjMg0rB1hE4d2SBVYHPfl8De55EiFv307r1QP3Mf5XgOSSCxD3TuD
diff --git a/router/README.md b/router/README.md
index 33f9a39..4459580 100644
--- a/router/README.md
+++ b/router/README.md
@@ -48,19 +48,19 @@ The suite is organized into three independent but complementary scripts, each ma
 - Manages a `.radius-secret` shared secret file (generated automatically on first `--apply` if RADIUS is enabled)
 - Configures `avahi-daemon` as an mDNS reflector to forward service discovery announcements (AirPrint, AirPlay, Chromecast, etc.) across VLANs
 
-### Optional: VPN (`vpn.py`)
+### Optional: WireGuard VPN (managed by `core.py` and the dashboard)
 
 - Supports any number of WireGuard interfaces defined in `core.json` (any VLAN with an interface name starting with `wg`)
-- Allocates IP addresses to remote peers automatically from the VPN VLAN subnet
-- Generates per-peer client config files ready for import into any WireGuard client, with per-peer choice of split tunnel or full tunnel routing
-- Resolves the server's public endpoint from the DDNS config or manual entry
-- Stores peer data in per-interface dotfiles (`.vpn-wg0`, etc.) alongside the scripts
-- Reports per-peer handshake times and RX/TX byte counts
+- `core.py --apply` generates the server keypair on first run, writes the server conf to `/etc/wireguard/`, and brings the interface up with `wg-quick`. Subsequent applies sync peer changes live without restarting the interface
+- Peer management is done through the router dashboard: add a peer, set its IP and tunnel mode, and the dashboard generates and downloads the ready-to-import client `.conf` file immediately — the private key is never stored
+- Peer data (name, IP, public key, enabled state) is stored directly in `core.json` alongside the rest of the network config
+- Supports per-peer choice of split-tunnel (VPN subnet only) or full-tunnel (all traffic) routing
+- Reports active peer connections, handshake times, and RX/TX byte counts on the dashboard VPN view
 
 ### Optional: DDNS (`ddns.py`)
 
 - Detects the current public IP by rotating through multiple IP-check services
-- Updates the specified DNS providers (currently supporting No-IP and DuckDNS), supporting multiple hostnames and subdomains per provider
+- Updates the specified DNS providers (currently supporting Cloudflare, No-IP and DuckDNS), supporting multiple hostnames and subdomains per provider
 - Caches the last known IP per provider to avoid unnecessary API calls
 - Installs a `systemd` timer that runs every 5 minutes by default
 - Logs all updates and errors to `ddns.log`
@@ -80,7 +80,7 @@ These packages are required. `core.py --install` checks that they are installed
 | `chrony` | NTP server - synchronizes system clock and serves time to VLAN clients | `core.py` |
 | `freeradius` | RADIUS server for dynamic VLAN assignment via MAC auth | `core.py` |
 | `avahi-daemon` | mDNS reflector for cross-VLAN service discovery | `core.py` |
-| `wireguard-tools` | WireGuard VPN (`wg`, `wg-quick`) | `vpn.py` |
+| `wireguard-tools` | WireGuard VPN (`wg`, `wg-quick`) | `core.py` (when WireGuard VLANs are configured) |
 
 ---
 
@@ -108,7 +108,7 @@ All configuration lives in two JSON files. Edit these to match your network befo
 
 | File | Controls |
 |---|---|
-| `core.json` | VLANs, subnets, gateways, dynamic pools, static/dynamic reservations, RADIUS client flags, mDNS reflection scope, WireGuard interface and listen port, upstream DNS servers, blocklist sources, per-VLAN blocklist assignments, host overrides, banned IPs, WAN interface, port forwarding rules, port wrangling, inter-VLAN exceptions |
+| `core.json` | VLANs, subnets, gateways, dynamic pools, static/dynamic reservations, RADIUS client flags, mDNS reflection scope, WireGuard interface settings and peers, upstream DNS servers, blocklist sources, per-VLAN blocklist assignments, host overrides, banned IPs, WAN interface, port forwarding rules, port wrangling, inter-VLAN exceptions |
 | `ddns.json` | DDNS provider credentials, hostnames/subdomains, update interval, IP-check services |
 
 ### Dotfiles (auto-generated, do not edit)
@@ -116,7 +116,7 @@ All configuration lives in two JSON files. Edit these to match your network befo
 | File | Purpose |
 |---|---|
 | `.radius-secret` | Shared secret between FreeRADIUS and RADIUS clients (APs, switches). Generated automatically on first `--apply` when RADIUS is enabled. Root-owned intentionally. |
-| `.vpn-wg0` (etc.) | WireGuard peer data per interface. Managed by `vpn.py`. |
+| `.wg-<iface>.pub` | WireGuard server public key per interface (e.g. `.wg-wg0.pub`). Written by `core.py --apply`; read by the dashboard to embed in client config downloads. |
 | `.ddns-last-ip-*` | Cached public IP per DDNS provider. Managed by `ddns.py`. |
 | `.ddns-last-service` | Tracks IP-check service rotation. Managed by `ddns.py`. |
 
@@ -144,33 +144,41 @@ Edit the `vlans` array to match your network topology. For each VLAN:
 - Set `interface` to the NIC name for VLAN 1 (e.g. `enp6s0`); sub-interfaces are named automatically (e.g. `enp6s0.10`). For WireGuard VLANs, use `wg0`, `wg1`, etc.
 - Set `radius_default` to `true` on exactly one VLAN - unknown MACs will be placed here (typically guest). All other VLANs set this to `false`.
 - Set `use_blocklists` to a list of blocklist names for this VLAN - leave empty for unfiltered DNS
-- Set `server_identities` to the IPs the router itself will hold on this VLAN. The lowest last-octet IP is auto-used as gateway, DNS, and NTP server unless overridden in `dhcp.explicit_overrides`.
-- Set `dhcp` fields: `subnet`, `subnet_mask`, pool start/end, `lease_time`, and optionally `explicit_overrides` for gateway, dns_server, or ntp_server
+- Set `server_identities` to the IPs the router itself will hold on this VLAN. The lowest last-octet IP is auto-used as gateway, DNS, and NTP server unless overridden in `dhcp_information.explicit_overrides`.
+- Set `subnet` and `subnet_mask` at the top level of the VLAN object
+- Set `dhcp_information` fields: pool start/end, `lease_time`, and optionally `explicit_overrides` for gateway, dns_server, or ntp_server
 - Add `reservations` for devices that need a known VLAN assignment by MAC address. The `ip` field is optional:
   - Omit `ip`, set it to `""`, or set it to `"dynamic"` to let DHCP assign from the pool (hostname is still set)
   - Set `ip` to a specific address outside the dynamic pool to pin the device to that IP
   - Set `radius_client: true` on any device (AP, switch) that will authenticate other devices via RADIUS
 - Add per-VLAN `port_wrangling` entries to redirect DNS or NTP requests to the local resolver
-- For WireGuard VLANs, include a `vpn_information` block instead of `dhcp` and `server_identities`:
+- For WireGuard VLANs, include a `vpn_information` block instead of `dhcp_information` and `server_identities`, and a `peers` array instead of `reservations`. Peer management (add, edit, regenerate conf, delete) is done through the dashboard:
 
 ```json
 {
   "vlan_id": 40,
   "name": "vpn",
   "interface": "wg0",
+  "subnet": "192.168.40.0",
+  "subnet_mask": "255.255.255.0",
   "radius_default": false,
   "use_blocklists": ["oisd-big"],
+  "server_identities": [
+    { "description": "Router/Gateway", "ip": "192.168.40.1" }
+  ],
   "vpn_information": {
     "listen_port": 51820,
-    "gateway": "192.168.40.1",
+    "server_endpoint": "vpn.example.com",
     "domain": "local",
-    "explicit_overrides": { "dns_server": "", "mtu": "" }
+    "explicit_overrides": { "gateway": "", "dns_server": "", "mtu": "" }
   },
-  "reservations": [],
+  "peers": [],
   "port_wrangling": [...]
 }
 ```
 
+The gateway IP is derived from the `server_identities` entry with the lowest value in the last octet (same rule as non-WG VLANs). If `explicit_overrides.gateway` is set, it must match one of the `server_identities` IPs.
+
 ### Banned IPs
 
 The top-level `banned_ips` array blocks inbound and outbound traffic to/from specific IPs or networks at the firewall level. This is useful for blocking known malicious hosts, entire ASNs, or geographic ranges. Entries support a flexible address syntax:
@@ -272,15 +280,26 @@ Optional (if DDNS is desired):
 sudo python3 ddns.py --start              # Run an immediate IP update and install the update timer
 ```
 
-Optional (if VPN is desired):
+Optional (if WireGuard VPN is desired):
+
+1. Add a WireGuard VLAN to `core.json` with `interface: "wg0"` (see configuration example above)
+2. Run `sudo python3 core.py --apply` — this generates the server keypair, writes `/etc/wireguard/wg0.conf`, and brings the interface up
+3. Add peers using one of the two methods below, then run `sudo python3 core.py --apply` again to sync them to the live interface
+
+**With the router dashboard:**
+Open the VPN view, fill in the Server Endpoint (your public hostname or IP), and add peers — each peer triggers an immediate `.conf` file download ready to import into any WireGuard client.
+
+**Without the dashboard (`create_vpn_peer.py`):**
 
 ```bash
-sudo python3 vpn.py --add-peer            # Add a VPN peer interactively
-sudo python3 vpn.py --apply               # Write WireGuard config and start the interface
-sudo python3 core.py --apply              # Run again after VPN to start dnsmasq for the VPN VLAN(s)
+python3 create_vpn_peer.py --name laptop --ip 192.168.40.2
+python3 create_vpn_peer.py --name laptop --ip 192.168.40.2 --iface wg0
+python3 create_vpn_peer.py --name laptop --ip 192.168.40.2 --vlan-id 40
+python3 create_vpn_peer.py --name phone  --ip 192.168.40.3 --split-tunnel
+python3 create_vpn_peer.py --name tablet --ip 192.168.40.4 --output ~/tablet.conf
 ```
 
-After adding VPN peers, transfer `vpn-client-<n>.conf` to the peer device by secure means, then delete it from this server.
+The script reads the specified WireGuard VLAN from `core.json`, validates the IP against the VLAN subnet, generates a keypair, appends the peer to `core.json`, and writes the client `.conf` file. If the config has exactly one WireGuard VLAN, `--iface` and `--vlan-id` are optional. Transfer the `.conf` to the peer device by secure means, then delete it from the server.
 
 ---
 
@@ -309,19 +328,23 @@ python3 core.py --view-rules                # Active nftables ruleset
 python3 core.py --view-metrics              # Lifetime DNS metrics across all VLAN instances
 ```
 
-### vpn.py
+### create_vpn_peer.py
 
-All `vpn.py` commands require `sudo`.
+Does not require `sudo`. Requires `wireguard-tools` (`wg` must be on PATH) and a prior `core.py --apply` to generate the server keypair.
 
 ```
-sudo python3 vpn.py --add-peer              # Add a VPN peer interactively
-sudo python3 vpn.py --manage-peers          # Rename, regenerate keys, or delete a peer
-sudo python3 vpn.py --apply                 # Write WireGuard config and start/restart the interface
-sudo python3 vpn.py --disable               # Stop WireGuard on all interfaces
-sudo python3 vpn.py --status                # WireGuard service and interface status
-sudo python3 vpn.py --view-peers            # Per-peer handshake times and traffic stats
+python3 create_vpn_peer.py --name NAME --ip IP [--iface IFACE | --vlan-id ID] [--split-tunnel] [--output FILE]
+
+  --name NAME        Peer name (e.g. laptop)
+  --ip IP            Peer IP within the VPN subnet (e.g. 192.168.40.2)
+  --iface IFACE      WireGuard interface to add the peer to (e.g. wg0)
+  --vlan-id ID       VLAN ID of the WireGuard VLAN (e.g. 40); alternative to --iface
+  --split-tunnel     Route only VPN subnet traffic through the tunnel (default: full tunnel)
+  --output FILE      Output path for the client .conf file (default: vpn-client-<name>.conf)
 ```
 
+`--iface` and `--vlan-id` are mutually exclusive. Both are optional when the config contains exactly one WireGuard VLAN.
+
 ### ddns.py
 
 Only `--start` and `--disable` require `sudo` as they install/remove systemd timer files. All other commands run as a normal user.
@@ -342,6 +365,7 @@ python3 ddns.py --getip                     # Print current public IP and exit
 
 ```bash
 sudo python3 core.py --disable              # Revert to network client (interactive wizard)
-sudo python3 vpn.py --disable               # Stop WireGuard on all interfaces
 sudo python3 ddns.py --disable              # Stop and remove DDNS timer
 ```
+
+WireGuard interfaces are brought down automatically by `core.py --disable`. To stop a WireGuard interface independently: `sudo wg-quick down wg0`.
diff --git a/router/core.json b/router/core.json
index 4d81e79..0fdb403 100644
--- a/router/core.json
+++ b/router/core.json
@@ -1,12 +1,12 @@
 {
   "general": {
     "wan_interface": "eno2",
+    "lan_interface": "enp6s0",
     "log_max_kb": 1024,
     "log_errors_only": false,
     "dnsmasq_log_queries": false,
     "daily_execute_time_24hr_local": "02:30"
   },
-
   "upstream_dns": {
     "strict_order": false,
     "cache_size": 10000,
@@ -17,19 +17,53 @@
       "2606:4700:4700::1001"
     ]
   },
-
   "banned_ips": [
-    { "description": "Example: single IPv4 ban",               "enabled": false, "ip": "94.130.52.18"        },
-    { "description": "Example: ban IPv4 /24 by wildcard",      "enabled": false, "ip": "94.130.52.*"         },
-    { "description": "Example: ban IPv4 /16 by wildcard",      "enabled": false, "ip": "94.130.*.*"          },
-    { "description": "Example: ban IPv4 CIDR",                 "enabled": false, "ip": "94.130.0.0/16"       },
-    { "description": "Example: ban IPv4 range in one quartet", "enabled": false, "ip": "94.130.52.1-20"      },
-    { "description": "Example: ban IPv4 range and wildcard",   "enabled": false, "ip": "94.130-133.52.*"     },
-    { "description": "Example: single IPv6 ban",               "enabled": false, "ip": "2a01:4f8:c17:b0f::2" },
-    { "description": "Example: ban IPv6 /48 by wildcard",      "enabled": false, "ip": "2a01:4f8:c17:*"      },
-    { "description": "Example: ban IPv6 CIDR",                 "enabled": false, "ip": "2a01:4f8::/32"       }
+    {
+      "description": "Example: single IPv4 ban",
+      "enabled": false,
+      "ip": "94.130.52.18"
+    },
+    {
+      "description": "Example: ban IPv4 /24 by wildcard",
+      "enabled": false,
+      "ip": "94.130.52.*"
+    },
+    {
+      "description": "Example: ban IPv4 /16 by wildcard",
+      "enabled": false,
+      "ip": "94.130.*.*"
+    },
+    {
+      "description": "Example: ban IPv4 CIDR",
+      "enabled": false,
+      "ip": "94.130.0.0/16"
+    },
+    {
+      "description": "Example: ban IPv4 range in one quartet",
+      "enabled": false,
+      "ip": "94.130.52.1-20"
+    },
+    {
+      "description": "Example: ban IPv4 range and wildcard",
+      "enabled": false,
+      "ip": "94.130-133.52.*"
+    },
+    {
+      "description": "Example: single IPv6 ban",
+      "enabled": false,
+      "ip": "2a01:4f8:c17:b0f::2"
+    },
+    {
+      "description": "Example: ban IPv6 /48 by wildcard",
+      "enabled": false,
+      "ip": "2a01:4f8:c17:*"
+    },
+    {
+      "description": "Example: ban IPv6 CIDR",
+      "enabled": false,
+      "ip": "2a01:4f8::/32"
+    }
   ],
-
   "host_overrides": [
     {
       "description": "LAN DNS override for home server DDNS hostname",
@@ -38,213 +72,615 @@
       "ip": "192.168.1.20"
     }
   ],
-
   "blocklists": [
     {
       "name": "oisd-big",
-      "description": "OISD Big - ads, phishing, malware, telemetry",
+      "description": "OISD Big (ads, phishing, malware, telemetry)",
       "save_as": "oisd-big.conf",
       "url": "https://big.oisd.nl/dnsmasq2",
       "format": "dnsmasq"
     },
     {
       "name": "hagezi-light",
-      "description": "Hagezi Light - ads, tracking, metrics, badware",
+      "description": "Hagezi Light (ads, tracking, metrics, badware)",
       "save_as": "hagezi-light.conf",
       "url": "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/light.txt",
       "format": "dnsmasq"
     },
     {
       "name": "hagezi-pro-plus",
-      "description": "Hagezi Pro Plus - ads, tracking, porn, gambling combined",
+      "description": "Hagezi Pro Plus (ads, tracking, porn, gambling)",
       "save_as": "hagezi-pro-plus.conf",
       "url": "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/pro.plus.txt",
       "format": "dnsmasq"
     }
   ],
-
   "inter_vlan_exceptions": [
-    { "description": "IoT TV -> Plex",                  "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.10.3",    "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 32400 },
-    { "description": "IoT Streaming Box -> Plex",       "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.10.4",    "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 32400 },
-    { "description": "Kids -> Plex",                    "enabled": true,  "protocol": "both", "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 32400 },
-    { "description": "Kids -> SMB",                     "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 445   },
-    { "description": "Kids -> Game Server",             "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 25565 },
-    { "description": "Kids -> Web Server HTTP",         "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 80    },
-    { "description": "Kids -> Web Server HTTPS",        "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 443   },
-    { "description": "Trusted -> Printer (RAW)",        "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.1.0/24",  "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 9100  },
-    { "description": "Trusted -> Printer (IPP)",        "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.1.0/24",  "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 631   },
-    { "description": "Kids -> Printer (RAW)",           "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 9100  },
-    { "description": "Kids -> Printer (IPP)",           "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 631   },
-    { "description": "Guest -> Printer (RAW)",          "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.20.0/24", "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 9100  },
-    { "description": "Guest -> Printer (IPP)",          "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.20.0/24", "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 631   },
-    { "description": "VPN -> SSH + Rsync",              "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.40.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 22    },
-    { "description": "VPN -> SMB",                      "enabled": false, "protocol": "tcp",  "src_ip_or_subnet": "192.168.40.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 445   },
-    { "description": "Trusted -> Kids (LAN Gaming)",    "enabled": false, "protocol": "both", "src_ip_or_subnet": "192.168.1.0/24",  "dst_ip_or_subnet": "192.168.30.0/24"                    },
-    { "description": "Parent PC -> Kids (LAN Gaming)",  "enabled": false, "protocol": "both", "src_ip_or_subnet": "192.168.1.50",    "dst_ip_or_subnet": "192.168.30.0/24"                    },
-    { "description": "Kids -> Parent PC (LAN Gaming)",  "enabled": false, "protocol": "both", "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.50"                       }
+    {
+      "description": "IoT TV -> Plex",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.10.3",
+      "dst_ip_or_subnet": "192.168.1.20",
+      "dst_port": 32400
+    },
+    {
+      "description": "IoT Streaming Box -> Plex",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.10.4",
+      "dst_ip_or_subnet": "192.168.1.20",
+      "dst_port": 32400
+    },
+    {
+      "description": "Kids -> Plex",
+      "enabled": true,
+      "protocol": "both",
+      "src_ip_or_subnet": "192.168.30.0/24",
+      "dst_ip_or_subnet": "192.168.1.20",
+      "dst_port": 32400
+    },
+    {
+      "description": "Kids -> SMB",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.30.0/24",
+      "dst_ip_or_subnet": "192.168.1.20",
+      "dst_port": 445
+    },
+    {
+      "description": "Kids -> Game Server",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.30.0/24",
+      "dst_ip_or_subnet": "192.168.1.20",
+      "dst_port": 25565
+    },
+    {
+      "description": "Kids -> Web Server HTTP",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.30.0/24",
+      "dst_ip_or_subnet": "192.168.1.20",
+      "dst_port": 80
+    },
+    {
+      "description": "Kids -> Web Server HTTPS",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.30.0/24",
+      "dst_ip_or_subnet": "192.168.1.20",
+      "dst_port": 443
+    },
+    {
+      "description": "Trusted -> Printer (RAW)",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.1.0/24",
+      "dst_ip_or_subnet": "192.168.10.2",
+      "dst_port": 9100
+    },
+    {
+      "description": "Trusted -> Printer (IPP)",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.1.0/24",
+      "dst_ip_or_subnet": "192.168.10.2",
+      "dst_port": 631
+    },
+    {
+      "description": "Kids -> Printer (RAW)",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.30.0/24",
+      "dst_ip_or_subnet": "192.168.10.2",
+      "dst_port": 9100
+    },
+    {
+      "description": "Kids -> Printer (IPP)",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.30.0/24",
+      "dst_ip_or_subnet": "192.168.10.2",
+      "dst_port": 631
+    },
+    {
+      "description": "Guest -> Printer (RAW)",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.20.0/24",
+      "dst_ip_or_subnet": "192.168.10.2",
+      "dst_port": 9100
+    },
+    {
+      "description": "Guest -> Printer (IPP)",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.20.0/24",
+      "dst_ip_or_subnet": "192.168.10.2",
+      "dst_port": 631
+    },
+    {
+      "description": "VPN -> SSH + Rsync",
+      "enabled": true,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.40.0/24",
+      "dst_ip_or_subnet": "192.168.1.20",
+      "dst_port": 22
+    },
+    {
+      "description": "VPN -> SMB",
+      "enabled": false,
+      "protocol": "tcp",
+      "src_ip_or_subnet": "192.168.40.0/24",
+      "dst_ip_or_subnet": "192.168.1.20",
+      "dst_port": 445
+    },
+    {
+      "description": "Trusted -> Kids (LAN Gaming)",
+      "enabled": false,
+      "protocol": "both",
+      "src_ip_or_subnet": "192.168.1.0/24",
+      "dst_ip_or_subnet": "192.168.30.0/24"
+    },
+    {
+      "description": "Parent PC -> Kids (LAN Gaming)",
+      "enabled": false,
+      "protocol": "both",
+      "src_ip_or_subnet": "192.168.1.50",
+      "dst_ip_or_subnet": "192.168.30.0/24"
+    },
+    {
+      "description": "Kids -> Parent PC (LAN Gaming)",
+      "enabled": false,
+      "protocol": "both",
+      "src_ip_or_subnet": "192.168.30.0/24",
+      "dst_ip_or_subnet": "192.168.1.50"
+    }
   ],
-
   "port_forwarding": [
-    { "description": "WireGuard VPN",    "enabled": true,  "protocol": "udp",  "dest_port": 51820, "nat_ip": "192.168.1.20", "nat_port": 51820 },
-    { "description": "Plex Server",      "enabled": true,  "protocol": "both", "dest_port": 32400, "nat_ip": "192.168.1.20", "nat_port": 32400 },
-    { "description": "Web Server HTTP",  "enabled": true,  "protocol": "tcp",  "dest_port": 80,    "nat_ip": "192.168.1.20", "nat_port": 80    },
-    { "description": "Web Server HTTPS", "enabled": true,  "protocol": "tcp",  "dest_port": 443,   "nat_ip": "192.168.1.20", "nat_port": 443   },
-    { "description": "Game Server",      "enabled": true,  "protocol": "tcp",  "dest_port": 25565, "nat_ip": "192.168.1.20", "nat_port": 25565 },
-    { "description": "SSH",              "enabled": false, "protocol": "tcp",  "dest_port": 22,    "nat_ip": "192.168.1.20", "nat_port": 22    }
+    {
+      "description": "WireGuard VPN",
+      "enabled": true,
+      "protocol": "udp",
+      "dest_port": 51820,
+      "nat_ip": "192.168.1.20",
+      "nat_port": 51820
+    },
+    {
+      "description": "Plex Server",
+      "enabled": true,
+      "protocol": "both",
+      "dest_port": 32400,
+      "nat_ip": "192.168.1.20",
+      "nat_port": 32400
+    },
+    {
+      "description": "Web Server HTTP",
+      "enabled": true,
+      "protocol": "tcp",
+      "dest_port": 80,
+      "nat_ip": "192.168.1.20",
+      "nat_port": 80
+    },
+    {
+      "description": "Web Server HTTPS",
+      "enabled": true,
+      "protocol": "tcp",
+      "dest_port": 443,
+      "nat_ip": "192.168.1.20",
+      "nat_port": 443
+    },
+    {
+      "description": "Game Server",
+      "enabled": true,
+      "protocol": "tcp",
+      "dest_port": 25565,
+      "nat_ip": "192.168.1.20",
+      "nat_port": 25565
+    },
+    {
+      "description": "SSH",
+      "enabled": false,
+      "protocol": "tcp",
+      "dest_port": 22,
+      "nat_ip": "192.168.1.20",
+      "nat_port": 22
+    }
   ],
-
   "vlans": [
-
     {
       "vlan_id": 1,
       "name": "trusted",
-      "interface": "enp6s0",
+      "subnet": "192.168.1.0",
+      "subnet_mask": 24,
       "radius_default": false,
       "mdns_reflection": false,
-      "use_blocklists": ["oisd-big", "hagezi-light"],
-      "server_identities": [
-        { "description": "Router/Gateway",               "ip": "192.168.1.1"  },
-        { "description": "Home Server",                  "ip": "192.168.1.20", "hostname": "homeserver" },
-        { "description": "UniFi Controller Inform Host", "ip": "192.168.1.10", "hostname": "unifi-controller" }
+      "use_blocklists": [
+        "oisd-big",
+        "hagezi-light"
       ],
-      "dhcp": {
-        "subnet": "192.168.1.0",
-        "subnet_mask": "255.255.255.0",
+      "server_identities": [
+        {
+          "description": "Router/Gateway",
+          "ip": "192.168.1.1"
+        },
+        {
+          "description": "Home Server",
+          "ip": "192.168.1.20",
+          "hostname": "homeserver"
+        },
+        {
+          "description": "UniFi Controller Inform Host",
+          "ip": "192.168.1.10",
+          "hostname": "unifi-controller"
+        }
+      ],
+      "dhcp_information": {
         "dynamic_pool_start": "192.168.1.100",
         "dynamic_pool_end": "192.168.1.245",
         "lease_time": "24h",
         "domain": "local",
-        "explicit_overrides": { "gateway": "", "dns_server": "", "ntp_server": "" }
+        "explicit_overrides": {
+          "gateway": "",
+          "dns_server": "",
+          "ntp_server": ""
+        }
       },
       "reservations": [
-        { "enabled": true, "description": "UniFi Switch",         "hostname": "unifi-switch",      "mac": "aa:bb:cc:dd:ee:01", "ip": "192.168.1.2",  "radius_client": true },
-        { "enabled": true, "description": "UniFi AP (Kitchen)",   "hostname": "unifi-ap-kitchen",  "mac": "aa:bb:cc:dd:ee:02", "ip": "192.168.1.3",  "radius_client": true },
-        { "enabled": true, "description": "UniFi AP (Lounge)",    "hostname": "unifi-ap-lounge",   "mac": "aa:bb:cc:dd:ee:03", "ip": "192.168.1.4",  "radius_client": true },
-        { "enabled": true, "description": "UniFi AP (Upstairs)",  "hostname": "unifi-ap-upstairs", "mac": "aa:bb:cc:dd:ee:04", "ip": "192.168.1.5",  "radius_client": true },
-        { "enabled": true, "description": "Home Server",          "hostname": "homeserver",        "mac": "aa:bb:cc:dd:ee:05", "ip": "192.168.1.20"                        },
-        { "enabled": true, "description": "Desktop PC",           "hostname": "desktop-pc",        "mac": "aa:bb:cc:dd:ee:06", "ip": "192.168.1.50"                        }
+        {
+          "enabled": true,
+          "description": "UniFi Switch",
+          "hostname": "unifi-switch",
+          "mac": "aa:bb:cc:dd:ee:01",
+          "ip": "192.168.1.2",
+          "radius_client": true
+        },
+        {
+          "enabled": true,
+          "description": "UniFi AP (Kitchen)",
+          "hostname": "unifi-ap-kitchen",
+          "mac": "aa:bb:cc:dd:ee:02",
+          "ip": "192.168.1.3",
+          "radius_client": true
+        },
+        {
+          "enabled": true,
+          "description": "UniFi AP (Lounge)",
+          "hostname": "unifi-ap-lounge",
+          "mac": "aa:bb:cc:dd:ee:03",
+          "ip": "192.168.1.4",
+          "radius_client": true
+        },
+        {
+          "enabled": true,
+          "description": "UniFi AP (Upstairs)",
+          "hostname": "unifi-ap-upstairs",
+          "mac": "aa:bb:cc:dd:ee:04",
+          "ip": "192.168.1.5",
+          "radius_client": true
+        },
+        {
+          "enabled": true,
+          "description": "Home Server",
+          "hostname": "homeserver",
+          "mac": "aa:bb:cc:dd:ee:05",
+          "ip": "192.168.1.20"
+        },
+        {
+          "enabled": true,
+          "description": "Desktop PC",
+          "hostname": "desktop-pc",
+          "mac": "aa:bb:cc:dd:ee:06",
+          "ip": "192.168.1.50"
+        }
       ],
       "port_wrangling": [
-        { "description": "DNS wrangling - redirect Trusted DNS to local resolver",    "enabled": true,  "protocol": "both", "dest_port": 53,  "redirect_to": "192.168.1.1" },
-        { "description": "NTP wrangling - redirect Trusted NTP to local time server", "enabled": false, "protocol": "udp",  "dest_port": 123, "redirect_to": "192.168.1.1" }
-      ]
+        {
+          "description": "DNS wrangling - redirect Trusted DNS to local resolver",
+          "enabled": true,
+          "protocol": "both",
+          "dest_port": 53,
+          "redirect_to": "192.168.1.1"
+        },
+        {
+          "description": "NTP wrangling - redirect Trusted NTP to local time server",
+          "enabled": false,
+          "protocol": "udp",
+          "dest_port": 123,
+          "redirect_to": "192.168.1.1"
+        }
+      ],
+      "is_vpn": false
     },
-
     {
       "vlan_id": 10,
       "name": "iot",
-      "interface": "enp6s0.10",
+      "subnet": "192.168.10.0",
+      "subnet_mask": 24,
       "radius_default": false,
       "mdns_reflection": true,
-      "use_blocklists": ["oisd-big", "hagezi-light"],
-      "server_identities": [
-        { "description": "Router/Gateway", "ip": "192.168.10.1" }
+      "use_blocklists": [
+        "oisd-big",
+        "hagezi-light"
       ],
-      "dhcp": {
-        "subnet": "192.168.10.0",
-        "subnet_mask": "255.255.255.0",
+      "server_identities": [
+        {
+          "description": "Router/Gateway",
+          "ip": "192.168.10.1"
+        }
+      ],
+      "dhcp_information": {
         "dynamic_pool_start": "192.168.10.100",
         "dynamic_pool_end": "192.168.10.245",
         "lease_time": "24h",
         "domain": "local",
-        "explicit_overrides": { "gateway": "", "dns_server": "", "ntp_server": "" }
+        "explicit_overrides": {
+          "gateway": "",
+          "dns_server": "",
+          "ntp_server": ""
+        }
       },
       "reservations": [
-        { "enabled": true, "description": "Network Printer",          "hostname": "printer",            "mac": "aa:bb:cc:dd:ee:10", "ip": "192.168.10.2"  },
-        { "enabled": true, "description": "Smart TV",                 "hostname": "smart-tv",           "mac": "aa:bb:cc:dd:ee:11", "ip": "192.168.10.3"  },
-        { "enabled": true, "description": "Streaming Box (Eth)",      "hostname": "streaming-box-eth",  "mac": "aa:bb:cc:dd:ee:12", "ip": "192.168.10.4"  },
-        { "enabled": true, "description": "Streaming Box (Wifi)",     "hostname": "streaming-box-wifi", "mac": "aa:bb:cc:dd:ee:13", "ip": "192.168.10.4"  },
-        { "enabled": true, "description": "Raspberry Pi",             "hostname": "rpi",                "mac": "aa:bb:cc:dd:ee:14", "ip": "192.168.10.12" },
-        { "enabled": true, "description": "NAS",                      "hostname": "nas",                "mac": "aa:bb:cc:dd:ee:15", "ip": "192.168.10.14" },
-        { "enabled": true, "description": "Doorbell Camera",          "hostname": "doorbell-camera",    "mac": "aa:bb:cc:dd:ee:16", "ip": "dynamic"       },
-        { "enabled": true, "description": "Smart Speaker",            "hostname": "smart-speaker",      "mac": "aa:bb:cc:dd:ee:17", "ip": "dynamic"       }
+        {
+          "enabled": true,
+          "description": "Network Printer",
+          "hostname": "printer",
+          "mac": "aa:bb:cc:dd:ee:10",
+          "ip": "192.168.10.2"
+        },
+        {
+          "enabled": true,
+          "description": "Smart TV",
+          "hostname": "smart-tv",
+          "mac": "aa:bb:cc:dd:ee:11",
+          "ip": "192.168.10.3"
+        },
+        {
+          "enabled": true,
+          "description": "Streaming Box (Eth)",
+          "hostname": "streaming-box-eth",
+          "mac": "aa:bb:cc:dd:ee:12",
+          "ip": "192.168.10.4"
+        },
+        {
+          "enabled": true,
+          "description": "Streaming Box (Wifi)",
+          "hostname": "streaming-box-wifi",
+          "mac": "aa:bb:cc:dd:ee:13",
+          "ip": "192.168.10.4"
+        },
+        {
+          "enabled": true,
+          "description": "Raspberry Pi",
+          "hostname": "rpi",
+          "mac": "aa:bb:cc:dd:ee:14",
+          "ip": "192.168.10.12"
+        },
+        {
+          "enabled": true,
+          "description": "NAS",
+          "hostname": "nas",
+          "mac": "aa:bb:cc:dd:ee:15",
+          "ip": "192.168.10.14"
+        },
+        {
+          "enabled": true,
+          "description": "Doorbell Camera",
+          "hostname": "doorbell-camera",
+          "mac": "aa:bb:cc:dd:ee:16",
+          "ip": "dynamic"
+        },
+        {
+          "enabled": true,
+          "description": "Smart Speaker",
+          "hostname": "smart-speaker",
+          "mac": "aa:bb:cc:dd:ee:17",
+          "ip": "dynamic"
+        }
       ],
       "port_wrangling": [
-        { "description": "DNS wrangling - redirect IoT DNS to local resolver",    "enabled": true,  "protocol": "both", "dest_port": 53,  "redirect_to": "192.168.10.1" },
-        { "description": "NTP wrangling - redirect IoT NTP to local time server", "enabled": false, "protocol": "udp",  "dest_port": 123, "redirect_to": "192.168.10.1" }
-      ]
+        {
+          "description": "DNS wrangling - redirect IoT DNS to local resolver",
+          "enabled": true,
+          "protocol": "both",
+          "dest_port": 53,
+          "redirect_to": "192.168.10.1"
+        },
+        {
+          "description": "NTP wrangling - redirect IoT NTP to local time server",
+          "enabled": false,
+          "protocol": "udp",
+          "dest_port": 123,
+          "redirect_to": "192.168.10.1"
+        }
+      ],
+      "is_vpn": false
     },
-
     {
       "vlan_id": 20,
       "name": "guest",
-      "interface": "enp6s0.20",
+      "subnet": "192.168.20.0",
+      "subnet_mask": 24,
       "radius_default": true,
       "mdns_reflection": true,
-      "use_blocklists": ["oisd-big", "hagezi-light"],
-      "server_identities": [
-        { "description": "Router/Gateway", "ip": "192.168.20.1" }
+      "use_blocklists": [
+        "oisd-big",
+        "hagezi-light"
       ],
-      "dhcp": {
-        "subnet": "192.168.20.0",
-        "subnet_mask": "255.255.255.0",
+      "server_identities": [
+        {
+          "description": "Router/Gateway",
+          "ip": "192.168.20.1"
+        }
+      ],
+      "dhcp_information": {
         "dynamic_pool_start": "192.168.20.100",
         "dynamic_pool_end": "192.168.20.245",
         "lease_time": "4h",
         "domain": "local",
-        "explicit_overrides": { "gateway": "", "dns_server": "", "ntp_server": "" }
+        "explicit_overrides": {
+          "gateway": "",
+          "dns_server": "",
+          "ntp_server": ""
+        }
       },
       "reservations": [
-        { "enabled": true, "description": "Family Member Phone 1", "hostname": "phone-1", "mac": "aa:bb:cc:dd:ee:20", "ip": "dynamic" },
-        { "enabled": true, "description": "Family Member Phone 2", "hostname": "phone-2", "mac": "aa:bb:cc:dd:ee:21", "ip": "dynamic" }
+        {
+          "enabled": true,
+          "description": "Family Member Phone 1",
+          "hostname": "phone-1",
+          "mac": "aa:bb:cc:dd:ee:20",
+          "ip": "dynamic"
+        },
+        {
+          "enabled": true,
+          "description": "Family Member Phone 2",
+          "hostname": "phone-2",
+          "mac": "aa:bb:cc:dd:ee:21",
+          "ip": "dynamic"
+        }
       ],
       "port_wrangling": [
-        { "description": "DNS wrangling - redirect Guest DNS to local resolver",    "enabled": true,  "protocol": "both", "dest_port": 53,  "redirect_to": "192.168.20.1" },
-        { "description": "NTP wrangling - redirect Guest NTP to local time server", "enabled": false, "protocol": "udp",  "dest_port": 123, "redirect_to": "192.168.20.1" }
-      ]
+        {
+          "description": "DNS wrangling - redirect Guest DNS to local resolver",
+          "enabled": true,
+          "protocol": "both",
+          "dest_port": 53,
+          "redirect_to": "192.168.20.1"
+        },
+        {
+          "description": "NTP wrangling - redirect Guest NTP to local time server",
+          "enabled": false,
+          "protocol": "udp",
+          "dest_port": 123,
+          "redirect_to": "192.168.20.1"
+        }
+      ],
+      "is_vpn": false
     },
-
     {
       "vlan_id": 30,
       "name": "kids",
-      "interface": "enp6s0.30",
+      "subnet": "192.168.30.0",
+      "subnet_mask": 24,
       "radius_default": false,
       "mdns_reflection": true,
-      "use_blocklists": ["oisd-big", "hagezi-light", "hagezi-pro-plus"],
-      "server_identities": [
-        { "description": "Router/Gateway", "ip": "192.168.30.1" }
+      "use_blocklists": [
+        "oisd-big",
+        "hagezi-light",
+        "hagezi-pro-plus"
       ],
-      "dhcp": {
-        "subnet": "192.168.30.0",
-        "subnet_mask": "255.255.255.0",
+      "server_identities": [
+        {
+          "description": "Router/Gateway",
+          "ip": "192.168.30.1"
+        }
+      ],
+      "dhcp_information": {
         "dynamic_pool_start": "192.168.30.100",
         "dynamic_pool_end": "192.168.30.245",
         "lease_time": "24h",
         "domain": "local",
-        "explicit_overrides": { "gateway": "", "dns_server": "", "ntp_server": "" }
+        "explicit_overrides": {
+          "gateway": "",
+          "dns_server": "",
+          "ntp_server": ""
+        }
       },
       "reservations": [
-        { "enabled": true, "description": "Child 1 Laptop",  "hostname": "child1-laptop",  "mac": "aa:bb:cc:dd:ee:30", "ip": "dynamic" },
-        { "enabled": true, "description": "Child 2 Laptop",  "hostname": "child2-laptop",  "mac": "aa:bb:cc:dd:ee:31", "ip": "dynamic" },
-        { "enabled": true, "description": "Child 3 Laptop",  "hostname": "child3-laptop",  "mac": "aa:bb:cc:dd:ee:32", "ip": "dynamic" },
-        { "enabled": true, "description": "Child Tablet",    "hostname": "child-tablet",   "mac": "aa:bb:cc:dd:ee:33", "ip": "dynamic" }
+        {
+          "enabled": true,
+          "description": "Child 1 Laptop",
+          "hostname": "child1-laptop",
+          "mac": "aa:bb:cc:dd:ee:30",
+          "ip": "dynamic"
+        },
+        {
+          "enabled": true,
+          "description": "Child 2 Laptop",
+          "hostname": "child2-laptop",
+          "mac": "aa:bb:cc:dd:ee:31",
+          "ip": "dynamic"
+        },
+        {
+          "enabled": true,
+          "description": "Child 3 Laptop",
+          "hostname": "child3-laptop",
+          "mac": "aa:bb:cc:dd:ee:32",
+          "ip": "dynamic"
+        },
+        {
+          "enabled": true,
+          "description": "Child Tablet",
+          "hostname": "child-tablet",
+          "mac": "aa:bb:cc:dd:ee:33",
+          "ip": "dynamic"
+        }
       ],
       "port_wrangling": [
-        { "description": "DNS wrangling - redirect Kids DNS to local resolver",    "enabled": true,  "protocol": "both", "dest_port": 53,  "redirect_to": "192.168.30.1" },
-        { "description": "NTP wrangling - redirect Kids NTP to local time server", "enabled": false, "protocol": "udp",  "dest_port": 123, "redirect_to": "192.168.30.1" }
-      ]
+        {
+          "description": "DNS wrangling - redirect Kids DNS to local resolver",
+          "enabled": true,
+          "protocol": "both",
+          "dest_port": 53,
+          "redirect_to": "192.168.30.1"
+        },
+        {
+          "description": "NTP wrangling - redirect Kids NTP to local time server",
+          "enabled": false,
+          "protocol": "udp",
+          "dest_port": 123,
+          "redirect_to": "192.168.30.1"
+        }
+      ],
+      "is_vpn": false
     },
-
     {
       "vlan_id": 40,
       "name": "vpn",
-      "interface": "wg0",
+      "subnet": "192.168.40.0",
+      "subnet_mask": 24,
       "radius_default": false,
       "mdns_reflection": false,
-      "use_blocklists": ["oisd-big", "hagezi-light"],
+      "use_blocklists": [
+        "oisd-big",
+        "hagezi-light"
+      ],
+      "server_identities": [
+        {
+          "description": "Router/Gateway",
+          "ip": "192.168.40.1"
+        }
+      ],
       "vpn_information": {
         "listen_port": 51820,
-        "gateway": "192.168.40.1",
+        "server_endpoint": "",
         "domain": "local",
-        "explicit_overrides": { "dns_server": "", "mtu": "" }
+        "explicit_overrides": {
+          "gateway": "",
+          "dns_server": "",
+          "mtu": ""
+        }
       },
-      "reservations": [],
+      "peers": [],
       "port_wrangling": [
-        { "description": "DNS wrangling - redirect VPN DNS to local resolver",    "enabled": true,  "protocol": "both", "dest_port": 53,  "redirect_to": "192.168.40.1" },
-        { "description": "NTP wrangling - redirect VPN NTP to local time server", "enabled": false, "protocol": "udp",  "dest_port": 123, "redirect_to": "192.168.40.1" }
-      ]
+        {
+          "description": "DNS wrangling - redirect VPN DNS to local resolver",
+          "enabled": true,
+          "protocol": "both",
+          "dest_port": 53,
+          "redirect_to": "192.168.40.1"
+        },
+        {
+          "description": "NTP wrangling - redirect VPN NTP to local time server",
+          "enabled": false,
+          "protocol": "udp",
+          "dest_port": 123,
+          "redirect_to": "192.168.40.1"
+        }
+      ],
+      "is_vpn": true
     }
-
   ]
-
 }
diff --git a/router/core.py b/router/core.py
index 73c5d03..945b4c0 100644
--- a/router/core.py
+++ b/router/core.py
@@ -4,7 +4,7 @@ core.py -- Apply core.json to systemd-networkd, per-VLAN dnsmasq instances, and
 
 Each VLAN defined in core.json gets its own dnsmasq instance that handles
 both DHCP and DNS for that VLAN. WireGuard VLANs get a DNS-only instance
-(no DHCP, since WireGuard peers get IPs from vpn.py).
+(no DHCP, since peers have statically assigned IPs).
 
 Each instance binds exclusively to its VLAN gateway IP on port 53, so
 instances do not conflict with each other or with the system dnsmasq.service,
@@ -117,6 +117,8 @@ TIMER_SVC_FILE    = SYSTEMD_DIR / f"{TIMER_NAME}.service"
 RESOLV_CONF       = Path("/etc/resolv.conf")
 NAT_SERVICE_NAME  = "core-nat"
 NAT_SERVICE_FILE  = SYSTEMD_DIR / f"{NAT_SERVICE_NAME}.service"
+WG_DIR            = Path("/etc/wireguard")
+WG_KEEPALIVE      = 25
 
 log = None
 
@@ -180,13 +182,15 @@ def check_root():
     if os.geteuid() != 0:
         die("This script must be run as root (sudo).")
 
+def prefix_to_dotted(n):
+    mask = (0xFFFFFFFF << (32 - int(n))) & 0xFFFFFFFF
+    return '.'.join(str((mask >> (8 * i)) & 0xFF) for i in (3, 2, 1, 0))
+
 def network_for(vlan):
-    d = vlan["dhcp"]
-    return ipaddress.IPv4Network(f"{d['subnet']}/{d['subnet_mask']}", strict=False)
+    return ipaddress.IPv4Network(f"{vlan['subnet']}/{vlan['subnet_mask']}", strict=False)
 
 def lowest_quartet_ip(vlan):
-    """Return the server_identity IP with the lowest value in the last octet.
-    Only called for non-WG VLANs which have a server_identities list."""
+    """Return the server_identity IP with the lowest value in the last octet."""
     identities = vlan.get("server_identities", [])
     ips = []
     for s in identities:
@@ -202,26 +206,28 @@ def resolve_vlan_options(vlan):
     """
     Resolve gateway, dns_server, and ntp_server for a VLAN.
 
-    For WG VLANs: gateway comes directly from vpn_information.gateway.
-    dns_server defaults to gateway unless explicit_overrides.dns_server
-    is set. ntp_server is None -- WireGuard has no DHCP so NTP cannot
-    be advertised to peers.
+    For both WG and non-WG VLANs: gateway defaults to the lowest-last-octet
+    server_identity IP unless overridden in explicit_overrides. The gateway
+    override must be one of the server_identity IPs.
 
-    For non-WG VLANs: all three default to the lowest-last-octet
-    server_identity IP unless overridden in dhcp.explicit_overrides.
+    WG VLANs: ntp_server is None (WireGuard has no DHCP so NTP cannot be
+    advertised to peers). Overrides live in vpn_information.explicit_overrides.
+
+    Non-WG VLANs: overrides live in dhcp_information.explicit_overrides.
     Returns a dict with keys: gateway, dns_server, ntp_server.
     """
     if is_wg(vlan):
         vpi       = vlan["vpn_information"]
-        gateway   = vpi["gateway"]
         overrides = vpi.get("explicit_overrides", {})
+        default   = lowest_quartet_ip(vlan) or str(next(network_for(vlan).hosts()))
+        gateway   = overrides.get("gateway", "") or default
         dns       = overrides.get("dns_server", "") or gateway
         return {
             "gateway":    gateway,
             "dns_server": dns,
             "ntp_server": None,
         }
-    overrides = vlan.get("dhcp", {}).get("explicit_overrides", {})
+    overrides = vlan.get("dhcp_information", {}).get("explicit_overrides", {})
     default   = lowest_quartet_ip(vlan)
     return {
         "gateway":    overrides.get("gateway",    "") or default,
@@ -233,7 +239,27 @@ def is_physical(vlan):
     return vlan["vlan_id"] == 1
 
 def is_wg(vlan):
-    return vlan.get("interface", "").startswith("wg")
+    return vlan.get("is_vpn", False)
+
+
+def inject_interfaces(data):
+    """Compute and inject the 'interface' field for every VLAN from is_vpn + vlan_id.
+
+    is_vpn=False (regular VLAN):
+        vlan_id 1  → general.lan_interface  (e.g. enp6s0)
+        vlan_id N  → lan_interface.N         (e.g. enp6s0.10)
+    is_vpn=True (WireGuard VLAN):
+        1st WG VLAN → wg0, 2nd → wg1, etc. (order in vlans array)
+    """
+    lan = data.get("general", {}).get("lan_interface", "eth0")
+    wg_idx = 0
+    for vlan in data.get("vlans", []):
+        if vlan.get("is_vpn"):
+            vlan["interface"] = f"wg{wg_idx}"
+            wg_idx += 1
+        else:
+            vid = vlan.get("vlan_id", 1)
+            vlan["interface"] = lan if vid == 1 else f"{lan}.{vid}"
 
 def networkd_stem(vlan):
     return f"10-router-{vlan['name']}"
@@ -298,6 +324,7 @@ def load_config():
 # ===================================================================
 
 def validate_config(data):
+    inject_interfaces(data)
     errors = []
     seen_vlan_ids    = {}
     seen_interfaces  = {}
@@ -308,11 +335,15 @@ def validate_config(data):
     if not data.get("upstream_dns", {}).get("upstream_servers"):
         errors.append("upstream_dns.upstream_servers is missing or empty.")
 
-    # -- WAN interface ---------------------------------------------------------
-    wan = data.get("general", {}).get("wan_interface", "")
+    # -- WAN / LAN interfaces --------------------------------------------------
+    gen = data.get("general", {})
+    wan = gen.get("wan_interface", "")
+    lan = gen.get("lan_interface", "")
     if not wan:
         errors.append("general.wan_interface is missing or empty.")
-    else:
+    if not lan:
+        errors.append("general.lan_interface is missing or empty.")
+    if wan and lan:
         available_interfaces = set()
         try:
             result = subprocess.run(["ip", "link", "show"], capture_output=True, text=True)
@@ -320,8 +351,13 @@ def validate_config(data):
             available_interfaces = {i.split("@")[0] for i in available_interfaces}
         except Exception:
             pass
-        if available_interfaces and wan not in available_interfaces:
-            errors.append(f"general.wan_interface: '{wan}' does not exist on this system.")
+        if available_interfaces:
+            if wan not in available_interfaces:
+                errors.append(f"general.wan_interface: '{wan}' does not exist on this system.")
+            if lan not in available_interfaces:
+                errors.append(f"general.lan_interface: '{lan}' does not exist on this system.")
+        if wan == lan:
+            errors.append(f"general.wan_interface and general.lan_interface must be different (both set to '{wan}').")
 
     # -- Blocklist library -----------------------------------------------------
     blocklists_by_name = {}
@@ -370,9 +406,11 @@ def validate_config(data):
             errors.append(f"{label}: mdns_reflection must be false for WireGuard interfaces.")
 
         if is_wg(vlan):
+            # -- vpn_information -----------------------------------------------
             vpi = vlan.get("vpn_information")
             if not isinstance(vpi, dict):
                 errors.append(f"{label}: vpn_information must be a plain object.")
+                vpi = {}
             else:
                 lp = vpi.get("listen_port")
                 if not isinstance(lp, int) or not (1 <= lp <= 65535):
@@ -382,160 +420,234 @@ def validate_config(data):
                                   f"'{seen_listen_ports[lp]}'.")
                 else:
                     seen_listen_ports[lp] = name
-                gw = vpi.get("gateway", "")
-                if not gw:
-                    errors.append(f"{label}: vpn_information.gateway is required.")
+
+            # -- subnet/subnet_mask --------------------------------------------
+            for field in ("subnet", "subnet_mask"):
+                if not vlan.get(field):
+                    errors.append(f"{label}: missing required field '{field}'.")
+            wg_net = None
+            if vlan.get("subnet") and vlan.get("subnet_mask"):
+                try:
+                    wg_net = ipaddress.IPv4Network(f"{vlan['subnet']}/{vlan['subnet_mask']}", strict=False)
+                    vlan_networks[iface] = wg_net
+                except ValueError as e:
+                    errors.append(f"{label}: invalid subnet/subnet_mask: {e}")
+
+            # -- server_identities ---------------------------------------------
+            if not vlan.get("server_identities"):
+                errors.append(f"{label}: server_identities is empty or missing.")
+            identity_ips = []
+            for idx, ident in enumerate(vlan.get("server_identities", [])):
+                ip_str = ident.get("ip", "")
+                ilabel = f"{label} server_identities[{idx}] '{ident.get('description', '?')}'"
+                if not ip_str:
+                    errors.append(f"{ilabel}: missing 'ip' field.")
+                    continue
+                try:
+                    ip = ipaddress.IPv4Address(ip_str)
+                    if wg_net and ip not in wg_net:
+                        errors.append(f"{ilabel}: ip '{ip_str}' is not within subnet {wg_net}.")
+                    else:
+                        identity_ips.append(ip)
+                except ValueError:
+                    errors.append(f"{ilabel}: ip '{ip_str}' is not a valid IPv4 address.")
+
+            # -- vpn_information.explicit_overrides ----------------------------
+            eo = vpi.get("explicit_overrides", {}) if isinstance(vpi, dict) else {}
+            if not isinstance(eo, dict):
+                errors.append(f"{label}: vpn_information.explicit_overrides must be a plain object.")
+            else:
+                gw = eo.get("gateway", "")
+                if gw:
+                    try:
+                        gw_ip = ipaddress.IPv4Address(gw)
+                        if identity_ips and gw_ip not in identity_ips:
+                            errors.append(
+                                f"{label}: vpn_information.explicit_overrides.gateway '{gw}' does not match "
+                                f"any server_identity IP. Must be one of: "
+                                f"{[str(ip) for ip in identity_ips]}."
+                            )
+                    except ValueError:
+                        errors.append(f"{label}: vpn_information.explicit_overrides.gateway '{gw}' is not a valid IPv4 address.")
+                dns = eo.get("dns_server", "")
+                if dns:
+                    try:
+                        ipaddress.IPv4Address(dns)
+                    except ValueError:
+                        errors.append(f"{label}: vpn_information.explicit_overrides.dns_server '{dns}' is not a valid IPv4 address.")
+                mtu = eo.get("mtu", "")
+                if mtu:
+                    try:
+                        m = int(mtu)
+                        if not (576 <= m <= 9000):
+                            errors.append(f"{label}: vpn_information.explicit_overrides.mtu {mtu} is out of valid range (576-9000).")
+                    except (ValueError, TypeError):
+                        errors.append(f"{label}: vpn_information.explicit_overrides.mtu '{mtu}' is not a valid integer.")
+
+            # -- peers ---------------------------------------------------------
+            seen_peer_names = {}
+            seen_peer_ips   = {}
+            for pidx, peer in enumerate(vlan.get("peers", [])):
+                pname  = peer.get("name", "")
+                plabel = f"{label} peer[{pidx}] '{pname}'"
+                if not pname:
+                    errors.append(f"{plabel}: missing 'name' field.")
+                elif pname in seen_peer_names:
+                    errors.append(f"{plabel}: duplicate peer name '{pname}'.")
+                else:
+                    seen_peer_names[pname] = pidx
+                if not peer.get("public_key"):
+                    errors.append(f"{plabel}: missing 'public_key' field.")
+                pip_str = peer.get("ip", "")
+                if not pip_str:
+                    errors.append(f"{plabel}: missing 'ip' field.")
                 else:
                     try:
-                        ipaddress.IPv4Address(gw)
+                        pip = ipaddress.IPv4Address(pip_str)
+                        if wg_net and pip not in wg_net:
+                            errors.append(f"{plabel}: ip '{pip_str}' is not within subnet {wg_net}.")
+                        if pip in identity_ips:
+                            errors.append(f"{plabel}: ip '{pip_str}' conflicts with a server_identity.")
+                        if pip_str in seen_peer_ips:
+                            errors.append(
+                                f"{plabel}: duplicate peer ip '{pip_str}' "
+                                f"(also used by peer '{seen_peer_ips[pip_str]}')."
+                            )
+                        else:
+                            seen_peer_ips[pip_str] = pname
                     except ValueError:
-                        errors.append(f"{label}: vpn_information.gateway '{gw}' is not a valid IPv4 address.")
-                eo = vpi.get("explicit_overrides", {})
-                if not isinstance(eo, dict):
-                    errors.append(f"{label}: vpn_information.explicit_overrides must be a plain object.")
-                else:
-                    dns = eo.get("dns_server", "")
-                    if dns:
-                        try:
-                            ipaddress.IPv4Address(dns)
-                        except ValueError:
-                            errors.append(f"{label}: vpn_information.explicit_overrides.dns_server '{dns}' is not a valid IPv4 address.")
-                    mtu = eo.get("mtu", "")
-                    if mtu:
-                        try:
-                            m = int(mtu)
-                            if not (576 <= m <= 9000):
-                                errors.append(f"{label}: vpn_information.explicit_overrides.mtu {mtu} is out of valid range (576-9000).")
-                        except (ValueError, TypeError):
-                            errors.append(f"{label}: vpn_information.explicit_overrides.mtu '{mtu}' is not a valid integer.")
-            # WG VLANs have no server_identities or dhcp block -- skip remaining validation
+                        errors.append(f"{plabel}: ip '{pip_str}' is not a valid IPv4 address.")
             continue
 
         if not vlan.get("server_identities"):
             errors.append(f"{label}: server_identities is empty or missing.")
             continue
 
-        d = vlan.get("dhcp", {})
-        required_dhcp = {"subnet", "subnet_mask", "dynamic_pool_start",
-                         "dynamic_pool_end", "lease_time"}
-        missing = required_dhcp - set(d.keys())
-        if missing:
-            errors.append(f"{label}: missing dhcp fields: {missing}")
+        for field in ("subnet", "subnet_mask"):
+            if not vlan.get(field):
+                errors.append(f"{label}: missing required top-level field '{field}'.")
+        if not vlan.get("subnet") or not vlan.get("subnet_mask"):
             continue
 
-        if not is_wg(vlan):
+        try:
+            network = ipaddress.IPv4Network(f"{vlan['subnet']}/{vlan['subnet_mask']}", strict=False)
+            vlan_networks[iface] = network
+        except ValueError as e:
+            errors.append(f"{label}: invalid subnet/subnet_mask: {e}")
+            continue
+
+        d = vlan.get("dhcp_information", {})
+        required_dhcp = {"dynamic_pool_start", "dynamic_pool_end", "lease_time"}
+        missing = required_dhcp - set(d.keys())
+        if missing:
+            errors.append(f"{label}: missing dhcp_information fields: {missing}")
+            continue
+
+        def check_ip(field_label, ip_str, allow_none=False):
+            if ip_str is None:
+                if not allow_none:
+                    errors.append(f"{label}: {field_label} is null/missing.")
+                return None
             try:
-                network = ipaddress.IPv4Network(f"{d['subnet']}/{d['subnet_mask']}", strict=False)
-                vlan_networks[iface] = network
-            except ValueError as e:
-                errors.append(f"{label}: invalid subnet/subnet_mask: {e}")
-                continue
+                ip = ipaddress.IPv4Address(ip_str)
+            except ValueError:
+                errors.append(f"{label}: {field_label} '{ip_str}' is not a valid IPv4 address.")
+                return None
+            if ip not in network:
+                errors.append(f"{label}: {field_label} '{ip_str}' is not within subnet {network}.")
+            return ip
 
-            def check_ip(field_label, ip_str, allow_none=False):
-                if ip_str is None:
-                    if not allow_none:
-                        errors.append(f"{label}: {field_label} is null/missing.")
-                    return None
-                try:
-                    ip = ipaddress.IPv4Address(ip_str)
-                except ValueError:
-                    errors.append(f"{label}: {field_label} '{ip_str}' is not a valid IPv4 address.")
-                    return None
-                if ip not in network:
-                    errors.append(f"{label}: {field_label} '{ip_str}' is not within subnet {network}.")
-                return ip
+        identity_ips = []
+        for idx, ident in enumerate(vlan["server_identities"]):
+            ip = check_ip(
+                f"server_identities[{idx}] '{ident.get('description', '?')}'",
+                ident.get("ip")
+            )
+            if ip:
+                identity_ips.append(ip)
 
-            identity_ips = []
-            for idx, ident in enumerate(vlan["server_identities"]):
-                ip = check_ip(
-                    f"server_identities[{idx}] '{ident.get('description', '?')}'",
-                    ident.get("ip")
-                )
-                if ip:
-                    identity_ips.append(ip)
+        # -- Validate explicit_overrides -----------------------------------
+        eo = d.get("explicit_overrides", {})
+        if not isinstance(eo, dict):
+            errors.append(f"{label}: explicit_overrides must be a plain object.")
+        else:
+            gw = eo.get("gateway", "")
+            if gw:
+                gw_ip = check_ip("explicit_overrides.gateway", gw)
+                if gw_ip and gw_ip not in identity_ips:
+                    errors.append(
+                        f"{label}: explicit_overrides.gateway '{gw}' does not match "
+                        f"any server_identity IP. Must be one of: "
+                        f"{[str(ip) for ip in identity_ips]}."
+                    )
+            dns = eo.get("dns_server", "")
+            if dns:
+                check_ip("explicit_overrides.dns_server", dns)
+            ntp = eo.get("ntp_server", "")
+            if ntp:
+                check_ip("explicit_overrides.ntp_server", ntp)
 
-            # -- Validate explicit_overrides -----------------------------------
-            eo = d.get("explicit_overrides", {})
-            if not isinstance(eo, dict):
-                errors.append(f"{label}: explicit_overrides must be a plain object.")
+        pool_start = check_ip("dynamic_pool_start", d["dynamic_pool_start"])
+        pool_end   = check_ip("dynamic_pool_end",   d["dynamic_pool_end"])
+
+        if pool_start and pool_end and pool_start > pool_end:
+            errors.append(
+                f"{label}: dynamic_pool_start '{pool_start}' is greater than "
+                f"dynamic_pool_end '{pool_end}'."
+            )
+
+        if pool_start and pool_end:
+            for ip in identity_ips:
+                if pool_start <= ip <= pool_end:
+                    errors.append(
+                        f"{label}: server_identity '{ip}' falls inside the dynamic "
+                        f"pool ({pool_start} - {pool_end})."
+                    )
+
+        seen_res_ips  = {}
+        seen_res_macs = {}
+        for r in vlan.get("reservations", []):
+            rdesc = r.get("description", "?")
+            rmac  = r.get("mac", "").lower().strip()
+
+            if is_dynamic_ip(r):
+                rip = None  # no pinned IP -- skip all IP validation
             else:
-                gw = eo.get("gateway", "")
-                if gw:
-                    gw_ip = check_ip("explicit_overrides.gateway", gw)
-                    if gw_ip and gw_ip not in identity_ips:
+                rip = check_ip(f"reservation '{rdesc}' ip", r.get("ip"))
+
+            if rip:
+                if pool_start and pool_end and pool_start <= rip <= pool_end:
+                    errors.append(
+                        f"{label}: reservation '{rdesc}' ip '{rip}' falls inside "
+                        f"the dynamic pool ({pool_start} - {pool_end})."
+                    )
+                rip_str = str(rip)
+                if rip_str in seen_res_ips:
+                    # Allow same IP for different MACs (multi-interface device)
+                    # Only flag if same MAC is also duplicated (caught below)
+                    if rmac and rmac in seen_res_ips[rip_str]:
                         errors.append(
-                            f"{label}: explicit_overrides.gateway '{gw}' does not match "
-                            f"any server_identity IP. Must be one of: "
-                            f"{[str(ip) for ip in identity_ips]}."
+                            f"{label}: reservation '{rdesc}' ip '{rip}' and MAC '{rmac}' "
+                            f"duplicates '{seen_res_ips[rip_str][rmac]}'."
                         )
-                dns = eo.get("dns_server", "")
-                if dns:
-                    check_ip("explicit_overrides.dns_server", dns)
-                ntp = eo.get("ntp_server", "")
-                if ntp:
-                    check_ip("explicit_overrides.ntp_server", ntp)
-
-            pool_start = check_ip("dynamic_pool_start", d["dynamic_pool_start"])
-            pool_end   = check_ip("dynamic_pool_end",   d["dynamic_pool_end"])
-
-            if pool_start and pool_end and pool_start > pool_end:
-                errors.append(
-                    f"{label}: dynamic_pool_start '{pool_start}' is greater than "
-                    f"dynamic_pool_end '{pool_end}'."
-                )
-
-            if pool_start and pool_end:
-                for ip in identity_ips:
-                    if pool_start <= ip <= pool_end:
-                        errors.append(
-                            f"{label}: server_identity '{ip}' falls inside the dynamic "
-                            f"pool ({pool_start} - {pool_end})."
-                        )
-
-            seen_res_ips  = {}
-            seen_res_macs = {}
-            for r in vlan.get("reservations", []):
-                rdesc = r.get("description", "?")
-                rmac  = r.get("mac", "").lower().strip()
-
-                if is_dynamic_ip(r):
-                    rip = None  # no pinned IP -- skip all IP validation
+                    else:
+                        seen_res_ips[rip_str][rmac] = rdesc
                 else:
-                    rip = check_ip(f"reservation '{rdesc}' ip", r.get("ip"))
+                    seen_res_ips[rip_str] = {rmac: rdesc}
+                if rip in identity_ips:
+                    errors.append(
+                        f"{label}: reservation '{rdesc}' ip '{rip}' conflicts "
+                        f"with a server_identity."
+                    )
 
-                if rip:
-                    if pool_start and pool_end and pool_start <= rip <= pool_end:
-                        errors.append(
-                            f"{label}: reservation '{rdesc}' ip '{rip}' falls inside "
-                            f"the dynamic pool ({pool_start} - {pool_end})."
-                        )
-                    rip_str = str(rip)
-                    if rip_str in seen_res_ips:
-                        # Allow same IP for different MACs (multi-interface device)
-                        # Only flag if same MAC is also duplicated (caught below)
-                        if rmac and rmac in seen_res_ips[rip_str]:
-                            errors.append(
-                                f"{label}: reservation '{rdesc}' ip '{rip}' and MAC '{rmac}' "
-                                f"duplicates '{seen_res_ips[rip_str][rmac]}'."
-                            )
-                        else:
-                            seen_res_ips[rip_str][rmac] = rdesc
-                    else:
-                        seen_res_ips[rip_str] = {rmac: rdesc}
-                    if rip in identity_ips:
-                        errors.append(
-                            f"{label}: reservation '{rdesc}' ip '{rip}' conflicts "
-                            f"with a server_identity."
-                        )
-
-                if rmac:
-                    if rmac in seen_res_macs:
-                        errors.append(
-                            f"{label}: reservation '{rdesc}' MAC '{rmac}' duplicates "
-                            f"'{seen_res_macs[rmac]}'."
-                        )
-                    else:
-                        seen_res_macs[rmac] = rdesc
+            if rmac:
+                if rmac in seen_res_macs:
+                    errors.append(
+                        f"{label}: reservation '{rdesc}' MAC '{rmac}' duplicates "
+                        f"'{seen_res_macs[rmac]}'."
+                    )
+                else:
+                    seen_res_macs[rmac] = rdesc
 
         for bl_name in vlan.get("use_blocklists", []):
             if bl_name not in blocklists_by_name:
@@ -631,6 +743,25 @@ def validate_config(data):
         errors.append(f"Multiple VLANs have radius_default: true ({', '.join(defaults)}). "
                       f"Only one VLAN may be the RADIUS default.")
 
+    # -- host_overrides validation ---------------------------------------------
+    all_vlan_nets = list(vlan_networks.values())
+    for idx, entry in enumerate(data.get("host_overrides", [])):
+        lbl = f"host_overrides[{idx}] '{entry.get('host', '?')}'"
+        if not entry.get("host"):
+            errors.append(f"{lbl}: missing 'host' field.")
+        ip_str = entry.get("ip", "")
+        if not ip_str:
+            errors.append(f"{lbl}: missing 'ip' field.")
+        else:
+            try:
+                ip_addr = ipaddress.IPv4Address(ip_str)
+                if all_vlan_nets and not any(ip_addr in net for net in all_vlan_nets):
+                    errors.append(
+                        f"{lbl}: '{ip_str}' does not fall within any configured VLAN subnet."
+                    )
+            except ValueError:
+                errors.append(f"{lbl}: '{ip_str}' is not a valid IPv4 address.")
+
     # -- banned_ips validation -------------------------------------------------
     for idx, entry in enumerate(data.get("banned_ips", [])):
         ip  = entry.get("ip", "")
@@ -947,7 +1078,7 @@ def build_vlan_dnsmasq_conf(vlan, data):
     overrides = [o for o in data.get("host_overrides", []) if o.get("enabled") is True]
     name      = vlan["name"]
     iface     = vlan["interface"]
-    d         = vlan.get("dhcp", {})
+    d         = vlan.get("dhcp_information", {})
     opts      = resolve_vlan_options(vlan)
     gateway   = opts["gateway"]
 
@@ -982,7 +1113,8 @@ def build_vlan_dnsmasq_conf(vlan, data):
 
     if not is_wg(vlan):
         line("# -- DHCP -----------------------------------------------------------")
-        line(f"dhcp-range=set:{name},{d['dynamic_pool_start']},{d['dynamic_pool_end']},{d['subnet_mask']},{d['lease_time']}")
+        dotted_mask = prefix_to_dotted(vlan['subnet_mask'])
+        line(f"dhcp-range=set:{name},{d['dynamic_pool_start']},{d['dynamic_pool_end']},{dotted_mask},{d['lease_time']}")
         line(f"domain={d.get('domain', 'local')}")
         line()
         line(f"dhcp-option=tag:{name},option:router,{gateway}")
@@ -1207,13 +1339,7 @@ def ensure_chrony(data):
         content  = chrony_conf.read_text()
         subnets  = []
         for v in data["vlans"]:
-            if is_wg(v):
-                # Derive subnet from gateway IP -- always a /24
-                gw = v["vpn_information"]["gateway"]
-                net = ipaddress.IPv4Network(f"{gw}/24", strict=False)
-                subnets.append(str(net))
-            else:
-                subnets.append(str(network_for(v)))
+            subnets.append(str(network_for(v)))
         added    = []
         for subnet in subnets:
             line = f"allow {subnet}"
@@ -1297,6 +1423,123 @@ def wg_interface_up(iface):
                             capture_output=True, text=True)
     return result.returncode == 0
 
+def wg_server_key_path(iface):
+    return WG_DIR / f"{iface}.key"
+
+def wg_server_pubkey_path(iface):
+    """Public key written to the configs dir so the Flask app can read it."""
+    return SCRIPT_DIR / f".wg-{iface}.pub"
+
+def wg_conf_path_for(iface):
+    return WG_DIR / f"{iface}.conf"
+
+def generate_wg_server_key(iface):
+    WG_DIR.mkdir(exist_ok=True)
+    result = subprocess.run(["wg", "genkey"], capture_output=True, text=True, check=True)
+    private = result.stdout.strip()
+    kf = wg_server_key_path(iface)
+    kf.write_text(private + "\n")
+    kf.chmod(0o600)
+    return private
+
+def build_wg_server_conf(vlan, server_private_key):
+    """Build the /etc/wireguard/<iface>.conf content from core.json peers."""
+    iface       = vlan["interface"]
+    info        = vlan["vpn_information"]
+    gateway     = resolve_vlan_options(vlan)["gateway"]
+    network     = network_for(vlan)
+    server_ip   = f"{gateway}/{network.prefixlen}"
+    listen_port = info["listen_port"]
+    domain      = info.get("domain", "local")
+
+    L = [
+        "# Generated by core.py -- do not edit manually.",
+        "# Run: sudo python3 core.py --apply",
+        "",
+        "[Interface]",
+        f"PrivateKey = {server_private_key}",
+        f"Address = {server_ip}",
+        f"ListenPort = {listen_port}",
+        "",
+    ]
+
+    for peer in vlan.get("peers", []):
+        if not peer.get("enabled", True):
+            L += [f"# DISABLED: {peer['name']}", ""]
+            continue
+        L += [
+            f"# {peer['name']}",
+            "[Peer]",
+            f"PublicKey = {peer['public_key']}",
+            f"AllowedIPs = {peer['ip']}/32",
+            f"PersistentKeepalive = {WG_KEEPALIVE}",
+            "",
+        ]
+
+    return "\n".join(L)
+
+def ensure_wg_interfaces(data):
+    """Generate WireGuard server confs and bring up / sync all WG interfaces."""
+    wg_vlans = [v for v in data.get("vlans", []) if is_wg(v)]
+    if not wg_vlans:
+        return
+
+    for vlan in wg_vlans:
+        iface = vlan["interface"]
+        print(f"  [{iface}]")
+
+        kf = wg_server_key_path(iface)
+        if not kf.exists():
+            print(f"    Generating server private key...")
+            private = generate_wg_server_key(iface)
+        else:
+            private = kf.read_text().strip()
+
+        pub_result = subprocess.run(
+            ["wg", "pubkey"], input=private, capture_output=True, text=True, check=True
+        )
+        public = pub_result.stdout.strip()
+        pubkey_file = wg_server_pubkey_path(iface)
+        pubkey_file.write_text(public + "\n")
+        chown_to_script_dir_owner(pubkey_file)
+        print(f"    Server public key: {public[:20]}...")
+
+        WG_DIR.mkdir(exist_ok=True)
+        conf_file   = wg_conf_path_for(iface)
+        new_conf    = build_wg_server_conf(vlan, private)
+        listen_port = vlan["vpn_information"]["listen_port"]
+
+        port_changed = False
+        if conf_file.exists():
+            m = re.search(r'ListenPort\s*=\s*(\d+)', conf_file.read_text())
+            if m and int(m.group(1)) != listen_port:
+                port_changed = True
+
+        conf_file.write_text(new_conf)
+        conf_file.chmod(0o600)
+
+        peer_count = len([p for p in vlan.get("peers", []) if p.get("enabled", True)])
+        print(f"    Wrote {conf_file} ({peer_count} enabled peer(s))")
+
+        if not wg_interface_up(iface):
+            print(f"    Bringing up {iface}...")
+            r = subprocess.run(["wg-quick", "up", iface], capture_output=True, text=True)
+            if r.returncode != 0:
+                print(f"    WARNING: wg-quick up {iface} failed: {r.stderr.strip()}")
+            else:
+                print(f"    {iface} is up.")
+        elif port_changed:
+            print(f"    Listen port changed -- restarting {iface}...")
+            subprocess.run(["wg-quick", "down", iface], capture_output=True, text=True)
+            r = subprocess.run(["wg-quick", "up",   iface], capture_output=True, text=True)
+            if r.returncode != 0:
+                print(f"    WARNING: wg-quick up {iface} failed: {r.stderr.strip()}")
+            else:
+                print(f"    {iface} restarted.")
+        else:
+            print(f"    Syncing peers to live {iface}...")
+            subprocess.run(["wg", "syncconf", iface, str(conf_file)], capture_output=True, text=True)
+
 def get_container_bridges():
     """Return all active bridge interfaces not managed by our VLAN config.
     Works universally for Docker, Podman, LXC, libvirt, etc. -- anything
@@ -1358,9 +1601,7 @@ def apply_dnsmasq_instances(data, dry_run=False, start_if_needed=True):
 
     for vlan in data["vlans"]:
         if is_wg(vlan) and not dry_run and not wg_interface_up(vlan["interface"]):
-            print(f"Skipped VLAN '{vlan['name']}': {vlan['interface']} is not up (WireGuard not running).")
-            print("  To enable the VPN VLAN, start WireGuard with vpn.py --apply")
-            print("  (core.py --apply will be called again automatically).")
+            print(f"Skipped VLAN '{vlan['name']}': {vlan['interface']} is not up. Run --apply again after WireGuard is up.")
             continue
 
         conf_content = build_vlan_dnsmasq_conf(vlan, data)
@@ -1690,13 +1931,11 @@ def build_nft_config(data, dry_run=False):
     # Build interface -> network map for nat_ip -> iface lookup in forward chain
     vlan_networks = {}
     for v in vlans:
-        if not is_wg(v):
-            d = v.get("dhcp", {})
-            try:
-                net = ipaddress.IPv4Network(f"{d['subnet']}/{d['subnet_mask']}", strict=False)
-                vlan_networks[v["interface"]] = net
-            except (KeyError, ValueError):
-                pass
+        try:
+            net = network_for(v)
+            vlan_networks[v["interface"]] = net
+        except (KeyError, ValueError):
+            pass
 
     all_except = rule_enabled(data.get("inter_vlan_exceptions", []))
     banned_v4, banned_v6 = banned_ip_sets(data)
@@ -2000,16 +2239,14 @@ def apply_nftables(data, dry_run=False):
     print("nftables rules applied successfully.")
 
     # Build set of active subnets for filtering exception display
-    import ipaddress as _ipaddress
     active_subnets = []
     for v in data["vlans"]:
-        if is_wg(v):
-            if wg_interface_up(v["interface"]):
-                gw  = v["vpn_information"]["gateway"]
-                active_subnets.append(_ipaddress.IPv4Network(f"{gw}/24", strict=False))
-        else:
-            d   = v["dhcp"]
-            active_subnets.append(_ipaddress.IPv4Network(f"{d['subnet']}/{d['subnet_mask']}", strict=False))
+        if is_wg(v) and not wg_interface_up(v["interface"]):
+            continue
+        try:
+            active_subnets.append(network_for(v))
+        except (KeyError, ValueError):
+            pass
 
     def dst_is_active(r):
         dst = r.get("dst_ip_or_subnet") or r.get("dst_ip", "")
@@ -2894,14 +3131,7 @@ def _dry_run_conflicting_services(data):
         chrony_conf = Path("/etc/chrony/chrony.conf")
         if chrony_conf.exists():
             content = chrony_conf.read_text()
-            subnets = []
-            for v in data["vlans"]:
-                if is_wg(v):
-                    gw  = v["vpn_information"]["gateway"]
-                    net = ipaddress.IPv4Network(f"{gw}/24", strict=False)
-                    subnets.append(str(net))
-                else:
-                    subnets.append(str(network_for(v)))
+            subnets = [str(network_for(v)) for v in data["vlans"]]
             missing = [s for s in subnets if f"allow {s}" not in content]
             if missing:
                 print(f"  Would add chrony allow directives for: {', '.join(missing)}")
@@ -3261,6 +3491,7 @@ def cmd_apply(data, dry_run=False):
     dnsmasq confs, start/restart all services whose interface is up, nftables,
     timer, and boot service. Safe to run repeatedly.
     """
+    inject_interfaces(data)
     if dry_run:
         print("[DRY RUN] --apply would perform the following actions:")
         print()
@@ -3307,14 +3538,16 @@ def cmd_apply(data, dry_run=False):
 
     total_enabled  = sum(
         len([r for r in v.get("reservations", []) if r.get("enabled") is True])
-        for v in data["vlans"]
+        for v in data["vlans"] if not is_wg(v)
     )
     total_disabled = sum(
         len([r for r in v.get("reservations", []) if r.get("enabled") is not True])
-        for v in data["vlans"]
+        for v in data["vlans"] if not is_wg(v)
     )
+    total_wg_peers = sum(len(v.get("peers", [])) for v in data["vlans"] if is_wg(v))
+    wg_part = f", {total_wg_peers} WG peer(s)" if total_wg_peers else ""
     print(f"Applying config: {len(data['vlans'])} VLAN(s), "
-          f"{total_enabled} reservation(s), {total_disabled} skipped.")
+          f"{total_enabled} reservation(s), {total_disabled} skipped{wg_part}.")
     print()
 
     print("-- Conflicting services ----------------------------------------------")
@@ -3327,6 +3560,11 @@ def cmd_apply(data, dry_run=False):
     apply_networkd(data, only_if_changed=True)
     print()
 
+    if any(is_wg(v) for v in data["vlans"]):
+        print("-- WireGuard interfaces ----------------------------------------------")
+        ensure_wg_interfaces(data)
+        print()
+
     print("-- dnsmasq instances -------------------------------------------------")
     if not blocklists_available(data):
         print("  NOTE: No merged blocklist files found -- blocklist rules will be absent.")
diff --git a/router/create_vpn_peer.py b/router/create_vpn_peer.py
new file mode 100644
index 0000000..73a6052
--- /dev/null
+++ b/router/create_vpn_peer.py
@@ -0,0 +1,229 @@
+#!/usr/bin/env python3
+"""
+create_vpn_peer.py -- Add a WireGuard peer to core.json and write the client .conf file.
+
+Generates a fresh keypair, appends the peer to the specified WireGuard VLAN in core.json,
+and saves a ready-to-import client config file.
+
+Use --iface or --vlan-id to select the target VLAN. If the config contains exactly one
+WireGuard VLAN, both flags are optional and it is selected automatically.
+
+Run core.py --apply after adding peers to sync the changes to the live interface.
+
+Usage:
+  python3 create_vpn_peer.py --name laptop --ip 192.168.40.2
+  python3 create_vpn_peer.py --name laptop --ip 192.168.40.2 --iface wg0
+  python3 create_vpn_peer.py --name laptop --ip 192.168.40.2 --vlan-id 40
+  python3 create_vpn_peer.py --name phone  --ip 192.168.40.3 --split-tunnel
+  python3 create_vpn_peer.py --name tablet --ip 192.168.40.4 --output ~/tablet.conf
+"""
+
+import argparse
+import ipaddress
+import json
+import subprocess
+import sys
+from pathlib import Path
+
+SCRIPT_DIR  = Path(__file__).parent
+CONFIG_FILE = SCRIPT_DIR / "core.json"
+
+
+def die(msg):
+    print(f"ERROR: {msg}", file=sys.stderr)
+    sys.exit(1)
+
+
+def load_config():
+    if not CONFIG_FILE.exists():
+        die(f"Config file not found: {CONFIG_FILE}")
+    with open(CONFIG_FILE) as f:
+        return json.load(f)
+
+
+def save_config(data):
+    with open(CONFIG_FILE, "w") as f:
+        json.dump(data, f, indent=2)
+
+
+def resolve_wg_iface(vlan, data):
+    """Return wg0, wg1, ... based on position among is_vpn VLANs."""
+    wg_vlans = [v for v in data.get("vlans", []) if v.get("is_vpn")]
+    idx = next((i for i, v in enumerate(wg_vlans) if v is vlan), 0)
+    return f"wg{idx}"
+
+
+def find_wg_vlan(data, iface=None, vlan_id=None):
+    """Return the target WireGuard VLAN, or die with a helpful message."""
+    wg_vlans = [v for v in data.get("vlans", []) if v.get("is_vpn")]
+
+    if iface is not None:
+        vlan = next((v for v in wg_vlans if resolve_wg_iface(v, data) == iface), None)
+        if vlan is None:
+            known = ", ".join(resolve_wg_iface(v, data) for v in wg_vlans) or "none"
+            die(f"No WireGuard VLAN with interface '{iface}' found in core.json. "
+                f"Known WireGuard interfaces: {known}.")
+        return vlan
+
+    if vlan_id is not None:
+        vlan = next((v for v in wg_vlans if v.get("vlan_id") == vlan_id), None)
+        if vlan is None:
+            known = ", ".join(
+                f"{v['vlan_id']} ({resolve_wg_iface(v, data)})" for v in wg_vlans
+            ) or "none"
+            die(f"No WireGuard VLAN with vlan_id {vlan_id} found in core.json. "
+                f"Known WireGuard VLANs: {known}.")
+        return vlan
+
+    if not wg_vlans:
+        die("No WireGuard VLANs found in core.json. "
+            "Add a VLAN with is_vpn set to true.")
+    if len(wg_vlans) > 1:
+        options = "  " + "\n  ".join(
+            f"--iface {resolve_wg_iface(v, data)}   or   --vlan-id {v['vlan_id']}  ({v.get('name', '?')})"
+            for v in wg_vlans
+        )
+        die(f"Multiple WireGuard VLANs found. Specify one:\n{options}")
+    return wg_vlans[0]
+
+
+def server_pubkey(iface):
+    path = SCRIPT_DIR / f".wg-{iface}.pub"
+    if not path.exists():
+        die(
+            f"Server public key not found: {path}\n"
+            f"Run 'sudo python3 core.py --apply' first to generate the server keypair."
+        )
+    return path.read_text().strip()
+
+
+def generate_keypair():
+    try:
+        private = subprocess.run(
+            ["wg", "genkey"], capture_output=True, text=True, check=True
+        ).stdout.strip()
+        public = subprocess.run(
+            ["wg", "pubkey"], input=private, capture_output=True, text=True, check=True
+        ).stdout.strip()
+        return private, public
+    except FileNotFoundError:
+        die("'wg' not found. Install wireguard-tools: sudo apt install wireguard-tools")
+    except subprocess.CalledProcessError as e:
+        die(f"Key generation failed: {e.stderr.strip()}")
+
+
+def build_client_conf(vlan, peer_ip, private_key, server_pub, split_tunnel):
+    info      = vlan.get("vpn_information", {})
+    overrides = info.get("explicit_overrides", {})
+    subnet    = vlan["subnet"]
+    mask      = vlan["subnet_mask"]
+    network   = ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False)
+    ident_ips = [s["ip"] for s in vlan.get("server_identities", []) if s.get("ip")]
+    default   = str(min((ipaddress.IPv4Address(ip) for ip in ident_ips),
+                        key=lambda x: x.packed[-1])) if ident_ips else str(next(network.hosts()))
+    gateway   = overrides.get("gateway") or default
+    dns       = overrides.get("dns_server") or gateway
+    prefix    = network.prefixlen
+    mtu       = overrides.get("mtu", "")
+    endpoint  = info.get("server_endpoint", "")
+    listen_port = info.get("listen_port", 51820)
+
+    allowed_ips = f"{subnet}/{prefix}" if split_tunnel else "0.0.0.0/0"
+
+    lines = [
+        "# Generated by create_vpn_peer.py",
+        "",
+        "[Interface]",
+        f"PrivateKey = {private_key}",
+        f"Address = {peer_ip}/{prefix}",
+        f"DNS = {dns}",
+    ]
+    if mtu:
+        lines.append(f"MTU = {mtu}")
+    lines += ["", "[Peer]", f"PublicKey = {server_pub}"]
+    if endpoint:
+        lines.append(f"Endpoint = {endpoint}:{listen_port}")
+    lines += [f"AllowedIPs = {allowed_ips}", "PersistentKeepalive = 25", ""]
+    return "\n".join(lines)
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Add a WireGuard peer to core.json and write the client .conf file."
+    )
+    parser.add_argument("--name",         required=True, help="Peer name (e.g. laptop)")
+    parser.add_argument("--ip",           required=True, help="Peer IP within the VPN subnet (e.g. 192.168.40.2)")
+    parser.add_argument("--split-tunnel", action="store_true",
+                        help="Route only VPN subnet traffic through the tunnel (default: full tunnel)")
+    parser.add_argument("--output",       default=None,
+                        help="Output path for the client .conf file (default: vpn-client-<name>.conf)")
+
+    sel = parser.add_mutually_exclusive_group()
+    sel.add_argument("--iface",   default=None, metavar="IFACE",
+                     help="WireGuard interface to add the peer to (e.g. wg0)")
+    sel.add_argument("--vlan-id", default=None, type=int, metavar="ID",
+                     help="VLAN ID of the WireGuard VLAN to add the peer to (e.g. 40)")
+    args = parser.parse_args()
+
+    # -- Validate IP -----------------------------------------------------------
+    try:
+        peer_ip = str(ipaddress.IPv4Address(args.ip))
+    except ValueError:
+        die(f"'{args.ip}' is not a valid IPv4 address.")
+
+    # -- Load config and find WG VLAN ------------------------------------------
+    data = load_config()
+    vlan = find_wg_vlan(data, iface=args.iface, vlan_id=args.vlan_id)
+
+    iface = resolve_wg_iface(vlan, data)
+
+    # -- Validate peer IP is within subnet -------------------------------------
+    try:
+        network = ipaddress.IPv4Network(f"{vlan['subnet']}/{vlan['subnet_mask']}", strict=False)
+    except (KeyError, ValueError) as e:
+        die(f"Invalid subnet in WireGuard VLAN: {e}")
+
+    if ipaddress.IPv4Address(peer_ip) not in network:
+        die(f"IP {peer_ip} is not within the VPN subnet {network}.")
+
+    # -- Check for duplicates --------------------------------------------------
+    peers = vlan.setdefault("peers", [])
+    if any(p.get("name") == args.name for p in peers):
+        die(f"A peer named '{args.name}' already exists.")
+    if any(p.get("ip") == peer_ip for p in peers):
+        die(f"IP {peer_ip} is already assigned to another peer.")
+
+    # -- Generate keypair and read server public key ---------------------------
+    print(f"Generating keypair for '{args.name}'...")
+    private_key, public_key = generate_keypair()
+    srv_pub = server_pubkey(iface)
+
+    # -- Update core.json ------------------------------------------------------
+    peers.append({
+        "name":         args.name,
+        "ip":           peer_ip,
+        "public_key":   public_key,
+        "split_tunnel": args.split_tunnel,
+        "enabled":      True,
+    })
+    save_config(data)
+    print(f"Added peer '{args.name}' to core.json.")
+
+    # -- Write client conf -----------------------------------------------------
+    conf_content = build_client_conf(vlan, peer_ip, private_key, srv_pub, args.split_tunnel)
+    if args.output:
+        out_path = Path(args.output)
+    else:
+        safe = "".join(c if c.isalnum() or c in "-_" else "_" for c in args.name)
+        out_path = SCRIPT_DIR / f"vpn-client-{safe}.conf"
+
+    out_path.write_text(conf_content)
+    print(f"Client config saved: {out_path}")
+    print()
+    print("Next steps:")
+    print(f"  1. Transfer {out_path.name} to the peer device by secure means, then delete it.")
+    print(f"  2. Run 'sudo python3 core.py --apply' to sync the new peer to the live interface.")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/router/vpn.py b/router/vpn.py
deleted file mode 100644
index 0a02bba..0000000
--- a/router/vpn.py
+++ /dev/null
@@ -1,1005 +0,0 @@
-#!/usr/bin/env python3
-"""
-vpn.py -- Manage WireGuard VPN server and peers.
-
-Reads core.json for VPN interface configuration. Any VLAN whose interface
-name starts with "wg" is treated as a WireGuard interface. Peer data is
-stored in per-interface dotfiles (.vpn-wg0, .vpn-wg1, etc.) in the same
-directory as this script.
-
-Server private keys:
-  Stored at /etc/wireguard/<iface>.key (root read-only, 600).
-  Generated once on --apply if not already present.
-
-Peer key model (WireGuard is symmetric):
-  Each peer generates a keypair. The peer's PRIVATE key is embedded in
-  their client config file and must be transferred to them securely.
-  The peer's PUBLIC key is stored in the dotfile and written into the
-  WireGuard conf. The server's public key is embedded in each client config.
-
-Client config files:
-  Generated as vpn-client-<name>.conf in the same directory as vpn.py.
-  Permissions: 600 (root read-only).
-  Contains the peer's private key -- transfer to the client by secure means
-  (e.g. encrypted email, USB), then delete from this server.
-
-Usage:
-  sudo python3 vpn.py --add-peer     Add a new peer interactively
-  sudo python3 vpn.py --manage-peers  List and manage existing peers
-  sudo python3 vpn.py --apply         Write WireGuard config and sync peers
-  sudo python3 vpn.py --disable       Stop WireGuard on all interfaces
-  sudo python3 vpn.py --status        Show WireGuard service and interface status
-  sudo python3 vpn.py --view-peers    Show per-peer handshake and traffic stats
-"""
-
-import ipaddress
-import json
-import os
-import re
-import subprocess
-import sys
-import argparse
-from pathlib import Path
-from datetime import datetime, timezone
-from validation import ip as validate_ip
-
-SCRIPT_DIR       = Path(__file__).parent
-DHCP_CONFIG_FILE = SCRIPT_DIR / "core.json"
-DDNS_CONFIG_FILE = SCRIPT_DIR / "ddns.json"
-WG_DIR           = Path("/etc/wireguard")
-KEEPALIVE        = 25
-
-# ===================================================================
-# Helpers
-# ===================================================================
-
-def die(msg):
-    print(f"ERROR: {msg}", file=sys.stderr)
-    sys.exit(1)
-
-def check_root():
-    if os.geteuid() != 0:
-        die("This script must be run as root (sudo).")
-
-def chown_to_script_dir_owner(path):
-    """Chown a file to the owner of the script directory.
-    Keeps SCRIPT_DIR files user-owned even when running as root.
-    /etc/wireguard files are intentionally excluded - they stay root-owned.
-    """
-    try:
-        stat = SCRIPT_DIR.stat()
-        os.chown(path, stat.st_uid, stat.st_gid)
-    except OSError:
-        pass  # non-fatal
-
-def run(cmd, check=True, capture=True):
-    return subprocess.run(cmd, capture_output=capture, text=True, check=check)
-
-def wg_available():
-    return subprocess.run(["which", "wg"], capture_output=True).returncode == 0
-
-def sense_mtu(dhcp_data):
-    """
-    Derive the recommended WireGuard tunnel MTU from the WAN interface MTU.
-    WireGuard adds 60 bytes of overhead for IPv4, so tunnel MTU = link MTU - 60.
-    Falls back to 1420 (correct for standard 1500 MTU links) if sensing fails.
-    Reads wan_interface from core.json general block.
-    """
-    wan = dhcp_data.get("general", {}).get("wan_interface", "")
-    if wan:
-        try:
-            result = subprocess.run(
-                ["ip", "link", "show", wan],
-                capture_output=True, text=True
-            )
-            m = re.search(r"\bmtu\s+(\d+)", result.stdout)
-            if m:
-                return int(m.group(1)) - 60
-        except Exception:
-            pass
-    return 1420
-
-def check_wireguard_tools():
-    """Ensure wireguard-tools is installed; prompt to install via apt if not."""
-    if wg_available():
-        return
-    print("wireguard-tools is not installed (provides wg and wg-quick).")
-    print()
-    while True:
-        choice = input("Install wireguard-tools now via apt? [y/N]: ").strip().lower()
-        if choice in ("y", "yes"):
-            break
-        if choice in ("n", "no", ""):
-            die("Cannot continue without wireguard-tools. Install it and retry.")
-    result = subprocess.run(["apt-get", "install", "-y", "wireguard-tools"])
-    if result.returncode != 0:
-        die("Package installation failed. Install wireguard-tools manually and retry.")
-
-def _fmt_bytes(n):
-    if n < 1024:
-        return f"{n} B"
-    elif n < 1024 ** 2:
-        return f"{n / 1024:.1f} KB"
-    elif n < 1024 ** 3:
-        return f"{n / 1024**2:.1f} MB"
-    else:
-        return f"{n / 1024**3:.2f} GB"
-
-# ===================================================================
-# Load core.json / dotfiles
-# ===================================================================
-
-def load_dhcp():
-    if not DHCP_CONFIG_FILE.exists():
-        die(f"Config file not found: {DHCP_CONFIG_FILE}")
-    with open(DHCP_CONFIG_FILE) as f:
-        return json.load(f)
-
-def wg_interfaces(dhcp_data):
-    """Return list of VLAN dicts whose interface name starts with 'wg'."""
-    return [v for v in dhcp_data.get("vlans", [])
-            if v.get("interface", "").startswith("wg")]
-
-def dotfile_path(iface):
-    return SCRIPT_DIR / f".vpn-{iface}"
-
-def vpi(vlan):
-    """Return the vpn_information dict for a WG VLAN (plain object, not list)."""
-    return vlan["vpn_information"]
-
-def server_key_path(iface):
-    return WG_DIR / f"{iface}.key"
-
-def wg_conf_path(iface):
-    return WG_DIR / f"{iface}.conf"
-
-def load_peers(iface):
-    """Load peers list from the dotfile. Returns [] if file does not exist."""
-    path = dotfile_path(iface)
-    if not path.exists():
-        return []
-    with open(path) as f:
-        return json.load(f).get("peers", [])
-
-def save_peers(iface, peers):
-    """Write peers list to the dotfile with 600 permissions."""
-    path = dotfile_path(iface)
-    with open(path, "w") as f:
-        json.dump({"peers": peers}, f, indent=2)
-        f.write("\n")
-    path.chmod(0o600)
-    chown_to_script_dir_owner(path)
-
-# ===================================================================
-# IP allocation
-# ===================================================================
-
-def next_available_ip(vlan, peers):
-    """
-    Find the first available peer IP in the wg VLAN subnet, starting from .2.
-    Skips the gateway IP. Scans .2-.254 for the first gap.
-    """
-    gateway = vpi(vlan)["gateway"]
-    gw_net  = ipaddress.IPv4Interface(f"{gateway}/24")
-    network = gw_net.network
-    base    = int(network.network_address)
-
-    used = {int(ipaddress.IPv4Address(gateway))}
-    for peer in peers:
-        try:
-            used.add(int(ipaddress.IPv4Interface(peer["ip"]).ip))
-        except (KeyError, ValueError):
-            pass
-
-    for offset in range(2, 255):
-        candidate = ipaddress.IPv4Address(base + offset)
-        if int(candidate) not in used:
-            return f"{candidate}/32"
-
-    die(f"No available IPs in VPN subnet {network} (all .2-.254 allocated).")
-
-# ===================================================================
-# Key management
-# ===================================================================
-
-def generate_server_key(iface):
-    """Generate server private key and store at WG_DIR/<iface>.key (600)."""
-    WG_DIR.mkdir(exist_ok=True)
-    private = run(["wg", "genkey"]).stdout.strip()
-    kf = server_key_path(iface)
-    kf.write_text(private + "\n")
-    kf.chmod(0o600)
-    print(f"Server private key generated: {kf}")
-
-def get_server_public_key(iface):
-    """Derive and return the server's public key from the stored private key."""
-    kf = server_key_path(iface)
-    if not kf.exists():
-        die(f"Server private key not found at {kf}. Run --apply first.")
-    private = kf.read_text().strip()
-    return subprocess.run(
-        ["wg", "pubkey"], input=private, capture_output=True, text=True, check=True
-    ).stdout.strip()
-
-def generate_peer_keypair():
-    """Generate and return (private_key, public_key) for a peer."""
-    private = run(["wg", "genkey"]).stdout.strip()
-    public  = subprocess.run(
-        ["wg", "pubkey"], input=private, capture_output=True, text=True, check=True
-    ).stdout.strip()
-    return private, public
-
-# ===================================================================
-# Endpoint resolution
-# ===================================================================
-
-def resolve_endpoint(listen_port):
-    """
-    Resolve the public endpoint for client configs.
-
-    Resolution order:
-      1. First enabled provider hostname from ddns.json
-      2. Manual entry prompt if ddns.json is missing or has no enabled provider
-
-    The user is always shown the resolved value and given the opportunity to
-    edit it before it is used.
-    """
-    import readline
-
-    candidate = None
-    source    = None
-
-    if DDNS_CONFIG_FILE.exists():
-        with open(DDNS_CONFIG_FILE) as f:
-            ddns = json.load(f)
-        for provider in ddns.get("providers", []):
-            if provider.get("enabled") is not True:
-                continue
-            ptype = provider.get("provider", "").lower()
-            if ptype == "noip":
-                hostnames = provider.get("hostnames", [])
-                if hostnames:
-                    candidate = f"{hostnames[0]}:{listen_port}"
-                    source    = "ddns.json"
-                    break
-            elif ptype == "duckdns":
-                subdomains = provider.get("subdomains", [])
-                if subdomains:
-                    candidate = f"{subdomains[0]}.duckdns.org:{listen_port}"
-                    source    = "ddns.json"
-                    break
-        if not candidate:
-            print("No enabled DDNS provider found in ddns.json.")
-    else:
-        print(f"ddns.json not found at {DDNS_CONFIG_FILE}.")
-
-    if candidate:
-        prompt = f"Public endpoint (from {source}): "
-    else:
-        print("Please enter the public endpoint manually.")
-        prompt = "Public endpoint (hostname:port): "
-
-    while True:
-        try:
-            readline.set_startup_hook(
-                lambda: readline.insert_text(candidate) if candidate else None
-            )
-            entry = input(prompt).strip()
-        finally:
-            readline.set_startup_hook(None)
-
-        if not entry:
-            print("  Endpoint cannot be empty.")
-            continue
-        if ":" not in entry:
-            entry = f"{entry}:{listen_port}"
-        return entry
-
-# ===================================================================
-# Split-tunnel route computation
-# ===================================================================
-
-def split_tunnel_routes(dhcp_data):
-    """
-    Return a list of CIDR strings for all VLANs defined in core.json.
-    WG VLANs use vpn_information.gateway to derive their subnet.
-    Used as AllowedIPs in client configs when split_tunnel is true.
-    """
-    routes = []
-    for v in dhcp_data.get("vlans", []):
-        if v.get("interface", "").startswith("wg"):
-            gw  = vpi(v)["gateway"]
-            net = ipaddress.IPv4Network(f"{gw}/24", strict=False)
-            routes.append(str(net))
-        else:
-            d   = v["dhcp"]
-            net = ipaddress.IPv4Network(f"{d['subnet']}/{d['subnet_mask']}", strict=False)
-            routes.append(str(net))
-    return routes
-
-# ===================================================================
-# Client config
-# ===================================================================
-
-def build_client_conf(peer, private_key, server_public_key, endpoint,
-                      allowed_ips, dns, domain, mtu):
-    dns_line = f"DNS = {dns}, {domain}" if domain else f"DNS = {dns}"
-    return "\n".join([
-        "[Interface]",
-        f"PrivateKey = {private_key}",
-        f"Address = {peer['ip']}",
-        dns_line,
-        f"MTU = {mtu}",
-        "",
-        "[Peer]",
-        f"PublicKey = {server_public_key}",
-        f"Endpoint = {endpoint}",
-        f"AllowedIPs = {allowed_ips}",
-        f"PersistentKeepalive = {KEEPALIVE}",
-        "",
-    ])
-
-def write_client_conf(peer, private_key, server_public_key, endpoint,
-                      allowed_ips, dns, domain, mtu):
-    conf_path = SCRIPT_DIR / f"vpn-client-{peer['name']}.conf"
-    content   = build_client_conf(peer, private_key, server_public_key,
-                                  endpoint, allowed_ips, dns, domain, mtu)
-    conf_path.write_text(content)
-    conf_path.chmod(0o600)
-    chown_to_script_dir_owner(conf_path)
-    return conf_path
-
-# ===================================================================
-# WireGuard server conf
-# ===================================================================
-
-def build_wg_conf(vlan, peers, server_private_key):
-    iface       = vlan["interface"]
-    info        = vpi(vlan)
-    gateway     = info["gateway"]
-    gw_net      = ipaddress.IPv4Interface(f"{gateway}/24")
-    server_ip   = f"{gateway}/{gw_net.network.prefixlen}"
-    listen_port = info["listen_port"]
-
-    lines = [
-        "# Generated by vpn.py -- do not edit manually.",
-        "# Run: sudo python3 vpn.py --apply",
-        "",
-        "[Interface]",
-        f"PrivateKey = {server_private_key}",
-        f"Address = {server_ip}",
-        f"ListenPort = {listen_port}",
-        "",
-    ]
-    for peer in peers:
-        if peer.get("enabled") is True:
-            lines += [
-                f"# {peer['name']}",
-                "[Peer]",
-                f"PublicKey = {peer['public_key']}",
-                f"AllowedIPs = {peer['ip']}",
-                "",
-            ]
-    return "\n".join(lines)
-
-# ===================================================================
-# Live peer sync
-# ===================================================================
-
-def sync_peers_live(iface, peers):
-    """
-    Sync live WireGuard peers to match the dotfile state without a service
-    restart. Adds peers present in the dotfile (enabled) but not live;
-    removes peers live but not in the enabled dotfile set.
-    """
-    result = run(["wg", "show", iface, "dump"], check=False)
-    if result.returncode != 0:
-        return  # interface not up yet
-
-    lines     = result.stdout.strip().splitlines()
-    live_keys = set()
-    for line in lines[1:]:  # first line is the server interface itself
-        parts = line.split("\t")
-        if parts:
-            live_keys.add(parts[0])
-
-    enabled_peers = {
-        p["public_key"]: p
-        for p in peers
-        if p.get("enabled") is True
-    }
-    dotfile_keys = set(enabled_peers.keys())
-
-    for key in dotfile_keys - live_keys:
-        peer = enabled_peers[key]
-        run(["wg", "set", iface, "peer", key, "allowed-ips", peer["ip"]])
-        print(f"  Added peer: {peer['name']} ({peer['ip']})")
-
-    for key in live_keys - dotfile_keys:
-        run(["wg", "set", iface, "peer", key, "remove"])
-        print(f"  Removed peer: {key[:16]}...")
-
-# ===================================================================
-# Interface selection
-# ===================================================================
-
-def validate_wg_vlans(wg_vlans):
-    """Die with a clear message if any wg VLAN is missing a valid vpn_information block."""
-    for vlan in wg_vlans:
-        iface = vlan.get("interface", "?")
-        info  = vlan.get("vpn_information")
-        if not isinstance(info, dict):
-            die(f"Interface '{iface}' is missing a vpn_information block in core.json. "
-                f"Add: \"vpn_information\": {{\"listen_port\": 51820, \"gateway\": \"...\"}}")
-        if not isinstance(info.get("listen_port"), int):
-            die(f"Interface '{iface}' vpn_information is missing a valid listen_port in core.json.")
-        gw = info.get("gateway", "")
-        if not gw:
-            die(f"Interface '{iface}' vpn_information is missing gateway in core.json.")
-        elif not validate_ip(gw):
-            die(f"Interface '{iface}' vpn_information.gateway '{gw}' is not a valid IP address.")
-
-def pick_wg_interface(wg_vlans):
-    """
-    If only one wg interface exists, return it immediately.
-    Otherwise, print a numbered list and prompt the user to pick.
-    """
-    if len(wg_vlans) == 1:
-        return wg_vlans[0]
-
-    print("Available WireGuard interfaces:")
-    for i, vlan in enumerate(wg_vlans, 1):
-        lp = vpi(vlan)["listen_port"]
-        print(f"  {i}. {vlan['interface']}  ({vlan['name']}, port {lp})")
-    print()
-
-    while True:
-        choice = input("Select interface number: ").strip()
-        try:
-            idx = int(choice) - 1
-            if 0 <= idx < len(wg_vlans):
-                return wg_vlans[idx]
-        except ValueError:
-            pass
-        print("  Invalid selection.")
-
-# ===================================================================
-# --add-peer
-# ===================================================================
-
-def cmd_add_peer(dhcp_data):
-    check_root()
-    check_wireguard_tools()
-
-    wg_vlans = wg_interfaces(dhcp_data)
-
-    vlan  = pick_wg_interface(wg_vlans)
-    iface = vlan["interface"]
-    peers = load_peers(iface)
-
-    # -- Resolve endpoint -------------------------------------------------------
-    endpoint = resolve_endpoint(vpi(vlan)["listen_port"])
-
-    # -- Peer name -------------------------------------------------------------
-    print()
-    while True:
-        name = input("Peer name (e.g. norman-laptop): ").strip()
-        if not name:
-            print("  Name cannot be empty.")
-            continue
-        if any(p["name"] == name for p in peers):
-            print(f"  A peer named '{name}' already exists for {iface}.")
-            continue
-        break
-
-    # -- Peer IP ---------------------------------------------------------------
-    prefill = next_available_ip(vlan, peers)
-    print(f"Peer IP [{prefill}]: ", end="", flush=True)
-    ip_input = input().strip()
-    peer_ip  = ip_input if ip_input else prefill
-
-    d       = vpi(vlan)
-    gateway = d["gateway"]
-    network = ipaddress.IPv4Network(f"{gateway}/24", strict=False)
-    try:
-        iface_ip = ipaddress.IPv4Interface(peer_ip)
-        if iface_ip.ip not in network:
-            die(f"IP '{peer_ip}' is not within VPN subnet {network}.")
-        if iface_ip.ip == ipaddress.IPv4Address(gateway):
-            die(f"IP '{peer_ip}' is the server gateway. Choose a different IP.")
-        for p in peers:
-            if ipaddress.IPv4Interface(p["ip"]).ip == iface_ip.ip:
-                die(f"IP '{peer_ip}' is already assigned to peer '{p['name']}'.")
-    except ValueError as e:
-        die(f"Invalid IP '{peer_ip}': {e}")
-
-    # -- Generate keypair -------------------------------------------------------
-    print(f"\nGenerating keypair for '{name}'...")
-    private_key, public_key = generate_peer_keypair()
-
-    # -- Ensure server key exists -----------------------------------------------
-    kf = server_key_path(iface)
-    if not kf.exists():
-        print(f"Server private key not found for {iface} -- generating now...")
-        generate_server_key(iface)
-    server_public_key = get_server_public_key(iface)
-
-    # -- Split tunnel prompt ---------------------------------------------------
-    print()
-    st_input = input("Split tunnel? Route only VPN subnets (not all traffic) through WireGuard. [Y/n]: ").strip().lower()
-    split_tunnel = st_input != "n"
-
-    if split_tunnel:
-        allowed_ips = ", ".join(split_tunnel_routes(dhcp_data))
-    else:
-        allowed_ips = "0.0.0.0/0"
-
-    info       = vpi(vlan)
-    dns        = info.get("explicit_overrides", {}).get("dns_server", "") or gateway
-    domain     = info.get("domain", "")
-    mtu_override = info.get("explicit_overrides", {}).get("mtu", "")
-    mtu        = int(mtu_override) if mtu_override else sense_mtu(dhcp_data)
-
-    # -- Add peer to dotfile ----------------------------------------------------
-    new_peer = {"name": name, "ip": peer_ip, "public_key": public_key,
-                "split_tunnel": split_tunnel, "enabled": True}
-    peers.append(new_peer)
-    save_peers(iface, peers)
-    print(f"Peer '{name}' added to {dotfile_path(iface).name} (ip: {peer_ip}).")
-
-    # -- Write client config ----------------------------------------------------
-    conf_path = write_client_conf(new_peer, private_key, server_public_key,
-                                  endpoint, allowed_ips, dns, domain, mtu)
-
-    private_key = "0" * len(private_key)
-    del private_key
-
-    # -- Instructions -----------------------------------------------------------
-    print()
-    print("=" * 68)
-    print(f"  Client config written: {conf_path}")
-    print()
-    print("  NEXT STEPS:")
-    print(f"  1. Transfer {conf_path.name} to '{name}' by secure means")
-    print("     (encrypted email, USB drive, etc.).")
-    print("  2. The recipient imports it into their WireGuard app.")
-    print(f"  3. Delete {conf_path} from this server once transferred.")
-    print()
-    print("  WARNING: This file contains the peer's private key.")
-    print("  Do not leave it on this server longer than necessary.")
-    print("=" * 68)
-    print()
-    print("  To apply changes to WireGuard, run:")
-    print("    sudo python3 vpn.py --apply")
-    print()
-
-# ===================================================================
-# --list-peers
-# ===================================================================
-
-def cmd_list_peers(dhcp_data):
-    check_root()
-    check_wireguard_tools()
-
-    wg_vlans = wg_interfaces(dhcp_data)
-
-    # -- Collect all peers across all interfaces --------------------------------
-    # Each entry: (iface, peer_dict, vlan_dict, peers_list)
-    all_entries = []
-    for vlan in wg_vlans:
-        iface = vlan["interface"]
-        peers = load_peers(iface)
-        for peer in peers:
-            all_entries.append((iface, peer, vlan, peers))
-
-    if not all_entries:
-        print("No peers found across any WireGuard interface.")
-        return
-
-    # -- List peers -------------------------------------------------------------
-    print("Peers:")
-    for i, (iface, peer, _, _) in enumerate(all_entries, 1):
-        status = "enabled" if peer.get("enabled") else "disabled"
-        print(f"  {i}. [{iface}] {peer['name']}  {peer['ip']}  [{status}]")
-    print()
-
-    while True:
-        choice = input("Select peer number (or Enter to cancel): ").strip()
-        if not choice:
-            return
-        try:
-            idx = int(choice) - 1
-            if 0 <= idx < len(all_entries):
-                break
-        except ValueError:
-            pass
-        print("  Invalid selection.")
-
-    iface, peer, vlan, peers = all_entries[idx]
-    print(f"\nSelected: {peer['name']} on {iface}")
-    print("  1. Rename")
-    print("  2. Regenerate keys")
-    print("  3. Delete")
-    print("  4. Cancel")
-    print()
-
-    action = input("Select action: ").strip()
-    modified = False
-
-    if action == "1":
-        # -- Rename ----------------------------------------------------------------
-        while True:
-            new_name = input(f"New name [{peer['name']}]: ").strip()
-            if not new_name:
-                print("  Name cannot be empty.")
-                continue
-            if any(p["name"] == new_name for p in peers if p is not peer):
-                print(f"  A peer named '{new_name}' already exists for {iface}.")
-                continue
-            break
-
-        old_conf = SCRIPT_DIR / f"vpn-client-{peer['name']}.conf"
-        new_conf = SCRIPT_DIR / f"vpn-client-{new_name}.conf"
-        if old_conf.exists():
-            old_conf.rename(new_conf)
-            print(f"  Renamed client config: {old_conf.name} -> {new_conf.name}")
-
-        peer["name"] = new_name
-        save_peers(iface, peers)
-        print(f"Peer renamed to '{new_name}'.")
-        modified = True
-
-    elif action == "2":
-        # -- Regenerate keys -------------------------------------------------------
-        kf = server_key_path(iface)
-        if not kf.exists():
-            die(f"Server private key not found at {kf}. Run --apply first.")
-
-        endpoint = resolve_endpoint(vpi(vlan)["listen_port"])
-        print(f"\nRegenerating keypair for '{peer['name']}'...")
-        private_key, public_key = generate_peer_keypair()
-        server_public_key = get_server_public_key(iface)
-
-        if peer.get("split_tunnel", True):
-            allowed_ips = ", ".join(split_tunnel_routes(dhcp_data))
-        else:
-            allowed_ips = "0.0.0.0/0"
-
-        info         = vpi(vlan)
-        gateway      = info["gateway"]
-        dns          = info.get("explicit_overrides", {}).get("dns_server", "") or gateway
-        domain       = info.get("domain", "")
-        mtu_override = info.get("explicit_overrides", {}).get("mtu", "")
-        mtu          = int(mtu_override) if mtu_override else sense_mtu(dhcp_data)
-
-        peer["public_key"] = public_key
-        save_peers(iface, peers)
-
-        conf_path = write_client_conf(peer, private_key, server_public_key,
-                                      endpoint, allowed_ips, dns, domain, mtu)
-
-        private_key = "0" * len(private_key)
-        del private_key
-
-        print()
-        print("=" * 68)
-        print(f"  New client config written: {conf_path}")
-        print()
-        print("  WARNING: This file contains the peer's private key.")
-        print("  The previous client config is now invalid.")
-        print("  Transfer the new config and delete it from this server.")
-        print("=" * 68)
-        modified = True
-
-    elif action == "3":
-        # -- Delete ----------------------------------------------------------------
-        confirm = input(f"\nDelete peer '{peer['name']}' from {iface}? [y/N]: ").strip().lower()
-        if confirm != "y":
-            print("Cancelled.")
-            return
-
-        peers[:] = [p for p in peers if p["name"] != peer["name"]]
-        save_peers(iface, peers)
-
-        conf_path = SCRIPT_DIR / f"vpn-client-{peer['name']}.conf"
-        if conf_path.exists():
-            print(f"  NOTE: Client config {conf_path.name} still exists on this server.")
-            print(f"  It is now invalid and should be deleted.")
-
-        print(f"Peer '{peer['name']}' deleted from {iface}.")
-        modified = True
-
-    elif action == "4":
-        print("Cancelled.")
-        return
-
-    else:
-        die("Invalid action.")
-
-    if modified:
-        print()
-        print("  To apply changes to WireGuard, run:")
-        print("    sudo python3 vpn.py --apply")
-        print()
-
-# ===================================================================
-# --apply
-# ===================================================================
-
-def cmd_apply(dhcp_data):
-    check_root()
-    check_wireguard_tools()
-
-    wg_vlans = wg_interfaces(dhcp_data)
-
-    for vlan in wg_vlans:
-        iface = vlan["interface"]
-        print(f"-- {iface} " + "-" * 58)
-
-        peers = load_peers(iface)
-
-        # -- Ensure server key -----------------------------------------------
-        kf = server_key_path(iface)
-        if not kf.exists():
-            print(f"  Generating server private key for {iface}...")
-            generate_server_key(iface)
-        else:
-            print(f"  Using existing server key: {kf}")
-
-        server_private_key = kf.read_text().strip()
-        server_public_key  = get_server_public_key(iface)
-
-        # -- Write wg conf ---------------------------------------------------
-        WG_DIR.mkdir(exist_ok=True)
-        conf_file    = wg_conf_path(iface)
-        new_conf     = build_wg_conf(vlan, peers, server_private_key)
-        listen_port  = vpi(vlan)["listen_port"]
-
-        # Detect whether the listen port has changed in the existing conf
-        port_changed = False
-        if conf_file.exists():
-            for line in conf_file.read_text().splitlines():
-                if line.startswith("ListenPort"):
-                    old_port = line.split("=")[1].strip()
-                    port_changed = old_port != str(listen_port)
-                    break
-
-        conf_file.write_text(new_conf)
-        conf_file.chmod(0o600)
-        print(f"  Written: {conf_file}")
-
-        # -- Start or sync service -------------------------------------------
-        svc    = f"wg-quick@{iface}"
-        result = run(["systemctl", "is-active", svc], check=False)
-
-        if result.stdout.strip() == "active":
-            if port_changed:
-                print(f"  Listen port changed -- restarting {svc}...")
-                result2 = run(["systemctl", "restart", svc], check=False)
-                if result2.returncode != 0:
-                    die(f"Failed to restart {svc}:\n{result2.stderr.strip()}")
-                print(f"  Service {svc} restarted.")
-            else:
-                print(f"  Service {svc} is active -- syncing peers live...")
-                sync_peers_live(iface, peers)
-        else:
-            result2 = run(["systemctl", "enable", "--now", svc], check=False)
-            if result2.returncode != 0:
-                result3 = run(["systemctl", "reload-or-restart", svc], check=False)
-                if result3.returncode != 0:
-                    die(f"Failed to start {svc}:\n{result3.stderr.strip()}")
-            print(f"  Service {svc} enabled and started.")
-
-        # -- Summary ---------------------------------------------------------
-        enabled_peers = [p for p in peers if p.get("enabled") is True]
-        print(f"  Server public key: {server_public_key}")
-        print(f"  Listen port:       UDP {vpi(vlan)['listen_port']}")
-        print(f"  Enabled peers:     {len(enabled_peers)}")
-        for p in enabled_peers:
-            print(f"    {p['ip']:<22} {p['name']}")
-        print()
-
-    # -- Apply core config to pick up VPN firewall rules ---------------------
-    core_py = SCRIPT_DIR / "core.py"
-    if core_py.exists():
-        print("-- Applying core config (core.py --apply) ----------------------------")
-        result = subprocess.run(
-            [sys.executable, str(core_py), "--apply"],
-            capture_output=False
-        )
-        if result.returncode != 0:
-            print("WARNING: core.py --apply returned non-zero. Check output above.")
-    else:
-        print(f"WARNING: {core_py} not found -- run core.py --apply manually to load VPN firewall rules.")
-
-# ===================================================================
-# --disable
-# ===================================================================
-
-def cmd_disable(dhcp_data):
-    check_root()
-    wg_vlans = wg_interfaces(dhcp_data)
-
-    for vlan in wg_vlans:
-        iface  = vlan["interface"]
-        svc    = f"wg-quick@{iface}"
-        result = run(["systemctl", "disable", "--now", svc], check=False)
-        if result.returncode != 0:
-            print(f"WARNING: {svc} may not have been running:\n{result.stderr.strip()}")
-        else:
-            print(f"WireGuard service {svc} stopped and disabled.")
-
-# ===================================================================
-# --status
-# ===================================================================
-
-def cmd_status(dhcp_data):
-    check_root()
-    wg_vlans = wg_interfaces(dhcp_data)
-
-    print(f"  {'UNIT':<45} {'ACTIVE':<12} {'ENABLED'}")
-    print(f"  {'-'*45} {'-'*12} {'-'*10}")
-
-    for vlan in wg_vlans:
-        iface = vlan["interface"]
-        svc   = f"wg-quick@{iface}"
-
-        r_active  = run(["systemctl", "is-active",  svc], check=False)
-        r_enabled = run(["systemctl", "is-enabled", svc], check=False)
-        active    = r_active.stdout.strip()
-        enabled   = r_enabled.stdout.strip()
-        active_sym  = "+" if active  == "active"  else "x"
-        enabled_sym = "+" if enabled == "enabled" else "x"
-        print(f"  {svc:<45} {active_sym} {active:<10}  {enabled_sym} {enabled}")
-
-        if active == "active":
-            result = run(["wg", "show", iface], check=False)
-            if result.returncode == 0:
-                info = {}
-                for line in result.stdout.splitlines():
-                    line = line.strip()
-                    if line.startswith("public key:"):
-                        info["pubkey"] = line.split(":", 1)[1].strip()
-                    elif line.startswith("listening port:"):
-                        info["port"] = line.split(":", 1)[1].strip()
-                    elif line.startswith("peer:"):
-                        info.setdefault("peers", 0)
-                        info["peers"] += 1
-                if "pubkey" in info:
-                    print(f"    public key:     {info['pubkey']}")
-                if "port" in info:
-                    print(f"    listening port: {info['port']}")
-                peers = load_peers(iface)
-                enabled_peers = [p for p in peers if p.get("enabled") is True]
-                print(f"    peers:          {len(enabled_peers)} configured, {info.get('peers', 0)} connected")
-
-# ===================================================================
-# --logs
-# ===================================================================
-
-def cmd_logs(dhcp_data):
-    check_root()
-    wg_vlans = wg_interfaces(dhcp_data)
-
-    now = datetime.now(timezone.utc)
-
-    for vlan in wg_vlans:
-        iface       = vlan["interface"]
-        peers       = load_peers(iface)
-        peer_by_key = {p["public_key"]: p["name"] for p in peers}
-
-        print(f"-- {iface} " + "-" * 58)
-
-        result = run(["wg", "show", iface, "dump"], check=False)
-        if result.returncode != 0:
-            print(f"  WireGuard interface '{iface}' is not up.")
-            print()
-            continue
-
-        lines      = result.stdout.strip().splitlines()
-        peer_lines = lines[1:]  # first line is the server interface itself
-
-        if not peer_lines:
-            print("  No peers currently configured.")
-            print()
-            continue
-
-        print(f"  {'PEER':<22} {'IP':<20} {'ENDPOINT':<26} {'LAST HANDSHAKE':<22} {'RX':<12} {'TX'}")
-        print("  " + "-" * 106)
-
-        for ln in peer_lines:
-            parts = ln.split("\t")
-            if len(parts) < 6:
-                continue
-            pub_key     = parts[0]
-            endpoint    = parts[2] if parts[2] != "(none)" else "not connected"
-            allowed_ips = parts[3]
-            last_hs_ts  = parts[4]
-            rx_bytes    = int(parts[5])
-            tx_bytes    = int(parts[6]) if len(parts) > 6 else 0
-
-            name = peer_by_key.get(pub_key, pub_key[:12] + "...")
-
-            if last_hs_ts == "0":
-                last_hs = "never"
-            else:
-                ts      = int(last_hs_ts)
-                hs_dt   = datetime.fromtimestamp(ts, tz=timezone.utc)
-                delta   = now - hs_dt
-                seconds = int(delta.total_seconds())
-                if seconds < 60:
-                    last_hs = f"{seconds}s ago"
-                elif seconds < 3600:
-                    last_hs = f"{seconds // 60}m ago"
-                elif seconds < 86400:
-                    last_hs = f"{seconds // 3600}h ago"
-                else:
-                    last_hs = f"{seconds // 86400}d ago"
-
-            rx_str     = _fmt_bytes(rx_bytes)
-            tx_str     = _fmt_bytes(tx_bytes)
-            display_ip = allowed_ips.split(",")[0].strip()
-
-            print(f"  {name:<22} {display_ip:<20} {endpoint:<26} {last_hs:<22} {rx_str:<12} {tx_str}")
-
-        print()
-
-# ===================================================================
-# Main
-# ===================================================================
-
-def main():
-    parser = argparse.ArgumentParser(
-        description="Manage WireGuard VPN server and peers",
-        formatter_class=argparse.RawDescriptionHelpFormatter,
-        epilog=(
-            "examples:\n"
-            "  sudo python3 vpn.py --add-peer     Add a new peer interactively\n"
-            "  sudo python3 vpn.py --manage-peers  List and manage existing peers\n"
-            "  sudo python3 vpn.py --apply         Write WireGuard config and sync peers\n"
-            "  sudo python3 vpn.py --disable       Stop WireGuard on all interfaces\n"
-            "  sudo python3 vpn.py --status        Show WireGuard service and interface status\n"
-            "  sudo python3 vpn.py --view-peers    Show per-peer handshake and traffic stats\n"
-        )
-    )
-    parser.add_argument("--add-peer",          action="store_true",
-                        help="Add a new peer interactively")
-    parser.add_argument("--manage-peers", action="store_true",
-                        help="List and manage existing peers")
-    parser.add_argument("--apply",        action="store_true",
-                        help="Write WireGuard config and sync peers")
-    parser.add_argument("--disable",      action="store_true",
-                        help="Stop WireGuard on all interfaces")
-    parser.add_argument("--status",       action="store_true",
-                        help="Show WireGuard service and interface status")
-    parser.add_argument("--view-peers",   action="store_true",
-                        help="Show per-peer handshake and traffic stats")
-
-    args = parser.parse_args()
-
-    if not any([args.add_peer, args.manage_peers, args.apply,
-                args.disable, args.status, args.view_peers]):
-        parser.print_help()
-        sys.exit(0)
-
-    dhcp_data = load_dhcp()
-    wg_vlans  = wg_interfaces(dhcp_data)
-    if not wg_vlans:
-        die("No WireGuard interfaces (wg*) found in core.json.")
-    validate_wg_vlans(wg_vlans)
-
-    if args.add_peer:
-        cmd_add_peer(dhcp_data)
-    elif args.manage_peers:
-        cmd_list_peers(dhcp_data)
-    elif args.apply:
-        cmd_apply(dhcp_data)
-    elif args.disable:
-        cmd_disable(dhcp_data)
-    elif args.status:
-        cmd_status(dhcp_data)
-    elif args.view_peers:
-        cmd_logs(dhcp_data)
-
-if __name__ == "__main__":
-    main()