diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver
index eb1c270..b34f9bc 100644
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -10,6 +10,7 @@ pflog_conf:
 network_rc: "homeserver_network.conf"
 rc_conf: "homeserver_rc.conf"
 loader_conf: "homeserver_loader.conf"
+netgraph_config: "setup_netgraph_homeserver"
 cputype: "intel"
 cpu_opt: broadwell
 hwpstate: false
diff --git a/ansible/roles/jail/files/setup_netgraph_homeserver b/ansible/roles/jail/files/setup_netgraph_homeserver
new file mode 100644
index 0000000..1a0cef7
--- /dev/null
+++ b/ansible/roles/jail/files/setup_netgraph_homeserver
@@ -0,0 +1,87 @@
+#!/usr/local/bin/bash
+
+cleanup() {
+    ngctl shutdown host_link2:
+    ngctl shutdown host_uplink0:
+    ngctl shutdown host_bridge0:
+    ngctl shutdown wg_link2:
+    ngctl shutdown wg_uplink0:
+    ngctl shutdown wg_bridge0:
+    ngctl shutdown host_link3:
+    ngctl shutdown host_uplink1:
+    ngctl shutdown host_bridge1:
+}
+
+setup_netgraph_start() {
+    cleanup
+
+    # Create a bridge for jails that only speak wireguard
+    ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook host_uplink0
+EOF
+
+    ngctl -d -f - <<EOF
+mkpeer host_uplink0: bridge ether link0
+name host_uplink0:ether host_bridge0
+EOF
+
+    ngctl -d -f - <<EOF
+mkpeer host_bridge0: eiface link2 ether
+name host_bridge0:link2 host_link2
+EOF
+
+    ifconfig $(ngctl msg 'host_uplink0:' getifname | grep Args | cut -d '"' -f 2) name host_uplink0 10.193.223.1/24 up
+    ifconfig $(ngctl msg 'host_bridge0:link2' getifname | grep Args | cut -d '"' -f 2) name host_link2
+
+    # Create internal bridge for jails that are forced through wireguard
+    ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook wg_uplink0
+EOF
+
+    ngctl -d -f - <<EOF
+mkpeer wg_uplink0: bridge ether link0
+name wg_uplink0:ether wg_bridge0
+EOF
+
+    ngctl -d -f - <<EOF
+mkpeer wg_bridge0: eiface link2 ether
+name wg_bridge0:link2 wg_link2
+EOF
+
+    ifconfig $(ngctl msg 'wg_uplink0:' getifname | grep Args | cut -d '"' -f 2) name wg_uplink0 10.241.199.1/24 up
+    ifconfig $(ngctl msg 'wg_bridge0:link2' getifname | grep Args | cut -d '"' -f 2) name wg_link2
+
+    # Create a bridge for jails given full access to NAT
+    ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook host_uplink1
+EOF
+
+    ngctl -d -f - <<EOF
+mkpeer host_uplink1: bridge ether link0
+name host_uplink1:ether host_bridge1
+EOF
+
+    ngctl -d -f - <<EOF
+mkpeer host_bridge1: eiface link2 ether
+name host_bridge1:link2 host_link3
+EOF
+
+    ifconfig $(ngctl msg 'host_uplink1:' getifname | grep Args | cut -d '"' -f 2) name host_uplink1 10.213.177.1/24 up
+    ifconfig $(ngctl msg 'host_bridge1:link2' getifname | grep Args | cut -d '"' -f 2) name host_link3
+
+}
+
+setup_netgraph_stop() {
+    cleanup
+}
+
+if [ "$1" = "start" ]; then
+    setup_netgraph_start
+elif [ "$1" = "stop" ]; then
+    setup_netgraph_stop
+else
+    >&2 echo "Unrecognized command"
+fi