diff --git a/hosts/falkenstein/modules/networks/default.nix b/hosts/falkenstein/modules/networks/default.nix
index 6f340d5..a1d140d 100644
--- a/hosts/falkenstein/modules/networks/default.nix
+++ b/hosts/falkenstein/modules/networks/default.nix
@@ -34,9 +34,13 @@
 };
 systemd.network = {
 enable = true;
+ config = {
+ networkConfig = {
+ SpeedMeter = true;
+ };
+ };
 networks."10-loopback" = {
 matchConfig.Name = "lo";
- linkConfig.RequiredForOnline = false;
 };
 networks."10-wired" = {
 matchConfig.Name = "ens3";
@@ -56,6 +60,8 @@
 wireguardConfig = {
 PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path;
 ListenPort = 51820;
+ RouteTable = "main";
+ RouteMetric = 30;
 };
 wireguardPeers = [
 {
@@ -72,18 +78,16 @@
 matchConfig.Name = "wg0";
 networkConfig = {
 DNS = "192.168.42.1";
+ DNSSEC = true;
+ BindCarrier = [ "ens3" ];
 };
 addresses = [
 {
 addressConfig = {
- Address = "192.168.43.4/24";
- RouteMetric = 30;
+ Address = "192.168.43.4/32";
 };
 }
 ];
- routes = [
- { routeConfig = { Gateway = "0.0.0.0"; Destination = "192.168.42.0/24"; Metric = 30; }; }
- ];
 };
 };
 }
diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix
index 5a51b68..740818d 100644
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@@ -74,10 +74,14 @@
 };
 systemd.network = {
 enable = true;
- wait-online.anyInterface = true;
+ wait-online.enable = false;
+ config = {
+ networkConfig = {
+ SpeedMeter = true;
+ };
+ };
 networks."10-loopback" = {
 matchConfig.Name = "lo";
- linkConfig.RequiredForOnline = false;
 };
 networks."10-wired-default" = {
 matchConfig.Name = "en*";
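Review bot: In the falkenstein `wireguardConfig` hunk (`@@ -56,6 +60,8 @@`), `RouteTable = "main"` makes networkd derive the tunnel routes from each peer's `AllowedIPs`, but nothing in the file says so now that the explicit `routes` entry is dropped further down. Any prefix later added to `AllowedIPs` becomes a main-table route at metric 30 without a visible routing change, so I would add a comment above the line, e.g. `# routes are generated from the AllowedIPs of every peer; widening AllowedIPs changes the routing table`. The falkenstein peer list is outside the hunk, so please confirm its `AllowedIPs` still covers 192.168.42.0/24 and the 192.168.43.0/24 peers that the old /24 address and static route used to provide. The same applies to the thinkpad hunk `@@ -134,13 +143,15 @@`.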
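Review bot: `DNSSEC = true` on `30-wg0` (falkenstein hunk `@@ -72,18 +78,16 @@`, and again in the thinkpad hunk `@@ -148,21 +159,19 @@`) is strict validation: systemd-resolved rejects any answer from 192.168.42.1 that it cannot validate and does not downgrade. That is the safer setting, but it only works if the resolver at 192.168.42.1 passes DNSSEC records through, and unsigned internal zones served from it will presumably fail to resolve unless a negative trust anchor covers them. Please record the assumption next to the option, e.g. `# strict: 192.168.42.1 must be DNSSEC-capable; unsigned internal zones need a negative trust anchor`.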
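Review bot: `wait-online.enable = false` in the thinkpad `systemd.network` hunk (`@@ -74,10 +74,14 @@`) removes the wait for any link, so units ordered after `network-online.target` can start before an address or the tunnel exists. It also leaves `linkConfig.RequiredForOnline = "carrier"`, added for `30-wg0` in the last hunk of this file, with little to act on, since that setting is mainly consumed by the wait-online service. If the goal is only a faster boot, a comment such as `# no wait-online: nothing on this host may rely on network-online.target` would record the assumption.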
@@ -107,12 +111,17 @@
 };
 routes = [
 # Route to the Model train network via raspi
- { routeConfig = { Gateway = "192.168.178.63"; Destination = "192.168.179.0/24"; }; }
+ {
+ routeConfig = {
+ Gateway = "192.168.178.63";
+ GatewayOnLink = true;
+ Destination = "192.168.179.0/24";
+ };
+ }
 ];
 };
 networks."15-wireless-default" = {
 matchConfig.Name = "wlp9s0";
- linkConfig.RequiredForOnline = false;
 networkConfig = {
 DHCP = "yes";
 IgnoreCarrierLoss = "3s";
@@ -134,13 +143,15 @@
 wireguardConfig = {
 PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path;
 ListenPort = 51820;
+ RouteTable = "main";
+ RouteMetric = 30;
 };
 wireguardPeers = [
 {
 wireguardPeerConfig = {
 PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ=";
 PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path;
- Endpoint = "141.30.227.6:51820";
+ Endpoint = "dorm.vpn.rfive.de:51820";
 AllowedIPs = "192.168.42.0/24, 192.168.43.0/24";
 };
 }
@@ -148,21 +159,19 @@
 };
 networks."30-wg0" = {
 matchConfig.Name = "wg0";
+ linkConfig.RequiredForOnline = "carrier";
 networkConfig = {
 DNS = "192.168.42.1";
+ DNSSEC = true;
+ BindCarrier = [ "wlp9s0" "enp0s31f6" ];
 };
 addresses = [
 {
 addressConfig = {
- Address = "192.168.43.3/24";
- RouteMetric = 30;
+ Address = "192.168.43.3/32";
 };
 }
 ];
- routes = [
- # allowedIPs is somewhat broken
- { routeConfig = { Gateway = "0.0.0.0"; Destination = "192.168.42.0/24"; Metric = 30; }; }
- ];
 };
 };
 programs.wireshark = {
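Review bot: `GatewayOnLink = true` in the `routes` entry (`@@ -107,12 +111,17 @@`) tells the kernel to accept 192.168.178.63 as next hop without checking that it sits on a connected subnet, so the route to 192.168.179.0/24 is installed on every network this section matches, not only on the home LAN. On a foreign network, traffic for 192.168.179.0/24 would then be handed to whichever host answers for 192.168.178.63 there. The section's `matchConfig` is outside the hunk; if it is the `en*` default network from the previous hunk, I would rather have the home router announce this route over DHCP, or at least add a comment such as `# on-link gateway: route is installed on any matched network, assumes a trusted LAN`.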
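Review bot: `Endpoint = "dorm.vpn.rfive.de:51820"` in the peer block (`@@ -134,13 +143,15 @@`) makes tunnel bring-up depend on a DNS lookup that has to succeed over the uplink, before `wg0` and its resolver 192.168.42.1 are reachable. The `DNSSEC = true` added for `30-wg0` is a per-link setting and presumably does not cover this lookup, so the address comes from whatever resolver the current network hands out; the peer key and preshared key still prevent impersonation, but a wrong answer keeps the tunnel down and sends handshakes to an arbitrary address. networkd appears to resolve the name when it sets up the netdev, so a changed address likely needs a networkd restart. I would document this next to the line, e.g. `# resolved via the uplink resolver at netdev setup; the peer is authenticated by key, not by name`.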
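Review bot: `BindCarrier = [ "wlp9s0" "enp0s31f6" ]` on `30-wg0` (`@@ -148,21 +159,19 @@`) names two fixed interfaces, while the wired network in the first hunk of this file matches `en*`. A wired interface with another name (dock, USB adapter) would be configured by that network but would not count as carrier for `wg0`, so the tunnel would stay down on it. If that is intended, say so in a comment like `# wg0 follows only the built-in NICs`; otherwise check in systemd.network(5) whether `BindCarrier` accepts the same `en*` pattern and use it for consistency.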