diff --git a/.gitignore b/.gitignore
index f4be182..1de0e42 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,5 @@
 opennebula-vm-etcd/config-and-secrets.conf
 .vscode
 ipxe/
+
+openwrt-*-*.bin
diff --git a/setup-viirb.sh b/setup-viirb.sh
new file mode 100755
index 0000000..79483c6
--- /dev/null
+++ b/setup-viirb.sh
@@ -0,0 +1,213 @@
+#!/bin/sh
+# 2020-06-13, Nico Schottelius
+# See https://ungleich.ch/u/products/viirb-ipv6-box/
+
+if [ $# -ne 4 ]; then
+ echo "$0 interface viirb-id your-dot-cdist"
+ echo " interface to add the config ip address to"
+ echo " viirb-id: number in decimal format"
+ echo " your-dot-cdist: path to YOUR ungleich-dot-cdist repo"
+ echo " owner-mail-reference: How to identify the owner"
+ echo ""
+ echo "Example to configure viirb02:"
+ echo "$0 wlan0 2 ~/vcs/ungleich-dot-cdist 'Nico Schottelius, nico.schottelius@ungleich.ch, Ticket 2342'"
+ exit 1
+fi
+
+set -x
+
+set -x
+dev=$1; shift
+id=$1; shift
+dot_cdist=$1; shift
+owner=$1; shift
+
+hex_id=$(printf "%0.2x\n" "$id")
+viirb_hostname=viirb${hex_id}
+
+prefix_base=2a0a:e5c1:3
+my_prefix=${prefix_base}${hex_id}
+my_network=${my_prefix}::/48
+
+my_wireguard_ip=${my_prefix}::42
+my_lan_ip=${my_prefix}:cafe::42
+my_wifi_ip=${my_prefix}:7ea::42
+
+# openwrt
+version=19.07.3
+filename=openwrt-${version}-ramips-mt76x8-vocore2-squashfs-sysupgrade.bin
+
+# IP address for setting it up initially
+viirb_ip=192.168.61.1
+
+# wireguard
+private_key=$(wg genkey)
+private_key=EL76tScnk84v8TGSSD3tPDhUjjYVPrfmNMBE3zbuRXg=
+public_key=$(echo $private_key | wg pubkey)
+
+vpn_endpoint_host=vpn-2a0ae5c1300.ungleich.ch
+vpn_endpoint_pubkey=ft68G2RID7gZ6PXjFCSCOdJ9yspRg+tUw0YrNK9cTxE=
+
+# cdist
+dot_cdist_files=${dot_cdist}/type/__ungleich_wireguard/files
+peerfile=${dot_cdist_files}/${vpn_endpoint_host}.peer${hex_id}
+vpnconfig=${dot_cdist_files}/${vpn_endpoint_host}
+
+# Configure VPN server / update cdist
+echo Updating VPNserver
+cat < ${peerfile}
+# ${viirb_hostname} ${owner}
+[Peer]
+PublicKey = ${public_key}
+AllowedIPs = ${my_network}
+
+EOF
+
+# Generate real config
+cat ${dot_cdist_files}/${vpn_endpoint_host}.* > ${vpnconfig}
+cd ${dot_cdist_files}
+git add ${vpn_endpoint_host}
+git commit -m "[vpn] Updated config for peer ${viirb_hostname} ${my_network}"
+git pull
+git push
+
+cdist config -vv -j8 ${vpn_endpoint_host} -c ${dot_cdist}
+
+exit 0
+
+# System
+cat </dev/null || true
+sudo ip addr add 192.168.61.2/24 dev "$dev"
+
+# don't care about other/old known_host entries
+ssh-keygen -R 192.168.61.1
+
+ping -c2 ${viirb_ip}
+if [ $? -ne 0 ]; then
+ echo "Cannot reach any VIIRB - exiting"
+ exit 1
+fi
+
+set -e
+
+
+# Don't re-download if we already have it
+wget -c http://downloads.openwrt.org/releases/${version}/targets/ramips/mt76x8/${filename}
+scp ${filename} root@${viirb_ip}:/tmp
+ssh root@${viirb_ip} "sysupgrade /tmp/*.bin"
+
+wait=0
+found=""
+
+while [ $wait -lt 180 ]; do
+ ping -c1 ${viirb_ip} >/dev/null
+
+ if [ $? -eq 0 ]; then
+ found=yes
+ # wait for ssh to come up
+ sleep 10
+ fi
+done
+
+if [ ! "$found" ]; then
+ echo "Did not find updated viirb - debug / restart it"
+ exit 1
+fi
+
+exit 0
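Review bot: The literal `private_key=EL76…` assignment directly below `private_key=$(wg genkey)` in the `# wireguard` block overwrites the freshly generated key, so every peer file this script writes carries the same `PublicKey`, and the matching private key is now committed to the repository. Drop the literal line and treat that key as exposed, replacing it on any peer that was configured with it. Both `set -x` lines sit above this block, so the key is also printed in the trace output; wrap the key handling in `set +x` / `set -x` and quote the expansion, `public_key=$(printf '%s\n' "$private_key" | wg pubkey)`. Separately, the firmware further down is fetched with `wget -c http://downloads.openwrt.org/...` and handed to `sysupgrade` with no integrity check; use `https://` and verify the image against the release's published `sha256sums` before the `scp`. That download step sits after the first `exit 0`, so it looks unreachable as committed, which is worth confirming before the check is added.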