diff --git a/machines/porthos/services.nix b/machines/porthos/services.nix
index ee38894..9bc99e7 100644
--- a/machines/porthos/services.nix
+++ b/machines/porthos/services.nix
@@ -103,6 +103,7 @@ in
     # Simple, in-kernel VPN
     wireguard = {
       enable = true;
+      startAtBoot = true; # Server must be started to ensure clients can connect
     };
   };
 
diff --git a/services/wireguard.nix b/services/wireguard.nix
index f7615a2..ef75f2e 100644
--- a/services/wireguard.nix
+++ b/services/wireguard.nix
@@ -24,6 +24,11 @@ in
   options.my.services.wireguard = with lib; {
     enable = mkEnableOption "Wireguard VPN service";
 
+    startAtBoot = mkEnableOption ''
+      Should the VPN service be started at boot. Must be true for the server to
+      work reliably.
+    '';
+
     iface = mkOption {
       type = types.str;
       default = "wg";
@@ -162,4 +167,9 @@ in
 
     firewall.allowedUDPPorts = [ cfg.port ];
   };
+
+  # Do not start the service by making it not wanted by any unit
+  config.systemd.services.wg-quick-wg = lib.mkIf (!cfg.startAtBoot) {
+    wantedBy = lib.mkForce [ ];
+  };
 }