diff --git a/nixos/hosts/canigou/data.secret.nix b/nixos/hosts/canigou/data.secret.nix
index 468c5f4..5c95ed5 100644
Binary files a/nixos/hosts/canigou/data.secret.nix and b/nixos/hosts/canigou/data.secret.nix differ
diff --git a/nixos/hosts/canigou/services/wireguard.nix b/nixos/hosts/canigou/services/wireguard.nix
index 0b6dfcf..10b0add 100644
--- a/nixos/hosts/canigou/services/wireguard.nix
+++ b/nixos/hosts/canigou/services/wireguard.nix
@@ -1,7 +1,8 @@
 { config, pkgs, ... }:
 let
-  port = 51820;
+  canigouData = import ../data.secret.nix;
+  port = canigouData.wireguardPort;
 in
 {
   # enable NAT
@@ -45,13 +46,13 @@ in
         publicKey = "Gg+p7tysAhu2X841weBiQrqoKXh6kvcmDiCY62rLwQg=";
         # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
         allowedIPs = [ "10.100.0.2/32" ];
-        persistentKeepalive = 25;
+        persistentKeepalive = 15;
       }
       {
         # Asus
         publicKey = "mzVH0N3q7UE/XjMwgRks+D8KFuIj91VkOK2ytgjsnkw=";
         allowedIPs = [ "10.100.0.3/32" ];
-        persistentKeepalive = 25;
+        persistentKeepalive = 15;
       }
     ];
   };
diff --git a/nixos/modules/wireguard-client.nix b/nixos/modules/wireguard-client.nix
index afdb0af..c8bb44c 100644
--- a/nixos/modules/wireguard-client.nix
+++ b/nixos/modules/wireguard-client.nix
@@ -3,9 +3,10 @@
 let
   cfg = config.local.wireguard;
-  port = 51820;
+  canigouData = import ../hosts/canigou/data.secret.nix;
-  serverAddr = (import ../hosts/canigou/data.secret.nix).addr;
+  serverAddr = canigouData.addr;
+  serverPort = canigouData.wireguardPort;
   # Run `ip route` to show gateway
   defaultGateway = "192.168.0.1";
@@ -25,7 +26,7 @@ in
   config = lib.mkIf cfg.enable {
     networking.firewall = {
-      allowedUDPPorts = [ port ]; # Clients and peers can use the same port, see listenport
+      allowedUDPPorts = [ serverPort ]; # Clients and peers can use the same port, see listenport
     };
     # Enable WireGuard
     networking.wireguard.interfaces = {
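Review bot: `port = canigouData.wireguardPort;` makes evaluation of this host depend on `../data.secret.nix`, which the first file header in this commit shows as a binary blob in git, so on any checkout where that file is still in its stored (presumably encrypted) form the `import` will fail with a Nix parse error rather than a message naming the cause. A one-line comment next to the import would save the next person that debugging: `# data.secret.nix is stored encrypted in git; evaluation needs it unlocked in the working tree.`. It is also worth stating that the port is not a security boundary — WireGuard does not answer unauthenticated datagrams, so a non-default port only cuts scanner noise — e.g. `# Non-default port only reduces scanner noise; WireGuard stays silent to unauthenticated packets.`. The remaining `let` bindings and the module body continue outside the hunk.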
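Review bot: Lowering `persistentKeepalive` to 15 on the server-side peer entries only has an effect if this host itself sits behind NAT or a stateful firewall; the keepalive that keeps a client's NAT mapping open is the one the client sends, and this same commit sets that to 15 in wireguard-client.nix. If canigou has a public address these two lines can be dropped, which also stops the server emitting a datagram every 15 s to the last-seen endpoint of a peer that has gone away. If they are kept, the value is now repeated three times across two files; hoisting it next to `wireguardPort` in data.secret.nix or into a shared `let keepalive = 15;` keeps the two sides from drifting. The enclosing `peers` list and `wg0` attribute set open before the hunk.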
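Review bot: `canigouData = import ../hosts/canigou/data.secret.nix;` hard-wires a reusable module to one host's secret file, so every machine that enables `local.wireguard` must have that file unlocked at evaluation time just to learn an address and a port — the previous `serverAddr` line already did this for `addr`, and the new `serverPort` doubles the coupling. A cleaner shape is to declare `serverAddr` and `serverPort` as options under `local.wireguard` (typed `types.str` and `types.port`) and set their defaults from the import in the canigou host configuration, leaving this module host-agnostic; the `options` block is outside the hunk, so I have not sketched it here. At minimum a comment saying why a generic module reads a host file would help: `# Server endpoint is read from canigou's (encrypted) data file; this module is not host-agnostic.`.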
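Review bot: `allowedUDPPorts = [ serverPort ];` opens an inbound UDP port on every client, but a client that initiates the tunnel toward `endpoint` and sends keepalives does not need one — the NixOS firewall by default admits the server's replies as established conntrack state, so the allow only matters if the client must accept a fresh handshake from a peer that has no current mapping for it. WireGuard drops unauthenticated datagrams silently, so the exposure is small, but an unneeded listener is still an unneeded listener; either drop the line (together with the fixed `listenPort`, which exists only to satisfy it) or document the intent: `# Inbound allow is only needed if peers must initiate toward this client; conntrack already covers replies.`. The `config = lib.mkIf cfg.enable {` set continues past the end of the hunk.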
@@ -33,7 +34,7 @@ in
     wg0 = {
       # Determines the IP address and subnet of the client's end of the tunnel interface.
       ips = [ cfg.ip ];
-      listenPort = port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+      listenPort = serverPort; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
       # Path to the private key file.
       privateKeyFile = cfg.privateKeyFile;
@@ -56,12 +57,10 @@ in
         # allowedIPs = [ "192.168.0.0/24" ];
         # Set this to the server IP and port.
-        endpoint = "${serverAddr}:${toString port}";
+        endpoint = "${serverAddr}:${toString serverPort}";
         # Send keepalives every 25 seconds. Important to keep NAT tables alive.
-        persistentKeepalive = 25;
-
-        dynamicEndpointRefreshRestartSeconds = 5;
+        persistentKeepalive = 15;
       }
     ];
   };
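Review bot: `listenPort = serverPort;` makes the client bind the server's port number, but nothing requires the two to match — the port the client sends to is set separately via `endpoint` in the peer block — so naming the client's own socket port `serverPort` invites a future reader to assume the coupling is mandated by the protocol. Either keep a separate binding such as `clientPort = canigouData.wireguardPort;` and use that here, or extend the trailing comment: `# same number as the server's port only so it matches allowedUDPPorts above; any fixed port would do`. The `wg0` attribute set is cut off at both ends of the hunk.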
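Review bot: The context comment `# Send keepalives every 25 seconds. Important to keep NAT tables alive.` is now wrong one line above `persistentKeepalive = 15;` and should read `# Send keepalives every 15 seconds. Important to keep NAT tables alive.`. Separately, removing `dynamicEndpointRefreshRestartSeconds = 5;` changes behaviour only if `dynamicEndpointRefreshSeconds` is also set somewhere (not visible in the hunk): as I read the NixOS option, it sets how soon the endpoint re-resolution service restarts after a failure and falls back to the refresh interval when unset, so with periodic refresh enabled a failed re-resolve of `serverAddr` now waits a full interval before retrying, and without it the line was a no-op. If the removal is deliberate because `canigouData.addr` is a static IP rather than a dynamic-DNS name, a short note next to `endpoint` would pre-empt the question. The peer attribute set opens before the hunk.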