diff --git a/.gitignore b/.gitignore
index 695571b..348325a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,3 +49,4 @@ vault-keys.json
 nomad_bootstrap.json
 consul_values.yml
 vault_hashi_vault_values.yml
+vault_*.yml
diff --git a/ansible_playbooks/setup-cluster.yml b/ansible_playbooks/setup-cluster.yml
index d9fe9f4..b611fb9 100644
--- a/ansible_playbooks/setup-cluster.yml
+++ b/ansible_playbooks/setup-cluster.yml
@@ -225,6 +225,8 @@
 fstype: nfs4
 loop: "{{ shared_nfs_mounts + (nfs_mounts | default([])) }}"
 
+- import_playbook: wesher.yml
+
 - name: Build Nomad cluster
 hosts: nomad_instances
 any_errors_fatal: true
@@ -332,6 +334,9 @@
 - name: loopback
 interface: lo
 reserved_ports: "22"
+ - name: wesher
+ interface: wgoverlay
+ reserved_ports: "22"
 
 # Enable ACLs
 nomad_acl_enabled: true
diff --git a/ansible_playbooks/vars/wesher_vars.yml b/ansible_playbooks/vars/wesher_vars.yml
new file mode 100644
index 0000000..9c47583
--- /dev/null
+++ b/ansible_playbooks/vars/wesher_vars.yml
@@ -0,0 +1,2 @@
+---
+wesher_key: "{{ vault_wesher_key }}"
diff --git a/ansible_playbooks/wesher.yml b/ansible_playbooks/wesher.yml
new file mode 100644
index 0000000..1dce859
--- /dev/null
+++ b/ansible_playbooks/wesher.yml
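Review bot: The new `wesher` host_network in the second setup-cluster.yml hunk binds Nomad to interface `wgoverlay` before anything guarantees that interface exists: `wesher.yml` is imported ahead of the Nomad play, but the wesher.service unit is fetched from upstream and nothing in this change orders Nomad after it, so on reboot Nomad may start and fingerprint host networks before the overlay is up. Consider a systemd drop-in for the Nomad unit with `After=wesher.service` and `Wants=wesher.service`, or confirm that Nomad tolerates a missing host_network interface at startup. The interface name also has to match whatever wesher brings up; `wesher.yml` sets no interface, so this presumably relies on wesher's default, which deserves a comment such as `# wgoverlay is wesher's default interface; keep in sync with wesher.yml`. The host network list this entry belongs to starts above the hunk.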
@@ -0,0 +1,50 @@
+- name: Create overlay network
+ hosts: nomad_instances
+ become: true
+ vars_files:
+ - vars/wesher_vars.yml
+ vars:
+ wesher_key: "{{ wesher_key }}"
+ wesher_version: v0.2.6
+ wesher_arch_map:
+ x86_64: amd64
+ armv7l: arm
+ aarch64: arm64
+ wesher_arch: "{{ wesher_arch_map[ansible_architecture] }}"
+ # wesher_sha256_map:
+ # x86_64: 8c551ca211d7809246444765b5552a8d1742420c64eff5677d1e27a34c72aeef
+ # armv7l: 97f5bbf2b00b8b11a4ca224540bf9c1affdb15432c3b6ad8da4c1a7b6175eb5d
+ # aarch64: 507c6397d67ea90bddb3e1c06ec9d8e38d4342ed6f0f6b47855fecc9f1d6fae0
+ # wesher_checksum: sha256:{{ wesher_sha256_map[ansible_architecture] }}
+ wesher_checksum: sha256:https://github.com/costela/wesher/releases/download/{{ wesher_version }}/wesher.sha256sums
+
+ tasks:
+ - name: Download wesher
+ get_url:
+ url: https://github.com/costela/wesher/releases/download/{{ wesher_version }}/wesher-{{ wesher_arch }}
+ dest: /usr/local/sbin/wesher
+ checksum: "{{ wesher_checksum }}"
+ owner: root
+ mode: "0755"
+
+ - name: Install systemd unit
+ get_url:
+ url: https://github.com/costela/wesher/raw/{{ wesher_version }}/dist/wesher.service
+ dest: /etc/systemd/system/wesher.service
+
+ - name: Write wesher config
+ lineinfile:
+ path: /etc/default/wesher
+ create: true
+ regexp: "^{{ item.split('=')[0] }}"
+ line: "{{ item }}"
+ loop:
+ - WESHER_CLUSTER_KEY={{ wesher_key }}
+ - WESHER_JOIN={% for host in ansible_play_hosts %}{{ hostvars[host].ansible_default_ipv4.address }}{% if not loop.last %},{% endif %}{% endfor %}
+
+ - name: Start wesher
+ systemd:
+ name: wesher.service
+ daemon_reload: true
+ state: started
+ enabled: true
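Review bot: The `Write wesher config` task creates `/etc/default/wesher` containing `WESHER_CLUSTER_KEY` but sets no owner or mode, so a freshly created file gets the umask default (typically world-readable) and the rendered `line` can surface the key in verbose or diff output; add `owner: root`, `mode: "0600"` and `no_log: true` to that task. The `Install systemd unit` download has no `checksum`, `owner` or `mode` either, yet it defines a root-run service, so it should be pinned the same way as the binary and given `mode: "0644"`. Pointing `wesher_checksum` at `wesher.sha256sums` fetched from the same release origin only checks transfer integrity, not that the artifact is the one that was reviewed; the commented-out per-architecture `wesher_sha256_map` is the stronger form for a pinned `wesher_version` and should be restored instead of left as a comment. The `wesher_key: "{{ wesher_key }}"` entry under `vars` is self-referential and appears to work only because `vars_files` takes precedence over play `vars`; drop it and let `vars/wesher_vars.yml` define the key.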