diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c02ff80d4..9fba1812b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,20 +42,10 @@ jobs:
 - name: Run Tests and Upload Coverage Report
 run: mix coveralls.github --umbrella
- functional-test:
+ build:
 needs: unit-integration-test
 runs-on: ubuntu-18.04
- steps:
- - uses: actions/checkout@v2
- - name: Functional Test
- run: |
- # Dummy for now
- echo 'Tests completed!'
-
- build:
- needs: functional-test
- runs-on: ubuntu-18.04
- if: github.ref == 'ref/head/master' || contains(github.ref, 'refs/tags/')
+ if: github.ref == 'refs/head/master' || contains(github.ref, 'refs/tags/')
 steps:
 - uses: actions/checkout@v2
 - name: Build packages
@@ -77,12 +67,28 @@ jobs:
 - name: Rename Built Artifacts
 run: |
 version="${{ steps.version.outputs.version }}"
- cid=$(docker create fireguard:latest)
 filename="fireguard_${version}-1_amd64.deb"
 echo "Extracting built debian package from container ${cid} to filename $(unknown)"
- docker cp ${cid}:/build/pkg/debian.deb ./$(unknown)
+ - uses: actions/upload-artifact@v2
+ with:
+ name: fireguard-deb
+ path: "fireguard*.deb"
+
+ functional-test:
+ needs: build
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/download-artifact@v2
+ with:
+ name: fireguard-deb
+ - name: Test Install package
+ run: |
+ apt update
+ apt install -y postgresql wireguard iptables net-tools
+ dpkg -i fireguard*.deb
+
 publish:
 needs: build
 runs-on: ubuntu-18.04
diff --git a/config/dev.exs b/config/dev.exs
index 23fd9a774..800ad5279 100644
--- a/config/dev.exs
+++ b/config/dev.exs
@@ -72,7 +72,6 @@ config :fg_http, FgHttpWeb.Endpoint,
 ]
 config :fg_vpn,
- privkey: "mFZhBZIQATDzM+Mr671uiryJfSzKQhEA2RYg6JaWiGc=",
 pubkey: "JId8GN8iPmdQXOLSdcsSkaW4i60e1/rpHB/03rsaKBk="
 # Do not include metadata nor timestamps in development logs
diff --git a/config/releases.exs b/config/releases.exs
index a37f8e150..b606d8561 100644
--- a/config/releases.exs
+++ b/config/releases.exs
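Review bot: The new `if:` on the build job compares against `refs/head/master`, which GitHub never sets — branch refs are `refs/heads/master` — so the commit turns `ref/head/` into `refs/head/` but the job still runs only for tag pushes. The line should read `if: github.ref == 'refs/heads/master' || contains(github.ref, 'refs/tags/')`, and `startsWith(github.ref, 'refs/tags/')` would be the tighter check for the second half. Because functional-test now depends on build, this guard also means the install test never runs for pull requests, which may or may not be intended. The build job's remaining steps continue outside the hunk.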
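Review bot: The `apt update`, `apt install -y …` and `dpkg -i fireguard*.deb` lines of the new functional-test job run without `sudo`; GitHub-hosted Ubuntu runners execute steps as an unprivileged user with passwordless sudo, so all three will fail with permission errors before the package's postinst is ever exercised. Use `sudo apt-get update`, `sudo apt-get install -y postgresql wireguard iptables net-tools` and `sudo dpkg -i fireguard*.deb` (apt-get being the interface intended for scripts). In the Rename Built Artifacts step the echo line still expands `${cid}` after the `cid=$(docker create …)` assignment was removed, and with the `docker cp` gone the step no longer extracts or renames anything, so it should be dropped or reworked; where the .deb now comes from is outside this hunk (the Build packages step above it).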
@@ -35,6 +35,9 @@ listen_port =
 listen_host = json_config["listen_host"] || System.get_env("LISTEN_HOST") || "localhost"
+config :fg_vpn,
+ pubkey: json_config["pubkey"]
+
 config :fg_http, FgHttp.Repo,
 # ssl: true,
 url: database_url,
diff --git a/pkg/debian/DEBIAN/control b/pkg/debian/DEBIAN/control
index 37a0be9cf..f79454f28 100644
--- a/pkg/debian/DEBIAN/control
+++ b/pkg/debian/DEBIAN/control
@@ -2,7 +2,7 @@ Package: fireguard
 Version: 0.1.7-1
 Architecture: amd64
 Maintainer: CloudFire, LLC
-Depends: systemd (>= 245.4-4ubuntu3.3), openssl (>= 1.1.1f-1ubuntu2), wireguard (>= 1.0.20200319-1ubuntu1), postgresql-12 (>= 12.4-0ubuntu0.20.04.1), iptables (>= 1.8.4-3ubuntu2)
+Depends: net-tools (>= 1.60+git20180626.aebd88e-1ubuntu1), systemd (>= 245.4-4ubuntu3.3), openssl (>= 1.1.1f-1ubuntu2), wireguard (>= 1.0.20200319-1ubuntu1), postgresql-12 (>= 12.4-0ubuntu0.20.04.1), iptables (>= 1.8.4-3ubuntu2)
 Section: net
 Priority: optional
 Homepage: https://cloudfire.network
diff --git a/pkg/debian/DEBIAN/postinst b/pkg/debian/DEBIAN/postinst
index ca8de9709..f61c0b3ff 100755
--- a/pkg/debian/DEBIAN/postinst
+++ b/pkg/debian/DEBIAN/postinst
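Review bot: `pubkey: json_config["pubkey"]` has no fallback or presence check, unlike the `listen_host` line just above it, so a config.json written by an older postinst (which did not emit a `pubkey` field) silently configures `:fg_vpn` with `nil` and the failure surfaces later, wherever the key is first used. Fail fast at boot instead, e.g. `pubkey: json_config["pubkey"] || raise "pubkey missing from /opt/fireguard/config.json"`, or at least add a comment above the block stating that the field is required and written by the package postinst. Whether the application treats a nil pubkey as fatal cannot be confirmed from this hunk.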
@@ -15,28 +15,48 @@ else
 useradd --system fireguard
 fi
-touch /opt/fireguard/config.yml
-chown -R fireguard:root /opt/fireguard
-chmod 0600 /opt/fireguard/config.yml
-
+# Generate app secrets
 live_view_signing_salt="$(openssl rand -base64 24)"
 secret_key_base="$(openssl rand -base64 48)"
 db_user=fireguard
 db_password="$(openssl rand -base64 8)"
+# Setup DB
 sudo -i -u postgres psql -c "CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';" || true
 sudo -i -u postgres psql -c "CREATE DATABASE fireguard;" || true
 sudo -i -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE fireguard to ${db_user};" || true
+# Generate WireGuard priv/pubkeys
+privkey=$(wg genkey)
+pubkey=$(echo ${privkey} | wg pubkey)
+
+# Write FireGuard config file
+touch /opt/fireguard/config.yml
+chown -R fireguard:root /opt/fireguard
+chmod 0600 /opt/fireguard/config.yml
 cat <> /opt/fireguard/config.json
 {
 "live_view_signing_salt": "${live_view_signing_salt}",
 "secret_key_base": "${secret_key_base}",
 "database_url": "ecto://${db_user}:${db_password}@localhost/fireguard",
+ "pubkey": "${pubkey}",
 "listen_port": 4000,
 "listen_host": "localhost"
 }
 EOT
+# Grab default route interface
+default_int=$(route | grep '^default' | grep -o '[^ ]*$')
+
+# Write WireGuard config file
+cat <> /etc/wireguard/wg-fireguard.conf
+[Interface]
+ListenPort = 51820
+PrivateKey = ${privkey}
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${default_int} -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${default_int} -j MASQUERADE
+
+EOT
+
 systemctl enable fireguard
 systemctl start fireguard
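Review bot: The new `privkey=$(wg genkey)` runs unconditionally, and postinst also runs on every upgrade, so each package upgrade replaces the server's WireGuard private key and rewrites wg-fireguard.conf, invalidating every peer that holds the previous public key (the heredoc redirection is not legible in this rendering; if it appends, upgrades additionally leave duplicate `[Interface]` sections). The file carrying `PrivateKey` is created with the script's default umask and never chmod'ed, so its readability depends entirely on the mode of /etc/wireguard, and the moved `touch`/`chown`/`chmod` lines still target config.yml while the secrets are written to config.json after them, so config.json keeps the default mode too. Generating the key only when the conf does not exist, deriving `pubkey` from the existing key otherwise, writing both files under `umask 077`, and reading the default interface with `ip -4 route show default` (iproute2 is present on every Ubuntu system, which would also make the new net-tools Depends unnecessary) addresses all of this; the script's head, including any `set -e`, is outside the hunk.

```shell
# … unchanged: app secrets, DB setup …

# Generate the WireGuard key pair once and reuse it on upgrades, so peers
# that already hold the server's public key keep working.
wg_conf=/etc/wireguard/wg-fireguard.conf
if [ -f "${wg_conf}" ]; then
  privkey=$(sed -n 's/^PrivateKey *= *//p' "${wg_conf}")
else
  privkey=$(wg genkey)
fi
pubkey=$(printf '%s\n' "${privkey}" | wg pubkey)

# … unchanged: config.json heredoc …

if [ ! -f "${wg_conf}" ]; then
  # First interface of the first default route; avoids the net-tools dependency.
  default_int=$(ip -4 route show default | awk '{print $5; exit}')
  ( umask 077; cat > "${wg_conf}" <<EOT
[Interface]
ListenPort = 51820
PrivateKey = ${privkey}
# … unchanged: PostUp/PostDown iptables lines …
EOT
  )
fi
chmod 0600 /opt/fireguard/config.json "${wg_conf}"
chown fireguard:root /opt/fireguard/config.json

# … unchanged: systemctl enable/start …
```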