diff --git a/scaleway/deployments/cilium.yaml b/scaleway/deployments/cilium.yaml index 40722ce..d2d6683 100644 --- a/scaleway/deployments/cilium.yaml +++ b/scaleway/deployments/cilium.yaml @@ -21,7 +21,11 @@ healthChecking: true tunnel: "vxlan" autoDirectNodeRoutes: false -# devices: [eth0] +devices: [eth0,eth1] + +encryption: + enabled: true + type: wireguard cni: install: true diff --git a/scaleway/deployments/cilium_result.yaml b/scaleway/deployments/cilium_result.yaml index b7b07aa..c69bc60 100644 --- a/scaleway/deployments/cilium_result.yaml +++ b/scaleway/deployments/cilium_result.yaml @@ -132,6 +132,7 @@ data: enable-ipv4-masquerade: "true" enable-ipv6-masquerade: "true" enable-bpf-masquerade: "false" + enable-wireguard: "true" enable-xt-socket-fallback: "true" install-iptables-rules: "true" @@ -141,6 +142,9 @@ data: enable-bandwidth-manager: "false" enable-local-redirect-policy: "true" enable-host-firewall: "true" + # List of devices used to attach bpf_host.o (implements BPF NodePort, + # host-firewall and BPF masquerading) + devices: "eth0 eth1" kube-proxy-replacement: "strict" kube-proxy-replacement-healthz-bind-address: "" diff --git a/scaleway/templates/controlplane.yaml.tpl b/scaleway/templates/controlplane.yaml.tpl index 27a662f..efc36a4 100644 --- a/scaleway/templates/controlplane.yaml.tpl +++ b/scaleway/templates/controlplane.yaml.tpl @@ -34,7 +34,7 @@ machine: - 1.1.1.1 - 8.8.8.8 kubespan: - enabled: true + enabled: false allowDownPeerBypass: true install: wipe: false diff --git a/scaleway/templates/web.yaml.tpl b/scaleway/templates/web.yaml.tpl index ef62207..6462a66 100644 --- a/scaleway/templates/web.yaml.tpl +++ b/scaleway/templates/web.yaml.tpl @@ -30,7 +30,7 @@ machine: - 169.254.2.53/32 - fd00::169:254:2:53/128 kubespan: - enabled: true + enabled: false allowDownPeerBypass: true install: wipe: true
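Review bot: The `encryption:` block added to cilium.yaml turns on WireGuard, which by default covers only pod-to-pod traffic between nodes, and nothing in the values file records that limit. A comment above it would help, e.g. `# WireGuard: encrypts pod-to-pod traffic only; host-network traffic is not covered`. Cilium's WireGuard tunnel uses UDP 51871 between nodes, and the rendered config in this commit shows `enable-host-firewall: "true"`, so host policies need to allow that port on whichever of eth0/eth1 carries node traffic. `devices: [eth0,eth1]` also attaches the host firewall and NodePort handling to eth1, so existing host policies should be checked against both interfaces. As a style point, write the list as `[eth0, eth1]`.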
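Review bot: Setting `kubespan.enabled: false` in controlplane.yaml.tpl (and identically in web.yaml.tpl) removes the node-level WireGuard mesh, while the Cilium encryption added in cilium.yaml protects only pod-to-pod traffic by default. Host-network workloads and other node-to-node traffic that relied on KubeSpan for confidentiality would now lack that layer unless they use TLS themselves; this is inferred, because the network layout is not visible in the diff. A comment beside the setting would record the intent, e.g. `# KubeSpan off: inter-node encryption handled by Cilium WireGuard (pod traffic only)`. `allowDownPeerBypass: true` stays in both templates and presumably has no effect while KubeSpan is disabled, so drop it or note that it is kept for re-enabling. The `machine:` block starts and ends outside the hunk.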