diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index be6e4c8..7560593 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -98,6 +98,22 @@
   - `opt3` = IoT (vlan02, 10.4.20.0/24)
   - `opt4` = Guest (vlan03, 10.4.30.0/24)
 
+### WireGuard VPN Setup
+- **WireGuard configured** on OPNsense (built into 25.7 core)
+  - Server: wg0, port 51820, tunnel 10.10.10.1/24
+  - Allows remote access to all internal subnets
+  - Firewall rule added for WireGuard interface
+
+- **AT&T IP Passthrough configured**:
+  - Mode: DHCPS-fixed
+  - MAC: bc:24:11:cb:12:82 (OPNsense WAN)
+  - OPNsense now receives public IP directly (99.74.188.161)
+  - Required for both WireGuard and Traefik to work properly
+
+- **Plugins installed**:
+  - os-qemu-guest-agent (for Proxmox integration)
+  - os-tailscale (backup VPN, not yet configured)
+
 ### Verified Working
 - All VLANs (10, 20, 30) receiving DHCP from OPNsense
 - LAN (10.4.2.0/24) receiving DHCP from OPNsense