diff --git a/freebsd/freebsd-secure.sh b/freebsd/freebsd-secure.sh
new file mode 100644
index 0000000..3d71f13
--- /dev/null
+++ b/freebsd/freebsd-secure.sh
@@ -0,0 +1,115 @@
+#!/bin/sh
+set -e
+. ./variables
+
+
+# --- Pre-flight package installation ---
+echo "Installing dependencies... Please stay for a second, you will confirm the install"
+pkg update
+pkg install sudo wireguard-tools
+
+
+# --- User setup ---
+echo "Setting up user..."
+
+pw useradd -n "$USERNAME" -m -s /usr/local/bin/bash -w no
+
+
+# --- WireGuard setup ---
+echo "Configuring WireGuard..."
+
+WG_SUBNET="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
+WG_LISTEN_PORT=$(jot -r 1 49152 65535)
+WG_LOCAL_PRIVKEY=$(wg genkey)
+WG_LOCAL_PUBKEY=$(echo "$WG_LOCAL_PRIVKEY" | wg pubkey)
+
+mkdir -p /usr/local/etc/wireguard
+
+cat < /usr/local/etc/wireguard/vmh-ssh-vpn.conf
+[Interface]
+ListenPort = $WG_LISTEN_PORT
+PrivateKey = $WG_LOCAL_PRIVKEY
+Address = $WG_SUBNET::1/64
+
+[Peer]
+PublicKey = $WIREGUARD_PUBKEY
+AllowedIPs = $WG_SUBNET::2/128
+EOF
+
+chmod 600 /usr/local/etc/wireguard/vmh-ssh-vpn.conf
+
+sysrc wireguard_enable="YES"
+sysrc wireguard_interfaces="vmh-ssh-vpn"
+
+service wireguard start vmh-ssh-vpn
+
+
+# --- SSH setup ---
+echo "Configuring ssh..."
+
+mkdir -p /home/"$USERNAME"/.ssh
+echo "$MY_SSH_KEY" > /home/"$USERNAME"/.ssh/authorized_keys
+
+chmod 700 /home/"$USERNAME"/.ssh
+chmod 600 /home/"$USERNAME"/.ssh/authorized_keys
+chown -R "$USERNAME":"$USERNAME" /home/"$USERNAME"/.ssh
+
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+
+set_sshd_config() {
+ local key="$1"
+ local value="$2"
+ if grep -q "^${key}" /etc/ssh/sshd_config; then
+ # Replace existing line
+ sed -i '' "s/^${key}.*/${key} ${value}/" /etc/ssh/sshd_config
+ else
+ # Add new line if not found
+ echo "${key} ${value}" >> /etc/ssh/sshd_config
+ fi
+}
+
+sed -i '' '/^ListenAddress/d' /etc/ssh/sshd_config
+echo "ListenAddress $WG_SUBNET::1" >> /etc/ssh/sshd_config
+
+set_sshd_config "X11Forwarding" "no"
+set_sshd_config "PasswordAuthentication" "no"
+set_sshd_config "PubkeyAuthentication" "yes"
+set_sshd_config "PermitRootLogin" "no"
+
+service sshd restart
+
+
+# --- Sudo configuration ---
+echo "Configuring sudo..."
+
+mkdir -p /etc/sudoers.d
+cat < /etc/sudoers.d/99-vmh-newuser
+$USERNAME ALL=(ALL:ALL) NOPASSWD:ALL
+EOF
+
+chmod 0440 /etc/sudoers.d/99-vmh-newuser
+
+
+# --- Final Instructions ---
+echo
+echo "BEFORE DISCONNECTING, FOLLOW THE FOLLOWING STEPS"
+echo "You won't be able to reconnect if you don't."
+echo
+echo "1. Install the WireGuard config (fill in the gaps)"
+echo
+echo "[Interface]"
+echo "PrivateKey = ..."
+echo "Address = $WG_SUBNET::2/64"
+echo "[Peer]"
+echo "Endpoint = ...:$WG_LISTEN_PORT"
+echo "PublicKey = $WG_LOCAL_PUBKEY"
+echo "AllowedIPs = $WG_SUBNET::1/128"
+echo
+echo "2. Use this command to connect"
+echo
+echo "ssh $USERNAME@$WG_SUBNET::1"
+echo
+echo "NOTICE:"
+echo "If you need to change the port or other VPN settings, do it NOW. Edit /usr/local/etc/wireguard/vmh-ssh-vpn.conf"
+
+
\ No newline at end of file
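Review bot: The sudoers drop-in is written to `/etc/sudoers.d/99-vmh-newuser`, but the sudo that `pkg install sudo` provides on FreeBSD reads `/usr/local/etc/sudoers` and, by its shipped default, `@includedir /usr/local/etc/sudoers.d`, so unless a custom sudoers includes `/etc/sudoers.d` this file is never consulted and the new user gets no sudo — and with `PermitRootLogin no` plus password auth disabled that leaves no path back to root over the VPN; the script already uses the `/usr/local/etc` prefix for wireguard, and the drop-in should be checked with `visudo -cf /usr/local/etc/sudoers.d/99-vmh-newuser` before it is trusted. A second lockout risk is `service sshd restart` running on an unvalidated config: a `sshd -t` step before it lets a rejected sshd_config fail the script under `set -e` while the old daemon is still listening. The `set_sshd_config` helper and the `ListenAddress` line both append at the end of sshd_config, where any trailing `Match` block would scope them, and `grep -q "^${key}"` is a prefix match that also hits longer keywords; `grep -q "^${key}[[:space:]]"` is the safer test. Finally, both `cat < /usr/local/etc/wireguard/vmh-ssh-vpn.conf` and `cat < /etc/sudoers.d/99-vmh-newuser` read as plain input redirections in this rendering — if the heredoc operator was lost in extraction ignore this, otherwise neither block writes its file.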