diff --git a/modules/system/vpn-confinement.nix b/modules/system/vpn-confinement.nix
new file mode 100644
index 0000000..597760b
--- /dev/null
+++ b/modules/system/vpn-confinement.nix
@@ -0,0 +1,69 @@
+{ pkgs, config, lib, ... }:
+
+let
+ cfg = config.modules.system.vpn-confinement;
+in
+{
+ options.modules.system.vpn-confinement = {
+ enable = lib.mkEnableOption "enables vpn-confinement";
+
+ # toggle for mullvad mexico w/ openvpn
+ vpncon_mex = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "enable pia vpn to mexico using openvpn";
+ };
+
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ # Define VPN network namespace
+ vpnNamespaces.wgmex = {
+ enable = true;
+ wireguardConfigFile = config.sops.secrets."vpncon_mex_config".path;
+ accessibleFrom = [
+ "10.0.0.0/8"
+ ];
+ portMappings = [
+ { from = 7000; to = 7200; }
+ ];
+ openVPNPorts = [{
+ port = 60729;
+ protocol = "both";
+ }];
+ };
+
+ # Addd systemd service to VPN network namespace
+ systemd.services.transmission.vpnConfinement = {
+ enable = true;
+ vpnNamespace = "wg";
+ };
+
+ # secrets only if VPN is enabled
+ sops.secrets = {
+ "vpncon_mex_config" = { owner = "root"; group = "root"; }
+ };
+
+ }
+
+
+ vpnNamespaces. = { # The name is limited to 7 characters
+ enable = true;
+ wireguardConfigFile = config.sops.secrets."vpncon_mex_config".path;
+ accessibleFrom = [
+ ""
+ ];
+ portMappings = [{
+ from = ;
+ to = ;
+ protocol = ""; # protocol = "tcp"(default), "udp", or "both"
+ }];
+ openVPNPorts = [{
+ port = ;
+ protocol = ""; # protocol = "tcp"(default), "udp", or "both"
+ }];
+ };
+
+ };
+}
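Review bot: `vpnNamespace = "wg"` in the transmission `vpnConfinement` block does not name the namespace this module defines, `vpnNamespaces.wgmex`, so the service would be attached to a namespace this file never creates and the tunnel configured here would not be the one it is confined to; it should read `vpnNamespace = "wgmex";`. The unfilled template left below the `config` attribute set (`vpnNamespaces. = {`, `from = ;`, `to = ;`, `port = ;`) is not valid Nix and also follows the closing `}` of `config` with no separator, so the module will not evaluate until that whole block is deleted. The `vpncon_mex` option is declared but nothing in `config` reads it, so the namespace and the `vpncon_mex_config` secret are created on every host that sets `enable`; either wrap them in `lib.mkIf cfg.vpncon_mex` or drop the option, and reconcile its comment (Mullvad) with its description (PIA). `accessibleFrom = [ "10.0.0.0/8" ]` makes the mapped ports reachable from the entire private range; if only a few hosts need transmission's interface, narrowing this to their subnet keeps the namespace's reachability as small as the confinement is meant to make it.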