diff --git a/.gitlab-ci/packet.yml b/.gitlab-ci/packet.yml
index b149b927e57b1fd1942f00f5f8f8f5605fddc15b..5d93876183160f6e7f1f6520dbeea61b775bb7fa 100644
--- a/.gitlab-ci/packet.yml
+++ b/.gitlab-ci/packet.yml
@@ -201,6 +201,14 @@ packet_centos7-weave-upgrade-ha:
     UPGRADE_TEST: basic
     MITOGEN_ENABLE: "false"
 
+# Calico HA Wireguard
+packet_ubuntu20-calico-ha-wireguard:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: manual
+  variables:
+    MITOGEN_ENABLE: "true"
+
 packet_debian9-calico-upgrade:
   stage: deploy-part3
   extends: .packet_pr
diff --git a/docs/calico.md b/docs/calico.md
index 13c1856c75bcdfd405c07d265ad8f26b94f92033..3858ad6ea1cda301e8a84e49ec2b31f39172104d 100644
--- a/docs/calico.md
+++ b/docs/calico.md
@@ -330,3 +330,23 @@ tc exec bpf debug
 ```
 
 Please see [Calico eBPF troubleshooting guide](https://docs.projectcalico.org/maintenance/troubleshoot/troubleshoot-ebpf#ebpf-program-debug-logs).
+
+## Wireguard Encryption
+
+Calico supports using Wireguard for encryption. Please see the docs on [encryptiong cluster pod traffic](https://docs.projectcalico.org/security/encrypt-cluster-pod-traffic).
+
+To enable wireguard support:
+
+```yaml
+calico_wireguard_enabled: true
+```
+
+The following OSes will require enabling the EPEL repo in order to bring in wireguard tools:
+
+* CentOS 7 & 8
+* AlmaLinux 8
+* Amazon Linux 2
+
+```yaml
+epel_enabled: true
+```
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml b/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml
index 84f24b414b830b9bc14cb919d79117bae4f2a617..86a11bf1adf413b1a88f2f6f1648421e11836ab9 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml
@@ -100,3 +100,6 @@
 # If you want use the default route interface when you use multiple interface with dynamique route (iproute2)
 # see https://docs.projectcalico.org/reference/node/configuration : FELIX_DEVICEROUTESOURCEADDRESS
 # calico_use_default_route_src_ipaddr: false
+
+# Enable calico traffic encryption with wireguard
+# calico_wireguard_enabled: false
diff --git a/roles/bootstrap-os/tasks/bootstrap-amazon.yml b/roles/bootstrap-os/tasks/bootstrap-amazon.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2b4d665d3bc48b6db73a08a048d16c7382f1a1b5
--- /dev/null
+++ b/roles/bootstrap-os/tasks/bootstrap-amazon.yml
@@ -0,0 +1,13 @@
+---
+- name: Enable EPEL repo for Amazon Linux
+  yum_repository:
+    name: epel
+    file: epel
+    description: Extra Packages for Enterprise Linux 7 - $basearch
+    baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch
+    gpgcheck: yes
+    gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
+    skip_if_unavailable: yes
+    enabled: yes
+    repo_gpgcheck: no
+  when: epel_enabled
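Review bot: The `baseurl` and `gpgkey` of the new EPEL repo are both plain `http://`, so the key that `gpgcheck: yes` relies on is itself fetched over an unauthenticated channel and can be swapped in transit together with the packages. Switching both to HTTPS keeps the signature check meaningful: `baseurl: https://download.fedoraproject.org/pub/epel/7/$basearch` and `gpgkey: https://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7`. With `repo_gpgcheck: no` the repo metadata is unsigned as well, so transport security is the only protection it has.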
diff --git a/roles/bootstrap-os/tasks/main.yml b/roles/bootstrap-os/tasks/main.yml
index 5016b96c84ef98eb8247361ce935c467eba7fce7..0403e166fa218a46c22e2d912703a21026414c56 100644
--- a/roles/bootstrap-os/tasks/main.yml
+++ b/roles/bootstrap-os/tasks/main.yml
@@ -9,6 +9,9 @@
 - include_tasks: bootstrap-centos.yml
   when: '''ID="centos"'' in os_release.stdout_lines or ''ID="ol"'' in os_release.stdout_lines or ''ID="almalinux"'' in os_release.stdout_lines'
 
+- include_tasks: bootstrap-amazon.yml
+  when: '''ID="amzn"'' in os_release.stdout_lines'
+
 - include_tasks: bootstrap-redhat.yml
   when: '''ID="rhel"'' in os_release.stdout_lines'
 
diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml
index c95833f1b93507b314a6cc7a1e233311790a6e9d..ac1229c02f7bc6240f321584c6915c3c00af0385 100644
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -80,6 +80,11 @@ calico_iptables_lock_timeout_secs: 10
 # Choose Calico iptables backend: "Legacy", "Auto" or "NFT" (FELIX_IPTABLESBACKEND)
 calico_iptables_backend: "Legacy"
 
+# Calico Wireguard support
+calico_wireguard_enabled: false
+calico_wireguard_packages: []
+calico_wireguard_repo: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/epel-{{ ansible_distribution_major_version }}-$basearch/
+
 # If you want to use non default IP_AUTODETECTION_METHOD for calico node set this option to one of:
 # * can-reach=DESTINATION
 # * interface=INTERFACE-REGEX
diff --git a/roles/network_plugin/calico/tasks/install.yml b/roles/network_plugin/calico/tasks/install.yml
index 4c196acc5abb6b74109720a2c89f650426e8c936..41ae4134b37f2361f63bd8f68a9bcfe11cd59267 100644
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@@ -1,4 +1,14 @@
 ---
+- name: Calico | Install Wireguard packages
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ calico_wireguard_packages }}"
+  register: calico_package_install
+  until: calico_package_install is succeeded
+  retries: 4
+  when: calico_wireguard_enabled
+
 - name: Calico | Copy calicoctl binary from download dir
   copy:
     src: "{{ local_release_dir }}/calicoctl"
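Review bot: The install task loops over `calico_wireguard_packages`, whose role default is `[]`, so on any host where no OS vars file is matched it succeeds without installing anything, while the Felix patch later in this file still sets `wireguardEnabled` to true. The operator then believes pod traffic is encrypted although, as far as I can tell from Calico's behaviour, nodes without WireGuard support carry it unencrypted. A guard before the install would make that case fail loudly, for example an `assert` with `that: calico_wireguard_packages | length > 0` under the same `when: calico_wireguard_enabled`. Hosts whose kernel already ships WireGuard would then need a documented way to opt out of the check.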
@@ -148,6 +158,7 @@
           "bpfLogLevel": "{{ calico_bpf_log_level }}",
           "bpfEnabled": {{ calico_bpf_enabled | bool }},
           "bpfExternalServiceMode": "{{ calico_bpf_service_mode }}",
+          "wireguardEnabled": {{ calico_wireguard_enabled | bool }},
           "logSeverityScreen": "{{ calico_felix_log_severity_screen }}" }}
   when:
     - inventory_hostname == groups['kube_control_plane'][0]
diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml
index 94c57e9ec8d2255739494e8a51e860746b547c43..df58120361d5254cbea03d7fb598e29261a3e5e1 100644
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -3,4 +3,6 @@
 
 - import_tasks: pre.yml
 
+- import_tasks: repos.yml
+
 - include_tasks: install.yml
diff --git a/roles/network_plugin/calico/tasks/pre.yml b/roles/network_plugin/calico/tasks/pre.yml
index e3ca15065d52311492554dd9daf405e80584b735..e274808b6ac353417b0d1ada76fc80a6dc8fb230 100644
--- a/roles/network_plugin/calico/tasks/pre.yml
+++ b/roles/network_plugin/calico/tasks/pre.yml
@@ -25,3 +25,20 @@
   delegate_to: "{{ groups['kube_control_plane'][0] }}"
   when:
   - "cloud_provider is defined"
+
+- name: Calico | Gather os specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+  - files:
+    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
+    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
+    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
+    - "{{ ansible_distribution|lower }}.yml"
+    - "{{ ansible_os_family|lower }}-{{ ansible_architecture }}.yml"
+    - "{{ ansible_os_family|lower }}.yml"
+    - defaults.yml
+    paths:
+    - ../vars
+    skip: true
+  tags:
+  - facts
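Review bot: Variables loaded through `include_vars` take precedence over inventory `group_vars`/`host_vars`, so the `calico_wireguard_repo` and `calico_wireguard_packages` values from the new `vars/*.yml` files silently win over anything an operator sets in inventory (only `-e` extra vars still override them). That matters most for `calico_wireguard_repo` in `vars/amazon.yml`: a site that wants to point nodes at an internal, vetted mirror cannot do so from `group_vars`. Either document this above the task, e.g. `# NOTE: values loaded here override inventory vars; use -e to change them`, or load the OS-specific values under separate names and keep the `calico_wireguard_*` defaults overridable. Because of `skip: true`, a host that matches none of the listed files produces no error, so a failed lookup is invisible as well.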
diff --git a/roles/network_plugin/calico/tasks/repos.yml b/roles/network_plugin/calico/tasks/repos.yml
new file mode 100644
index 0000000000000000000000000000000000000000..41cbf7d0b76d0c0871858cb14442466af35368b3
--- /dev/null
+++ b/roles/network_plugin/calico/tasks/repos.yml
@@ -0,0 +1,20 @@
+---
+- name: Calico | Add wireguard yum repo
+  when:
+    - calico_wireguard_enabled
+  block:
+
+    - name: Calico | Add wireguard yum repo
+      yum_repository:
+        name: copr:copr.fedorainfracloud.org:jdoss:wireguard
+        file: _copr:copr.fedorainfracloud.org:jdoss:wireguard
+        description: Copr repo for wireguard owned by jdoss
+        baseurl: "{{ calico_wireguard_repo }}"
+        gpgcheck: yes
+        gpgkey: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/pubkey.gpg
+        skip_if_unavailable: yes
+        enabled: yes
+        repo_gpgcheck: no
+      when:
+        - ansible_os_family in ['RedHat']
+        - ansible_distribution not in ['Fedora']
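Review bot: Setting `calico_wireguard_enabled` adds a single-maintainer Copr repository (`jdoss/wireguard`) as a package source on every non-Fedora RedHat-family node, and `wireguard-dkms`, presumably installed from it, ends up as a kernel module. Nothing in the task lets an operator skip the repo, and `docs/calico.md` in this commit mentions only EPEL. The `gpgkey` is served from the same host as the packages and `repo_gpgcheck: no` leaves the metadata unsigned, so the signature check mostly proves consistency with that host rather than independent provenance. I would add a condition such as `- calico_wireguard_repo | length > 0` to the inner `when:` so the repo can be disabled by setting the variable empty, and name the extra repository in the docs. Minor: the block and the task inside it carry the same `name`, and `yes`/`no` would read better as `true`/`false`.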
diff --git a/roles/network_plugin/calico/vars/amazon.yml b/roles/network_plugin/calico/vars/amazon.yml
new file mode 100644
index 0000000000000000000000000000000000000000..83efdcdb0844707cd06d3fee505ad322bd5f94c3
--- /dev/null
+++ b/roles/network_plugin/calico/vars/amazon.yml
@@ -0,0 +1,5 @@
+---
+calico_wireguard_repo: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/epel-7-$basearch/
+calico_wireguard_packages:
+  - wireguard-dkms
+  - wireguard-tools
diff --git a/roles/network_plugin/calico/vars/debian.yml b/roles/network_plugin/calico/vars/debian.yml
new file mode 100644
index 0000000000000000000000000000000000000000..baf603cfd9cfd6181c87330b8bfb590b0cdf3372
--- /dev/null
+++ b/roles/network_plugin/calico/vars/debian.yml
@@ -0,0 +1,3 @@
+---
+calico_wireguard_packages:
+  - wireguard
diff --git a/roles/network_plugin/calico/vars/fedora.yml b/roles/network_plugin/calico/vars/fedora.yml
new file mode 100644
index 0000000000000000000000000000000000000000..43df5457a39d83e530c8373acbd6c969e159a70f
--- /dev/null
+++ b/roles/network_plugin/calico/vars/fedora.yml
@@ -0,0 +1,3 @@
+---
+calico_wireguard_packages:
+  - wireguard-tools
diff --git a/roles/network_plugin/calico/vars/opensuse.yml b/roles/network_plugin/calico/vars/opensuse.yml
new file mode 100644
index 0000000000000000000000000000000000000000..43df5457a39d83e530c8373acbd6c969e159a70f
--- /dev/null
+++ b/roles/network_plugin/calico/vars/opensuse.yml
@@ -0,0 +1,3 @@
+---
+calico_wireguard_packages:
+  - wireguard-tools
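Review bot: This file is probably never loaded. The lookup added in `tasks/pre.yml` tries names built from `ansible_distribution|lower` and `ansible_os_family|lower`, and to my knowledge Ansible reports openSUSE as `openSUSE Leap` / `openSUSE Tumbleweed` with OS family `Suse`, none of which yields `opensuse.yml`. With `skip: true` the miss is silent and `calico_wireguard_packages` stays at its `[]` default, so no WireGuard tools are installed on those hosts. Renaming the file to `suse.yml` would match the `{{ ansible_os_family|lower }}.yml` candidate; this is worth confirming against the facts of a real openSUSE host.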
diff --git a/roles/network_plugin/calico/vars/redhat.yml b/roles/network_plugin/calico/vars/redhat.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a83a8a5fed89d41a5cd1ce7d5ba8905ab8fbf612
--- /dev/null
+++ b/roles/network_plugin/calico/vars/redhat.yml
@@ -0,0 +1,4 @@
+---
+calico_wireguard_packages:
+  - wireguard-dkms
+  - wireguard-tools
diff --git a/tests/files/packet_ubuntu20-calico-ha-wireguard.yml b/tests/files/packet_ubuntu20-calico-ha-wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..71fc6e7c3317da22ccb8bf80aee0e8506a3f75e7
--- /dev/null
+++ b/tests/files/packet_ubuntu20-calico-ha-wireguard.yml
@@ -0,0 +1,18 @@
+---
+# Instance settings
+cloud_image: ubuntu-2004
+mode: ha
+vm_memory: 1600Mi
+
+# Kubespray settings
+kube_network_plugin: calico
+deploy_netchecker: true
+
+calico_wireguard_enabled: true
+
+# Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko
+kube_proxy_mode: iptables
+# KVM kernel used by packet instances is missing the dummy.ko kernel module so it cannot enable nodelocaldns
+enable_nodelocaldns: false
+
+auto_renew_certificates: true