diff --git a/human-script.md b/human-script.md index 76fea4f..eb003fe 100644 --- a/human-script.md +++ b/human-script.md @@ -168,6 +168,9 @@ Follow this to deploy the entire data infra. - Protocol: Any - Action: Allow - Priority: 1000 +- Finally, you need to attach each NSG to the related subnet + - Visit the virtual network page and look for the subnets list + - For each subnet, select its NSG and attach it ### 2.3 Private DNS Zone 
@@ -200,27 +203,110 @@ Follow this to deploy the entire data infra. - The first VM we must deploy is a jumphost, since that will be our door to all other services inside the virtual network. - Create the VM - - Basic settings - - Name it: `jumphost` - - Use Ubuntu Server 22.04 - - Use Size: `Standard_B1s` - - Use username: `azureuser` - - Use the SSH Key: `superhog-data--general-ssh` - - Select the option `None` for Public inbound ports. - - Disk settings - - Defaults are pretty much fine. This barely needs any disk. - - Networking - - Attach to the virtual network `superhog-data-vnet-` - - Attach to the subnet `jumphost-subnet` - - Attach the public ip `superhog-data-jumphost-ip-` -CONTINUE HEEEEERE + - Basic settings + - Name it: `jumphost` + - Use Ubuntu Server 22.04 + - Use Size: `Standard_B1s` + - Use username: `azureuser` + - Use the SSH Key: `superhog-data--general-ssh` + - Select the option `None` for Public inbound ports. + - Disk settings + - Defaults are fine. This barely needs any disk. + - Networking + - Attach to the virtual network `superhog-data-vnet-` + - Attach to the subnet `jumphost-subnet` + - Attach the public ip `superhog-data-jumphost-ip-` + - For setting `NIC network security group` select option `None` + - Management settings + - Defaults are fine. + - Monitoring + - Defaults are fine. + - Advanced + - Defaults are fine. + - Add tags: + - `team: data` + - `environment: ` + - `project: network` ### 3.2 Configure a VPN Server +- The jumphost we just created is not accessible via SSH from WAN due to the NSG set in the jumphost subnet. +- To make it so, you should temporarily create a new rule like this in the NSG `superhog-data-nsg-jumphost-`. + - Name: AllowSSHInboundTemporarily + - Source: your IP. + - Source port ranges: * + - Destination: the addresss range for the `jumphost-subnet`. In this example, `10.69.0.0/29`. 
+ - Destination port ranges: 22 + - Protocol: TCP + - Action: Allow + - Priority: 110 +- Connect through SSH +- We will now set up a VPN server and client with Wireguard + - Run the following script (requires `sudo`) to install wireguard and configure it + - *Note: the IPs chosen for the VPN can absolutely be changed. Just make sure they are consistent across the server and client configurations of the VPN.* + + ```bash + echo "Installing Wireguard." + apt update + apt install wireguard -y + echo "Wireguard installed." + + echo "Creating keys." + SERVER_PRIVATE_KEY=$(wg genkey) + SERVER_PUBLIC_KEY=$(echo "$SERVER_PRIVATE_KEY" | wg pubkey) + + CLIENT_PRIVATE_KEY=$(wg genkey) + CLIENT_PUBLIC_KEY=$(echo "$CLIENT_PRIVATE_KEY" | wg pubkey) + echo "Keys created." + + echo "Writing server config file." + touch /etc/wireguard/wg0.conf + cat > /etc/wireguard/wg0.conf << EOL + [Interface] + PrivateKey = ${SERVER_PRIVATE_KEY} + Address = 192.168.69.1/32 + ListenPort = 52420 + + # IP forwarding + PreUp = sysctl -w net.ipv4.ip_forward=1 + # IP masquerading + PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30 + PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE + PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30 + PostDOwn = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE + + [Peer] + PublicKey = ${CLIENT_PUBLIC_KEY} + AllowedIPs = 192.168.70.1/32 + + EOL + echo "Server config file written." + + echo "Configuration for client, copy paste in your machine." + cat << EOF + [Interface] + # Jumphost VPN + PrivateKey = ${CLIENT_PRIVATE_KEY} + Address = 192.168.70.1/32 + # Uncomment when DNS Server is ready DNS = 192.168.69.1 + + [Peer] + PublicKey = ${SERVER_PUBLIC_KEY} + AllowedIPs = 192.168.69.1/32 + Endpoint = :52420 + + EOF + + echo "Finished." 
+ ``` + - CONTINUE HERE, INSTRUCTIONS ON HOW TO RAISE WG DAEMONS AND TEST + ### 3.3 Configure a DNS Server ### 3.4 Harden the VM +- First, remove the AllowSSHInboundTemporarily rule that you added + ## 4. DWH ## 5. Airbyte
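Review bot: the server config written by the `cat > /etc/wireguard/wg0.conf` heredoc contains `PostDOwn = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE`; the key must be `PostDown`, otherwise wg-quick rejects the file as having an unknown key and, even if it were accepted, the NAT rule would never be removed on teardown. In the client config printed by the second heredoc, `# Uncomment when DNS Server is ready DNS = 192.168.69.1` puts the directive on the same line as the comment, so there is nothing to uncomment; split it into `# Uncomment when DNS server is ready` and `# DNS = 192.168.69.1`. `Endpoint = :52420` is missing its host part and should carry the jumphost public IP (the address attached as `superhog-data-jumphost-ip-`). The file holding `SERVER_PRIVATE_KEY` is created with the default umask; add `umask 077` before the heredoc (or `chmod 600 /etc/wireguard/wg0.conf` afterwards), and consider writing the client config to a file rather than echoing `CLIENT_PRIVATE_KEY` to the terminal, where it lands in scrollback and logs. The section also opens TCP 22 temporarily but never adds an NSG rule for UDP 52420, and 3.4 removes the SSH rule, so once hardened the VPN endpoint is unreachable from outside; add an inbound UDP 52420 allow rule for `jumphost-subnet` to `superhog-data-nsg-jumphost-` and say so in 3.2. Minor: `addresss` should be `address`, and the `touch /etc/wireguard/wg0.conf` before `cat >` is redundant.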