diff --git a/TODO.md b/TODO.md
index 2d63732..8627c2e 100644
--- a/TODO.md
+++ b/TODO.md
@@ -52,15 +52,6 @@
 - https://ampache.org/
 - replace nextcloud with seafile
-### VPN container
-- use wireguard for vpn
- - https://github.com/triffid/pia-wg/blob/master/pia-wg.sh
- - https://github.com/pia-foss/manual-connections
- - port forwarding for vpn
- - transmission using forwarded port
- - https://www.wireguard.com/netns/
- - one way firewall for vpn container
-
 ### Networking
 - tailscale for p2p connections
 - remove all use of zerotier
diff --git a/common/network/pia-wireguard.nix b/common/network/pia-wireguard.nix
index 022ee88..7bac779 100644
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -6,6 +6,16 @@
 # https://github.com/pia-foss/manual-connections
 # https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh
+# TODO turn on firewall for VPN interface
+# TODO handle potential errors (or at least print status, success, and failures to the console)
+# TODO handle 2 month limit for port
+# TODO handle VPN container with different name
+# TODO parameterize names of systemd services so that multiple wg VPNs could coexist in theory easier
+# TODO add some variance to the port forward timer
+# TODO allow not forwarding a port
+# TODO implement this module such that the wireguard VPN doesn't have to live in a container
+# TODO look at wg-gen script for example of looking up a random server in a region and connect to that (user should not need to specify IP addr)
+
 with builtins;
 let
@@ -223,12 +233,6 @@ in {
 timerConfig.OnCalendar = "*:0/10"; # 10 minutes
 };
- # TODO enable firewall on the PIA interface
- # TODO handle errors
- # TODO handle 2 month limit for port
- # TODO print status, success, and failures to the console
- # TODO handle VPN container with different name
-
 age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
 };
 }
\ No newline at end of file
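Review bot: In the `@@ -6,6 +6,16 @@` hunk of common/network/pia-wireguard.nix, the added `# TODO turn on firewall for VPN interface` records a missing network control in the same flat list as convenience items such as timer variance, so nothing marks it as the one with security impact. Since the module also forwards a port from the provider, I would tag it and state the exposure, e.g. `# TODO(security): turn on firewall for VPN interface; until then traffic arriving over the tunnel is not filtered by this module`. The merged `# TODO handle potential errors (...)` entry would be easier to act on if it named the port-forward refresh timer explicitly, because a refresh that fails silently presumably leaves the forwarded port stale. The module body lies outside these hunks, so the actual firewall state on the interface should be confirmed there.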