diff --git a/includes/wireguard.php b/includes/wireguard.php index 00b4e962..c7f56cdd 100644 --- a/includes/wireguard.php +++ b/includes/wireguard.php @@ -34,7 +34,10 @@ function DisplayWireGuardConfig() $wg_srvport = ($conf['ListenPort'] == '') ? getDefaultNetValue('wireguard','server','ListenPort') : $conf['ListenPort']; $wg_srvipaddress = ($conf['Address'] == '') ? getDefaultNetValue('wireguard','server','Address') : $conf['Address']; $wg_srvdns = ($conf['DNS'] == '') ? getDefaultNetValue('wireguard','server','DNS') : $conf['DNS']; - $wg_peerpubkey = $conf['PublicKey']; + $wg_peerpubkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-public.key', $return); + if (sizeof($conf) >0) { + $wg_senabled = true; + } // todo: iterate multiple peer configs exec('sudo cat '. RASPI_WIREGUARD_PATH.'client.conf', $preturn); @@ -64,6 +67,7 @@ function DisplayWireGuardConfig() "wg_srvport", "wg_srvipaddress", "wg_srvdns", + "wg_senabled", "wg_penabled", "wg_pipaddress", "wg_plistenport", 
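Review bot: `$wg_senabled` is assigned only inside the `sizeof($conf) > 0` branch, so when no server config is present the variable is undefined and `compact()` silently omits it from the template data (with a notice on PHP 7.3+), leaving the new `wg_senabled` checkbox with nothing to render. Assign it unconditionally instead: `$wg_senabled = (sizeof($conf) > 0);`. The exit status of the `sudo cat` that now reads `wg-peer-public.key` is also not captured, so a missing or unreadable key file yields an empty string that is shown as if it were the key; `exec(..., $return, $rc)` and treating `$rc !== 0` as "no key" would make the two cases distinguishable. DisplayWireGuardConfig begins and ends outside this hunk.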
@@ -86,102 +90,120 @@ function SaveWireGuardConfig($status) // Set defaults $good_input = true; $peer_id = 1; - // Validate input - if (isset($_POST['wg_srvport'])) { - if (strlen($_POST['wg_srvport']) > 5 || !is_numeric($_POST['wg_srvport'])) { - $status->addMessage('Invalid value for server local port', 'danger'); - $good_input = false; + // Validate server input + if ($_POST['wg_senabled'] == 1) { + if (isset($_POST['wg_srvport'])) { + if (strlen($_POST['wg_srvport']) > 5 || !is_numeric($_POST['wg_srvport'])) { + $status->addMessage('Invalid value for server local port', 'danger'); + $good_input = false; + } + } + if (isset($_POST['wg_plistenport'])) { + if (strlen($_POST['wg_plistenport']) > 5 || !is_numeric($_POST['wg_plistenport'])) { + $status->addMessage('Invalid value for peer local port', 'danger'); + $good_input = false; + } + } + if (isset($_POST['wg_srvipaddress'])) { + if (!validateCidr($_POST['wg_srvipaddress'])) { + $status->addMessage('Invalid value for server IP address', 'danger'); + $good_input = false; + } + } + if (isset($_POST['wg_srvdns'])) { + if (!filter_var($_POST['wg_srvdns'],FILTER_VALIDATE_IP)) { + $status->addMessage('Invalid value for DNS', 'danger'); + $good_input = false; + } } } - if (isset($_POST['wg_plistenport'])) { - if (strlen($_POST['wg_plistenport']) > 5 || !is_numeric($_POST['wg_plistenport'])) { - $status->addMessage('Invalid value for peer local port', 'danger'); - $good_input = false; + // Validate peer input + if ($_POST['wg_penabled'] == 1) { + if (isset($_POST['wg_pipaddress'])) { + if (!validateCidr($_POST['wg_pipaddress'])) { + $status->addMessage('Invalid value for peer IP address', 'danger'); + $good_input = false; + } } - } - if (isset($_POST['wg_srvipaddress'])) { - if (!validateCidr($_POST['wg_srvipaddress'])) { - $status->addMessage('Invalid value for server IP address', 'danger'); - $good_input = false; + if (isset($_POST['wg_pendpoint']) && strlen(trim($_POST['wg_pendpoint']) >0 )) { + $wg_pendpoint_seg = 
substr($_POST['wg_pendpoint'],0,strpos($_POST['wg_pendpoint'],':')); + if (!filter_var($wg_pendpoint_seg,FILTER_VALIDATE_IP)) { + $status->addMessage('Invalid value for endpoint address', 'danger'); + $good_input = false; + } } - } - if (isset($_POST['wg_pipaddress'])) { - if (!validateCidr($_POST['wg_pipaddress'])) { - $status->addMessage('Invalid value for peer IP address', 'danger'); - $good_input = false; + if (isset($_POST['wg_pallowedips']) && strlen(trim($_POST['wg_pallowedips']) >0)) { + if (!validateCidr($_POST['wg_pallowedips'])) { + $status->addMessage('Invalid value for allowed IPs', 'danger'); + $good_input = false; + } } - } - if (isset($_POST['wg_srvdns'])) { - if (!filter_var($_POST['wg_srvdns'],FILTER_VALIDATE_IP)) { - $status->addMessage('Invalid value for DNS', 'danger'); - $good_input = false; - } - } - if (isset($_POST['wg_pendpoint']) && strlen(trim($_POST['wg_pendpoint']) >0 )) { - $wg_pendpoint_seg = substr($_POST['wg_pendpoint'],0,strpos($_POST['wg_pendpoint'],':')); - if (!filter_var($wg_pendpoint_seg,FILTER_VALIDATE_IP)) { - $status->addMessage('Invalid value for endpoint address', 'danger'); - $good_input = false; - } - } - if (isset($_POST['wg_pallowedips']) && strlen(trim($_POST['wg_pallowedips']) >0)) { - if (!validateCidr($_POST['wg_pallowedips'])) { - $status->addMessage('Invalid value for allowed IPs', 'danger'); - $good_input = false; - } - } - if (isset($_POST['wg_pkeepalive']) && strlen(trim($_POST['wg_pkeepalive']) >0 )) { - if (strlen($_POST['wg_pkeepalive']) > 4 || !is_numeric($_POST['wg_pkeepalive'])) { - $status->addMessage('Invalid value for persistent keepalive', 'danger'); - $good_input = false; + if (isset($_POST['wg_pkeepalive']) && strlen(trim($_POST['wg_pkeepalive']) >0 )) { + if (strlen($_POST['wg_pkeepalive']) > 4 || !is_numeric($_POST['wg_pkeepalive'])) { + $status->addMessage('Invalid value for persistent keepalive', 'danger'); + $good_input = false; + } } } // Save settings if ($good_input) { - // fetch private 
keys from filesytem - $wg_srvprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return); - $wg_peerprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return); - // server (wg0.conf) - $config[] = '[Interface]'; - $config[] = 'Address = '.$_POST['wg_srvipaddress']; - $config[] = 'ListenPort = '.$_POST['wg_srvport']; - $config[] = 'DNS = '.$_POST['wg_srvdns']; - $config[] = 'PrivateKey = '.$wg_srvprivkey; - $config[] = 'PostUp = '.getDefaultNetValue('wireguard','server','PostUp'); - $config[] = 'PostDown = '.getDefaultNetValue('wireguard','server','PostDown'); - $config[] = ''; - $config[] = '[Peer]'; - $config[] = 'PublicKey = '.$_POST['wg-peer']; - $config[] = 'AllowedIPs = '.$_POST['wg_pallowedips']; - if ($_POST['wg_pkeepalive'] !== '') { - $config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']); + if ($_POST['wg_senabled'] == 1) { + // fetch server private key from filesytem + $wg_srvprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return); + $config[] = '[Interface]'; + $config[] = 'Address = '.$_POST['wg_srvipaddress']; + $config[] = 'ListenPort = '.$_POST['wg_srvport']; + $config[] = 'DNS = '.$_POST['wg_srvdns']; + $config[] = 'PrivateKey = '.$wg_srvprivkey; + $config[] = 'PostUp = '.getDefaultNetValue('wireguard','server','PostUp'); + $config[] = 'PostDown = '.getDefaultNetValue('wireguard','server','PostDown'); + $config[] = ''; + $config[] = '[Peer]'; + $config[] = 'PublicKey = '.$_POST['wg-peer']; + $config[] = 'AllowedIPs = '.$_POST['wg_pallowedips']; + if ($_POST['wg_pkeepalive'] !== '') { + $config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']); + } + $config[] = ''; + $config = join(PHP_EOL, $config); + + file_put_contents("/tmp/wgdata", $config); + system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_CONFIG, $return); + } else { + # remove selected conf + keys + system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return); + system('sudo rm '. 
RASPI_WIREGUARD_PATH .'wg-server-public.key', $return); + system('sudo rm '. RASPI_WIREGUARD_CONFIG, $return); } - $config[] = ''; - $config = join(PHP_EOL, $config); - - file_put_contents("/tmp/wgdata", $config); - system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_CONFIG, $return); - // client1 (client.conf) - $config = []; - $config[] = '[Interface]'; - $config[] = 'Address = '.trim($_POST['wg_pipaddress']); - $config[] = 'PrivateKey = '.$wg_peerprivkey; - $config[] = 'ListenPort = '.$_POST['wg_plistenport']; - $config[] = ''; - $config[] = '[Peer]'; - $config[] = 'PublicKey = '.$_POST['wg-server']; - $config[] = 'AllowedIPs = '.$_POST['wg_pallowedips']; - $config[] = 'Endpoint = '.$_POST['wg_pendpoint']; - if ($_POST['wg_pkeepalive'] !== '') { - $config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']); - } - $config[] = ''; - $config = join(PHP_EOL, $config); + if ($_POST['wg_penabled'] == 1) { + // fetch peer private key from filesystem + $wg_peerprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return); + $config = []; + $config[] = '[Interface]'; + $config[] = 'Address = '.trim($_POST['wg_pipaddress']); + $config[] = 'PrivateKey = '.$wg_peerprivkey; + $config[] = 'ListenPort = '.$_POST['wg_plistenport']; + $config[] = ''; + $config[] = '[Peer]'; + $config[] = 'PublicKey = '.$_POST['wg-server']; + $config[] = 'AllowedIPs = '.$_POST['wg_pallowedips']; + $config[] = 'Endpoint = '.$_POST['wg_pendpoint']; + if ($_POST['wg_pkeepalive'] !== '') { + $config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']); + } + $config[] = ''; + $config = join(PHP_EOL, $config); - file_put_contents("/tmp/wgdata", $config); - system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_PATH.'client.conf', $return); + file_put_contents("/tmp/wgdata", $config); + system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_PATH.'client.conf', $return); + } else { + # remove selected conf + keys + system('sudo rm '. 
RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return); + system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-peer-public.key', $return); + system('sudo rm '. RASPI_WIREGUARD_PATH.'client.conf', $return); + } // handle log option if ($_POST['wg_log'] == "1") { diff --git a/installers/raspap.sudoers b/installers/raspap.sudoers index 9aded5a3..18e4ddf8 100644 --- a/installers/raspap.sudoers +++ b/installers/raspap.sudoers @@ -50,4 +50,6 @@ www-data ALL=(ALL) NOPASSWD:/bin/systemctl * wg-quick@wg0 www-data ALL=(ALL) NOPASSWD:/usr/bin/wg www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wireguard/*.conf www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wireguard/wg-*.key +www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/*.conf +www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/wg-*.key diff --git a/templates/wg/general.php b/templates/wg/general.php index b3235e88..06d09811 100644 --- a/templates/wg/general.php +++ b/templates/wg/general.php @@ -4,13 +4,13 @@
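Review bot: The public keys `$_POST['wg-peer']` and `$_POST['wg-server']` are still written verbatim into the `[Peer]` sections of both config files with no validation, even though every other field in this hunk now gets a check; those files are copied into `/etc/wireguard` via sudo and consumed by `wg-quick`, so a value containing a newline followed by `PostUp = ...` presumably becomes a root-executed command when the tunnel is brought up, and the unchecked port half of `wg_pendpoint` after the colon has the same exposure. The new gating is also inconsistent: `wg_plistenport` is validated only under `wg_senabled` but written to `client.conf` under `wg_penabled`, while `wg_pallowedips` and `wg_pkeepalive` are validated only under `wg_penabled` but written to `wg0.conf` under `wg_senabled`, so disabling one side lets the other side's fields through unchecked. I would validate the keys and the shared fields before the per-side blocks, as below, and reject any value containing `\r` or `\n`. SaveWireGuardConfig begins before and continues after this hunk.
```php
    // Keys and shared fields end up in root-owned WireGuard config whichever
    // side is enabled, so validate them before the per-side blocks.
    foreach (['wg-peer', 'wg-server'] as $keyField) {
        if (isset($_POST[$keyField]) && !preg_match('/^[A-Za-z0-9+\/]{43}=$/', $_POST[$keyField])) {
            $status->addMessage('Invalid value for public key', 'danger');
            $good_input = false;
        }
    }
    if (isset($_POST['wg_plistenport'])) {
        if (strlen($_POST['wg_plistenport']) > 5 || !is_numeric($_POST['wg_plistenport'])) {
            $status->addMessage('Invalid value for peer local port', 'danger');
            $good_input = false;
        }
    }
    if (isset($_POST['wg_pendpoint']) && strlen(trim($_POST['wg_pendpoint'])) > 0) {
        // whole value, not just the host part: host:port with no whitespace or newlines
        if (!preg_match('/^[^\s:]+:[0-9]{1,5}$/', trim($_POST['wg_pendpoint']))) {
            $status->addMessage('Invalid value for endpoint address', 'danger');
            $good_input = false;
        }
    }
    // … unchanged: wg_senabled / wg_penabled validation blocks (minus the moved checks) …
```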
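Review bot: The two new `rm` rules use a sudoers `*` wildcard, which matches across whitespace, so `/bin/rm /etc/wireguard/*.conf` also authorises things like `rm /etc/wireguard/ -rf / x.conf` or `rm /etc/wireguard/../../etc/anything.conf` as root from the www-data account, independent of what the PHP code does. The commit only ever deletes a fixed set of files, so list them explicitly instead: `www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/wg0.conf, /bin/rm /etc/wireguard/client.conf` and a matching line for `wg-server-private.key`, `wg-server-public.key`, `wg-peer-private.key` and `wg-peer-public.key` (assuming RASPI_WIREGUARD_CONFIG resolves to `/etc/wireguard/wg0.conf` as the template text suggests). The existing `cat` rules above have the same wildcard shape, but those disclose rather than destroy.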

-
- aria-describedby="tunnel-description"> - + aria-describedby="server-description"> +

+ wg0.conf to the WireGuard configuration.") ?>

diff --git a/templates/wg/peers.php b/templates/wg/peers.php index 0d29b429..319cc0f9 100644 --- a/templates/wg/peers.php +++ b/templates/wg/peers.php @@ -4,12 +4,15 @@

-
- aria-describedby="endpoint-description"> - + aria-describedby="endpoint-description"> +
+

+ + client.conf to the WireGuard configuration.") ?> +