diff --git a/actions/wireguard b/actions/wireguard
index 1231bf1c8..9770b207a 100755
--- a/actions/wireguard
+++ b/actions/wireguard
@@ -106,15 +106,20 @@ def _generate_key_pair():
 
 def subcommand_setup(_):
     """Setup WireGuard."""
-    # TODO: make idempotent
+    # Create interface.
+    try:
+        subprocess.run(['ip', 'link', 'show', SERVER_INTERFACE],
+                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
+                       check=True)
+    except subprocess.CalledProcessError:
+        subprocess.run(
+            ['ip', 'link', 'add', 'dev', SERVER_INTERFACE, 'type',
+             'wireguard'], check=True)
 
-    # create interface
-    subprocess.run(
-        ['ip', 'link', 'add', 'dev', SERVER_INTERFACE, 'type', 'wireguard'],
-        check=True)
-
-    _generate_key_pair()
+    if not (PUBLIC_KEY_PATH.exists() and PRIVATE_KEY_PATH.exists()):
+        _generate_key_pair()
 
+    # Configure interface.
     subprocess.run(
         ['wg', 'set', SERVER_INTERFACE, 'listen-port', '51820', 'private-key',
          str(PRIVATE_KEY_PATH)], check=True)