diff --git a/services/qbittorrent.nix b/services/qbittorrent.nix
index c231464..3708de1 100644
--- a/services/qbittorrent.nix
+++ b/services/qbittorrent.nix
@@ -62,7 +62,7 @@
     serverConfig.BitTorrent = {
       Session = {
-        GlobalUPSpeedLimit = 1500; # 1.500 MiB/s
+        GlobalUPSpeedLimit = 0; # unlimited upload
         GlobalDLSpeedLimit = 500; # 500 KiB/s
         IgnoreLimitsOnLAN = true;
diff --git a/services/wg.nix b/services/wg.nix
index 83ef5a3..ce95ed9 100644
--- a/services/wg.nix
+++ b/services/wg.nix
@@ -1,4 +1,9 @@
-{ pkgs, service_configs, ... }:
+{
+  pkgs,
+  service_configs,
+  eth_interface,
+  ...
+}:
 {
   # network namespace that is proxied through mullvad
   vpnNamespaces.wg = {
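Review bot: The new comment `# unlimited upload` on the `GlobalUPSpeedLimit = 0;` line drops the reason the application-level cap can be removed, and the previous comment it replaces was itself off (1500 KiB/s is about 1.46 MiB/s, not 1.500). If the cap is being handed off to the interface-level HTB shaper that this same commit adds in services/wg.nix, say so where the value is set, e.g. `# unlimited here; egress is bounded per-interface by the traffic-shaping unit in services/wg.nix`, so the two knobs are not retuned independently later. That coupling is inferred from the two hunks landing together; adjust the wording if the motivation is different. The enclosing `serverConfig.BitTorrent` attribute set starts and ends outside the hunk.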
@@ -8,4 +13,49 @@
       # "192.168.0.0/24"
     ];
   };
+
+  environment.systemPackages = with pkgs; [
+    # used to monitor bandwidth usage
+    nload
+  ];
+
+  networking.firewall.extraCommands = ''
+    # Exempt local traffic from marking
+    iptables -t mangle -A POSTROUTING -s ${service_configs.https.wg_ip}/24 -d 192.168.1.0/24 -j RETURN
+
+    # Mark all other traffic from the VPN namespace
+    iptables -t mangle -A POSTROUTING -s ${service_configs.https.wg_ip}/24 -j MARK --set-mark 1
+  '';
+
+  systemd.services."traffic-shaping" =
+    let
+      upload_pipe = 20;
+      high_prio = 18;
+      low_prio = 2;
+    in
+    {
+      description = "Apply QoS to prioritize non-VPN traffic";
+      after = [
+        "network.target"
+        "vpn-wg.service"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = pkgs.writeShellScript "tc-setup" ''
+          # Add HTB qdisc to physical interface
+          ${pkgs.iproute2}/bin/tc qdisc add dev ${eth_interface} root handle 1: htb default 10
+
+          # Define classes:
+          # - Class 1:10 (high priority, unmarked)
+          # - Class 1:20 (low priority, marked VPN traffic)
+          ${pkgs.iproute2}/bin/tc class add dev ${eth_interface} parent 1: classid 1:1 htb rate ${builtins.toString upload_pipe}mbit ceil ${builtins.toString upload_pipe}mbit
+          ${pkgs.iproute2}/bin/tc class add dev ${eth_interface} parent 1:1 classid 1:10 htb rate ${builtins.toString high_prio}mbit ceil ${builtins.toString upload_pipe}mbit prio 1
+          ${pkgs.iproute2}/bin/tc class add dev ${eth_interface} parent 1:1 classid 1:20 htb rate ${builtins.toString low_prio}mbit ceil ${builtins.toString upload_pipe}mbit prio 2
+
+          # Direct marked packets to low-priority class
+          ${pkgs.iproute2}/bin/tc filter add dev ${eth_interface} parent 1: protocol ip prio 1 handle 1 fw flowid 1:20
+        '';
+      };
+    };
 }
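Review bot: The `tc qdisc add dev ${eth_interface} root handle 1: htb default 10` line in `tc-setup` is not idempotent: the second time the oneshot unit runs (a rebuild that changes the unit, or a manual restart) it fails with "File exists", and because `pkgs.writeShellScript` does not enable `set -e` the following `class`/`filter` commands still run against whatever tree is already installed, so the shaper can end up half-applied without the unit reporting failure. Deleting any existing root qdisc first, failing fast with `set -euo pipefail`, and tearing the tree down in `ExecStop` with `RemainAfterExit = true` makes repeated starts and stops behave predictably. The two `iptables -t mangle -A POSTROUTING …` lines in `networking.firewall.extraCommands` share the problem: as far as I can tell the NixOS firewall only flushes its own `nixos-fw*` chains on reload, so each reload appends another copy of these rules, and each wants a matching `-D` in `networking.firewall.extraStopCommands` or an `iptables -C … || iptables -A …` guard. The mark value is also spelled twice (`--set-mark 1` and `handle 1 fw`) and would be safer as one `let` binding used in both places, and `after = [ "network.target" ]` does not guarantee `${eth_interface}` exists yet, so ordering after the interface's `sys-subsystem-net-devices-….device` unit (name escaped with `systemd-escape` if the interface name needs it) is more reliable.
```nix
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = pkgs.writeShellScript "tc-setup" ''
          set -euo pipefail
          tc=${pkgs.iproute2}/bin/tc
          # Start from a clean slate so re-running the unit does not fail with "File exists"
          $tc qdisc del dev ${eth_interface} root 2>/dev/null || true
          $tc qdisc add dev ${eth_interface} root handle 1: htb default 10
          # … unchanged: class 1:1 / 1:10 / 1:20 and fw filter definitions …
        '';
        ExecStop = pkgs.writeShellScript "tc-teardown" ''
          ${pkgs.iproute2}/bin/tc qdisc del dev ${eth_interface} root 2>/dev/null || true
        '';
      };
```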