diff --git a/pkg/cluster/machine_rings.go b/pkg/cluster/machine_rings.go
index f6135d6..a2f608b 100644
--- a/pkg/cluster/machine_rings.go
+++ b/pkg/cluster/machine_rings.go
@@ -118,21 +118,31 @@ func (m *Machine) tryApplyWireguardConfig(ring int) error {
 	}
 }
 
-func (m *Machine) applyWireguardConfig(ring int, wg *wireguard.Config) error {
+func (m *Machine) applyWireguardConfigNode(ring int, wg *wireguard.Config) error {
 	addr := wg.GetAddress()
-	zoneID, nodeID, ok := Rings[ring].Decode(addr)
-	if !ok {
-		return fmt.Errorf("%s: invalid address", addr)
-	}
+	if !core.IsZero(addr) {
+		zoneID, nodeID, ok := Rings[ring].Decode(addr)
+		if !ok {
+			return fmt.Errorf("%s: invalid address", addr)
+		}
 
-	if err := m.applyZoneNodeID(zoneID, nodeID); err != nil {
-		return core.Wrap(err, "%s: invalid address", addr)
+		if err := m.applyZoneNodeID(zoneID, nodeID); err != nil {
+			return core.Wrap(err, "%s: invalid address", addr)
+		}
 	}
 
 	if err := m.applyWireguardInterfaceConfig(ring, wg.Interface); err != nil {
 		return core.Wrap(err, "interface")
 	}
 
+	return nil
+}
+
+func (m *Machine) applyWireguardConfig(ring int, wg *wireguard.Config) error {
+	if err := m.applyWireguardConfigNode(ring, wg); err != nil {
+		return err
+	}
+
 	for _, peer := range wg.Peer {
 		err := m.applyWireguardPeerConfig(ring, peer)
 		switch {
diff --git a/pkg/wireguard/config.go b/pkg/wireguard/config.go
index ccdb531..9309bd5 100644
--- a/pkg/wireguard/config.go
+++ b/pkg/wireguard/config.go
@@ -175,10 +175,12 @@ func (p interfaceConfig) Export() (InterfaceConfig, error) {
 		ListenPort: p.ListenPort,
 	}
 
-	out.PrivateKey, err = PrivateKeyFromBase64(p.PrivateKey)
-	if err != nil {
-		err = core.Wrap(err, "PrivateKey")
-		return InterfaceConfig{}, err
+	if p.PrivateKey != "" {
+		out.PrivateKey, err = PrivateKeyFromBase64(p.PrivateKey)
+		if err != nil {
+			err = core.Wrap(err, "PrivateKey")
+			return InterfaceConfig{}, err
+		}
 	}
 
 	return out, nil