diff --git a/pkg/zones/errors.go b/pkg/zones/errors.go
index 58781cf..6fd068f 100644
--- a/pkg/zones/errors.go
+++ b/pkg/zones/errors.go
@@ -5,4 +5,12 @@ import "errors"
 var (
 	// ErrInvalidName indicates the name isn't valid
 	ErrInvalidName = errors.New("invalid name")
+
+	// ErrUnknownNode indicates there is a reference to a node
+	// we don't have on the tree
+	ErrUnknownNode = errors.New("node does not exist")
+
+	// ErrInvalidNode indicates the nodes can't be used for
+	// the intended purpose
+	ErrInvalidNode = errors.New("invalid node")
 )
diff --git a/pkg/zones/machine_rings.go b/pkg/zones/machine_rings.go
index 9e774e4..a0bb9b8 100644
--- a/pkg/zones/machine_rings.go
+++ b/pkg/zones/machine_rings.go
@@ -183,8 +183,10 @@ func (m *Machine) applyWireguardPeerConfig(ring int, pc wireguard.PeerConfig) er
 	switch {
 	case !found:
 		// unknown
+		return core.Wrap(ErrUnknownNode, pc.Endpoint.Host)
 	case ring == 1 && m.zone != peer.zone:
 		// invalid zone
+		return core.Wrap(ErrInvalidNode, peer.Name)
 	default:
 		// apply RingInfo
 		ri := &RingInfo{
@@ -197,8 +199,6 @@ func (m *Machine) applyWireguardPeerConfig(ring int, pc wireguard.PeerConfig) er
 
 		return peer.applyRingInfo(ring, ri)
 	}
-
-	return fmt.Errorf("%q: invalid peer endpoint", pc.Endpoint.Host)
 }
 
 func (m *Machine) applyZoneNodeID(zoneID, nodeID int) error {