diff --git a/actions/release-migrations/v11-01-yaml-hosts.sh b/actions/release-migrations/v11-01-yaml-hosts.sh
old mode 100644
new mode 100755
index 08946338b6b73a099411f126e1154da8478f582c..d25ce91113459b62f83a154dc6183375532940f4
--- a/actions/release-migrations/v11-01-yaml-hosts.sh
+++ b/actions/release-migrations/v11-01-yaml-hosts.sh
@@ -6,5 +6,10 @@ actions_dir="$(dirname "$0")/.."
 # shellcheck source=actions/lib.sh
 . "$actions_dir/lib.sh"
 
-notef "Removing obsolete state files..."
-run git rm -rf "$terraform_state_dir/rendered"
+if [ "${tf_usage:-true}" == 'true' ]; then
+    notef "Removing obsolete state files..."
+    run git rm -rf "$terraform_state_dir/rendered"
+
+    notef "Running Terraform stage to create output files"
+    run "$actions_dir/apply-terraform.sh"
+fi
diff --git a/docs/user/reference/options/yk8s.ch-k8s-lbaas.rst b/docs/user/reference/options/yk8s.ch-k8s-lbaas.rst
index 1e7b03759357c5f998713a6366729228687a114a..5a9096c862e21f3706a250f6d1bb9428c7d56948 100644
--- a/docs/user/reference/options/yk8s.ch-k8s-lbaas.rst
+++ b/docs/user/reference/options/yk8s.ch-k8s-lbaas.rst
@@ -260,6 +260,11 @@ If source-nat'ing is disabled, the frontend nodes will be configured to act as g
 for the Kubernetes nodes. They will propagate routes via BGP overwriting the default routes of Kubernetes nodes such that **all** traffic is routed via the VIP by default.
 
+.. important:: Administrative Traffic
+
+   Traffic sent via Wireguard is still SNAT'ed as otherwise
+   freshly provisioned nodes can't be administered.
+
 .. warning:: Implications when running on OpenStack
 
   Disabling source-nat'ing has some implications:
diff --git a/k8s-supplements/ansible/install-ch-k8s-lbaas.yaml b/k8s-supplements/ansible/install-ch-k8s-lbaas.yaml
index b594e2d468629938ba96b33cce0386eea91e1452..f6a488421eb64095c6ab22360d22a9d61395d364 100644
--- a/k8s-supplements/ansible/install-ch-k8s-lbaas.yaml
+++ b/k8s-supplements/ansible/install-ch-k8s-lbaas.yaml
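Review bot: The new `tf_usage` branch runs `"$actions_dir/apply-terraform.sh"` as a side effect of a state-file migration, while the `notef` message presents it as merely creating output files; if that script performs a full `terraform apply`, a release migration may change infrastructure, which operators would not expect from this step. If only the rendered outputs are needed, an output-only/refresh mode of that stage would be safer, or at least word the note as an apply. Where `tf_usage` is set is not visible in the hunk (presumably lib.sh), so a line such as `# tf_usage is expected from lib.sh; unset means Terraform is in use` above the `if` would help. `==` inside `[ ]` is a bashism — fine if the shebang is bash, otherwise use `=`.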
@@ -1,12 +1,12 @@
 ---
-- name: Connect to Kubernetes nodes
+- name: Connect to Frontend nodes
   import_playbook: "{{ ansible_k8s_core_dir }}/connect-to-nodes.yaml"
   vars:
-    target_hosts: masters:frontend
+    target_hosts: frontend
 
 - name: Fail if node got not bootstrapped once, yet
   any_errors_fatal: true
-  hosts: masters:frontend
+  hosts: frontend
   tasks:
   - name: Fail if node got not bootstrapped once, yet
     when: not ansible_local['bootstrap']['bootstrapped'] | default(False) | bool
diff --git a/k8s-supplements/ansible/roles/bird/templates/bird-calico.conf.j2 b/k8s-supplements/ansible/roles/bird/templates/bird-calico.conf.j2
index 76083cf89580d23d95360e6d1ce3ef62ea1ef701..9953cb2502d55318c241dafa83b2b62bb5d450bb 100644
--- a/k8s-supplements/ansible/roles/bird/templates/bird-calico.conf.j2
+++ b/k8s-supplements/ansible/roles/bird/templates/bird-calico.conf.j2
@@ -16,6 +16,26 @@ function filter_organization() {
   return false;
 }
 
+
+{% if ch_k8s_lbaas_enabled and not ch_k8s_lbaas_enable_snat %}
+protocol static {
+  table master;
+  # Add routes to basically route everything via the VIP
+  route 0.0.0.0/1 via {{ networking_fixed_ip }};
+  route 128.0.0.0/1 via {{ networking_fixed_ip }};
+}
+
+# A function used to export the above routes to peers
+function filter_default_overwrite() {
+  if (net = 0.0.0.0/1) || (net = 128.0.0.0/1) then {
+    bgp_local_pref = 200; # Set local preference to override default route on peers
+    bgp_next_hop = {{ networking_fixed_ip }};
+    return true;
+  }
+  return false;
+}
+{% endif %}
+
 filter k8s_worker {
 {% if ch_k8s_lbaas_enabled and not ch_k8s_lbaas_enable_snat %}
   if filter_default_overwrite() then accept;
diff --git a/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/tasks/main.yaml b/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/tasks/main.yaml
index 7f49a5e6bf95eb5217ecfaa7727f19799e50a830..83b3c72c8155f8a437abc91f935bc91f947dd5f3 100644
--- a/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/tasks/main.yaml
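Review bot: Dropping `masters` from `target_hosts` and from `hosts` means master nodes are no longer connected to nor bootstrap-checked by this playbook, and the plays that actually install ch-k8s-lbaas are outside the hunk; if any of them still targets `masters`, it will now run against hosts this playbook never prepared. Worth confirming nothing below still addresses masters — the reason for the narrowing is presumably that the BGP default-route override now lives in the bird role (same change), but the hunk does not say so. A one-line comment above the first play, e.g. `# Only frontend nodes run the LBaaS agent; the bird default-route override lives in the bird role`, would record that for the next reader.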
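Review bot: During an upgrade this template and the legacy `/etc/bird.d/01-no-snat.conf` both define `protocol static` and `filter_default_overwrite()` until the migration task in k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/tasks/main.yaml removes the old file; if both end up in the same bird configuration and the bird role's restart handler fires before that removal, bird will most likely reject the config for the duplicate definitions. Ordering the legacy removal before the bird role runs, or moving the removal into the bird role itself, would close that window. Independent of that, a comment above the `{% if %}` would help a reader, e.g. `# no-SNAT mode: advertise a default route via the VIP so node traffic leaves through the frontend`. The template continues outside the hunk.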
+++ b/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/tasks/main.yaml
@@ -86,22 +86,12 @@
       notify:
       - restart ch-k8s-lbaas-agent
 
-    - name: Setup no-SNAT configuration
-      template:
-        src: bird.no-snat.conf.j2
-        dest: /etc/bird.d/01-no-snat.conf
-        owner: root
-        group: bird
-        mode: "u=rw,g=r,o-rwx"
-      notify: restart bird
-      when: openstack_enabled and ipv4_enabled and not ch_k8s_lbaas_enable_snat
-
-    - name: Remove no-SNAT configuration
+    # Migration task, remove me with TAROOK v12
+    - name: Remove legacy no-SNAT configuration
       file:
         state: absent
         path: "/etc/bird.d/01-no-snat.conf"
       notify: restart bird
-      when: openstack_enabled and ipv4_enabled and ch_k8s_lbaas_enable_snat
 
     - name: Start service
       systemd:
diff --git a/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/templates/bird.no-snat.conf.j2 b/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/templates/bird.no-snat.conf.j2
deleted file mode 100644
index 70747673425a08a981b3cf05bf97e8b1d953a7db..0000000000000000000000000000000000000000
--- a/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/templates/bird.no-snat.conf.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-protocol static {
-  table master;
-  # Add routes to basically route everything via the VIP
-  route 0.0.0.0/1 via {{ networking_fixed_ip }};
-  route 128.0.0.0/1 via {{ networking_fixed_ip }};
-}
-
-# A function used to export the above routes to peers
-function filter_default_overwrite() {
-  if (net = 0.0.0.0/1) || (net = 128.0.0.0/1) then {
-    bgp_local_pref = 200; # Set local preference to override default route on peers
-    bgp_next_hop = {{ networking_fixed_ip }};
-    return true;
-  }
-  return false;
-}
diff --git a/k8s-supplements/ansible/roles/nftables/templates/nftables.conf.j2 b/k8s-supplements/ansible/roles/nftables/templates/nftables.conf.j2
index dbad0abaa1e1aacc3e732ef031d12bd5777ff7df..333263ef0c5aaf25c488dbdb24f0fe4fa19c4c68 100644
--- a/k8s-supplements/ansible/roles/nftables/templates/nftables.conf.j2
+++ b/k8s-supplements/ansible/roles/nftables/templates/nftables.conf.j2
@@ -166,9 +166,23 @@ include "/etc/nft.d/*.conf"
 include "/var/lib/ch-k8s-lbaas-agent/nftables/*.conf"
 
 table ip nat {
+{% if ch_k8s_lbaas_enabled and not ch_k8s_lbaas_enable_snat %}
+  set wg_iifnames {
+    type ifname;
+    elements = {
+      {% for ep in wg_endpoints %}
+      {% if ep.enabled %}
+      wg{{ ep.id }},
+      {% endif %}
+      {% endfor %}
+    }
+  }
+{% endif %}
+
   chain postrouting {
 {% if ch_k8s_lbaas_enabled and not ch_k8s_lbaas_enable_snat %}
     ip saddr {{ priv_ip_cidr }} masquerade comment "Only SNAT internal traffic";
+    iifname @wg_iifnames oifname $wan ip daddr {{ priv_ip_cidr }} masquerade comment "SNAT incoming Wireguard traffic"
 {% else %}
     fib saddr type != local masquerade comment "SNAT all traffic";
 {% endif %}
diff --git a/nix/yk8s/infra.nix b/nix/yk8s/infra.nix
index eb60117bbe91eaea2c860278dc4255915201e65c..54757fe08cf86e2dfe672ebc310888bbf6854ba5 100644
--- a/nix/yk8s/infra.nix
+++ b/nix/yk8s/infra.nix
@@ -158,9 +158,14 @@ in {
       '';
       default = null;
       apply = v:
-        if v == null && config.yk8s.terraform.enabled
-        then builtins.trace "INFO: infra.ansible_hosts is not yet set. Terraform stage needs to be run first." v
-        else applyGroupSubmoduleAttrs v;
+        if config.yk8s.terraform.enabled
+        then
+          (
+            if v == null
+            then builtins.trace "INFO: infra.ansible_hosts is not yet set. Terraform stage needs to be run first." v
+            else applyGroupSubmoduleAttrs v
+          )
+        else v;
       type = types.nullOr (types.submodule {
         freeformType = types.attrsOf groupSubmodule;
         options = {
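Review bot: The `wg_iifnames` set renders as `elements = { }` when no entry of `wg_endpoints` has `enabled` set, and as far as I recall nft rejects an empty element list as a syntax error, which would make the whole ruleset fail to load on exactly the frontend that has no WireGuard endpoint; either guard the `set` and the rule that references it with a check that at least one endpoint is enabled, or declare it as `set wg_iifnames { type ifname; }` and only add `elements` when the loop yields something. The new masquerade rule also lacks the trailing `;` that the neighbouring rules carry — accepted by nft, but inconsistent. Because administrative WireGuard traffic towards `{{ priv_ip_cidr }}` is now masqueraded, node-side logs (sshd, audit) will record the frontend's address rather than the admin's WireGuard peer address, which is worth stating next to the "still SNAT'ed" note in the documentation. `$wan` and `wg_endpoints` are defined outside the hunk.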
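Review bot: With Terraform disabled the new `apply` returns `v` untouched, so a user-supplied `ansible_hosts` no longer passes through `applyGroupSubmoduleAttrs`, whereas before this change it did; if that normalisation matters for hand-written inventories this is a regression, and if it is intentional a comment should say so, e.g. `# applyGroupSubmoduleAttrs is only meaningful for Terraform-rendered hosts` (assuming that is the case). The old code also evaluated `applyGroupSubmoduleAttrs null` when Terraform was disabled and nothing was set, which the new shape avoids. The option definition continues outside the hunk.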
@@ -306,8 +311,8 @@ in {
           message = "config.yk8s.infra.hosts_file must not be set if config.yk8s.infra.ansible_hosts is used (which implicitly happens through Terraform).";
         }
         {
-          assertion = ! config.yk8s.terraform.enabled -> (cfg.ansible_hosts == null && cfg.hosts_file == null);
-          message = "One of config.yk8s.infra.hosts_file and config.yk8s.infra.ansible_hosts must be set";
+          assertion = ! config.yk8s.terraform.enabled -> ((cfg.ansible_hosts == null && cfg.hosts_file != null) || (cfg.ansible_hosts != null && cfg.hosts_file == null));
+          message = "Either config.yk8s.infra.hosts_file or config.yk8s.infra.ansible_hosts must be set";
         }
         {
           assertion =
diff --git a/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix b/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix
index 28e9dce9e0d641d0abde679d1e41d06895dc9c62..ebbcf87e16e21a0643e2dcef464a9a160046facd 100644
--- a/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix
+++ b/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix
@@ -145,6 +145,11 @@ in {
       for the Kubernetes nodes. They will propagate routes via BGP overwriting the default routes of Kubernetes nodes such that **all** traffic is routed via the VIP by default.
 
+      .. important:: Administrative Traffic
+
+         Traffic sent via Wireguard is still SNAT'ed as otherwise
+         freshly provisioned nodes can't be administered.
+
       .. warning:: Implications when running on OpenStack
 
         Disabling source-nat'ing has some implications:
diff --git a/version b/version
index 071973805f533cf9fde064908d0c37d4bcce20c0..a1ea332d2835ac2a6b96f97dfedc59309f1459a0 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-11.0.1
+11.0.2
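Review bot: The new assertion spells the exclusive-or out by hand; `assertion = ! config.yk8s.terraform.enabled -> ((cfg.ansible_hosts == null) != (cfg.hosts_file == null));` states the same condition in one expression and reads closer to the message. The preceding assertion (its message is visible above) appears to reject the both-set case already, so the explicit `!= null` arms only add the both-unset case, which the shorter form covers too. The assertions list continues outside the hunk.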