diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 368d89e2e32..62ff708d244 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -27,18 +27,6 @@ let
         description = "Base64 private key generated by wg genkey.";
       };
 
-      presharedKey = mkOption {
-        default = null;
-        example = "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I=";
-        type = with types; nullOr str;
-        description = ''
-          base64 preshared key generated by wg genpsk. Optional,
-          and may be omitted. This option adds an additional layer of
-          symmetric-key cryptography to be mixed into the already existing
-          public-key  cryptography, for post-quantum resistance.
-        '';
-      };
-
       listenPort = mkOption {
         default = null;
         type = with types; nullOr int;
@@ -98,6 +86,18 @@ let
         description = "The base64 public key the peer.";
       };
 
+      presharedKey = mkOption {
+        default = null;
+        example = "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I=";
+        type = with types; nullOr str;
+        description = ''
+          base64 preshared key generated by wg genpsk. Optional,
+          and may be omitted. This option adds an additional layer of
+          symmetric-key cryptography to be mixed into the already existing
+          public-key cryptography, for post-quantum resistance.
+        '';
+      };
+
       allowedIPs = mkOption {
         example = [ "10.192.122.3/32" "10.192.124.1/24" ];
         type = with types; listOf str;
@@ -137,12 +137,12 @@ let
   generateConf = name: values: pkgs.writeText "wireguard-${name}.conf" ''
     [Interface]
     PrivateKey = ${values.privateKey}
-    ${optionalString (values.presharedKey != null) "PresharedKey = ${values.presharedKey}"}
     ${optionalString (values.listenPort != null)   "ListenPort = ${toString values.listenPort}"}
 
     ${concatStringsSep "\n\n" (map (peer: ''
     [Peer]
     PublicKey = ${peer.publicKey}
+    ${optionalString (peer.presharedKey != null) "PresharedKey = ${peer.presharedKey}"}
     ${optionalString (peer.allowedIPs != []) "AllowedIPs = ${concatStringsSep ", " peer.allowedIPs}"}
     ${optionalString (peer.endpoint != null) "Endpoint = ${peer.endpoint}"}
     ${optionalString (peer.persistentKeepalive != null) "PersistentKeepalive = ${toString peer.persistentKeepalive}"}
diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix
index fbff511db7c..10c84948a49 100644
--- a/pkgs/os-specific/linux/wireguard/default.nix
+++ b/pkgs/os-specific/linux/wireguard/default.nix
@@ -6,11 +6,11 @@ assert kernel != null -> stdenv.lib.versionAtLeast kernel.version "3.10";
 let
   name = "wireguard-${version}";
 
-  version = "0.0.20170421";
+  version = "0.0.20170517";
 
   src = fetchurl {
     url    = "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${version}.tar.xz";
-    sha256 = "03c82af774224cd171d000ee4a519b5e474cc6842ac04967773cf77b26750000";
+    sha256 = "7303e973654a3585039f4789e89a562f807f0d6010c7787b9b69ca72aa7a6908";
   };
 
   meta = with stdenv.lib; {