diff --git a/ansible/roles/kedge_tunnel/defaults/main.yml b/ansible/roles/kedge_tunnel/defaults/main.yml
new file mode 100644
index 0000000..58f46a5
--- /dev/null
+++ b/ansible/roles/kedge_tunnel/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+kedge_tunnel_site_id: ""
+kedge_tunnel_entity_id: ""
+kedge_tunnel_vni: ""
+kedge_tunnel_wireguard_interface: wg-substrate
+kedge_tunnel_namespace: kedge-system
diff --git a/ansible/roles/kedge_tunnel/tasks/main.yml b/ansible/roles/kedge_tunnel/tasks/main.yml
new file mode 100644
index 0000000..049c8ec
--- /dev/null
+++ b/ansible/roles/kedge_tunnel/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+# Map WireGuard tunnel to Kedge governed overlay.
+# Creates a KedgeTunnel CR that binds the WireGuard interface to a VNI.
+
+- name: Ensure kubectl is available
+ ansible.builtin.command: kubectl version --client
+ changed_when: false
+
+- name: Deploy KedgeTunnel manifest
+ ansible.builtin.template:
+ src: kedge-tunnel.yml.j2
+ dest: "/tmp/kedge-tunnel-{{ kedge_tunnel_site_id }}.yml"
+ mode: "0644"
+
+- name: Apply KedgeTunnel CR
+ ansible.builtin.command: >
+ kubectl apply -f /tmp/kedge-tunnel-{{ kedge_tunnel_site_id }}.yml
+ changed_when: true
+
+- name: Clean up temporary manifest
+ ansible.builtin.file:
+ path: "/tmp/kedge-tunnel-{{ kedge_tunnel_site_id }}.yml"
+ state: absent
diff --git a/ansible/roles/kedge_tunnel/templates/kedge-tunnel.yml.j2 b/ansible/roles/kedge_tunnel/templates/kedge-tunnel.yml.j2
new file mode 100644
index 0000000..c346963
--- /dev/null
+++ b/ansible/roles/kedge_tunnel/templates/kedge-tunnel.yml.j2
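Review bot: `kedge_tunnel_site_id`, `kedge_tunnel_entity_id` and `kedge_tunnel_vni` default to the empty string in defaults/main.yml and nothing visible in this commit rejects that, so a run that forgets to set them renders `name: "tunnel-"`, an empty `vni:` and the path `/tmp/kedge-tunnel-.yml`. The same unvalidated `kedge_tunnel_site_id` is interpolated into a file path and a `kubectl` argument line in tasks/main.yml and into quoted scalars in the template, so whitespace, a `/` or a quote in it would change what is written or applied. I would mark the three as required with a comment above them, e.g. `# required, no usable default: set per site in inventory`, and open tasks/main.yml with an `ansible.builtin.assert`. Assuming site ids are meant to be DNS-label shaped (they end up in `metadata.name`), its `that:` list could hold `kedge_tunnel_site_id is match('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')` and `kedge_tunnel_vni | string is match('^[0-9]+$')`; the accepted VNI range depends on the CRD, which is not shown.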
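Review bot: The rendered manifest in tasks/main.yml is staged at a predictable, world-readable path in a shared directory (`/tmp/kedge-tunnel-{{ kedge_tunnel_site_id }}.yml`, `mode: "0644"`) and read back by a separate task, and the cleanup task is skipped whenever `kubectl apply` fails, so the file is left behind. On a host with other local accounts, that window between write and apply is where the applied content could stop matching what the template produced; the diff does not show whether these hosts are single-tenant. The file can be avoided by feeding the template on stdin: `ansible.builtin.command: kubectl apply -f -` with `stdin: "{{ lookup('ansible.builtin.template', 'kedge-tunnel.yml.j2') }}"`, which makes the template and cleanup tasks unnecessary. If a file is kept, I would create it with `ansible.builtin.tempfile`, set `mode: "0600"`, and put apply and cleanup in a `block:` / `always:` pair.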
@@ -0,0 +1,15 @@
+apiVersion: kedge.guildhouse.dev/v1alpha1
+kind: KedgeTunnel
+metadata:
+ name: "tunnel-{{ kedge_tunnel_site_id }}"
+ namespace: "{{ kedge_tunnel_namespace }}"
+ labels:
+ guildhouse.dev/entity: "{{ kedge_tunnel_entity_id }}"
+ guildhouse.dev/site: "{{ kedge_tunnel_site_id }}"
+spec:
+ wireguardInterface: "{{ kedge_tunnel_wireguard_interface }}"
+ vni: {{ kedge_tunnel_vni }}
+ mode: overlay
+ governance:
+ entityId: "{{ kedge_tunnel_entity_id }}"
+ siteId: "{{ kedge_tunnel_site_id }}"
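Review bot: `vni: {{ kedge_tunnel_vni }}` is emitted unquoted and uncoerced, so with the role default of `""` it renders as a null `vni:`, and any non-numeric value becomes whatever YAML type or structure the text happens to parse as. I would write `vni: {{ kedge_tunnel_vni | int }}` so the field is always an integer; `| int` yields 0 for an empty or non-numeric value, so a check that the variable is set is still needed before templating. The string fields sit inside hand-written double quotes, which a value containing `"` or a backslash would break. Writing `name: {{ ('tunnel-' ~ kedge_tunnel_site_id) | to_json }}`, with the same `| to_json` in place of the manual quotes on `namespace`, the two labels, `wireguardInterface`, `entityId` and `siteId`, leaves quoting and escaping to the filter.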