diff --git a/doc/release-notes/rl-2511.section.md b/doc/release-notes/rl-2511.section.md
index fe665e3a7026..9efc0c54c3a9 100644
--- a/doc/release-notes/rl-2511.section.md
+++ b/doc/release-notes/rl-2511.section.md
@@ -172,6 +172,8 @@
 - `vmware-horizon-client` was renamed to `omnissa-horizon-client`, following [VMware's sale of their end-user business to Omnissa](https://www.omnissa.com/insights/introducing-omnissa-the-former-vmware-end-user-computing-business/). The binary has been renamed from `vmware-view` to `horizon-client`.
+- `yggdrasil-jumper` has been updated to v0.4, changing traversal protocol. See [release notes](https://github.com/one-d-wide/yggdrasil-jumper/releases/tag/v0.4.0).
+
 - `neovimUtils.makeNeovimConfig` now uses `customLuaRC` parameter instead of accepting `luaRcContent`. The old usage is deprecated but still works with a warning.
 - `python3Packages.pyocr` no longer supports `cuneiform` on Linux by default. It is still possible to enable it using `withCuneiformSupport` override.
diff --git a/nixos/modules/services/networking/yggdrasil-jumper.nix b/nixos/modules/services/networking/yggdrasil-jumper.nix
index 195d1329ae4b..96d38864875b 100644
--- a/nixos/modules/services/networking/yggdrasil-jumper.nix
+++ b/nixos/modules/services/networking/yggdrasil-jumper.nix
@@ -10,11 +10,14 @@ let
     escapeShellArgs
     filter
     hasPrefix
+    makeBinPath
     mapAttrsToList
     mkEnableOption
     mkIf
     mkOption
     mkPackageOption
+    optional
+    optionals
     ;
   format = pkgs.formats.toml { };
 in
@@ -55,14 +58,23 @@ in
       '';
     };
+    detectWireguard = mkOption {
+      type = bool;
+      default = true;
+      description = ''
+        Control whether `settings.wireguard = true` should automatically
+        provide CAP_NET_ADMIN capability and make the necessary packages
+        available to Yggdrasil Jumper service.
+      '';
+    };
+
     settings = mkOption {
       type = format.type;
       default = { };
       example = {
         listen_port = 9999;
-        whitelist = [
-          ""
-        ];
+        whitelist = [ "" ];
+        wireguard = true;
       };
       description = ''
         Configuration for Yggdrasil Jumper as a Nix attribute set.
@@ -114,10 +126,22 @@ in
   let
     cfg = config.services.yggdrasil-jumper;
+    wg = cfg.detectWireguard && (cfg.settings ? wireguard) && cfg.settings.wireguard;
+    wgExtraPkgs = optionals wg (
+      with pkgs;
+      [
+        iproute2
+        iptables
+        wireguard-tools
+        conntrack-tools
+      ]
+    );
+
     # Generate, concatenate and validate config file
     jumperSettings = format.generate "yggdrasil-jumper-settings" cfg.settings;
     jumperExtraConfig = pkgs.writeText "yggdrasil-jumper-extra-config" cfg.extraConfig;
     jumperConfig = pkgs.runCommand "yggdrasil-jumper-config" { } ''
+      export PATH="${makeBinPath wgExtraPkgs}:$PATH"
       cat ${jumperSettings} ${jumperExtraConfig} \
         | tee $out \
         | ${cfg.package}/bin/yggdrasil-jumper --validate --config -
@@ -158,6 +182,7 @@ in
       unitConfig.BindsTo = [ "yggdrasil.service" ];
       wantedBy = [ "multi-user.target" ];
+      path = wgExtraPkgs;
       serviceConfig = {
         User = "yggdrasil";
         DynamicUser = true;
@@ -179,9 +204,16 @@ in
         MemoryDenyWriteExecute = true;
         ProtectControlGroups = true;
         ProtectHome = "tmpfs";
-        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+        RestrictAddressFamilies = [
+          "AF_UNIX"
+          "AF_INET"
+          "AF_INET6"
+        ]
+        ++ optional wg "AF_NETLINK";
         RestrictNamespaces = true;
         RestrictRealtime = true;
+        AmbientCapabilities = optional wg "CAP_NET_ADMIN";
+        CapabilityBoundingSet = optional wg "CAP_NET_ADMIN";
         SystemCallArchitectures = "native";
         SystemCallFilter = [
           "@system-service"
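Review bot: The `detectWireguard` description names CAP_NET_ADMIN and the extra packages but not the third thing the flag unlocks, `AF_NETLINK` in `RestrictAddressFamilies` further down this file, which is the sandbox change an operator weighing the default of `true` most needs to see. Suggest adding a sentence such as `It also allows AF_NETLINK sockets, which the ip/wg tooling needs to talk to the kernel.` to the description. `type = bool;` relies on `bool` being in scope from `lib.types`; the inherit list above is only partly visible here, so that is worth confirming rather than assuming.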
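Review bot: When `wg` is false, `makeBinPath wgExtraPkgs` is the empty string and the added `export PATH="${makeBinPath wgExtraPkgs}:$PATH"` sets `PATH=":$PATH"`; a zero-length PATH element means the current directory, so the validation script would look for `cat` and `tee` in the build directory before the real PATH. That is harmless inside the Nix sandbox but it is an unintended search path, and it disappears if the line is only emitted when needed: `${lib.optionalString wg ''export PATH="${makeBinPath wgExtraPkgs}:$PATH"''}` (or add `optionalString` to the inherit list). Separately, `wg = cfg.detectWireguard && (cfg.settings ? wireguard) && cfg.settings.wireguard` assumes the TOML value is a boolean, so a user who writes `wireguard = "true"` gets a Nix type error from `&&` instead of a message from `--validate`; `(cfg.settings.wireguard or false) == true` fails more gracefully. The enclosing `let` block continues past the hunk.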
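Review bot: `CapabilityBoundingSet = optional wg "CAP_NET_ADMIN";` is an empty list when `wg` is false, and as far as I can tell NixOS's unit serialisation emits no directive for an empty list, so in the default non-WireGuard case the bounding set is left at systemd's default rather than emptied, although the line reads as if it restricts it (assuming no `CapabilityBoundingSet` exists in the part of the block above this hunk, which a duplicate attribute would have rejected). With `DynamicUser = true`, which implies `NoNewPrivileges`, the service cannot acquire capabilities anyway, so this is defence in depth; `CapabilityBoundingSet = if wg then [ "CAP_NET_ADMIN" ] else [ "" ];` should render as `CapabilityBoundingSet=` and drop every capability when the feature is off. A one-line comment above the two capability lines, e.g. `# CAP_NET_ADMIN and AF_NETLINK are granted only when settings.wireguard is set (see detectWireguard)`, would make the coupling visible without reading the option description.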
diff --git a/pkgs/by-name/yg/yggdrasil-jumper/package.nix b/pkgs/by-name/yg/yggdrasil-jumper/package.nix
index b4a86fabeb91..7c0620a1032f 100644
--- a/pkgs/by-name/yg/yggdrasil-jumper/package.nix
+++ b/pkgs/by-name/yg/yggdrasil-jumper/package.nix
@@ -7,16 +7,16 @@
 rustPlatform.buildRustPackage rec {
   pname = "yggdrasil-jumper";
-  version = "0.3.1";
+  version = "0.4.1";
   src = fetchFromGitHub {
     owner = "one-d-wide";
     repo = "yggdrasil-jumper";
     rev = "refs/tags/v${version}";
-    hash = "sha256-Op3KBJ911AjB7BIJuV4xR8KHMxBtQj7hf++tC1g7SlM=";
+    hash = "sha256-e/QTLWqRlEFMl3keQMeJaxfVJh28W/WbuUsmEAaLAf4=";
   };
-  cargoHash = "sha256-EbG83rGlUbiJC1qm9H1+YrCFSq23kSDeW7KMHP8Wee8=";
+  cargoHash = "sha256-aWDeRcOV/5x0BB0aunp52en9hIuPrYr+pNgLCjiscaE=";
   passthru.updateScript = nix-update-script { };