diff --git a/_src/nebuchadnezzar/ca.md b/_src/nebuchadnezzar/ca.md index 27b8df4..d3f2917 100644 --- a/_src/nebuchadnezzar/ca.md +++ b/_src/nebuchadnezzar/ca.md @@ -5,6 +5,10 @@ layout: base.njk # {{title}} +Importing GF4's CA certificate is required to use matrix and recommended for https, imap, etc. + +## What is this? + When you visit `mybank.com` over HTTPS, your connection is encrypted *and* reliable. **Encryption** means the data is scrambled so it can't be "wiretapped". **Reliability** means you can trust that the data was sent from the real `mybank.com`. - `.com` is the **Top Level Domain (TLD)**. The TLD could be `.org` or whatever. @@ -21,10 +25,14 @@ This reliability is part of **Transport Layer Security (TLS)**. This example us GF4 uses the unofficial `.gf4` TLD. Neither your OS nor browser have a CA certificate for this TLD: you have to import it. If possible, import it into both OS and browser. On mobile devices it's only availale at the OS level, at least that's how it is on android. -For all of these instructions, you'll need to download the certificate from [https://www.gf4.pw/ca.crt](https://www.gf4.pw/ca.crt). +When you import a CA certificate, your platform may display very serious warnings about the security implications of importing untrusted CA certs. If you read the previous section, this should make some sense. When you import GF4's certificate, it gives GF4 the power to sign server certs that your browser will trust. So for example, GF4 *could* impersonate `mybank.com` and your browser would show the lock symbol for a reliable connection. GF4 would never do such a thing, but your browser and OS don't know that. + +--- **TODO**: Split these into seperate pages +For all of these instructions, you'll need to download the certificate from [https://www.gf4.pw/ca.crt](https://www.gf4.pw/ca.crt). + ### Linux ### Debian/Ubuntu diff --git a/_src/nebuchadnezzar/wg.md b/_src/nebuchadnezzar/wg.md index 1b2b03f..5f12ecf 100644 
--- a/_src/nebuchadnezzar/wg.md +++ b/_src/nebuchadnezzar/wg.md @@ -5,7 +5,20 @@ layout: base.njk # {{title}} -**TODO**: Explanation of VPNs +To access GF4's private services, you'll need to connect your device to our VPN. You can connect as many devices as you want (using the wireguard dashboard), but if you're reading this page, you are probably connecting your first device. + +## But what is it + +**TODO**: Explanation of VPNs, assuming the reader has been bombarded by ads for NordVPN and thinks they know what a VPN is. + +### Is this safe? + +**TODO**: Explain why this is safe: + + - Modern OSs pack sane default firewalls + - Invite-only means network participants are generally trustworthy + +## Joining the network Follow the directions for your respective platform. Report any issues to [ki9@gf4.pw](mailto:ki9@gf4.pw).
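Review bot: in ca.md, hunk @@ -5,6 +5,10 @@, the new opening line says importing the CA certificate is "required to use matrix" but gives no reason, and it recommends the import before the reader reaches the warning paragraph that the next hunk adds further down the page. Suggest adding a short clause on why matrix needs it and pointing to the warning from this line, so the recommendation and its risk are read together. The new heading "## What is this?" could also name its subject, for example "## What is a CA certificate?".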
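Review bot: in ca.md, hunk @@ -21,10 +25,14 @@, the added warning paragraph rests on "GF4 would never do such a thing", while the download line this hunk moves gives only the URL https://www.gf4.pw/ca.crt and nothing to check the downloaded file against. Suggest publishing the certificate's SHA-256 fingerprint next to the link and asking readers to compare it before importing, and stating that the same signing power passes to anyone who obtains the CA's private key. Since the page says GF4 uses the `.gf4` TLD, it is also worth saying whether the CA certificate carries a name constraint limiting it to `.gf4`; if it does, the `mybank.com` scenario would not apply in clients that enforce the constraint. Minor: "seperate" in the TODO line and "availale" in the context line above it are misspelled.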
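Review bot: in wg.md, hunk @@ -5,7 +5,20 @@, the "### Is this safe?" section ships as a TODO whose two bullets are the entire safety argument, and "Invite-only means network participants are generally trustworthy" is an assumption about people rather than a control. Suggest either leaving the heading out until the section is written, or stating what other participants can reach on a connected device and which traffic goes through the tunnel. The new intro mentions "the wireguard dashboard" without a link, and "## But what is it" lacks the question mark that "### Is this safe?" has.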