diff --git a/internal/configuration/sources/env/wireguard.go b/internal/configuration/sources/env/wireguard.go
index 9818574b1..a8ae7c97d 100644
--- a/internal/configuration/sources/env/wireguard.go
+++ b/internal/configuration/sources/env/wireguard.go
@@ -2,6 +2,7 @@ package env
 import (
 "fmt"
+ "net"
 "os"
 "strings"
@@ -16,9 +17,30 @@ func (s *Source) readWireguard() (wireguard settings.Wireguard, err error) {
 wireguard.PreSharedKey = envToStringPtr("WIREGUARD_PRESHARED_KEY")
 _, wireguard.Interface = s.getEnvWithRetro("VPN_INTERFACE", "WIREGUARD_INTERFACE")
 wireguard.Implementation = os.Getenv("WIREGUARD_IMPLEMENTATION")
- wireguard.Addresses, err = readWireguardAddresses(s.getEnvWithRetro("WIREGUARD_ADDRESSES", "WIREGUARD_ADDRESS"))
+ wireguard.Addresses, err = s.readWireguardAddresses()
 if err != nil {
 return wireguard, err // already wrapped
 }
 return wireguard, nil
 }
+
+func (s *Source) readWireguardAddresses() (addresses []net.IPNet, err error) {
+ key, addressesCSV := s.getEnvWithRetro("WIREGUARD_ADDRESSES", "WIREGUARD_ADDRESS")
+ if addressesCSV == "" {
+ return nil, nil
+ }
+
+ addressStrings := strings.Split(addressesCSV, ",")
+ addresses = make([]net.IPNet, len(addressStrings))
+ for i, addressString := range addressStrings {
+ addressString = strings.TrimSpace(addressString)
+ ip, ipNet, err := net.ParseCIDR(addressString)
+ if err != nil {
+ return nil, fmt.Errorf("environment variable %s: %w", key, err)
+ }
+ ipNet.IP = ip
+ addresses[i] = *ipNet
+ }
+
+ return addresses, nil
+}
diff --git a/internal/configuration/sources/secrets/helpers.go b/internal/configuration/sources/secrets/helpers.go
index d2a623398..e8af3a3ee 100644
--- a/internal/configuration/sources/secrets/helpers.go
+++ b/internal/configuration/sources/secrets/helpers.go
@@ -2,8 +2,8 @@ package secrets
 import (
 "fmt"
- "os"
 "net"
+ "os"
 "strings"
 "github.com/qdm12/gluetun/internal/configuration/sources/files"
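Review bot: The new `(*Source).readWireguardAddresses` in env/wireguard.go repeats the split/trim/`net.ParseCIDR` loop that this same commit adds as `parseAddresses` in secrets/helpers.go, so the two configuration sources can drift apart in which address lists they accept. A single helper in a package both can import, returning the bare parse error, would keep them aligned, with the env caller still adding its own context via `fmt.Errorf("environment variable %s: %w", key, err)`. The line `ipNet.IP = ip` deserves a comment such as `// keep the host address; ParseCIDR leaves the masked network address in ipNet.IP`. The inner `ip, ipNet, err :=` shadows the named result `err`, which is harmless here only because every return is explicit.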
@@ -45,25 +45,25 @@ func readPEMSecretFile(secretPathEnvKey, defaultSecretPath string) (
 return nil, fmt.Errorf("extracting base64 encoded data from PEM content: %w", err)
 }
- func readWireguardAddresses(addressesCSV string) (addresses []net.IPNet, err error) {
- if addressesCSV == "" {
- return nil, nil
- }
-
- key, addressStrings := strings.Split(addressesCSV, ",")
- addresses = make([]net.IPNet, len(addressStrings))
- for i, addressString := range addressStrings {
- addressString = strings.TrimSpace(addressString)
- ip, ipNet, err := net.ParseCIDR(addressString)
- if err != nil {
- return nil, fmt.Errorf("environment variable %s: %w", key, err)
- }
- ipNet.IP = ip
- addresses[i] = *ipNet
+ return &base64Data, nil
+}
+
+func parseAddresses(addressesCSV string) (addresses []net.IPNet, err error) {
+ if addressesCSV == "" {
+ return nil, nil
+ }
+
+ addressStrings := strings.Split(addressesCSV, ",")
+ addresses = make([]net.IPNet, len(addressStrings))
+ for i, addressString := range addressStrings {
+ addressString = strings.TrimSpace(addressString)
+ ip, ipNet, err := net.ParseCIDR(addressString)
+ if err != nil {
+ return nil, fmt.Errorf("parsing address %q: %w", addressString, err)
 }
-
- return addresses, nil
+ ipNet.IP = ip
+ addresses[i] = *ipNet
 }
- return &base64Data, nil
+ return addresses, nil
 }
diff --git a/internal/configuration/sources/secrets/vpn.go b/internal/configuration/sources/secrets/vpn.go
index bf3acc959..53ad3a2e2 100644
--- a/internal/configuration/sources/secrets/vpn.go
+++ b/internal/configuration/sources/secrets/vpn.go
@@ -14,7 +14,7 @@ func readVPN() (vpn settings.VPN, err error) {
 vpn.Wireguard, err = readWireguard()
 if err != nil {
- return vpn, fmt.Errorf("cannot read Wireguard settings: %w", err)
+ return vpn, fmt.Errorf("reading Wireguard settings: %w", err)
 }
 return vpn, nil
diff --git a/internal/configuration/sources/secrets/wireguard.go b/internal/configuration/sources/secrets/wireguard.go
index e7995dc5a..abddbd309 100644
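Review bot: In `parseAddresses` (secrets/helpers.go) the error `fmt.Errorf("parsing address %q: %w", addressString, err)` prints the rejected element twice, because the error returned by `net.ParseCIDR` already contains the text it refused. This helper is fed from a file under /run/secrets (see its caller in secrets/wireguard.go), so whatever that file holds ends up in the returned error and in any log that prints it, which matters if the path is ever pointed at a different secret by mistake. If the value should stay out of logs, report the position instead, e.g. `return nil, fmt.Errorf("address %d of %d is not a valid CIDR", i+1, len(addressStrings))`; otherwise dropping the `%q` at least removes the duplication. The function would also benefit from a doc comment stating that an empty string yields `nil, nil`.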
--- a/internal/configuration/sources/secrets/wireguard.go
+++ b/internal/configuration/sources/secrets/wireguard.go
@@ -8,12 +8,12 @@ import (
 func readWireguard() (
 wireguard settings.Wireguard, err error) {
- wireguard.PrivateKey, err = readSecretFileAsStringPtr(
+ wireguard.PrivateKey, err = readSecretFileAsStringPtr(
 "WIREGUARD_PRIVATE_KEY_SECRETFILE",
 "/run/secrets/wireguard_private_key",
 )
 if err != nil {
- return wireguard, fmt.Errorf("cannot read Wireguard private key file: %w", err)
+ return wireguard, fmt.Errorf("reading private key file: %w", err)
 }
 wireguard.PreSharedKey, err = readSecretFileAsStringPtr(
@@ -21,15 +21,20 @@ func readWireguard() (
 "/run/secrets/wireguard_preshared_key",
 )
 if err != nil {
- return wireguard, fmt.Errorf("cannot read Wireguard preshared key file: %w", err)
+ return wireguard, fmt.Errorf("reading preshared key file: %w", err)
 }
- wireguard.Addresses, err = readWireguardAddresses(readSecretFileAsStringPtr(
+ wireguardAddressesCSV, err := readSecretFileAsStringPtr(
 "WIREGUARD_ADDRESSES_SECRETFILE",
 "/run/secrets/wireguard_addresses",
- ))
+ )
 if err != nil {
- return wireguard, fmt.Errorf("cannot read Wireguard addresses file: %w", err)
+ return wireguard, fmt.Errorf("reading addresses file: %w", err)
+ } else if wireguardAddressesCSV != nil {
+ wireguard.Addresses, err = parseAddresses(*wireguardAddressesCSV)
+ if err != nil {
+ return wireguard, fmt.Errorf("parsing addresses: %w", err)
+ }
 }
 return wireguard, nil
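Review bot: In the second hunk of `readWireguard` (secrets/wireguard.go), a secret file that exists but holds only whitespace, such as a lone trailing newline, is passed to `parseAddresses` unchanged, and that helper treats only the exact empty string as unset, so the result would be an `invalid CIDR address` error rather than no addresses. Whether `readSecretFileAsStringPtr` already trims its result is not visible in this diff; if it does not, adding `addressesCSV = strings.TrimSpace(addressesCSV)` before the `== ""` check in `parseAddresses` closes the gap. The `} else if wireguardAddressesCSV != nil {` following an `if err != nil` that always returns would read better as a separate `if` statement. The function's closing brace lies outside the hunk.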