diff --git a/flake.nix b/flake.nix
index e2399b9..6ed6050 100644
--- a/flake.nix
+++ b/flake.nix
@@ -25,6 +25,7 @@
 null = import ./tests/null.nix checkArgs;
 simple = import ./tests/simple.nix checkArgs;
 mesh = import ./tests/mesh.nix checkArgs;
+ ring = import ./tests/ring.nix checkArgs;
 });
 };
 }
diff --git a/tests/acls/ring.nix b/tests/acls/ring.nix
new file mode 100644
index 0000000..2ca597b
--- /dev/null
+++ b/tests/acls/ring.nix
@@ -0,0 +1,103 @@
+{
+ version = "v1";
+ subnets = [
+ {
+ name = "ring";
+ endpoints = [
+ {
+ # No match mean match any
+ port = 51820;
+ }
+ ];
+ }
+ ];
+ groups = [
+ # groups field is expected, but can be empty
+ ];
+ peers = [
+ {
+ name = "node1";
+ subnets = {
+ ring = {
+ listenPort = 51820;
+ # empty ipAddresses will auto generate an IPv6 address
+ };
+ };
+ publicKey = "kdyzqV8cBQtDYeW6R1vUug0Oe+KaytHHDS7JoCp/kTE=";
+ privateKey = "MIELhEc0I7BseAanhk/+LlY/+Yf7GK232vKWITExnEI="; # path is relative to the machine
+ endpoints = [
+ {
+ # no match can be any
+ ip = "node1";
+ }
+ ];
+ }
+ {
+ name = "node2";
+ subnets = {
+ ring = {
+ listenPort = 51820;
+ };
+ };
+ publicKey = "ztdAXTspQEZUNpxUbUdAhhRWbiL3YYWKSK0ZGdcsMHE=";
+ privateKey = "yG4mJiduoAvzhUJMslRbZwOp1gowSfC+wgY8B/Mul1M=";
+ endpoints = [
+ {
+ # no match can be any
+ ip = "node2";
+ }
+ ];
+ }
+ {
+ name = "node3";
+ subnets = {
+ ring = {
+ listenPort = 51820;
+ # empty ipAddresses will auto generate an IPv6 address
+ };
+ };
+ publicKey = "43tP6JgckdTFrnbYuy8a42jdNt3+wwVcb4+ae5U4ez4=";
+ privateKey = "yPcTvQOK9eVXQjLNapOsv2iAkbOeSzCCxlrWPMe1o0g="; # path is relative to the machine
+ endpoints = [
+ {
+ # no match can be any
+ ip = "node3";
+ }
+ ];
+ }
+ {
+ name = "node4";
+ subnets = {
+ ring = {
+ listenPort = 51820;
+ };
+ };
+ publicKey = "g6+Tq9aeVfm5CXPIwZDqoTxGmsQ/TlLtxcxVn2aSiVA=";
+ privateKey = "CLREBQ+oGXsGxhlQc3ufSoBd7MNFoM6KmMnNyuQ9S0E=";
+ endpoints = [
+ {
+ # no match can be any
+ ip = "node4";
+ }
+ ];
+ }
+ ];
+ connections = [
+ {
+ a = [{type= "peer"; rule = "is"; value = "node1";}];
+ b = [{type= "peer"; rule = "is"; value = "node2";}];
+ }
+ {
+ a = [{type= "peer"; rule = "is"; value = "node2";}];
+ b = [{type= "peer"; rule = "is"; value = "node3";}];
+ }
+ {
+ a = [{type= "peer"; rule = "is"; value = "node3";}];
+ b = [{type= "peer"; rule = "is"; value = "node4";}];
+ }
+ {
+ a = [{type= "peer"; rule = "is"; value = "node4";}];
+ b = [{type= "peer"; rule = "is"; value = "node1";}];
+ }
+ ];
+}
\ No newline at end of file
diff --git a/tests/ring.nix b/tests/ring.nix
new file mode 100644
index 0000000..85114c2
--- /dev/null
+++ b/tests/ring.nix
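Review bot: The `# path is relative to the machine` comment on the node1 and node3 `privateKey` lines does not describe the value beside it, which is an inline key literal rather than a file path; either drop the comment or, if the field also accepts a path, document that on the field itself, e.g. `# privateKey: inline key, or a path resolved relative to the machine`. Because these private keys are committed to the repository, a header line such as `# Throwaway keys for the VM test only; never reuse outside tests` would make their status explicit to anyone reading or copying the fixture. The `type= "peer"` spacing in the connections block and the `ipAddresses` comment present on node1/node3 but absent on node2/node4 are minor inconsistencies within the same file.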
@@ -0,0 +1,83 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+(import ./lib.nix)
+{
+ name = "ring connection";
+ nodes = {
+ # `self` here is set by using specialArgs in `lib.nix`
+ node1 = { self, pkgs, ... }: {
+ virtualisation.vlans = [ 1 ];
+ imports = [ self.nixosModules.default ];
+ wirenix = {
+ enable = true;
+ aclConfig = import ./acls/ring.nix;
+ };
+ networking.firewall.enable = false;
+ };
+
+ node2 = { self, pkgs, ... }: {
+ virtualisation.vlans = [ 1 ];
+ imports = [ self.nixosModules.default ];
+ wirenix = {
+ enable = true;
+ keyProviders = ["acl"];
+ aclConfig = import ./acls/ring.nix;
+ };
+ networking.firewall.enable = false;
+ };
+
+ node3 = { self, pkgs, ... }: {
+ virtualisation.vlans = [ 1 ];
+ imports = [ self.nixosModules.default ];
+ wirenix = {
+ enable = true;
+ keyProviders = ["acl"];
+ peerName = "node3";
+ aclConfig = import ./acls/ring.nix;
+ };
+ networking.firewall.enable = false;
+ };
+
+ node4 = { self, pkgs, ... }: {
+ virtualisation.vlans = [ 1 ];
+ imports = [ self.nixosModules.default ];
+ wirenix = {
+ enable = true;
+ keyProviders = ["acl"];
+ peerName = "node4";
+ aclConfig = import ./acls/ring.nix;
+ };
+ networking.firewall.enable = false;
+ };
+ };
+ # This is the test code that will check if our service is running correctly:
+ testScript = ''
+ start_all()
+ nodes = {
+ "node1": node1,
+ "node2": node2,
+ "node3": node3,
+ "node4": node4
+ }
+ connections = {
+ "node1": ["node2", "node4"],
+ "node2": ["node3", "node1"],
+ "node3": ["node4", "node2"],
+ "node4": ["node1", "node3"]
+ }
+ for local_name, local_node in nodes.items():
+ for remote_name in connections[local_name]:
+ local_node.wait_for_unit(f"wireguard-ring-peer-{remote_name}")
+ for local_name, local_node in nodes.items():
+ local_node.succeed("wg show >&2")
+ for remote_name in set(nodes.keys()) - set([local_name]):
+ local_node.succeed(f"ping -c 1 {remote_name} >&2")
+ if remote_name in connections[local_name]:
+ local_node.succeed(f"ping -c 1 {remote_name}.ring >&2")
+ else:
+ local_node.fail(f"ping -c 1 -W 1 {remote_name}.ring")
+ '';
+}
\ No newline at end of file
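Review bot: node1 omits the `keyProviders = ["acl"];` line that node2–node4 set in their `wirenix` block, and nothing in the file says whether that is deliberate; if it is meant to exercise the default provider, a comment such as `# node1 deliberately relies on the default keyProviders` would stop a later edit from "fixing" it, otherwise it should match the other nodes. Likewise node1 and node2 appear to rely on the peer name defaulting to the hostname while node3/node4 set `peerName` explicitly, which deserves the same one-line note. `pkgs` is destructured in all four node functions but never used, so `{ self, ... }:` suffices. All four nodes set `networking.firewall.enable = false;`, so this test cannot tell whether the module opens the WireGuard listen port on its own; a follow-up variant with the firewall enabled would cover that gap.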