diff --git a/add.go b/add.go
index 7170637..f36fa32 100644
--- a/add.go
+++ b/add.go
@@ -8,7 +8,6 @@ func Add(hostname string, owner string, description string) { //, publicKey stri
 	conf := MustLoadDsnetConfig()
 
 	privateKey := GenerateJSONPrivateKey()
-	presharedKey := GenerateJSONKey()
 	publicKey := privateKey.PublicKey()
 
 	IP := conf.MustAllocateIP()
@@ -18,7 +17,8 @@ func Add(hostname string, owner string, description string) { //, publicKey stri
 		Hostname:     hostname,
 		Description:  description,
 		PublicKey:    publicKey,
-		PresharedKey: presharedKey,
+		PrivateKey:   privateKey,  // omitted from server config JSON!
+		PresharedKey: GenerateJSONKey(),
 		AllowedIPs: []JSONIPNet{
 			JSONIPNet{
 				IPNet: net.IPNet{
@@ -33,10 +33,10 @@ func Add(hostname string, owner string, description string) { //, publicKey stri
 	conf.MustSave()
 }
 
-func GetPeerWgQuickConf(peer PeerConfig, privKey JSONKey) string {
+func GetPeerWgQuickConf(peer PeerConfig) string {
 	return `[Interface]
 Address = 10.50.60.2/24
-PrivateKey=REDACTED
+PrivateKey={{
 DNS = 8.8.8.8
 
 [Peer]
diff --git a/init.go b/init.go
index f1edabe..cc3b6f7 100644
--- a/init.go
+++ b/init.go
@@ -46,6 +46,7 @@ func getRandomNetwork() JSONIPNet {
 	}
 }
 
+// TODO support IPv6
 func getExternalIP() net.IP {
 	conn, _ := net.Dial("udp", "8.8.8.8:80")
 	defer conn.Close()
@@ -53,6 +54,10 @@ func getExternalIP() net.IP {
 	localAddr := conn.LocalAddr().String()
 	IP := net.ParseIP(strings.Split(localAddr, ":")[0])
 
+	if !(IP[0] == 10 || (IP[0] == 172 && IP[1] >= 16 && IP[1] <= 31) || (IP[0] == 192 && IP[1] == 168)) {
+		// not private, so public
+		return IP
+	}
 	// TODO detect private IP and use icanhazip.com instead
-	return IP
+	return net.IP{}
 }
diff --git a/types.go b/types.go
index 5e0244e..736806e 100644
--- a/types.go
+++ b/types.go
@@ -20,6 +20,7 @@ type PeerConfig struct {
 	Description string `validate:"required,gte=1,lte=255"`
 
 	PublicKey    JSONKey `validate:"required,len=44"`
+	PrivateKey   JSONKey `json:"-"`  // omitted from config!
 	PresharedKey JSONKey `validate:"required,len=44"`
 	// TODO endpoint support
 	//Endpoint     net.UDPAddr `validate:"required,udp4_addr"`
diff --git a/util.go b/util.go
index 19a137b..2aab3c1 100644
--- a/util.go
+++ b/util.go
@@ -19,7 +19,7 @@ func MustPromptString(prompt string, required bool) string {
 	var err error
 
 	for text == "" {
-		fmt.Printf("%s: ", prompt)
+		fmt.Fprintf(os.Stderr, "%s: ", prompt)
 		text, err = reader.ReadString('\n')
 		check(err)
 		text = strings.TrimSpace(text)