diff --git a/PORT-ALLOCATION b/PORT-ALLOCATION
index e1907af..e86c41d 100644
--- a/PORT-ALLOCATION
+++ b/PORT-ALLOCATION
@@ -41,6 +41,7 @@ Internal ports: 7500-7600
 unbound: 7583
 HAProxy PROM: 7581
 Promtail: 7590
+ vtun: 7591
 
 Public ports:
 SSH: 22
diff --git a/config/haproxy/APKBUILD b/config/haproxy/APKBUILD
index 03a76c3..0ab4aee 100644
--- a/config/haproxy/APKBUILD
+++ b/config/haproxy/APKBUILD
@@ -3,7 +3,7 @@
 
 . ../APKBUILD-config.template
 
-pkgver=2022.03.25.02
+pkgver=2022.03.26.02
 pkgrel=0
 depends="redxen-secret-letsencrypt-full redxen-data-haproxy-errorpages"
 checkdepends="haproxy"
@@ -15,5 +15,5 @@ check() {
 }
 
 sha512sums="
-5fe08e3ba3317fe09e8408141d567758f5fddb1c67233042a5eb02d4a0f2fd96e8945588c22ef371da31f7b0c88e580bb398083c85a939a313ea1f88422d8cac main.cfg
+45bd2aa36469225968df94843d4548064f601ebc7d353fed75d8e50cd1eb0edad12e9ba07e1d05cd88ce2597cb4d411585a613f349ceb08fb5061e30cc6be97b main.cfg
 "
diff --git a/config/haproxy/main.cfg b/config/haproxy/main.cfg
index 7161dce..d37fc5d 100644
--- a/config/haproxy/main.cfg
+++ b/config/haproxy/main.cfg
@@ -84,6 +84,7 @@ frontend http
 acl btdaemon hdr_beg(host) -i seed.redxen
 acl packs hdr_beg(host) -i packages.redxen
 acl cal hdr_beg(host) -i cal.redxen
+ acl wssproxy hdr_beg(host) -i wssproxy.redxen
 acl monerod hdr_beg(host) -i monerod.redxen
 
 redirect location https://en.uncyclopedia.co/wiki/South_Africa code 302 if fedi
@@ -97,6 +98,7 @@ frontend http
 use_backend backend-btdaemon if btdaemon
 use_backend backend-packages if packs
 use_backend backend-radicale if cal
+ use_backend backend-wssproxy if wssproxy
 #use_backend backend-monerod if monerod
 
 backend backend-home
@@ -138,6 +140,11 @@ backend backend-radicale
 http-check send hdr Host cal.redxen.eu
 http-check expect status 401
 
+backend backend-wssproxy
+ server-template wssproxy 1 _wssproxy._tcp.routinginfo.internal
+ option httpchk HEAD / HTTP/1.1
+ http-check send hdr Host wss-proxy.redxen.eu
+
 #backend backend-monerod
 # server-template monerod 1 _monerod._tcp.routinginfo.internal
 # option httpchk POST /json_rpc HTTP/1.1
diff --git a/config/nftables/APKBUILD b/config/nftables/APKBUILD
index 3497fb0..8b70f0f 100644
--- a/config/nftables/APKBUILD
+++ b/config/nftables/APKBUILD
@@ -3,13 +3,14 @@
 
 . ../APKBUILD-config.template
 
-pkgver=2022.03.23.01
+pkgver=2022.03.26.01
 pkgrel=0
 options="!check" # check requires root?
 subpackages="
 $pkgname-base
 $pkgname-openssh
+ $pkgname-vtun
 $pkgname-haproxy:_defmodule
 $pkgname-murmur:_defmodule
 $pkgname-dovecot:_defmodule
@@ -51,6 +52,12 @@ openssh() {
 _module "$_modname"
 }
 
+vtun() {
+ _modname="${subpkgname##$pkgname-}"
+ install_if="$pkgname redxen-openrc-$_modname"
+ _module "$_modname"
+}
+
 _defmodule() {
 _modname="${subpkgname##$pkgname-}"
 install_if="$pkgname redxen-config-$_modname"
diff --git a/config/nftables/nft/inet/redxenfirewall/filter/forward/vtun b/config/nftables/nft/inet/redxenfirewall/filter/forward/vtun
new file mode 100644
index 0000000..617dd10
--- /dev/null
+++ b/config/nftables/nft/inet/redxenfirewall/filter/forward/vtun
@@ -0,0 +1,2 @@
+ip saddr 172.24.0.0/24 oifname "eth0" counter accept;
+iifname "eth0" ip daddr 172.24.0.0/24 counter accept;
diff --git a/config/nftables/nft/inet/redxenfirewall/nat/postrouting/vtun b/config/nftables/nft/inet/redxenfirewall/nat/postrouting/vtun
new file mode 100644
index 0000000..6cdefd4
--- /dev/null
+++ b/config/nftables/nft/inet/redxenfirewall/nat/postrouting/vtun
@@ -0,0 +1 @@
+oifname "eth0" ip saddr 172.24.0.0/24 counter masquerade; # SNAT MASQUERADE v4
diff --git a/data/bindzone/APKBUILD b/data/bindzone/APKBUILD
index 792fb2e..dea0662 100644
--- a/data/bindzone/APKBUILD
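Review bot: The health-check Host header on the fourth added line, `http-check send hdr Host wss-proxy.redxen.eu`, does not match the name used everywhere else in this commit (`acl wssproxy hdr_beg(host) -i wssproxy.redxen` in the frontend and `wssproxy CNAME @` in the zone), so if the upstream serves by virtual host the check probes a different host than real traffic does. `http-check send hdr Host wssproxy.redxen.eu`, or a comment saying why the check name differs, would settle it. Whether `HEAD /` returns a passing status on a vtun listener started with `-path /freedom` cannot be told from the diff; the neighbouring radicale backend pins its expectation with `http-check expect status 401`, and this backend may need the same.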
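Review bot: `vtun()` in the second hunk repeats the `_defmodule` body that follows it, differing only in `redxen-openrc-` versus `redxen-config-`, and the `openssh()` named in the hunk header appears to end the same way. A shared `_openrcmodule` helper built like `_defmodule` but with `install_if="$pkgname redxen-openrc-$_modname"`, referenced as `$pkgname-vtun:_openrcmodule` in subpackages, would keep the install_if convention in one place. Only the tail of `openssh()` is inside the hunk, so its full shape is inferred.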
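Review bot: The second rule of the new forward file, `iifname "eth0" ip daddr 172.24.0.0/24 counter accept;`, forwards every packet arriving on eth0 for the tunnel subnet, not just replies to flows the tunnel clients opened, and the first rule accepts 172.24.0.0/24 sources from any ingress interface rather than only the tun device. Tightening them to `iifname "<TUN_IFACE>" ip saddr 172.24.0.0/24 oifname "eth0" counter accept;` and `iifname "eth0" ip daddr 172.24.0.0/24 ct state established,related counter accept;` (the interface name vtun creates is not visible here, hence the placeholder) limits the forward path to tunnel-originated traffic. Whether an earlier file in this chain already accepts established/related or drops invalid is not in the diff; if it does, only the interface pin is needed. The masquerade rule in nat/postrouting/vtun carries the same missing ingress restriction, so 172.24.0.0/24 sources appearing on other interfaces would be NATed as well.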
+++ b/data/bindzone/APKBUILD
@@ -3,7 +3,7 @@
 
 . ../APKBUILD-data.template
 
-pkgver=2022.03.25.01
+pkgver=2022.03.26.01
 pkgrel=0
 checkdepends="bind-tools"
 makedepends="
@@ -69,6 +69,6 @@ internal() {
 }
 
 sha512sums="
-23f72394a1508eeb9a828451da79b9c5a6daffe59a2966c1507eb0e98aff17cbb4db838d0357135108bc926b24f132b629c64f1b487c84fa222106baaba486a5 redxen.eu
-3f441f898f605366c0e411c13c5357000d4fbc1ef8e3d7c0aad51b5723df224fa413491e6cd741381fcb384697f1f37ca55bea64f8978fd47a30fec511faf72d internal
+5f9d73185620ca3cb066137c5c92f942190f7c215fee0d255f079664e72554a06b8f0420d67b0fb8bb37ffd57a501b64d9a47e038a8f0e2245149e6b1c2d3346 redxen.eu
+983b02166c5dd2fbb804916806b4bf8d7e2b0a9c8fb571d52802569804d6ecf74b8b3f88ee61b43bd653db71781d87e9066a4c6ee46224ddf759e290287c372d internal
 "
diff --git a/data/bindzone/internal b/data/bindzone/internal
index f3fec4e..43d6d40 100644
--- a/data/bindzone/internal
+++ b/data/bindzone/internal
@@ -45,6 +45,7 @@ _root._tcp.routinginfo SRV 0 5 7575 12180710
 _packages._tcp.routinginfo SRV 0 5 7574 12180710.fsn1-dc14.hetzner
 _seedown._tcp.routinginfo SRV 0 5 7576 12180710.fsn1-dc14.hetzner
 _radicale._tcp.routinginfo SRV 0 5 7578 12180710.fsn1-dc14.hetzner
+_wssproxy._tcp.routinginfo SRV 0 5 7591 12180621.nbg1-dc3.hetzner
 
 postgresql.routinginfo CNAME 12180625.nbg1-dc3.hetzner
 redis.routinginfo CNAME 12180625.nbg1-dc3.hetzner
diff --git a/data/bindzone/redxen.eu b/data/bindzone/redxen.eu
index bf2664a..03a8148 100644
--- a/data/bindzone/redxen.eu
+++ b/data/bindzone/redxen.eu
@@ -64,6 +64,7 @@ sd CNAME @
 packages CNAME @
 seed CNAME @
 cal CNAME @
+wssproxy CNAME @
 
 ; Wireguard
 wireguard CNAME 12180621.nbg1-dc3.hetzner
diff --git a/openrc/vtun/APKBUILD b/openrc/vtun/APKBUILD
new file mode 100644
index 0000000..f809ff4
--- /dev/null
+++ b/openrc/vtun/APKBUILD
@@ -0,0 +1,31 @@
+# Contributor: Alex Denes
+# Maintainer: Alex Denes
+
+. ../APKBUILD-openrc.template
+
+pkgver=2022.03.26.02
+pkgrel=0
+source="$source secret"
+depends="openrc $_rx_pkgname"
+
+prepare() {
+ default_prepare
+ cp conffile conffile-mod
+}
+
+build() {
+ . secret
+ rx_replace "VTUN_KEY" "${VTUN_KEY:?'Missing VTUN key'}" "conffile-mod"
+}
+
+package() {
+ rx_openrc_runlevel_add
+ rx_openrc_runfile_install
+ rx_openrc_conffile_install "conffile-mod"
+}
+
+sha512sums="
+65ef90c9ff340770755c63cf786474c95c5e3fde1bb4811b2730926a3bbe8cae763cfc03e07b2cbe627c254f0a695c5ea03ffe7d1c545b8b6df7efe8dbb48a2c runfile
+8ef6c3f8679e97906ced5b2bc3faa8dd992ccbe0d46ab9f0f351c56f977bc912c2aec5afe4c481e5f03c721bc55e1e83801f0a60a5e2ac7c5c3ad8caf04cf68c conffile
+5e2c06013faae6cfcc9cc1e24545a2d2aafadcf513227bb69ef6f5249b3a00ec4f8ba6740399b3681dedac8490f2c6f262c2fc812ab0be3c4c0e15841da68c9f secret
+"
diff --git a/openrc/vtun/conffile b/openrc/vtun/conffile
new file mode 100644
index 0000000..ae11c3a
--- /dev/null
+++ b/openrc/vtun/conffile
@@ -0,0 +1 @@
+command_args="-S -d 127.0.0.1:53 -obfs -l :7591 -k 'VTUN_KEY' -path /freedom -p ws -c 172.24.0.1/24"
diff --git a/openrc/vtun/runfile b/openrc/vtun/runfile
new file mode 100644
index 0000000..92a90ee
--- /dev/null
+++ b/openrc/vtun/runfile
@@ -0,0 +1,14 @@
+#!/sbin/openrc-run
+supervisor=supervise-daemon
+
+command="/usr/bin/vtun"
+command_background="yes"
+
+depend() {
+ need net
+ after firewall
+}
+
+start_pre() {
+ modprobe tun
+}
diff --git a/openrc/vtun/secret b/openrc/vtun/secret
new file mode 100644
index 0000000..02863d6
--- /dev/null
+++ b/openrc/vtun/secret
@@ -0,0 +1 @@
+VTUN_KEY="2FEmRf4ABK7hOvfR"
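Review bot: `build()` sources `secret` and writes the raw key into `conffile-mod`, which `package()` then installs with `rx_openrc_conffile_install`; unless that helper installs the conf file with restrictive permissions (not visible in this diff), the key is readable by every local account. A mode-0600 install, or a comment on `package()` stating the helper already does that, would close the question. A smaller point in `build()`: `"${VTUN_KEY:?'Missing VTUN key'}"` prints the single quotes as part of the error text, and `"${VTUN_KEY:?Missing VTUN key}"` gives the intended message.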
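Review bot: The key is handed to vtun as a command-line argument (`-k 'VTUN_KEY'`, substituted at build time), so the running process exposes it through `ps` and `/proc/<pid>/cmdline` to every local user whatever the conf file's permissions are. If vtun accepts the key from a file or the environment, that form is preferable; its option set is not visible in this diff, so this is a check to make rather than a line to quote. `-l :7591` presumably binds all interfaces, and PORT-ALLOCATION records 7591 as an internal port, so the listener relies on an input-chain rule that is not among the nftables files in this commit (which only add forward and postrouting rules) to stay off eth0.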
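Review bot: `command_background="yes"` is a start-stop-daemon setting and appears to have no effect under `supervisor=supervise-daemon`, which expects the command to stay in the foreground, so the line can go unless vtun self-daemonizes and it is load-bearing (in which case a comment should say so). `start_pre()` returns modprobe's exit status, so a missing tun module aborts the start as intended; a one-line comment `# vtun needs the tun device; a failed modprobe aborts start` would make that explicit.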
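Review bot: `openrc/vtun/secret` commits the live tunnel key in plaintext, so once this lands in shared history the key must be treated as disclosed and rotated, and the file itself should come from outside the tree; the haproxy APKBUILD in this commit depends on `redxen-secret-letsencrypt-full`, which suggests a separate secret-package convention already exists. `source="$source secret"` and the matching sha512sums entry in the vtun APKBUILD tie the build to this file, so moving it out means regenerating that checksum or fetching the secret at build time. An ignore rule such as `openrc/*/secret` would prevent a repeat.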