diff --git a/data/vpn-ca-bundle.crt b/data/vpn-ca-bundle.crt
new file mode 100644
index 0000000..81e9212
--- /dev/null
+++ b/data/vpn-ca-bundle.crt
@@ -0,0 +1,54 @@ +-----BEGIN CERTIFICATE----- +MIIElzCCAv+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA6MRgwFgYDVQQKDA9QUklW +QVRFVk9JRC5ORVQxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0x +OTA4MTcxMzQ3NThaFw0zOTA4MTcxMzQ3NThaMDoxGDAWBgNVBAoMD1BSSVZBVEVW +T0lELk5FVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBojANBgkq +hkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA24YctyMKaCy4gYaWw5O28GW45OML8PAC +DZjeV6fksrI2VlaYYQgQgRrSpFc/f5PL/vl+tlqUmMkVgwkHfA1E0HDS5yl4/13J +nbkbvhLpaXB7ex0kox17dY7c/ZQuN4/DQHh6R5TT9pCKJBPc7za4GnDuv/s6ww/3 +Vn4ath3m8WfaPpIXd1/HG3z9Dz3hmH0fww9vsiDXhGxHzZjxjiNaeM9EMh2297E3 +yA8wZ4gwCB3wuMKUS/tSJgLOGcRaZgAc+cUIUK6lHqLN8JP7ACpkf1czfEGSTksu +RFNNW2XihXdcE+zh5925buLGpNOQzNwmzdQLrzGPm/IHRluqA361IfqUmR3Oxxr6 +vxVG2E9spbRodSKR5884Cg18frAnWk+2HPvW9bsxJpd/GX4sLgjwKDZ43eZ0HoBW +kzfmowJidMB710O5MQOr7Urzl3Qef735Vbc8siKk0gwZasQap59APk5meDtIX7yP +BkwiSUpCR6ynsUck7FliJ2wt022REFcDAgMBAAGjgacwgaQwHwYDVR0jBBgwFoAU +8LCS6AW2IgDn+b4+nfst+CiFO88wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E +BAMCAcYwHQYDVR0OBBYEFPCwkugFtiIA5/m+Pp37LfgohTvPMEEGCCsGAQUFBwEB +BDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL2lwYS1jYS5wcml2YXRldm9pZC5uZXQv +Y2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEAFpue77wmQIF7WMVdrmAmB2fBJSTH +qoRTcP5enPIVoS5fi/bhMeIW4iADKRtCo9YezLqAPWoQ+UzDOObmAa3yx/pfJqhV +wMt7E2FvQXkef9v9wcsXSSNE4SWD4UefDBFiTtGcNR4SVAqWAJF4Yym6kjE0OLs7 +it4kpvQBC9uxTcBHHIWMhJ85hZbMbTQ1GG1iluhxJFOpl2Zm7GBax2E3a+Fs/msx +yUIGe7ugVKiWX2Cx4e/kEmWogGESeNVEXYnDPxztr+mu5rbzRNU32FzWRlxG1qg3 +e77KjTrHC63w230t/Pw7wuYQJzX25bkqIaQat9Xfw/ODtZqrStVwJAooD8z5zpYG +ul9ndmXfM6okRy7eJoSF1nijHNo9p4k+IsAu8j2UShjfTglBTjWA6ZHWuji4AArw +qCdKu2v/DqnGhNAt6zRTmOMW7tct/VBwJtpDdB4IzG+EvH6JdIxQpDew5LuPwbk5 +c7VzeA8sxGbslFyLO3Oa1Yy87uQSes+uBHhq +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEnDCCAwSgAwIBAgIBHzANBgkqhkiG9w0BAQsFADA6MRgwFgYDVQQKDA9QUklW +QVRFVk9JRC5ORVQxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0y +MDA0MjcxMjI3MDBaFw00MDA0MjcxMjI3MDBaMD8xGDAWBgNVBAoMD1BSSVZBVEVW +T0lELk5FVDEjMCEGA1UEAwwaUHJpdmF0ZSBWb2lkIFZQTiBBdXRob3JpdHkwggGi 
+MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCv/EZR+YWCMwrfb5gMyFe/257a +rIrClOz8omD1qmKEk/oj7mKqROV20LBELMV52tAXJOVEIUSDi9OhQ8qryWZyRGa9 +4iQ9DvzlP8BER2NP2xjuT8NRMo7yzl2ge0PlLD6si8N1rkXKlfrvKkFEgqlPNnl0 +AScM0SfSkG7y1g+bnsfF2uSj/p3i+FO0zoEIfBC8oKWgcmmV7p/HCdCjVEY7CBfR +KR6gbRxK+hxSsH8SfCV/MZev9jFCV+vWO5YvATGCrZjqVaaPp34fBGWSLLzQ3yLj +2OvVD8fgxyKPdNHgao7PmTh5QrzrXpichjSxUvGbm/Hz+xhr3uW+sTnCtXogchHm +0+CAhmNdfCr4ctR7WcY146YUhVcO+T/If7KgMhQBejkGqOBuRgrxLQ2xHL6G9oQx +278b/BIDl1jWvZccmhpanDa8Mc9JWINd5enOiBN+J+i6YDnnuG3ociTu7nJs3mPo +HJfOgKqTV0SkdrCeunKpjuBi5M46pK5XuvzJgFsCAwEAAaOBpzCBpDAfBgNVHSME +GDAWgBTwsJLoBbYiAOf5vj6d+y34KIU7zzAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud +DwEB/wQEAwIBxjAdBgNVHQ4EFgQUpBtWTMOD6IeCH+JEnywzzLgtYzEwQQYIKwYB +BQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vaXBhLWNhLnByaXZhdGV2b2lk +Lm5ldC9jYS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBgQB+jXOnP4BO69Z1+/S42/O6 +hjjs7kxtYTRNfDKONhB3MD2pSxn2qiwRiH+jL1LJZEmkFkqWV05jMpn8qBeA+yXf +WUbF5Iiupb5IfF8GXqXkFeDIP4kiVCY7/XHF5JrjCBT0csaiI9fNiDDBseRoU/b4 +LWAGGlgvE7jnQpgVu4/7/MW1yNw2JgetoZFGSNh12AVe1UWjy1DmLHCkWAbjWka+ +iArEtm0EZ1Ypjy0l9A/sCZLmhWtYJrjHNiETvzRlv8UNjUg1Lv7IxWQI7TvZJp7T +DBghFt/i6w/fdOc5r73lZT3/PDGLO9/NpbQVzT8LiJkwlF5uJB3avdlb3pMWjqPy +1ty2mbX9eNKZUeEAGb4crEGlWIcLqnr0aFtaISlOB2dmOonMo26uCXNtLG61Yw9I +MhHsvnmrPXU9rjuHUtBt9HgEO7RwXZYEehuf8pz8Ur11S7x/7PxOypv4KBUBusDe ++hLcS5acpktYNkr2IiZ3NXDihVN65hxzMM6rUb6Sojc= +-----END CERTIFICATE----- diff --git a/data/vpn-host-VEGAS.crt b/data/vpn-host-VEGAS.crt new file mode 100644 index 0000000..43a11e4 --- /dev/null +++ b/data/vpn-host-VEGAS.crt 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFaDCCA9CgAwIBAgIBIjANBgkqhkiG9w0BAQsFADA/MRgwFgYDVQQKDA9QUklW +QVRFVk9JRC5ORVQxIzAhBgNVBAMMGlByaXZhdGUgVm9pZCBWUE4gQXV0aG9yaXR5 +MB4XDTIwMDQyNzEzMDYxNloXDTIyMDQyODEzMDYxNlowODEYMBYGA1UECgwPUFJJ +VkFURVZPSUQuTkVUMRwwGgYDVQQDDBN2cG4ucHJpdmF0ZXZvaWQubmV0MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt3BQDphcpY+Qrrfc//QinB8/Qux5 +fJCDMgnIeFsk/S/Ow2R/FDbcJpHw74vt06eVqvtnOAIE5e95sCgpeOKl0MDiRSyJ +qt+4X8SAYkLXGk7zx60Z5iynmfdZpikwc6P6GYNBoExVMh6+lcJRuAFcrbR/Fu4K +tFAFSJVhtDq0v+ceiawa80nQuecECUo9/dwfOcrFrXHYRKn3oSv6wMt8zp8EMUuj +hWZ/97u17ZvsBIUFFs7tk9KgMbPsSYoM64L+uHVynzaPC3rp4BMTyaESx4ifgort +VtkbBDH79DBwcjnr+jFSJWfJcA1J2XAtiu9hUoscygxVLsZXnENYobSOFwIDAQAB +o4IB9DCCAfAwHwYDVR0jBBgwFoAUpBtWTMOD6IeCH+JEnywzzLgtYzEwQQYIKwYB +BQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vaXBhLWNhLnByaXZhdGV2b2lk +Lm5ldC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcD +AQYIKwYBBQUHAwIwegYDVR0fBHMwcTBvoDegNYYzaHR0cDovL2lwYS1jYS5wcml2 +YXRldm9pZC5uZXQvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQK +DAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQW +BBRA1NlyyOaU/BqBqaIcZVi1/ziGYDCBvwYDVR0RBIG3MIG0oEYGCisGAQQBgjcU +AgOgOAw2dnBuaG9zdC92ZWdhcy5iYWNrYm9uZS5wcml2YXRldm9pZC5uZXRAUFJJ +VkFURVZPSUQuTkVUoFUGBisGAQUCAqBLMEmgERsPUFJJVkFURVZPSUQuTkVUoTQw +MqADAgEBoSswKRsHdnBuaG9zdBsedmVnYXMuYmFja2JvbmUucHJpdmF0ZXZvaWQu +bmV0ghN2cG4ucHJpdmF0ZXZvaWQubmV0MA0GCSqGSIb3DQEBCwUAA4IBgQBpYdmX +dxZTV1/iBcVQl3W93ted08jpvpLdRvDX2qcB6c9L2CB7UZ5UDBYgfU9XZetaYg6E +Wje4VIq+Kwd+69bv0HIbGKb+6i2yfw3Yx8yvWOse79JqW5OvJ96fDiOYfEuDxbOH +79hKfJ/F5HAToSXW+XWpdNQDDlfWFgippZqqcXZUkOujhwMubYGMXAgXwe9oulgp +wmjzqH95eajOLItYFF4/v1L5CArzYBV6JBcY2TWZRyuAo6Kw94ve9zCfnQvxzLaj +nSc98u0sj6bmYCHGLJNER4W+85UlZu3uZRo0GPqmfz/CWwDjI2ODQxJQcQ7KFVbH +y8qEtddkRBd4cb4Fr9Ag2HJc1zm4I7vG6+Rx6fP6oAltpYK7GOUrkQ13R6PXOpZr +M9j3Qmm5JK/DsGltNwo0sCX9OzdCOql/ZNoQ1wK1dFqaLl25HkpI6I0xw2lvgQDi +qDXn5eY8Ip0gZ2Wbeyc6ssoE54T3Ta1fpD3wOHSTLK5MjeL3a0zURvzNf2o= +-----END CERTIFICATE----- 
diff --git a/hosts/VEGAS/services/openvpn/default.nix b/hosts/VEGAS/services/openvpn/default.nix
new file mode 100644
index 0000000..493878d
--- /dev/null
+++ b/hosts/VEGAS/services/openvpn/default.nix
@@ -0,0 +1,73 @@
+{ config, hosts, lib, pkgs, tools, ... }:
+let
+ inherit (hosts.${config.networking.hostName}) interfaces;
+ inherit (interfaces) vstub;
+ inherit (config.networking) hostName;
+
+ sharedConfig = pkgs.writeText "openvpn-shared.conf" ''
+ port 51194
+ float
+ mssfix 1340
+
+ topology subnet
+ client-to-client
+ persist-key
+ persist-tun
+
+ # vpn supernet
+ push "route 10.100.0.0 255.255.0.0"
+ # internal services supernet
+ push "route 10.10.0.0 255.255.0.0"
+ # host machine virtual stub
+ push "route ${vstub.addr} 255.255.255.255"
+
+ # dns config
+ push "dhcp-option DOMAIN vpn.${tools.meta.domain}"
+ push "dhcp-option DNS ${vstub.addr}"
+
+ ca ${../../../../data/vpn-ca-bundle.crt}
+ cert ${../../../../data + "/vpn-host-${hostName}.crt"}
+ key ${config.age.secrets.vpn-host-key.path}
+ dh ${config.security.dhparams.params.vpn.path}
+ '';
+in
+{
+ age.secrets.vpn-host-key = {
+ file = ../../../../secrets + "/vpn-host-key-${hostName}.age";
+ mode = "0400";
+ };
+ security.dhparams.params.vpn.bits = 4096;
+ networking.firewall = {
+ allowedTCPPorts = [ 51194 ];
+ allowedUDPPorts = [ 51194 ];
+ };
+ networking.nat.internalInterfaces = [
+ "tun-storm"
+ "tun-cyclone"
+ ];
+
+ services.openvpn.servers = {
+ storm = {
+ autoStart = true;
+ config = ''
+ proto udp4
+ dev tun-storm
+ server 10.100.0.0 255.255.255.0
+ config ${sharedConfig}
+ '';
+ };
+ cyclone = {
+ autoStart = true;
+ config = ''
+ proto tcp4
+ dev tun-cyclone
+ server 10.100.1.0 255.255.255.0
+ config ${sharedConfig}
+ '';
+ };
+ };
+ systemd.services = lib.genAttrs (map (x: "openvpn-${x}") (builtins.attrNames config.services.openvpn.servers)) (_: {
+ wants = [ "dhparams-gen-vpn.service" ];
+ after = [ "dhparams-gen-vpn.service" ];
+ });
+}
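Review bot: The `ca ${../../../../data/vpn-ca-bundle.crt}` line in sharedConfig trusts the whole bundle, which holds two certificates (the PEM file added earlier in this diff shows two BEGIN/END blocks, and their subjects appear to be a general "Certificate Authority" and a "Private Void VPN Authority"), so OpenVPN will accept any client certificate chaining to either issuer rather than only VPN-issued ones, and nothing here rejects revoked certificates (no `crl-verify`) or checks certificate purpose (no `remote-cert-tls client`); the embedded OCSP/CRL URLs are not consulted by OpenVPN. If the upper CA also issues non-VPN certificates, consider a `ca` file containing only the VPN authority, plus `remote-cert-tls client` and `crl-verify <PATH_TO_VPN_CRL>` (placeholder path) in sharedConfig. With `float` enabled and port 51194 opened for both TCP and UDP, a control-channel key (`tls-crypt`) would also keep the TLS handshake from being reachable by unauthenticated peers. Minor style point: `51194` is written three times (sharedConfig, `allowedTCPPorts`, `allowedUDPPorts`); a single `vpnPort = 51194;` in the `let` block would keep them in sync.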
diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix
index caed3dc..d5640dc 100644
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@@ -32,6 +32,7 @@
 ./services/nix/binary-cache.nix
 ./services/nix/nar-serve.nix
 ./services/object-storage
+ ./services/openvpn
 ./services/warehouse
 ./services/websites
 ]
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4e2c4c9..3ec735a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,4 +22,5 @@ in with hosts;
 "synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "vpn-host-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 }
diff --git a/secrets/vpn-host-key-VEGAS.age b/secrets/vpn-host-key-VEGAS.age
new file mode 100644
index 0000000..2f66890
Binary files /dev/null and b/secrets/vpn-host-key-VEGAS.age differ