diff --git a/cluster/services/ways/default.nix b/cluster/services/ways/default.nix index eb4f3c1..013d697 100644 --- a/cluster/services/ways/default.nix +++ b/cluster/services/ways/default.nix @@ -11,6 +11,9 @@ }; dns.records = lib.mapAttrs' - (_: cfg: lib.nameValuePair cfg.dnsRecord.name ({ ... }: { imports = [ cfg.dnsRecord.value ]; })) + (_: cfg: lib.nameValuePair cfg.dnsRecord.name ({ ... }: { + imports = [ cfg.dnsRecord.value ]; + root = cfg.domainSuffix; + })) config.ways; } diff --git a/cluster/services/ways/host.nix b/cluster/services/ways/host.nix index b373bec..007c16a 100644 --- a/cluster/services/ways/host.nix +++ b/cluster/services/ways/host.nix @@ -3,6 +3,8 @@ let externalWays = lib.filterAttrs (_: cfg: !cfg.internal) cluster.config.ways; + internalWays = lib.filterAttrs (_: cfg: cfg.internal) cluster.config.ways; + consulServiceWays = lib.filterAttrs (_: cfg: cfg.useConsul) cluster.config.ways; in @@ -14,6 +16,7 @@ in imports = [ cfg.extras { + listenAddresses = lib.mkIf cfg.internal [ config.reflection.interfaces.vstub.addr ]; forceSSL = true; enableACME = !cfg.internal && !cfg.wildcard; useACMEHost = lib.mkMerge [ 
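Review bot: The added `listenAddresses = lib.mkIf cfg.internal [ config.reflection.interfaces.vstub.addr ];` in host.nix is, as far as this hunk shows, the only setting that keeps internal ways off the publicly reachable listener, and nothing on the line says so. I would add a comment above it, for example `# internal ways bind only to the vstub address; this is the access boundary for them`, so that a later change to the listen configuration is recognised as a change in exposure. Because `forceSSL = true` follows, the port 80 redirect for these hosts presumably binds to the same address, which is worth stating in the same comment. The virtual-host attribute set this line belongs to starts and ends outside the hunk.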
@@ -84,18 +87,34 @@ in
 };
 };
- consul.services.ways-proxy = {
- unit = "nginx";
- mode = "external";
- definition = {
- name = "ways-proxy";
- address = config.reflection.interfaces.primary.addrPublic;
- port = 443;
- checks = lib.singleton {
- interval = "60s";
- tcp = "127.0.0.1:80";
+ consul.services = {
+ ways-proxy = {
+ unit = "nginx";
+ mode = "external";
+ definition = {
+ name = "ways-proxy";
+ address = config.reflection.interfaces.primary.addrPublic;
+ port = 443;
+ checks = lib.singleton {
+ interval = "60s";
+ tcp = "127.0.0.1:80";
+ };
+ tags = lib.attrNames externalWays;
+ };
+ };
+ ways-proxy-internal = {
+ unit = "nginx";
+ mode = "external";
+ definition = {
+ name = "ways-proxy-internal";
+ address = config.reflection.interfaces.vstub.addr;
+ port = 443;
+ checks = lib.singleton {
+ interval = "60s";
+ tcp = "127.0.0.1:80";
+ };
+ tags = lib.attrNames internalWays;
 };
- tags = lib.attrNames externalWays;
 };
 };
 }
diff --git a/cluster/services/ways/options/way.nix b/cluster/services/ways/options/way.nix
index 3772eda..1879f08 100644
--- a/cluster/services/ways/options/way.nix
+++ b/cluster/services/ways/options/way.nix
@@ -29,7 +29,7 @@ with lib;
 description = "DNS record value for this Way.";
 type = types.deferredModule;
 default = {
- consulService = "${name}.ways-proxy";
+ consulService = "${name}.${if config.internal then "ways-proxy-internal" else "ways-proxy"}";
 rewrite.type = lib.mkIf config.wildcard "regex";
 };
 };
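Review bot: The new `ways-proxy-internal` service keeps the check `tcp = "127.0.0.1:80"` copied from `ways-proxy`, but the internal virtual hosts are bound only to the vstub address by the `listenAddresses` line earlier in this file, so the check probes a different listener from the one the service advertises. Consul could keep handing out `vstub.addr:443` while nginx is not bound there, or mark the internal service down for a reason unrelated to it. Pointing the check at the advertised endpoint would close that gap, for example `tcp = "${config.reflection.interfaces.vstub.addr}:443";`, assuming `addr` is a bare address string. The module body around `consul.services` starts outside the hunk.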
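Review bot: The literals `"ways-proxy-internal"` and `"ways-proxy"` in the new `consulService` default have to match the service names registered in host.nix, and nothing ties the two files together. A rename on one side would presumably leave the DNS record pointing at a Consul service that does not exist, without any evaluation error. A comment above the line such as `# must match the consul.services names in host.nix` would document the coupling; defining the two names once and referencing them from both files would remove it. The option declaration this default belongs to starts outside the hunk.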