diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index 30091e5f..8d82c04d 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -71,7 +71,7 @@ let
 whitelistPwd
 ;
 netDev = if sandbox.net == "vpn" then
- vpn.bridgeDevice
+ vpn.name
 else
 sandbox.net;
 dns = if sandbox.net == "vpn" then
diff --git a/pkgs/additional/sanebox/sanebox b/pkgs/additional/sanebox/sanebox
index fed00c3e..2ed22e11 100755
--- a/pkgs/additional/sanebox/sanebox
+++ b/pkgs/additional/sanebox/sanebox
@@ -574,7 +574,9 @@ firejailIngestPath() {
 esac
 }
 firejailIngestNetDev() {
- firejailFlags+=("--net=$1")
+ # XXX: to use a VPN tunnel named `vpn-xyz`, we keep around and link it to a bridge `br-vpn-xyz` externally.
+ # firejail can then spawn a veth from this bridge and namespace it that way.
+ firejailFlags+=("--net=br-$1")
 }
 firejailIngestDns() {
 firejailFlags+=("--dns=$1")
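Review bot: The `netDev` binding now passes the tunnel name and relies on the `sanebox` script to rebuild the bridge name by prepending `br-`, so the bridge naming convention lives in two places with nothing tying them together. If `vpn.bridgeDevice` (defined outside this hunk) can ever differ from `"br-" + vpn.name`, the sandbox would be pointed at a different or non-existent interface than the one the VPN setup created. A comment on the `vpn.name` line such as `# sanebox prepends "br-"; must stay equal to vpn.bridgeDevice` would document the coupling, and an assertion comparing the two values would enforce it. The enclosing `let` block starts and ends outside the hunk.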
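Review bot: `firejailIngestNetDev` now prepends `br-` to every device it receives, not only to VPN tunnel names, so a non-VPN value becomes `--net=br-<value>`. That includes the `else sandbox.net` branch in modules/programs/default.nix, if that value is what reaches this function. For a sandbox whose network isolation depends on this flag, it is worth confirming that a missing `br-…` bridge makes the launch fail rather than leave the program on a wider network than intended. Linux interface names are also capped at 15 characters, so `br-` plus a long tunnel name may not correspond to any creatable bridge. Consider applying the prefix only to VPN names, or at least state the precondition in the comment: `# $1 must be a VPN tunnel name; the bridge br-$1 has to exist before launch`.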