diff --git a/TODO.md b/TODO.md
index 2cc46f7a..205d1aff 100644
--- a/TODO.md
+++ b/TODO.md
@@ -5,7 +5,6 @@
 - or try dnsmasq?
 - trust-dns: can't recursively resolve api.mangadex.org
 - and *sometimes* apple.com fails
-- sandbox: `ip netns exec ovpns bash`: doesn't work
 - wg-ovpnd-* interfaces don't work, because i use the same keys across all hosts...
 - and if i had them differ and simultaneously online, then i'd exceed the OVPN machine count.
 - i should at least have them be up'd only on-demand.
diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 82054c56..89941ac4 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -569,12 +569,15 @@ in
 ];
 iotop.sandbox.capabilities = [ "net_admin" ];
- # provides `ip`, `routel`, others
- iproute2.sandbox.method = "landlock";
+ # provides `ip`, `routel`, `bridge`, others.
+ # landlock works fine for most of these, but `ip netns exec` uses namespaces internally,
+ # and that's incompatible with landlock
+ iproute2.sandbox.method = "bwrap";
 iproute2.sandbox.net = "all";
 iproute2.sandbox.capabilities = [ "net_admin" ];
 iproute2.sandbox.extraPaths = [
- "/run/netns" # for `ip netns ...` to work
+ "/run/netns" # for `ip netns ...` to work, but maybe not needed anymore?
+ "/sys/class/net" # for `ip netns ...` to work
 "/var/run/netns"
 ];