diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index 9411b707..84817f71 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -123,9 +123,9 @@ in
 };
 "sane-scripts.ip-check".sandbox = {
- method = "bwrap";
+ method = "landlock";
 wrapperType = "wrappedDerivation";
- net = "clearnet";
+ net = "all";
 };
 "sane-scripts.reclaim-boot-space".sandbox = {
@@ -191,6 +191,13 @@ in
 ) {} (builtins.attrNames config.sane.vpn);
+ "sane-scripts.vpn".sandbox = {
+ method = "landlock"; #< bwrap can't handle `ip link` stuff even with cap_net_admin
+ wrapperType = "wrappedDerivation";
+ net = "all";
+ capabilities = [ "net_admin" ];
+ extraHomePaths = [ ".config/sane-vpn" ];
+ };
 "sane-scripts.which".sandbox = {
 method = "bwrap";
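Review bot: The `sane-scripts.ip-check` sandbox is loosened in two ways at once, `method` from `"bwrap"` to `"landlock"` and `net` from `"clearnet"` to `"all"`, and neither line says why. Landlock confines filesystem access (and, on newer kernels, TCP bind/connect ports) but gives the process no network namespace of its own, so whatever per-interface restriction `net = "clearnet"` expressed under bwrap is presumably no longer enforced. If the script has to observe VPN interfaces to report the route actually in use, record that next to the setting, e.g. `net = "all"; #< must see VPN interfaces, not only the clearnet uplink`. It is also worth confirming that nothing else the bwrap profile restricted is dropped silently. The attribute set this entry belongs to starts and ends outside the hunk.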
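Review bot: `capabilities = [ "net_admin" ]` combined with `method = "landlock"` and `net = "all"` leaves `sane-scripts.vpn` holding CAP_NET_ADMIN in what is presumably the host network namespace, so the filesystem allow-list is the only real boundary around this script. The inline comment explains why bwrap was rejected but not what still confines the process. I would add a line above the block such as `# landlock restricts filesystem access only: with net_admin this script can change interfaces, routes and firewall rules host-wide`. Please also confirm how the sandbox module grants `extraHomePaths`: if `.config/sane-vpn` holds VPN key material and the script only reads it, a read-only grant would be tighter, provided the module offers one.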