diff --git a/config/net.nix b/config/net.nix
index 0e64f927..4f765b59 100644
--- a/config/net.nix
+++ b/config/net.nix
@@ -39,6 +39,34 @@
 ];
 };
 
+ systemd.services.wg0veth = {
+ description = "veth pair to allow communication between host and wg0 netns";
+ after = [ "wireguard-wg0.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+
+ ExecStart = with pkgs; writeScript "wg0veth-start" ''
+ #!${bash}/bin/bash
+ # create veth pair
+ ${iproute2}/bin/ip link add ovpns-veth-a type veth peer name ovpns-veth-b
+ ${iproute2}/bin/ip addr add 10.0.1.5/24 dev ovpns-veth-a
+ ${iproute2}/bin/ip link set ovpns-veth-a up
+ # mv veth-b into the ovpns namespace
+ ${iproute2}/bin/ip link set ovpns-veth-b netns ovpns
+ ${iproute2}/bin/ip -n ovpns addr add 10.0.1.6/24 dev ovpns-veth-b
+ ${iproute2}/bin/ip -n ovpns link set ovpns-veth-b up
+ '';
+
+ ExecStop = with pkgs; writeScript "wg0veth-stop" ''
+ #!${bash}/bin/bash
+ ${iproute2}/bin/ip -n wg0 link del ovpns-veth-b
+ ${iproute2}/bin/ip link del ovpns-veth-a
+ '';
+ };
+ };
+
 # HURRICANE ELECTRIC CONFIG:
 # networking.sits = {
 # hurricane = {
diff --git a/config/services/jackett.nix b/config/services/jackett.nix
index dace3bdf..84c9edb8 100644
--- a/config/services/jackett.nix
+++ b/config/services/jackett.nix
@@ -3,7 +3,7 @@
 {
 services.jackett.enable = true;
 
- systemd.services.jackett.after = ["wireguard-wg0.service"];
+ systemd.services.jackett.after = ["wg0veth.service"];
 systemd.services.jackett.serviceConfig = {
 # run this behind the OVPN static VPN
 NetworkNamespacePath = "/run/netns/ovpns";
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
index 9c6f8b90..15790df6 100644
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@@ -94,7 +94,8 @@
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://ovpns.uninsane.org:9091";
+ # proxyPass = "http://ovpns.uninsane.org:9091";
+ proxyPass = "http://10.0.1.6:9091";
 };
 };
 
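Review bot: ExecStop deletes `ovpns-veth-b` from netns `wg0`, but ExecStart moved that end into netns `ovpns`, so unless a `wg0` namespace also exists (nothing in this hunk creates one) the first stop command errors out and only logs noise, and the description's "wg0 netns" wording has the same mismatch. Deleting either end of a veth pair removes both, so the stop script can drop the `-n wg0` line and keep only `${iproute2}/bin/ip link del ovpns-veth-a`, which is what actually tears the pair down today. The pair also gives every service confined to `ovpns` a direct route back to the host at 10.0.1.5 that does not traverse the VPN; a comment above `ExecStart` such as `# ovpns-veth-a (10.0.1.5) exposes the host to the ovpns netns; restrict what it accepts in the host firewall` would record that this is an intentional hole in the namespace boundary, and a host-side rule limiting `ovpns-veth-a` to the ports nginx proxies would enforce it.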
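Review bot: `after` only orders jackett behind wg0veth.service; it neither pulls the unit in nor stops jackett from starting when the veth setup fails, so on a boot where wg0veth fails jackett still comes up inside `ovpns` with no path to the host and the nginx proxy to 10.0.1.6 times out with nothing pointing at the cause. Adding `systemd.services.jackett.requires = ["wg0veth.service"];` next to the `after` line (or `bindsTo`, if jackett should also stop when the veth goes away) makes the dependency explicit. The postfix and transmission hunks make the same `after`-only change and would take the same `requires` line.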
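Review bot: The new `proxyPass` hard-codes 10.0.1.6, which is the address ExecStart in config/net.nix assigns to `ovpns-veth-b`, and nothing in nginx.nix says so; if the veth address is ever changed in net.nix both proxies (9091 here and 9117 in the next hunk) break with no hint where the value came from. Rather than leaving the old `proxyPass` line commented out with no explanation, replace it in both hunks with a comment that names the source, e.g. `# 10.0.1.6 is ovpns-veth-b inside the ovpns netns (see wg0veth in config/net.nix)`. Defining the address once in Nix and referencing it from both files would remove the duplication entirely, but that is a larger change than this commit.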
@@ -102,7 +103,8 @@
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://ovpns.uninsane.org:9117";
+ # proxyPass = "http://ovpns.uninsane.org:9117";
+ proxyPass = "http://10.0.1.6:9117";
 };
 };
 
diff --git a/config/services/postfix.nix b/config/services/postfix.nix
index c81128a5..e4e704dd 100644
--- a/config/services/postfix.nix
+++ b/config/services/postfix.nix
@@ -27,6 +27,7 @@
 # keeping this the same as the hostname seems simplest
 services.opendkim.selector = "mx";
 
+ systemd.services.postfix.after = ["wg0veth.service"];
 systemd.services.postfix.serviceConfig = {
 # run this behind the OVPN static VPN
 NetworkNamespacePath = "/run/netns/ovpns";
diff --git a/config/services/transmission.nix b/config/services/transmission.nix
index 43169b5e..0d66f409 100644
--- a/config/services/transmission.nix
+++ b/config/services/transmission.nix
@@ -28,7 +28,7 @@
 # transmission will by default not allow the world to read its files.
 services.transmission.downloadDirPermissions = "775";
 
- systemd.services.transmission.after = ["wireguard-wg0.service"];
+ systemd.services.transmission.after = ["wg0veth.service"];
 systemd.services.transmission.serviceConfig = {
 # run this behind the OVPN static VPN
 NetworkNamespacePath = "/run/netns/ovpns";