diff --git a/clusters/cl01tl/applications/tubearchivist/templates/external-secret.yaml b/clusters/cl01tl/applications/tubearchivist/templates/external-secret.yaml
index 20f84be3c..d5f20b4f4 100644
--- a/clusters/cl01tl/applications/tubearchivist/templates/external-secret.yaml
+++ b/clusters/cl01tl/applications/tubearchivist/templates/external-secret.yaml
@@ -53,3 +53,28 @@ spec:
         key: /cl01tl/tubearchivist/env
         metadataPolicy: None
         property: ELASTIC_PASSWORD
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: tubearchivist-wireguard-conf
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: tubearchivist-wireguard-conf
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: private-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /protonvpn/conf/cl01tl
+        metadataPolicy: None
+        property: private-key
diff --git a/clusters/cl01tl/applications/tubearchivist/values.yaml b/clusters/cl01tl/applications/tubearchivist/values.yaml
index 10c748a09..868ecf497 100644
--- a/clusters/cl01tl/applications/tubearchivist/values.yaml
+++ b/clusters/cl01tl/applications/tubearchivist/values.yaml
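Review bot: The new ExternalSecret has no `target:` block, so the Secret that values.yaml later consumes as `tubearchivist-wireguard-conf` exists only through ESO's default of naming the target after the ExternalSecret; an explicit `target:` / `  name: tubearchivist-wireguard-conf` / `  creationPolicy: Owner` under `spec:` makes that coupling visible and survives a rename of the resource. The `app.kubernetes.io/component: web` label looks copied from the document above; for a VPN credential a value such as `vpn` would describe it better. Judging by the path, `key: /protonvpn/conf/cl01tl` is a cluster-wide WireGuard identity rather than one minted for this app, so anyone who can read Secrets in this namespace obtains the shared key — a template comment such as `# shared cluster ProtonVPN WireGuard key; rotate in Vault at /protonvpn/conf/cl01tl` would make that ownership clear to the next reader.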
@@ -49,6 +49,44 @@ tubearchivist:
     requests:
       cpu: 10m
       memory: 1Gi
+  gluetun:
+    image:
+      repository: ghcr.io/qdm12/gluetun
+      tag: v3.40.0@sha256:2b42bfa046757145a5155acece417b65b4443c8033fb88661a8e9dcf7fda5a00
+      pullPolicy: IfNotPresent
+    env:
+      - name: VPN_SERVICE_PROVIDER
+        value: protonvpn
+      - name: VPN_TYPE
+        value: wireguard
+      - name: WIREGUARD_PRIVATE_KEY
+        valueFrom:
+          secretKeyRef:
+            name: tubearchivist-wireguard-conf
+            key: private-key
+      - name: VPN_PORT_FORWARDING
+        value: "on"
+      - name: PORT_FORWARD_ONLY
+        value: "on"
+      - name: FIREWALL_OUTBOUND_SUBNETS
+        value: 192.168.1.0/24,10.244.0.0/16
+      - name: FIREWALL_INPUT_PORTS
+        value: 80,8000
+      - name: DOT
+        value: "off"
+    securityContext:
+      privileged: True
+      capabilities:
+        add:
+          - NET_ADMIN
+          - SYS_MODULE
+    resources:
+      requests:
+        squat.ai/tun: "1"
+        cpu: 10m
+        memory: 128Mi
+      limits:
+        squat.ai/tun: "1"
   serviceAccount:
     create: true
   service:
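Review bot: `privileged: True` in the new gluetun `securityContext` hands the sidecar full host-device and capability access, which makes the `capabilities.add` list under it moot and is more than a WireGuard client needs; with the tun device already requested through `squat.ai/tun: "1"`, `NET_ADMIN` alone is normally sufficient, and `SYS_MODULE` only matters on nodes whose kernel lacks the wireguard module (mainline has shipped it since 5.6). Suggested change: drop `privileged: True` (or set `privileged: false`), remove `- SYS_MODULE` and keep `- NET_ADMIN`, then confirm the tunnel still comes up on the cluster's nodes. Separately, `True` is a YAML 1.1-style boolean that yamllint's `truthy` rule flags; the lowercase `true` already used by `create: true` in the trailing context is the convention to follow. The enclosing `tubearchivist:` mapping starts before this hunk.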