diff --git a/makefu/2configs/vpn/openvpn-server.nix b/makefu/2configs/vpn/openvpn-server.nix
new file mode 100644
index 000000000..1e7edbf78
--- /dev/null
+++ b/makefu/2configs/vpn/openvpn-server.nix
@@ -0,0 +1,111 @@
+{ config, pkgs, ... }:
+let
+	out-itf = config.makefu.server.primary-itf;
+	# generate via openvpn --genkey --secret static.key
+	client-key = (toString <secrets>) + "/openvpn-laptop.key";
+  # domain = "vpn.euer.krebsco.de";
+  domain = "gum.krebsco.de";
+  dev = "tun0";
+  port = 1194;
+	tcp-port = 3306;
+in {
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  networking.nat = {
+    enable = true;
+    externalInterface = out-itf;
+    internalInterfaces  = [ dev ];
+  };
+  networking.firewall.trustedInterfaces = [ dev ];
+  networking.firewall.allowedUDPPorts = [ port ];
+  environment.systemPackages = [ pkgs.openvpn ];
+  services.openvpn.servers.smartphone.config = ''
+    #user nobody
+    #group nobody
+
+    dev ${dev}
+    proto udp
+    ifconfig 10.8.0.1 10.8.0.2
+    secret ${client-key}
+    port ${toString port}
+    cipher AES-256-CBC
+    comp-lzo
+
+    keepalive 10 60
+    ping-timer-rem
+    persist-tun
+    persist-key
+  '';
+
+  environment.etc."openvpn/smartphone-client.ovpn" = {
+    text = ''
+      client
+      dev tun
+      remote "${domain}"
+      ifconfig 10.8.0.1 10.8.0.2
+      port ${toString port}
+
+      cipher AES-256-CBC
+      comp-lzo
+      keepalive 10 60
+      resolv-retry infinite
+      nobind
+      persist-key
+      persist-tun
+
+      secret [inline]
+
+    '';
+    mode = "700";
+  };
+  system.activationScripts.openvpn-addkey = ''
+    f="/etc/openvpn/smartphone-client.ovpn"
+    if ! grep -q '<secret>' $f; then
+      echo "appending secret key"
+      echo "<secret>" >> $f
+      cat ${client-key} >> $f
+      echo "</secret>" >> $f
+    fi
+  '';
+  #smartphone-tcp.config = ''
+  #  user nobody
+  #  group nobody
+
+  #  dev ${dev}
+  #  proto tcp
+  #  ifconfig 10.8.0.1 10.8.0.3
+  #  secret ${client-key}
+  #  port tcp-port
+  #  comp-lzo
+
+  #  keepalive 10 60
+  #  ping-timer-rem
+  #  persist-tun
+  #  persist-key
+  #'';
+  # TODO: forward via 443
+  # stream {
+  #
+  #   map $ssl_preread_server_name $name {
+  #       vpn1.app.com vpn1_backend;
+  #       vpn2.app.com vpn2_backend;
+  #       https.app.com https_backend;
+  #   }
+  #
+  #   upstream vpn1_backend {
+  #       server 10.0.0.3:443;
+  #   }
+  #
+  #   upstream vpn2_backend {
+  #       server 10.0.0.4:443;
+  #   }
+  #
+  #   upstream https_backend {
+  #       server 10.0.0.5:443;
+  #
+  #   server {
+  #       listen 10.0.0.1:443;
+  #       proxy_pass $name;
+  #       ssl_preread on;
+  #   }
+  # }
+}
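Review bot: The `smartphone` server config leaves `#user nobody` / `#group nobody` commented out, so the daemon listening on the opened UDP port stays root for its whole lifetime. Since `persist-tun` and `persist-key` are already set, it can drop privileges after startup with `user nobody` and `group nogroup` (NixOS names the group `nogroup`, which may be why the lines were disabled; worth confirming). `comp-lzo` in both the server and the generated client profile enables compression inside the tunnel, a known oracle risk (VORACLE), and is best removed from both sides together. The client profile also repeats the server's `ifconfig 10.8.0.1 10.8.0.2`, but in a point-to-point static-key setup the client end should be reversed: `ifconfig 10.8.0.2 10.8.0.1`. Finally, `mode = "700"` marks a file that ends up holding the static key as executable, so `mode = "0600"` fits better.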
diff --git a/makefu/2configs/openvpn/vpngate.nix b/makefu/2configs/vpn/vpngate.nix
similarity index 100%
rename from makefu/2configs/openvpn/vpngate.nix
rename to makefu/2configs/vpn/vpngate.nix