diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix
index dc111527..24eb6c94 100644
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@@ -96,6 +96,7 @@
 };
 nextcloud.enable = true;
 syncthing.enable = true;
+ tunnel.enable = true;
 };
 };
 }
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 3c333283..9b03d605 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -10,5 +10,6 @@
 ./nextcloud
 ./nginx
 ./syncthing
+ ./tunnel
 ];
 }
diff --git a/modules/services/tunnel/default.nix b/modules/services/tunnel/default.nix
new file mode 100644
index 00000000..e8de2c5a
--- /dev/null
+++ b/modules/services/tunnel/default.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+
+{
+ options.chvp.services.tunnel.enable = lib.mkOption {
+ default = false;
+ example = true;
+ };
+
+ config = lib.mkIf config.chvp.services.tunnel.enable {
+ networking.firewall.trustedInterfaces = [ "br-mailcow" ];
+ systemd.services.tunnel = {
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ script = "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."files/services/tunnel/key".path} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o ControlPath=none -NT -p $SSH_PORT -L 0.0.0.0:9797:$CONN_HOST:$CONN_PORT $USER@$SSH_HOST";
+ serviceConfig = {
+ EnvironmentFile = config.age.secrets."files/services/tunnel/env".path;
+ };
+ };
+
+ age.secrets."files/services/tunnel/key".file = ../../../secrets/files/services/tunnel/key.age;
+ age.secrets."files/services/tunnel/env".file = ../../../secrets/files/services/tunnel/env.age;
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index c51d65e6..d53b2ed7 100644
--- a/secrets.nix
+++ b/secrets.nix
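Review bot: The new `systemd.services.tunnel` unit in modules/services/tunnel/default.nix sets no `Restart`, so once ssh exits — which `ExitOnForwardFailure=yes` and any dropped connection will cause — the tunnel stays down until the unit is restarted by hand, and ordering only after `network.target` does not guarantee a route to `$SSH_HOST` when it starts. The ssh command also pins no server host key (no `StrictHostKeyChecking`/`UserKnownHostsFile`), so a root service with no tty will fail host-key verification on first contact unless root's known_hosts already has the entry, which the diff does not show; pin the key via `programs.ssh.knownHosts` or a checked-in known_hosts file and pass `-o StrictHostKeyChecking=yes`. Separately, `-L 0.0.0.0:9797:...` binds the forwarded port on every interface and only the firewall's default deny keeps it off the rest, while `trustedInterfaces = [ "br-mailcow" ]` bypasses the firewall for all ports on that bridge rather than just 9797 — `networking.firewall.interfaces.br-mailcow.allowedTCPPorts = [ 9797 ];` (or binding to the bridge's address) is the narrower form. Finally, the `enable` option has neither `type = lib.types.bool;` nor a `description`, so a non-boolean value is accepted silently; `lib.mkEnableOption "ssh tunnel"` supplies both.
```nix
systemd.services.tunnel = {
  after = [ "network-online.target" ];
  wants = [ "network-online.target" ];
  wantedBy = [ "multi-user.target" ];
  # … unchanged: script — add `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<PATH TO PINNED known_hosts>` to the ssh options …
  serviceConfig = {
    EnvironmentFile = config.age.secrets."files/services/tunnel/env".path;
    Restart = "always";
    RestartSec = 10;
  };
};
```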
@@ -46,6 +46,9 @@ in "secrets/passwords/services/syncthing-basic-auth.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/files/services/tunnel/key.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/files/services/tunnel/env.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users; "secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users;
diff --git a/secrets/files/services/tunnel/env.age b/secrets/files/services/tunnel/env.age
new file mode 100644
index 00000000..e9b98c22
--- /dev/null
+++ b/secrets/files/services/tunnel/env.age
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 yad4VQ 4EZbasW5A0791VTZy5+OBXLVJ+/G5kTRvlnMeg4lSDg +Aj4iFFHEjEW0SyMrgQTt9hcAed42N/jL60FjARqlHFo +-> ssh-ed25519 s9rb8g cRHZludrYSvCJy15kHhxUH516CfOtwQ3VEk4FYJdW2U +NbzPbwg5rkgzVAFeHJqfpFdExIMexIZpdLBZFz1miHE +-> ssh-ed25519 hKAFvQ rNrDoQWNd76bpvoWFh31ClZQ5VIRAfe2BDEpS/bN0Ug +6uKJeY1fL3pryI9ynX9dVEXrsLQg+hrBvkz0FY2fOUI +-> k-grease M=!N`9 6bU +CtgiHxZfRbY81i9AiltE2ZY0M2xFtIZ7Q7ClL49HU67SimSdJxSLC382I0xk08O9 +3JRWjOQqvRtcSosB +--- vUl2LYnVGXcLs4jdkc9IDYX7HM78TCPTJ5BCvD6fJ1Q +PV매I MRyPP6E^.Kk2%oD: مA>Ib><< A +z[!%P)ХR-z$܃<7q:݉f \ No newline at end of file
diff --git a/secrets/files/services/tunnel/key.age b/secrets/files/services/tunnel/key.age
new file mode 100644
index 00000000..72f3d0dd
Binary files /dev/null and b/secrets/files/services/tunnel/key.age differ