diff --git a/bundles/openvpn-client/items.py b/bundles/openvpn-client/items.py
index ebb3cac..686632e 100644
--- a/bundles/openvpn-client/items.py
+++ b/bundles/openvpn-client/items.py
@@ -17,5 +17,6 @@ for config in node.metadata.get('openvpn-client', {}).get('configs', set()):
 svc_systemd[f'openvpn-client@{config}'] = {
 'needs': {
 f'file:/etc/openvpn/client/{config}.conf',
+ 'pkg_apt:openvpn',
 },
 }
diff --git a/nodes/home/router.py b/nodes/home/router.py
index 564050e..e2706f1 100644
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@@ -7,6 +7,7 @@ nodes['home.router'] = {
 'iptables',
 'netdata',
 'nginx',
+ 'openvpn-client',
 'pppd',
 'radvd',
 'vnstat',
@@ -71,6 +72,9 @@ nodes['home.router'] = {
 # External port 2022 should be home.nas
 'iptables -t nat -A PREROUTING -p tcp --dport 2022 -j DNAT --to 172.19.138.20:22',
 'iptables -A FORWARD -p tcp -d 172.19.138.20 --dport 22 -j ACCEPT',
+
+ # use MASQUERADE for tun0 (c3voc)
+ 'iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE',
 ],
 },
 'nameservers': atomic({
@@ -87,6 +91,11 @@ nodes['home.router'] = {
 'enp1s0.42',
 },
 },
+ 'openvpn-client': {
+ 'configs': {
+ 'c3voc',
+ },
+ },
 'radvd': {
 'integrate-with-pppd': True,
 'interfaces': {
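Review bot: The new POSTROUTING rule in the third hunk (nodes/home/router.py, iptables list) matches on the literal device name `tun0` and has no source match, so it does what its comment says only if the c3voc client config pins that name, and it translates whatever the FORWARD chain lets through. The OpenVPN config is not part of this diff; if it uses `dev tun` rather than `dev tun0`, the kernel assigns the number and a different tunnel could end up being the one that is NATed. Restricting the rule to the LAN range, e.g. `'iptables -t nat -A POSTROUTING -s <LAN_SUBNET> -o tun0 -j MASQUERADE',` (placeholder subnet), narrows it to the traffic that is meant to leave through the VPN. The existing context line `iptables -A FORWARD -p tcp -d 172.19.138.20 --dport 22 -j ACCEPT` has no `-i` match, so it presumably also accepts packets arriving on tun0 once the tunnel is up. The FORWARD policy is outside the hunk, so it is worth confirming that new connections from `tun0` towards the LAN are dropped unless that reachability is intended.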