diff --git a/nixarr/openssh/default.nix b/nixarr/openssh/default.nix
index 2d073fa..d857dc6 100644
--- a/nixarr/openssh/default.nix
+++ b/nixarr/openssh/default.nix
@@ -29,8 +29,14 @@ in {
     '';
   };
 
-  config = mkIf cfg.enable {
-    systemd.services.openssh = mkIf (cfg.vpn.enable && config.services.openssh.enable) {
+  config = mkIf (cfg.vpn.enable && config.services.openssh.enable) {
+    util-nixarr.vpnnamespace = {
+      portMappings = builtins.map (x: { From = x; To = x; }) config.services.openssh.ports;
+      openUdpPorts = config.services.openssh.ports;
+      openTcpPorts = config.services.openssh.ports;
+    };
+
+    systemd.services.openssh = {
       bindsTo = [ "netns@wg.service" ];
       requires = [ "network-online.target" ];
       after = [ "wg.service" ];