diff --git a/apps/system/vpn/daemonset.yaml b/apps/system/vpn/daemonset.yaml index 00a6c19..05e4b0d 100644 --- a/apps/system/vpn/daemonset.yaml +++ b/apps/system/vpn/daemonset.yaml @@ -26,6 +26,10 @@ spec: - name: vpn-conf configMap: name: vpn-conf + - name: vpn-scripts + configMap: + name: vpn-scripts + defaultMode: 0555 - name: vpn-creds secret: secretName: vpn-creds @@ -41,6 +45,12 @@ spec: - /vpn/vpn.conf - --auth-user-pass - /vpn/creds + - --script-security + - "2" + - --up + - /vpn-scripts/up.sh + - --down + - /vpn-scripts/down.sh securityContext: privileged: true capabilities: @@ -55,5 +65,8 @@ spec: mountPath: /vpn/creds subPath: creds readOnly: true + - name: vpn-scripts + mountPath: /vpn-scripts + readOnly: true - mountPath: /dev/net/tun name: dev-net-tun diff --git a/apps/system/vpn/kustomization.yaml b/apps/system/vpn/kustomization.yaml index 4dcfdfb..a40bfba 100644 --- a/apps/system/vpn/kustomization.yaml +++ b/apps/system/vpn/kustomization.yaml @@ -7,3 +7,7 @@ configMapGenerator: - name: vpn-conf files: - vpn.conf=Fastestvpn_ovpn/UDP_Files/Sweden2-UDP.ovpn + - name: vpn-scripts + files: + - up.sh=scripts/up.sh + - down.sh=scripts/down.sh diff --git a/apps/system/vpn/scripts/down.sh b/apps/system/vpn/scripts/down.sh new file mode 100644 index 0000000..7471829 --- /dev/null +++ b/apps/system/vpn/scripts/down.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux + +sudo ip rule delete from 192.168.1.8/32 table 42 +sudo ip rule delete from 10.244.0.0/16 table 42 +sudo ip rule delete from 192.168.1.8/32 to 10.244.0.0/16 table main +sudo ip rule delete from 10.244.0.0/16 to 10.244.0.0/16 table main +sudo ip route flush table 42 + diff --git a/apps/system/vpn/scripts/up.sh b/apps/system/vpn/scripts/up.sh new file mode 100755 index 0000000..fe21cd4 --- /dev/null +++ b/apps/system/vpn/scripts/up.sh 
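Review bot: Adding `--script-security 2` with `--up /vpn-scripts/up.sh` / `--down /vpn-scripts/down.sh` means the contents of the `vpn-scripts` ConfigMap are executed as root inside a container that this same manifest runs with `privileged: true`, on every node the DaemonSet is scheduled to, so write access to that ConfigMap is now node-level code execution across the fleet. Nothing in the diff scopes RBAC for it; the ConfigMap needs the same access restrictions as the `vpn-creds` Secret, or the scripts should be baked into the image and only the OpenVPN config left in a ConfigMap. Either way the hazard should be stated next to the volume, e.g. `# executed as root via --up/--down in a privileged pod: writes to this ConfigMap are root on the node, restrict RBAC accordingly`. The `readOnly: true` mount and `defaultMode: 0555` limit what the running container can do to the files but do nothing against a change to the ConfigMap itself.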
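Review bot: down.sh prefixes every `ip` command with `sudo`, while up.sh in the same commit calls `ip` directly; inside the privileged container OpenVPN already runs as root, and if the image ships without a `sudo` binary every line in down.sh fails and the table-42 default route and the four policy rules survive the tunnel going down. Drop the prefix so both scripts match, e.g. `ip rule delete from 192.168.1.8/32 table 42` and `ip route flush table 42`. Leaving the script without `set -e` is reasonable here, since a rule that is already gone is not an error for cleanup. The git mode is also 100644 while up.sh is 100755; `defaultMode: 0555` in the DaemonSet masks this, but aligning the modes avoids a surprise if the scripts are ever mounted another way.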
@@ -0,0 +1,8 @@
+#!/bin/sh
+# see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
+
+ip route add table 42 default via 192.168.1.1
+ip rule add from 192.168.1.8/32 table 42
+ip rule add from 10.244.0.0/16 table 42
+ip rule add from 192.168.1.8/32 to 10.244.0.0/16 table main
+ip rule add from 10.244.0.0/16 to 10.244.0.0/16 table main
\ No newline at end of file
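Review bot: up.sh is not safe to re-run: `ip route add table 42 default via 192.168.1.1` fails with EEXIST whenever the route survived an earlier run (a down script that did not complete, or an OpenVPN restart), and OpenVPN treats a failing `--up` script as fatal, so the tunnel then never comes up; the four `ip rule add` lines do the opposite and succeed every time, accumulating duplicate rules on each reconnect. Use `ip route replace` for the route and remove any existing copies of a rule before adding it, as below. The script also hard-codes a single host address (`192.168.1.8/32`) although a DaemonSet runs on every node; if the cluster has more than one node, the address should presumably come from the Downward API (`status.hostIP`) rather than a literal, which is worth confirming. The file is also missing its trailing newline.
```shell
#!/bin/sh
# see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux

# Idempotent: OpenVPN treats a failing --up script as fatal, so this must
# succeed on reconnect and after an incomplete down.sh.
ip route replace table 42 default via 192.168.1.1

# Remove every existing copy of the rule (ip rule add does not de-duplicate),
# then add it exactly once.
add_rule() {
    while ip rule delete "$@" 2>/dev/null; do :; done
    ip rule add "$@"
}

add_rule from 192.168.1.8/32 table 42
add_rule from 10.244.0.0/16 table 42
add_rule from 192.168.1.8/32 to 10.244.0.0/16 table main
add_rule from 10.244.0.0/16 to 10.244.0.0/16 table main
```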