diff --git a/apps/system/vpn/daemonset.yaml b/apps/system/vpn/daemonset.yaml
index 6f2ad9a..24b58e4 100644
--- a/apps/system/vpn/daemonset.yaml
+++ b/apps/system/vpn/daemonset.yaml
@@ -14,6 +14,13 @@ spec:
         name: vpn-client
     spec:
       hostNetwork: true
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: vpn
+                operator: Exists
       volumes:
         - name: vpn-conf
           configMap:
diff --git a/apps/system/vpn/readme.md b/apps/system/vpn/readme.md
index 1712b0a..cb1e07d 100644
--- a/apps/system/vpn/readme.md
+++ b/apps/system/vpn/readme.md
@@ -20,3 +20,15 @@ $ kubectl --context=gullfaxi --namespace vpn \
     create secret generic vpn-creds \
     --from-file=creds=./creds
 ```
+
+To disable:
+
+```bash
+kubectl --context=gullfaxi label nodes gullfaxi vpn-
+```
+
+To enable:
+
+```bash
+kubectl --context=gullfaxi label nodes gullfaxi vpn=""
+```