diff --git a/system/vpn.nix b/system/vpn.nix
index 601c5d5..b75d997 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
@@ -15,10 +15,14 @@ in {
     extraUpFlags = [
       "--reset"
       "--accept-routes"
+      "--exit-node-allow-lan-access"
       "--exit-node=de-ber-wg-004.mullvad.ts.net"
     ];
   };
 
+  systemd.services.tailscaled.serviceConfig.Environment =
+    [ "TS_DEBUG_FIREWALL_MODE=auto" ];
+
   # call taiscale up without --auth-key
   systemd.services.tailscaled-autoconnect.script = ''
     status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service)