diff --git a/nixos-infect b/nixos-infect
index 2627a56..aea6fa9 100755
--- a/nixos-infect
+++ b/nixos-infect
@@ -20,7 +20,7 @@ makeConf() {
 mkdir /etc/nixos/nextcloud
 mkdir /etc/nixos/resources
 mkdir /etc/nixos/videomeet
- mkdir /etc/nixos/openconnect
+ mkdir /etc/nixos/vpn
 # Prevent grep for sending error code 1 (and halting execution) when no lines are selected : https://www.unix.com/man-page/posix/1P/grep
 local IFS=$'\n'
@@ -41,7 +41,7 @@ makeConf() {
 $NIXOS_IMPORT
 ./files.nix
 ./mailserver/system/mailserver.nix
- ./openconnect/shadowsocks.nix
+ ./vpn/ocserv.nix
 ./api/api.nix
 ./api/api-service.nix
 ./letsencrypt/acme.nix
@@ -58,8 +58,8 @@ makeConf() {
 networking = {
 hostName = "$(hostname)";
 firewall = {
- allowedTCPPorts = lib.mkForce [ 22 443 80 143 587 8388 ];
- allowedUDPPorts = lib.mkForce [ 22 443 80 143 587 8388 ];
+ allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 587 8443 ];
+ allowedUDPPorts = lib.mkForce [ 443 ];
 };
 };
 time.timeZone = "Europe/Uzhgorod";
@@ -259,6 +259,10 @@ EOF
 group = "acmerecievers";
 webroot = "/var/lib/acme/acme-challenge";
 };
+ "vpn.$DOMAIN" = {
+ group = "acmerecievers";
+ webroot = "/var/lib/acme/acme-challenge";
+ };
 "git.$DOMAIN" = {
 group = "acmerecievers";
 webroot = "/var/lib/acme/acme-challenge";
@@ -350,6 +354,11 @@ EOF
 enableACME = true;
 forceSSL = true;
 };
+ "vpn.$DOMAIN" = {
+ listen = [{ addr = "0.0.0.0"; port = 8443; ssl = true; }];
+ enableACME = true;
+ forceSSL = true;
+ };
 "git.$DOMAIN" = {
 enableACME = true;
 forceSSL = true;
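Review bot: In the `@@ -58,8 +58,8 @@` hunk the firewall opens TCP 8443 for the new vpn vhost and UDP 443 for DTLS, but TCP 443 now has two would-be listeners: the nginx vhosts that keep their default listen (git.$DOMAIN and the others) and ocserv, which the later hunk configures with `tcp-port = 443` on all addresses. If nothing elsewhere moves nginx off 443 or binds ocserv to a separate address, one of the two services will presumably fail to bind at boot and the open port is not serving what the rule intends. Either give ocserv its own address/port (ocserv's `listen-host` option, with a matching firewall entry) or move every nginx vhost, not only vpn.$DOMAIN, to 8443. makeConf() starts before this hunk.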
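Review bot: The `@@ -259,6 +259,10 @@` hunk registers a webroot challenge for vpn.$DOMAIN, but the matching nginx vhost added in the `@@ -350,6 +354,11 @@` hunk overrides `listen` with a single TLS entry on 8443, so no plain-HTTP listener on port 80 serves `/var/lib/acme/acme-challenge` for that name and HTTP-01 validation should be expected to fail; ocserv would then find no `/var/lib/acme/vpn.$DOMAIN/fullchain.pem` to start with. Unless another vhost answers port 80 for vpn.$DOMAIN, add a non-TLS entry so the forceSSL redirect server, which carries the challenge location, is generated: `listen = [ { addr = "0.0.0.0"; port = 80; } { addr = "0.0.0.0"; port = 8443; ssl = true; } ];`. The firewall hunk already opens TCP 80, so no further rule is needed.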
@@ -659,19 +668,52 @@ in } EOF -cat > /etc/nixos/openconnect/shadowsocks.nix << EOF +cat > /etc/nixos/vpn/ocserv.nix << EOF { pkgs, ...}: { - services = { - shadowsocks = { - enable = true; - localAddress = [ "[::0]" "0.0.0.0" ]; - port = 8388; - passwordFile = "/var/shadowsocks-password"; - mode = "tcp_and_udp"; - fastOpen = true; - encryptionMethod = "chacha20-ietf-poly1305"; - }; + users.groups.ocserv = { + members = [ "ocserv" ]; + }; + users.users.ocserv = { + isNormalUser = false; + extraGroups = [ "ocserv" "acmerecievers" ]; + }; + services.ocserv = { + enable = true; + config = '' +socket-file = /var/run/ocserv-socket + +auth = "pam" + +tcp-port = 443 +udp-port = 443 + +server-cert = /var/lib/acme/vpn.$DOMAIN/fullchain.pem +server-key = /var/lib/acme/vpn.$DOMAIN/key.pem + +compression = true + +max-clients = 0 +max-same-clients = 6 + +try-mtu-discovery = true + +idle-timeout=1200 +mobile-idle-timeout=2400 + +default-domain = vpn.$DOMAIN + +device = vpn0 + +ipv4-network = 10.10.10.0 +ipv4-netmask = 255.255.255.0 + +tunnel-all-dns = true +dns = 1.1.1.1 +dns = 1.0.0.1 + +route = default + ''; }; } EOF
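Review bot: `auth = "pam"` together with `max-clients = 0` lets every local account that can pass PAM password authentication open a tunnel, with no cap on concurrent sessions; ocserv can restrict this to a dedicated VPN group, e.g. `auth = "pam[gid-min=1000]"`, and `max-clients` should be a real bound. `compression = true` compresses client data inside the TLS/DTLS tunnel, and compressing attacker-influenced plaintext inside an encrypted channel is a known information-leak class (CRIME/VORACLE), so `compression = false` is the safer setting. `isNormalUser = false;` on its own leaves the ocserv account neither a normal nor a system user, which recent NixOS rejects with an assertion unless the ocserv module already declares it; `isSystemUser = true; group = "ocserv";` states the intent explicitly. Nothing in this hunk enables IP forwarding or NAT for 10.10.10.0/24, so `route = default` only gives clients egress if that is configured elsewhere; the surrounding script function starts outside the hunk.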