diff --git a/kubernetes/apps/vpn-gateway/gateway/app/helmrelease.yaml b/kubernetes/apps/vpn-gateway/gateway/app/helmrelease.yaml
index 955dca68..5c8e3110 100644
--- a/kubernetes/apps/vpn-gateway/gateway/app/helmrelease.yaml
+++ b/kubernetes/apps/vpn-gateway/gateway/app/helmrelease.yaml
@@ -59,11 +59,12 @@ spec:
     routed_namespaces:
       - media
     settings:
+      NOT_ROUTED_TO_GATEWAY_CIDRS: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
+      VPN_BLOCK_OTHER_TRAFFIC: true
       VPN_INTERFACE: "tun0"
-      VPN_BLOCK_OTHER_TRAFFIC: false
+      VPN_LOCAL_CIDRS: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
       VPN_TRAFFIC_PORT: "1194"
-      VPN_LOCAL_CIDRS: 10.0.0.0/8 192.168.0.0/16
-      NOT_ROUTED_TO_GATEWAY_CIDRS: 10.0.0.0/8 192.168.0.0/16
+      VXLAN_PORT: 4789
     webhook:
       image:
         repository: ghcr.io/angelnu/gateway-admision-controller
diff --git a/kubernetes/apps/vpn-gateway/gateway/app/networkpolicy.yaml b/kubernetes/apps/vpn-gateway/gateway/app/networkpolicy.yaml
index df93ae8f..c3c5370a 100644
--- a/kubernetes/apps/vpn-gateway/gateway/app/networkpolicy.yaml
+++ b/kubernetes/apps/vpn-gateway/gateway/app/networkpolicy.yaml
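Review bot: `VXLAN_PORT: 4789` is the only bare integer in the `settings` block — `VPN_TRAFFIC_PORT: "1194"` two lines above is written as a string, and the new `VPN_BLOCK_OTHER_TRAFFIC: true` is likewise the only bare boolean. If the chart copies `settings` into ConfigMap data or container `env` without quoting, a non-string value is rejected by the API server, so `VXLAN_PORT: "4789"` is the safer and consistent spelling (the same applies to `VPN_BLOCK_OTHER_TRAFFIC` if that path needs strings). The value does agree with the 4789 the networkpolicy change in this commit uses, and the enclosing `values` block starts outside the hunk.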
@@ -4,46 +4,70 @@ kind: CiliumNetworkPolicy
 metadata:
   name: pod-gateway
   labels:
-    app.kubernetes.io/instance: pod-gateway
-    app.kubernetes.io/name: pod-gateway
+    app.kubernetes.io/instance: &instance vpn-gateway
+    app.kubernetes.io/name: &name pod-gateway
 spec:
   endpointSelector:
     matchLabels:
-      app.kubernetes.io/instance: pod-gateway
-      app.kubernetes.io/name: pod-gateway
+      app.kubernetes.io/instance: *instance
+      app.kubernetes.io/name: *name
   egress:
     - toCIDR:
         - 0.0.0.0/0
       toPorts:
+        # - ports:
+        #     - port: "443"
+        #       protocol: TCP
         - ports:
             - port: "1194"
               protocol: UDP
     - toEntities:
         - cluster
 ---
+# vpn-gateway to communicate over the default VXLAN port 4789
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
   name: pod-gateway-vxlan
   labels:
-    app.kubernetes.io/instance: pod-gateway
-    app.kubernetes.io/name: pod-gateway
+    app.kubernetes.io/instance: &instance vpn-gateway
+    app.kubernetes.io/name: &name pod-gateway
 spec:
   endpointSelector:
     matchLabels:
-      app.kubernetes.io/instance: pod-gateway
-      app.kubernetes.io/name: pod-gateway
+      app.kubernetes.io/instance: *instance
+      app.kubernetes.io/name: *name
   egress:
     - toPorts:
         - ports:
-            - port: "8472"
+            - port: "4789"
               protocol: UDP
   ingress:
     - toPorts:
         - ports:
-            - port: "8472"
+            - port: "4789"
               protocol: UDP
     - icmps:
         - fields:
             - type: 8
               family: IPv4
+
+---
+# vpn-gateway-pod-gateway webhook receive traffic
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: pod-gateway-webhook
+  labels:
+    app.kubernetes.io/instance: &instance vpn-gateway
+    app.kubernetes.io/name: &name pod-gateway
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: *instance
+      app.kubernetes.io/name: *name
+  ingress:
+    - toPorts:
+        - ports:
+            - port: "8080"
+              protocol: TCP
diff --git a/kubernetes/apps/vpn-gateway/gateway/app/secret.sops.yaml b/kubernetes/apps/vpn-gateway/gateway/app/secret.sops.yaml
index d39cf1ed..0b24cb5a 100644
--- a/kubernetes/apps/vpn-gateway/gateway/app/secret.sops.yaml
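Review bot: The new `pod-gateway-webhook` policy opens 8080/TCP with only `toPorts` under `ingress`, so it admits any source, and its `endpointSelector` repeats the two labels the VPN and VXLAN policies use to select the gateway pods — 8080 is therefore opened on the gateway pods as well, and it only reaches the webhook pods if they carry those same two labels. Since the webhook is called by the API server, the rule can name its peer, e.g. `- fromEntities:` / `    - kube-apiserver` alongside `toPorts`, and a component-style label in the selector would confine it to the webhook pods; worth checking against the chart's pod labels. The commented-out 443/TCP block added to the first document's egress is dead configuration — either drop it or give it a comment saying when it is meant to be enabled. The first document begins before the hunk.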
+++ b/kubernetes/apps/vpn-gateway/gateway/app/secret.sops.yaml 
@@ -4,17 +4,21 @@ metadata:
   name: vpn-gateway-pod-gateway
   namespace: vpn-gateway
 stringData:
-  VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:hoiWunzvBg==,iv:UcGbhhAv6bDHroQpYp0rmMbzXKLR7qALIqnUXJdOPr8=,tag:LEIwVrXJHNeeyrZG5ube0Q==,type:str]
-  OPENVPN_USER: ENC[AES256_GCM,data:zjRjHD8K0/26LUKI9pXMRh6L9eUYkIjj,iv:fY8+CJcKTQzga9aCbP8EthvfTEWp3ZAj5rMFLHLYNl0=,tag:CTZnQ9MafvQ1gfPPuQhzdA==,type:str]
-  OPENVPN_PASSWORD: ENC[AES256_GCM,data:JWqgZtLdrIqQ6w0nbBEWi4CeMb255T0x,iv:D5g/MiariqhfCYo2KNfU4LAecRbVoLrpm9h1JeMjNfI=,tag:675f6j2ixMIPhTh6yf39Rw==,type:str]
-  SERVER_COUNTRIES: ENC[AES256_GCM,data:xzRCdgLG,iv:yDGgyhpTI0bel96RaX3qXtZxQ4CVbn07s5h3ASViG1I=,tag:jagvwK/nIwteIQ/8zToRVg==,type:str]
-  SERVER_CATEGORIES: ENC[AES256_GCM,data:NYBo,iv:7RTXG1fjIqzt05E8iBikIFjKtXB9SGQRJDw2d4/5yfc=,tag:mI3mhWYkTHCxOXG/z0wDzw==,type:str]
-  VPN_INTERFACE: ENC[AES256_GCM,data:EdtrFg==,iv:PURogGK0muxXphPRjxXNcZqlBhIaDZofYn+epers9qU=,tag:NUF3xRZ8CONYUDqcMbSZ/w==,type:str]
-  FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT: ENC[AES256_GCM,data:iGXh,iv:JyVuTheVa0TXRT3pkgkRc4J9QCspdxv+ICLDnsZ9pZk=,tag:Ic/sjf6y8A4XVGpbRjS0bQ==,type:str]
-  DNS_ADDRESS: ENC[AES256_GCM,data:vZlMG84mwQ==,iv:OxQ5uQCdPZNMO1rxa4trOq6y3mgtq40E+qsKOmmwVzo=,tag:RZzL/LGsTwSvo7C6xmEc/Q==,type:str]
-  FIREWALL: ENC[AES256_GCM,data:XYAg,iv:SJXxy1uH31UQ2ZLNHzTczbqjATe5APE2PofSRqqfKMI=,tag:KTvCtKTX3DkeXKeQnyO+BQ==,type:str]
-  DOT: ENC[AES256_GCM,data:1vC0,iv:5Cdu7PvPeBEJT3LJotjpOn3+L/ju7E4AcFSJ41VISzo=,tag:HADGPbhL1VaC58MkYZTsog==,type:str]
-  FIREWALL_DEBUG: ENC[AES256_GCM,data:b78=,iv:3BMQ0DGNtWp7F1B9OwxyXJovvgno7W9xyDqz8kVq7Ng=,tag:EvReyPJwuYR9VmQy3qLmmw==,type:str]
+  #ENC[AES256_GCM,data:9b2XCi3BFhSAwDzMv7yJlg==,iv:SZZTbshhmldXLwrC1Tv5+Fn0fAALWIhs4YpVPtHz97Y=,tag:xwKkFjFoV0fjsjqX//iIOQ==,type:comment]
+  VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:uGnXdM2UmA==,iv:LvXRUQcsmIY4QFnAnz4xyuYV9DiTk1H+z9GRLhN+qws=,tag:Fev90HR7WzhtUPRoITdlhQ==,type:str]
+  OPENVPN_USER: ENC[AES256_GCM,data:GNWPfy82NNMagpXHSgG1+Vfdlc+K8giz,iv:AdrhDIkuq16hB8LzQ/xSi6sBtAEmgjKnuvnZacDLBOg=,tag:cMoDJi0l+e5JMeeSfmQ8/A==,type:str]
+  OPENVPN_PASSWORD: ENC[AES256_GCM,data:8U1iv0/YGJp7OqbRwIpOdkHaJ3BehLiS,iv:z+qU8njBNknjMqVTTtxE29A4DxS676S8GevR2d96M/c=,tag:OtSh1S3wlxVw9RslDMkDKQ==,type:str]
+  SERVER_COUNTRIES: ENC[AES256_GCM,data:5Jzm1bDM,iv:JtSsoc53rsJ2lnr8MKhUteo2vFULz0C4OUnTtwOMQW0=,tag:qk3rtR4Dx5dpueRYfWs3ng==,type:str]
+  SERVER_CATEGORIES: ENC[AES256_GCM,data:dGkg,iv:MCatvlYzGY+gNjd0yQQ9FDkzsi6DCpH4Fl7KVu0Xqus=,tag:YAIkCtZIMygdAyspIVG4HQ==,type:str]
+  VPN_INTERFACE: ENC[AES256_GCM,data:5We6Ag==,iv:7yseYCdwSZJEDgd/ztYeKf8SozgfP+ZHEJpr7q/sPWA=,tag:QBv62YZZ4SGwwtJjy76XDQ==,type:str]
+  #ENC[AES256_GCM,data:4uR2Z+D0H/df,iv:Z4MvyZqtLJjGO75yolAp/RXXad8/+lPnZsRfABMorWQ=,tag:/OKufqevxqcmdWuTfv7GQQ==,type:comment]
+  FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT: ENC[AES256_GCM,data:/fmF,iv:PxRaHhvr+Cy4w/t5CTHXggFNxS5PxcIjDO12Ctc+iCY=,tag:4m9YJblHLh7LlCLDeBcgTQ==,type:str]
+  FIREWALL_DEBUG: ENC[AES256_GCM,data:HLM=,iv:vgYXQzHmpvsdfVPwdkDfmOJ7R4ktFNxXRAtBgHneZC4=,tag:vI80Ceoz/t5TkZ4TIdk3BA==,type:str]
+  #ENC[AES256_GCM,data:UO8bHQ==,iv:/GuvRJP2w/g7vICM1NDZVHTXm+sBo/kkjlevDi7LaYo=,tag:6P1aN6OXi2u2CckEc0+Eww==,type:comment]
+  BLOCK_MALICIOUS: ENC[AES256_GCM,data:wL+d,iv:9hoLzbQi2aNa2zQu9ZB9XzqmqpeDFj82iBTmhi6bfbk=,tag:C2s6RtSC93AROyDNZwKoZw==,type:str]
+  #ENC[AES256_GCM,data:gf8ng5oalgXLqEUNq9EF+DK9VOY=,iv:iMT0FkZ81zJLjwmgv6gaEPcDz5CLCzw4HV8OdrQyK6I=,tag:KHW4EyNAKc2EOfGQdfNncQ==,type:comment]
+  DNS_ADDRESS: ENC[AES256_GCM,data:Mld9rWXi8Dwhck9Ejw==,iv:Jz3TSOyaVNTj8cjZpGXSpaBX2GqrJEYFOTRkrciUQI0=,tag:3yN4Fkcyr98NYRl5+17xXw==,type:str]
+  DNS_UPDATE_PERIOD: ENC[AES256_GCM,data:CR1F,iv:X8m6tpU/h/Gk/D+9F1AES7O0wqEVDLodp/m+4Vu4+wk=,tag:Se8IDRZHJLIbjV6DoqxPIw==,type:str]
 sops:
   kms: []
   gcp_kms: []
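Review bot: The explicit `FIREWALL` and `DOT` keys are dropped from `stringData` with no replacement, so those settings fall back to the consumer's defaults; for gluetun, which the remaining `VPN_SERVICE_PROVIDER`/`SERVER_COUNTRIES`/`BLOCK_MALICIOUS` keys suggest, both presumably default to on, but because every value here is sops-encrypted none of that is verifiable from the diff — a sentence in the commit message confirming the kill-switch firewall stays enabled would help the next reader. The new `#ENC[...type:comment]` lines are encrypted comments, which is valid, but nobody without the age key can read them in review; explanatory comments kept outside the `stringData` block stay in plaintext, since `encrypted_regex: ^(data|stringData)$` only covers those two keys. The enclosing Secret begins before the hunk.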
@@ -24,14 +28,14 @@ sops:
     - recipient: age1w02zzfg0y4ast9mgnd9w0yuym0wqx6q967kmrmq355w4cnw0xytq2x369r
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPQ3VjZlRqMFVoK3ZYUU9V
-        ZXptS2xDVGE1WkxIZUppQm0zSUFYckliOHkwCjJLR0pKamtocVlKOUhrRmpwcExP
-        ODM3R3RmdGMwNi8rYnNFdnVvRk5ya0EKLS0tIG9na2RzdXhaT2ZkTzJKdTdRajBI
-        VWRteGcvYWJLU2gxblpabC9FZVdEUk0KcAYdtdimc4uIvuZrtap3Yr9A1JREt/+2
-        7vbuA8BxlxYrL+44mdlDRL0wdBpGQTjbC39EudWiTg/jp2kCWAYeYA==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHQXRPdXN4cGJoS0VSNkNT
+        QVhBcHhEWTJ6YktjZVlhMmxZZ0h2VUNheW1BCnZUL09nSlUwTDBBS3NNRUdYNHBN
+        MHZoQ0dhODBjWUxCUmxPd0NOc0xER3MKLS0tIHBib3dLYUl2N0tpLzF3czNxRXRn
+        NUVGbkY1ZnFMRXZ4em9DckRmTnZvNjQKx/t/uKtGf/7mZMgdFJqVciyr52LQt1b2
+        2edS5U3Bhrv2bkKTbeAtsxkrkMNAFYITLGFD9voIRV2X4fv58+9PZQ==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-10-25T18:37:31Z"
-  mac: ENC[AES256_GCM,data:dzQysVjm/03nFZFDgu22BZ6rN7/pFvd1zO2zvmOw86Xh+/l+3eUmpQBIxXeIJPZ5jQpbFxtiy3ThVQp/9kRQ12hKIAeB7farDCEwIA8VO+U9wQcFf1qILj9/yNBNxnqQkDajHcikaMvgfxehxlcPp+iXCysXfZwV1Zaabkd0C1o=,iv:Bs5E8lSdx0jy+LVz+N9WyuAQ5Q5ymQ4k9NBx34N3Q+I=,tag:0+uhn+0CEx1eYCU8nLgXAw==,type:str]
+  lastmodified: "2024-11-23T22:32:21Z"
+  mac: ENC[AES256_GCM,data:LfKSpfwHiQG0SOSA6pMxsVvvR6vRJeV3WZE7LNKlneEk4DCRFnbhK/Z6zLM8e2l2rxcQspOen806Zz35FfTvdwv50QVkgWx0JJDgJW4p2S+8J5BZ7yr3WsKcrHtRQxc5w1q1aoGbj5QGdZh1a9FYnXhLxuLkPNTnHcTn2DoJf6g=,iv:MtwzVY1lrgLt7CI/VXCwk34EXDMnd5hxspkJyzvqByo=,tag:Cd7do3V467dqy6GbYIoTPg==,type:str]
   pgp: []
   encrypted_regex: ^(data|stringData)$
   version: 3.9.0