diff --git a/configuration.nix b/configuration.nix
index 4568963..78a2471 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -137,24 +137,27 @@
     after = [ "netns@wg.service" ];
     serviceConfig = {
       Type = "oneshot";
-      RemainAfterExist = true;
+      RemainAfterExit = true;
       ExecStart = with pkgs; writers.writeBash "wg-up" ''
         set -e
         # Create wireguard
         ${iproute}/bin/ip link add wg0 type wireguard
+        # move to wg network namespace
+        ${iproute}/bin/ip link set wg0 netns wg
         # Connect to vpn
-        ${iproute}/bin/ip address add 10.65.64.220/32 dev wg0
-        ${iproute}/bin/ip -6 address add fc00:bbbb:bbbb:bb01::2:40db/128 dev wg0
-        ${wireguard-tools}/bin/wg setconf wg0 /var/wireguard-keys/chief-frog.conf
+        ${iproute}/bin/ip -n wg address add 10.65.64.220/32 dev wg0
+        ${iproute}/bin/ip -n wg -6 address add fc00:bbbb:bbbb:bb01::2:40db/128 dev wg0
+        ${iproute}/bin/ip netns exec wg ${wireguard-tools}/bin/wg setconf wg0 /var/wireguard-keys/chief-frog.conf
         # Open network
-        ${iproute}/bin/ip link set wg0 up
-        ${iproute}/bin/ip route add default dev wg0
-        ${iproute}/bin/ip -6 route add default dev wg0
+        ${iproute}/bin/ip -n wg link set dev lo up
+        ${iproute}/bin/ip -n wg link set wg0 up
+        ${iproute}/bin/ip -n wg route add default dev wg0
+        ${iproute}/bin/ip -n wg -6 route add default dev wg0
       '';
       ExecStop = with pkgs; writers.writeBash "wg-down" ''
-        ${iproute}/bin/ip route del default dev wg0
-        ${iproute}/bin/ip -6 route del default dev wg0 
-        ${iproute}/bin/ip link del wg0
+        ${iproute}/bin/ip -n wg route del default dev wg0
+        ${iproute}/bin/ip -n wg -6 route del default dev wg0
+        ${iproute}/bin/ip -n wg link del wg0
       '';
     };
   };
@@ -167,9 +170,27 @@
     bindsTo = [ "netns@wg.service" ];
     requires = [ "network-online.target" ];
     after = [ "wg.service" ];
-    # serviceConfig = {
-    #   NetworkNamespacePath = "/var/run/netns/wg";
-    # };
+    serviceConfig = {
+      NetworkNamespacePath = "/var/run/netns/wg";
+    };
+  };
+
+  # reverse proxy the aria2 rpc from the `wg` network namespace to a unix domain socket
+  systemd.services."aria2-unix-domain-rpc" = {
+    bindsTo = [ "aria2.service" ];
+    after = [ "aria2.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      NetworkNamespacePath = "/var/run/netns/wg";
+      Type = "simple";
+      User = config.services.caddy.user;
+      Group = config.services.caddy.group;
+      RuntimeDirectory = "aria2";
+      ExecStart = with pkgs; writers.writeBash "aria2-unix-domain-rpc-listener" ''
+        set -e
+        ${socat}/bin/socat UNIX-LISTEN:/run/aria2/rpc.sock,reuseaddr,fork TCP:localhost:6800
+      '';
+    };
   };
   
   systemd.services.dex.serviceConfig = {
@@ -479,7 +500,7 @@
       @connected_via_tailscale remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48
       handle @connected_via_tailscale {
         handle /jsonrpc {
-          reverse_proxy localhost:6800
+          reverse_proxy unix//run/aria2/rpc.sock
         }
         handle_path /ariang* {
           root * ${pkgs.ariang}/share/ariang