diff --git a/sys/machines/hopper/lab/caddy.nix b/sys/machines/hopper/lab/caddy.nix
index 1560b92..066c46e 100644
--- a/sys/machines/hopper/lab/caddy.nix
+++ b/sys/machines/hopper/lab/caddy.nix
@@ -43,6 +43,18 @@ in {
 reverse_proxy localhost:${toString config.services.slskd.settings.web.port}
 '';
 };
+ prometheus = {
+ hostName = "prometheus.hopper.xun.host:80";
+ extraConfig = ''
+ reverse_proxy ${config.vpnNamespaces."wg".bridgeAddress}:${toString config.services.prometheus.port}
+ '';
+ };
+ adguard = {
+ hostName = "adguard.hopper.xun.host:80";
+ extraConfig = ''
+ reverse_proxy ${config.vpnNamespaces."wg".bridgeAddress}:${toString config.services.adguardhome.port}
+ '';
+ };
 transmission = {
 hostName = "transmission.hopper.xun.host:80";
 extraConfig = ''
diff --git a/sys/machines/hopper/lab/homepage.nix b/sys/machines/hopper/lab/homepage.nix
index 32a6c22..7433254 100644
--- a/sys/machines/hopper/lab/homepage.nix
+++ b/sys/machines/hopper/lab/homepage.nix
@@ -60,13 +60,13 @@ in {
 }
 {
 "adguard home" = {
- href = "http://${config.networking.hostName}:${toString config.services.adguardhome.port}";
+ href = "http://adguard.hopper.xun.host";
 icon = "adguard-home";
 };
 }
 {
 "prometheus" = {
- href = "http://${config.networking.hostName}:${toString config.services.prometheus.port}";
+ href = "http://prometheus.hopper.xun.host";
 icon = "prometheus";
 };
 }
diff --git a/sys/machines/hopper/lab/prometheus.nix b/sys/machines/hopper/lab/prometheus.nix
index 04a2f66..3b374f9 100644
--- a/sys/machines/hopper/lab/prometheus.nix
+++ b/sys/machines/hopper/lab/prometheus.nix
@@ -23,7 +23,7 @@
 {
 job_name = "caddy";
 static_configs = lib.singleton {
- targets = ["192.168.15.1:2019"];
+ targets = ["${config.vpnNamespaces."wg".namespaceAddress}:2019"];
 };
 }
 ];
diff --git a/sys/machines/hopper/lab/vpn-namespace.nix b/sys/machines/hopper/lab/vpn-namespace.nix
index db5bcc7..e600e3c 100644
--- a/sys/machines/hopper/lab/vpn-namespace.nix
+++ b/sys/machines/hopper/lab/vpn-namespace.nix
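Review bot: The two new `prometheus` and `adguard` sites publish the Prometheus and AdGuard Home UIs over plain HTTP on port 80 with no access control in the site block — the `extraConfig` holds only a `reverse_proxy` line, so whoever can reach this Caddy listener gets the Prometheus query UI (which does not authenticate by default) and the AdGuard admin login. That may be intended if Caddy is reachable only from the LAN or the VPN, but it deserves either a guard or a comment: a `basicauth` block or a `remote_ip` matcher ahead of `reverse_proxy` inside `extraConfig`, or at least `# no auth on purpose: this listener is LAN/VPN-only` above each `hostName`. The enclosing virtual-host attrset starts before this hunk (`in {`) and continues after it with `transmission`.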
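Review bot: The hostnames `adguard.hopper.xun.host` and `prometheus.hopper.xun.host` are now spelled out in the two `href` lines here and again in caddy.nix, so the two copies can drift silently (a typo on either side just yields a dead link). If the caddy.nix entries are `services.caddy.virtualHosts` attributes and `lib` is an argument of this file, the link can be derived instead, e.g. `href = "http://${lib.removeSuffix ":80" config.services.caddy.virtualHosts.adguard.hostName}";`, and likewise for prometheus. The links stay `http://`, which matches the `:80` sites in caddy.nix.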
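Review bot: Port `2019` stays a bare literal on the `targets` line while the address became config-derived, and nothing records that 2019 is Caddy's admin API rather than a plain metrics port. That endpoint serves `/metrics` but also accepts unauthenticated configuration changes, so scraping it from the host presumably means Caddy's admin listener is bound to `namespaceAddress` rather than loopback — worth stating so it is not widened later. I would add `# 2019 is Caddy's admin API (serves /metrics, but also accepts unauthenticated config writes); it must stay reachable from this host only` above `targets`, or give the port a name in the `let` next to the address. The surrounding scrape-config list continues outside the hunk.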
@@ -3,6 +3,22 @@
 lib,
 ...
 }: {
+ networking.firewall = let
+ allowTcpFromVPNToDefaultPorts = [
+ config.services.prometheus.port
+ config.services.adguardhome.port
+ ];
+ in {
+ extraCommands = builtins.concatStringsSep "\n" (map
+ (port: "iptables -A nixos-fw -p tcp -s ${config.vpnNamespaces."wg".namespaceAddress} --dport ${toString port} -j nixos-fw-accept")
+ allowTcpFromVPNToDefaultPorts);
+ extraStopCommands = builtins.concatStringsSep "\n" (
+ map
+ (port: "iptables -D nixos-fw -p tcp -s ${config.vpnNamespaces."wg".namespaceAddress} --dport ${toString port} -j nixos-fw-accept || true")
+ allowTcpFromVPNToDefaultPorts
+ );
+ };
+
 vpnNamespaces."wg" = {
 enable = true;
 wireguardConfigFile = config.sops.secrets.wireguard.path;
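Review bot: The accept rules built in `extraCommands` match on source address alone (`-s ${config.vpnNamespaces."wg".namespaceAddress}`) with no `-i`, so a packet arriving on any interface that claims that source — from the LAN, for instance, should reverse-path filtering be off — is accepted to the Prometheus and AdGuard Home ports. Pinning the rule to the interface the namespace is attached to closes that: `iptables -A nixos-fw -i <bridge-interface> -p tcp -s ${config.vpnNamespaces."wg".namespaceAddress} --dport ${toString port} -j nixos-fw-accept` (placeholder for the bridge/veth name), with the same `-i` on the `-D` line in `extraStopCommands`. The two command strings differ only in `-A`/`-D` and the trailing `|| true`, so a small `rule = action: port: "iptables ${action} nixos-fw …";` helper in the `let` would keep them from drifting apart. These rules are IPv4-only, which is fine as long as `namespaceAddress` is an IPv4 address; the module attrset continues past the end of the hunk.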