diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix
index 0ea6077..1cc882c 100644
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -91,10 +91,10 @@ in
 
   boot.initrd = {
     availableKernelModules = [ "wireguard" ];
-    postMountCommands = ''
-      ip address flush dev wg-initrd
-      ip link set dev wg-initrd down
-    '';
+    # postMountCommands = ''
+    #   ip address flush dev wg-initrd
+    #   ip link set dev wg-initrd down
+    # '';
     systemd = {
       enable = true;
       network = {
diff --git a/machines/modules/malobeo/initssh.nix b/machines/modules/malobeo/initssh.nix
index 3733df0..8bd01c0 100644
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -45,6 +45,20 @@ in
           initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ]; 
           enable = true;
           network.enable = true;
+          services."stopInitVpn" = {
+            description = "stop init vpn";
+            wantedBy = [
+              "initrd.target"
+            ];
+            after = [
+              "zfs.target"
+            ];
+            serviceConfig.StandardOutput = "journal+console";
+            script = ''
+              networkctl down wg-initrd
+            '';
+            serviceConfig.Type = "oneshot";
+      };
         };
         network = {
           flushBeforeStage2 = true;