diff --git a/homelab/Caddyfile b/homelab/Caddyfile
index 2cd99b9..9c01f80 100644
--- a/homelab/Caddyfile
+++ b/homelab/Caddyfile
@@ -9,11 +9,11 @@
 }
 }
-git.woozle.org {
+http://git.woozle.org {
 reverse_proxy gitea:3000
 }
-drive.woozle.org {
+http://drive.woozle.org {
 import restricted-access
 # XXX: browsing says method not allowed
@@ -31,7 +31,7 @@ drive.woozle.org {
 }
 # XXX: have this use caddy auth
-ancestry.woozle.org {
+http://ancestry.woozle.org {
 reverse_proxy geneweb:2317
 }
@@ -40,7 +40,7 @@ ancestry.woozle.org {
 ## handle_path truncates path ##
-deergrove.woozle.org, sweetums.woozle.org {
+http://deergrove.woozle.org, http://sweetums.lan {
 handle /transmission/* {
 import restricted-access
 reverse_proxy host.docker.internal:9091
diff --git a/homelab/README.md b/homelab/README.md
index 1114396..f1ae4f2 100644
--- a/homelab/README.md
+++ b/homelab/README.md
@@ -3,3 +3,15 @@
 This is the stuff I run on my little Raspberry Pi.
 I guess I fiddle around with it pretty frequently.
+
+## Routing
+
+My ISP uses Carrier-Grade NAT,
+which I would have called IP Masquerading.
+
+This means I can't bind ports on a routeable IP.
+So instead what I do is run this SSH connection off to my cloud server,
+listens for incoming connections on port 5800,
+and then have my cloud server proxy stuff to port 5800.
+
+It's a gross kludge but it works well :)
diff --git a/homelab/docker-compose.yaml b/homelab/docker-compose.yaml
index 38f0812..e9cbe5a 100644
--- a/homelab/docker-compose.yaml
+++ b/homelab/docker-compose.yaml
@@ -1,5 +1,25 @@
 version: "3.8"
 services:
+ tunnel:
+ image: lscr.io/linuxserver/openssh-server
+ user: abc
+ entrypoint:
+ - /usr/bin/ssh
+ - -N
+ - -R :5800:caddy:80
+ - core@melville.woozle.org
+ secrets:
+ - source: tunnel
+ target: /config/.ssh/id_rsa
+ uid: "911"
+ gid: "911"
+ mode: 0600
+ - source: known_hosts
+ target: /config/.ssh/known_hosts
+ uid: "911"
+ gid: "911"
+ mode: 0600
+
 caddy:
 image: caddy:2-alpine
 ports:
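Review bot: Once these vhosts are reached only through the melville proxy and the SSH tunnel, the Pi's Caddy sees every request as originating from the tunnel container, and (as of Caddy 2.5, with the exact version behind `caddy:2-alpine` not visible here) it only honours `X-Forwarded-For`/`X-Forwarded-Proto` from sources listed as trusted proxies, so access logs and anything under `import restricted-access` that keys on client address or scheme will see the tunnel address and `http`. The same applies to the `drive.woozle.org` block in this hunk, `ancestry.woozle.org` in the next hunk (which the existing `# XXX: have this use caddy auth` comment already marks as unauthenticated, so its exposure now rests entirely on melville), and the `deergrove`/`sweetums` hunk. Consider a global `servers { trusted_proxies static <tunnel-container-cidr> }` option so that melville's forwarded headers are trusted and no one else's are. Each site block continues past the end of its hunk.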
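Review bot: `- -R :5800:caddy:80` asks sshd to bind the reverse forward with an empty bind address, which means all of melville's interfaces; whether that is honoured depends on the server's `GatewayPorts` setting, which is not part of this change. If it is `yes`, port 5800 on melville becomes a plaintext path straight to the Pi's Caddy for anyone on the internet, bypassing the TLS vhosts; if it is the default `no`, sshd binds loopback only and the melville Caddy, which reaches the host via `host.docker.internal`, cannot connect at all. Bind explicitly to the address the Caddy container uses to reach the host, e.g. `- -R <docker-gateway-address>:5800:caddy:80` with `GatewayPorts clientspecified` on melville, and filter 5800 on the public interface. Adding `- -oExitOnForwardFailure=yes` and a `ServerAliveInterval` option makes the client exit rather than sit idle when the forward is refused or the connection drops, so a restart policy (none is visible in this hunk) can recover it.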
@@ -225,7 +245,7 @@ configs:
 name: dave.yaml-v3
 Caddyfile:
 file: Caddyfile
- name: Caddyfile-v67
+ name: Caddyfile-v69
 index.html:
 file: www/index.html
 name: index.html-v32
@@ -243,6 +263,12 @@ secrets:
 simpleauth.key:
 file: secrets/simpleauth.key
 name: simpleauth.key-v1
+ tunnel:
+ file: secrets/tunnel
+ name: tunnel-v1
+ known_hosts:
+ file: secrets/known_hosts
+ name: known_hosts-v1
 networks:
 hostnet:
diff --git a/melville/Caddyfile b/melville/Caddyfile
index 152f358..529fdb5 100644
--- a/melville/Caddyfile
+++ b/melville/Caddyfile
@@ -2,10 +2,21 @@
 email neale@woozle.org
 }
+(restricted-access) {
+ forward_auth simpleauth:8080 {
+ uri /
+ copy_headers X-Simpleauth-Token
+ }
+}
+
 vail.woozle.org {
 reverse_proxy vail:8080
 }
+deergrove.woozle.org, git.woozle.org, ancestry.woozle.org, drive.woozle.org {
+ reverse_proxy host.docker.internal:5800
+}
+
 www.woozle.org, woozle.org {
 root * /srv/www/woozle.org
 file_server
@@ -19,3 +30,4 @@ www.woozle.org, woozle.org {
 }
 }
+
diff --git a/melville/docker-compose.yaml b/melville/docker-compose.yaml
index 155d717..d77e661 100644
--- a/melville/docker-compose.yaml
+++ b/melville/docker-compose.yaml
@@ -17,6 +17,8 @@ services:
 source: /srv/www
 target: /srv/www
 read_only: true
+ extra_hosts:
+ - host.docker.internal:host-gateway
 configs:
 - source: Caddyfile
 target: /etc/caddy/Caddyfile
@@ -27,4 +29,4 @@ services:
 configs:
 Caddyfile:
 file: Caddyfile
- name: Caddyfile-v5
+ name: Caddyfile-v6
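Review bot: `secrets/tunnel` is the private key that logs in as `core@melville.woozle.org` from the tunnel container, and nothing in this change limits what that key may do on the server side; if `core` is an interactive or administrative account, a compromise of the Pi, or of a checkout where `secrets/` is not ignored, yields a full login on the cloud host. Restrict the key in melville's `authorized_keys` to this single forward, e.g. `restrict,port-forwarding,permitlisten="5800" ssh-ed25519 AAAA... tunnel` (constructed example), or use a dedicated unprivileged user for the tunnel, and confirm `secrets/tunnel` and `secrets/known_hosts` are excluded from version control (neither file appears in this diff, which suggests they are, but that is an inference). The enclosing `secrets:` mapping begins before this hunk.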
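Review bot: The new `(restricted-access)` snippet is defined but never imported in this hunk, so the new `deergrove.woozle.org, git.woozle.org, ancestry.woozle.org, drive.woozle.org` block forwards everything to port 5800 with no edge authentication and access control rests entirely on the Pi-side Caddy; for `ancestry.woozle.org` the Pi-side block is itself marked `# XXX: have this use caddy auth`, so that host passes through with no auth at either layer. If the intent is to enforce auth at the edge, add `import restricted-access` inside that site block; otherwise remove the snippet, which also points at a `simpleauth:8080` upstream that does not appear in the melville compose hunks of this change (it may be defined elsewhere in the file or compose, which is not visible here). The site blocks after this hunk continue unchanged outside it.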