diff --git a/Cargo.toml b/Cargo.toml
index f36e55b..e9189af 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "init"
-version = "2.4.2"
+version = "2.4.3"
 edition = "2024"
 
 [profile.release]
diff --git a/src/cmd/init.rs b/src/cmd/init.rs
index ab466d7..84a334c 100644
--- a/src/cmd/init.rs
+++ b/src/cmd/init.rs
@@ -106,6 +106,7 @@ pub async fn run() {
     // Wireguard VPNs
     for (name, conf) in &cfg.vpns {
         retry_or_ignore(async || {
+            info!("starting VPN {name}");
             let dir = "/etc/wireguard";
             fs::create_dir_all(dir).await?;
 
diff --git a/src/cmd/init/bootstrap.rs b/src/cmd/init/bootstrap.rs
index b4821a7..ebdd13d 100644
--- a/src/cmd/init/bootstrap.rs
+++ b/src/cmd/init/bootstrap.rs
@@ -12,7 +12,7 @@ use dkl::{
 };
 
 use super::{exec, mount, retry, retry_or_ignore, try_exec};
-use crate::utils;
+use crate::{fs::walk_dir, utils};
 
 pub async fn bootstrap(cfg: Config) {
     let verifier = retry(async || Verifier::from_config(&cfg)).await;
@@ -20,6 +20,19 @@ pub async fn bootstrap(cfg: Config) {
 
     mount(Some(&bs.dev), "/bootstrap", "ext4", None).await;
 
+    // VPNs
+    for vpn_conf in walk_dir("/bootstrap/vpns").await {
+        if !vpn_conf.ends_with(".conf") {
+            continue;
+        }
+
+        retry_or_ignore(async || {
+            info!("starting VPN from {vpn_conf}");
+            try_exec("wg-quick", &["up", &vpn_conf]).await
+        })
+        .await;
+    }
+
     let boot_version = utils::param("version").unwrap_or("current");
     let base_dir = &format!("/bootstrap/{boot_version}");
 
@@ -55,8 +68,6 @@ pub async fn bootstrap(cfg: Config) {
     apply_groups(&sys_cfg.groups, "/system").await;
     apply_users(&sys_cfg.users, "/system").await;
 
-    // TODO VPNs
-
     mount_filesystems(&sys_cfg.mounts, "/system").await;
 
     retry_or_ignore(async || {