diff --git a/hosts/nas/modules/cyberghost.nix b/hosts/nas/modules/cyberghost.nix
new file mode 100644
index 0000000..cd1f805
--- /dev/null
+++ b/hosts/nas/modules/cyberghost.nix
@@ -0,0 +1,86 @@
+{ config, pkgs, ... }:
+let
+ localNetwork = "10.42.96.0/20";
+in
+{
+ # SOPS secrets for CyberGhost credentials
+ sops.secrets.cyberghost-auth = {
+ mode = "0400";
+ owner = "root";
+ };
+ sops.secrets.cyberghost-ca = {
+ mode = "0400";
+ owner = "root";
+ };
+
+ environment.systemPackages = [ pkgs.openvpn ];
+
+ # OpenVPN client service
+ services.openvpn.servers.cyberghost = {
+ autoStart = true;
+ updateResolvConf = true;
+ config = ''
+ client
+ dev tun
+ proto udp
+ 87-1-hu.cg-dialup.net 443
+ resolv-retry infinite
+ nobind
+ persist-key
+ persist-tun
+
+ # Authentication
+ auth-user-pass ${config.sops.secrets.cyberghost-auth.path}
+ ca ${config.sops.secrets.cyberghost-ca.path}
+
+ # Security
+ cipher AES-256-CBC
+ auth SHA256
+ remote-cert-tls server
+
+ # Split tunnel: Don't pull routes from server, we'll set our own
+ route-nopull
+
+ # Route all traffic through VPN except local network
+ route 0.0.0.0 128.0.0.0 vpn_gateway
+ route 128.0.0.0 128.0.0.0 vpn_gateway
+
+ # Keep local network route direct
+ route ${localNetwork} net_gateway
+
+ verb 3
+ '';
+ };
+
+ # Kill switch: Block outgoing traffic if VPN is down
+ networking.firewall = {
+ extraCommands = ''
+ # Allow traffic to local network
+ iptables -A OUTPUT -d ${localNetwork} -j ACCEPT
+
+ # Allow traffic through VPN tunnel
+ iptables -A OUTPUT -o tun+ -j ACCEPT
+
+ # Allow loopback
+ iptables -A OUTPUT -o lo -j ACCEPT
+
+ # Allow established connections (for responses)
+ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ # Allow OpenVPN to establish connection (UDP 443)
+ iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
+
+ # Drop all other outgoing internet traffic (kill switch)
+ iptables -A OUTPUT ! -d ${localNetwork} -j DROP
+ '';
+
+ extraStopCommands = ''
+ iptables -D OUTPUT -d ${localNetwork} -j ACCEPT 2>/dev/null || true
+ iptables -D OUTPUT -o tun+ -j ACCEPT 2>/dev/null || true
+ iptables -D OUTPUT -o lo -j ACCEPT 2>/dev/null || true
+ iptables -D OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
+ iptables -D OUTPUT -p udp --dport 443 -j ACCEPT 2>/dev/null || true
+ iptables -D OUTPUT ! -d ${localNetwork} -j DROP 2>/dev/null || true
+ '';
+ };
+}
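Review bot: The kill switch in extraCommands has a hole: `iptables -A OUTPUT -p udp --dport 443 -j ACCEPT` lets any process send UDP/443 to any destination, so QUIC/HTTP3 and anything else on that port leaves via the real uplink while the tunnel is down. Restrict it to the VPN endpoint, e.g. `iptables -A OUTPUT -p udp --dport 443 -d <VPN_ENDPOINT_IP> -j ACCEPT` (placeholder; the endpoint is given as a hostname, which iptables resolves only at rule-load time, so pin an address or use an ipset), and mirror the whole rule set under ip6tables, since these rules cover IPv4 only and any IPv6 default route bypasses the DROP entirely. Separately, the OpenVPN config line `87-1-hu.cg-dialup.net 443` carries no directive keyword; unless that is a rendering artifact, it should read `remote 87-1-hu.cg-dialup.net 443`, as OpenVPN would otherwise reject it as an unrecognized option.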