diff --git a/apps/cistech-tunnel/docker-compose.json b/apps/cistech-tunnel/docker-compose.json
index 60ae4e3..56ca4ad 100755
--- a/apps/cistech-tunnel/docker-compose.json
+++ b/apps/cistech-tunnel/docker-compose.json
@@ -66,6 +66,7 @@
 "NET_ADMIN"
 ],
 "isMain": true,
+ "command": ["/shared/entrypoint.sh"],
 "extraLabels": {
 "runtipi.managed": true
 }
diff --git a/apps/cistech-tunnel/shared/entrypoint.sh b/apps/cistech-tunnel/shared/entrypoint.sh
new file mode 100644
index 0000000..c560f94
--- /dev/null
+++ b/apps/cistech-tunnel/shared/entrypoint.sh
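Review bot: The added `"command": ["/shared/entrypoint.sh"]` points at a script this same commit creates with mode 100644 (startup-vnc.sh, which entrypoint.sh `exec`s, is 100644 too), so unless the image's ENTRYPOINT is a shell that takes the path as a script argument, the container will fail at start with a permission-denied exec error. Either add the executable bit to both scripts (mode 100755, as docker-compose.json itself already has) or make the command `["bash", "/shared/entrypoint.sh"]`. The enclosing JSON object starts before this hunk, so I cannot see whether an entrypoint override is set elsewhere in the service definition.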
@@ -0,0 +1,80 @@
+#!/bin/bash
+# Entrypoint: VNC password setup + DNS fix + start VNC
+
+set -euo pipefail
+
+# Force software rendering (no GPU/OpenGL)
+export QT_QUICK_BACKEND=software
+export LIBGL_ALWAYS_SOFTWARE=1
+export GALLIUM_DRIVER=llvmpipe
+export MESA_GL_VERSION_OVERRIDE=3.3
+
+# Qt/Chromium flags for running as root
+export QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu --use-gl=swiftshader"
+export QTWEBENGINE_DISABLE_SANDBOX=1
+
+# Setup TigerVNC password file from env var (passed by runtipi)
+if [ -n "${VNC_PASSWORD:-}" ]; then
+ mkdir -p /root/.vnc
+ printf '%s\n%s\n' "$VNC_PASSWORD" "$VNC_PASSWORD" | vncpasswd -f > /root/.vnc/passwd
+ chmod 600 /root/.vnc/passwd
+fi
+
+# DNS fix - unmount Docker's read-only mounts
+cp /etc/resolv.conf /tmp/resolv.conf.bak 2>/dev/null || true
+cp /etc/hosts /tmp/hosts.bak 2>/dev/null || true
+umount /etc/resolv.conf 2>/dev/null || true
+umount /etc/hosts 2>/dev/null || true
+cat /tmp/resolv.conf.bak > /etc/resolv.conf 2>/dev/null || echo "nameserver 8.8.8.8" > /etc/resolv.conf
+cat /tmp/hosts.bak > /etc/hosts 2>/dev/null || echo "127.0.0.1 localhost" > /etc/hosts
+
+# Enable IP forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
+echo "[entrypoint] IP forwarding enabled"
+
+# Generate openconnect-sso config from environment variables
+mkdir -p /root/.config/openconnect-sso
+cat > /root/.config/openconnect-sso/config.toml << EOF
+on_disconnect = ""
+
+[default_profile]
+address = "${VPN_HOST:-}"
+user_group = ""
+name = ""
+
+[credentials]
+username = "${VPN_EMAIL:-}"
+
+[auto_fill_rules]
+[[auto_fill_rules."https://*"]]
+selector = "div[id=passwordError]"
+action = "stop"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[type=email]"
+fill = "username"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[name=passwd]"
+fill = "password"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[data-report-event=Signin_Submit]"
+action = "click"
+
+[[auto_fill_rules."https://*"]]
+selector = "div[data-value=PhoneAppOTP]"
+action = "click"
+
+[[auto_fill_rules."https://*"]]
+selector = "a[id=signInAnotherWay]"
+action = "click"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[id=idTxtBx_SAOTCC_OTC]"
+fill = "totp"
+EOF
+echo "[entrypoint] openconnect-sso config generated"
+
+# Start VNC server
+exec /shared/startup-vnc.sh
diff --git a/apps/cistech-tunnel/shared/startup-vnc.sh b/apps/cistech-tunnel/shared/startup-vnc.sh
new file mode 100644
index 0000000..4e5a98b
--- /dev/null
+++ b/apps/cistech-tunnel/shared/startup-vnc.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+export HOME='/root'
+export USER='root'
+rm -f /tmp/.P1-lock /tmp/.X11-unix/X1 2>/dev/null || true
+rm -rf /tmp/.X*-lock /tmp/.X14-unix/* 2>/dev/null || true
+echo "Starting TigerVNC server on display :1..."
+vncserver :1 -geometry 1280x800 -depth 24 -SecurityTypes VncAuth -localhost no
+sleep 2
+echo "Starting noVNC on port ${NOVNC_PORT:-6092}..."
+websockify --web=/usr/share/novnc/ ${NOVNC_PORT:-6092} localhost:${VNC_PORT:-5901} &
+tail -f /root/.vnc/*.log
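Review bot: `echo 1 > /proc/sys/net/ipv4/ip_forward` has no fallback under `set -euo pipefail`, and in an unprivileged container /proc/sys is typically mounted read-only, so the entrypoint would abort there before the VNC server ever starts; the capability list visible in docker-compose.json grants NET_ADMIN but no `sysctls` or privileged setting is visible here, so declaring `net.ipv4.ip_forward=1` in the compose `sysctls` and dropping the write, or at least `echo 1 > /proc/sys/net/ipv4/ip_forward || echo "[entrypoint] WARNING: could not enable ip_forward" >&2`, keeps the failure visible without killing the container. The unquoted `<< EOF` splices `${VPN_HOST:-}` and `${VPN_EMAIL:-}` straight into TOML string literals, so a value containing `"` or `\` yields an unparsable or altered config; a guard before the heredoc such as `if [[ "${VPN_HOST:-}${VPN_EMAIL:-}" == *[\"\\]* ]]; then echo "[entrypoint] VPN_HOST/VPN_EMAIL must not contain quotes or backslashes" >&2; exit 1; fi` closes that. In the resolv.conf/hosts block only the umount and the first `cat` are silenced, so on a genuinely read-only bind mount the trailing `echo … > /etc/resolv.conf` still fails and `set -e` exits the script, which is presumably not what the `|| true` chain intends. Note also that the script disables the QtWebEngine/Chromium sandbox and runs the whole session as root while the embedded browser loads the remote SSO login page; running the VNC/browser session as a dedicated unprivileged user would limit what a compromised renderer can reach inside a NET_ADMIN container.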
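Review bot: `-localhost no` on the `vncserver` line exposes the raw RFB listener on every container interface protected only by VncAuth (an unencrypted challenge-response limited to 8-character passwords), while the only intended client is the websockify proxy two lines below, which connects to `localhost:${VNC_PORT:-5901}`; `-localhost yes` keeps the VNC port reachable solely through noVNC. `/tmp/.X14-unix/*` in the second `rm -rf` looks like a typo for `/tmp/.X11-unix/*`, masked by the `2>/dev/null || true`. The websockify arguments are unquoted, so `"${NOVNC_PORT:-6092}" "localhost:${VNC_PORT:-5901}"` is the safer form, and since entrypoint.sh writes /root/.vnc/passwd only when VNC_PASSWORD is set, `-SecurityTypes VncAuth` with no password file will presumably make vncserver try to prompt for one and fail non-interactively — checking `[[ -f /root/.vnc/passwd ]]` up front with a clear error would make that failure obvious.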