diff --git a/apps/cistech-tunnel/docker-compose.yml b/apps/cistech-tunnel/docker-compose.yml
index 47dab93..e4778df 100755
--- a/apps/cistech-tunnel/docker-compose.yml
+++ b/apps/cistech-tunnel/docker-compose.yml
@@ -1,43 +1,34 @@
 services:
- vpn:
- build: ./vpn-openconnect-sso
- container_name: cistech-vpn
- cap_add:
- - NET_ADMIN
- devices:
- - /dev/net/tun:/dev/net/tun
+ cistech-tunnel:
+ image: cistech-vpn:latest
+ restart: unless-stopped
+ networks:
+ cistech-tunnel_runtipi_network:
+ gw_priority: 0
+ tipi_main_network:
+ gw_priority: 1
 environment:
 OC_URL: ${OC_URL}
 OC_SERVERCERT: ${OC_SERVERCERT}
- OC_AUTHGROUP: ${OC_AUTHGROUP}
- OC_INTERFACE: tun0
- OC_SSO_ARGS: ${OC_SSO_ARGS:- --browser-display-mode shown}
- VNC_PASSWORD: ${VNC_PASSWORD:-changeme}
- NOVNC_PORT: ${NOVNC_PORT:-6901}
+ OC_USER: ${OC_USER}
+ VNC_PASSWORD: ${VNC_PASSWORD}
+ NOVNC_PORT: "6902"
 ports:
- - "${PUBLISH_ADDR:-0.0.0.0}:${NOVNC_PORT:-6901}:${NOVNC_PORT:-6901}"
+ - ${APP_PORT}:6902
 volumes:
- - vpn_state:/root
- restart: unless-stopped
-
- ssh_tunnel:
- image: alpine:3.20
- container_name: cistech-ssh-tunnel
- network_mode: "service:vpn"
- depends_on:
- - vpn
- volumes:
- - ${SSH_KEY_PATH:-/home/alexz/.ssh/id_ed25519-lenovo}:/root/.ssh/id_ed25519-lenovo:ro
- command: >
- sh -lc "apk add --no-cache openssh-client &&
- exec ssh -N -i /root/.ssh/id_ed25519-lenovo \
- -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes \
- -L 0.0.0.0:8090:localhost:8090 \
- -L 0.0.0.0:2001:localhost:2001 \
- -L 0.0.0.0:36001:localhost:36001 \
- -L 0.0.0.0:36000:localhost:36000 \
- zawa@10.3.1.201"
- restart: unless-stopped
-
-volumes:
- vpn_state: {}
+ - ${APP_DATA_DIR}/data:/root
+ labels:
+ generated: true
+ traefik.enable: true
+ traefik.docker.network: runtipi_tipi_main_network
+ traefik.http.middlewares.cistech-tunnel-runtipi-web-redirect.redirectscheme.scheme: https
+ traefik.http.services.cistech-tunnel-runtipi.loadbalancer.server.port: "6902"
+ traefik.http.routers.cistech-tunnel-runtipi-insecure.rule: Host(`${APP_DOMAIN}`)
+ traefik.http.routers.cistech-tunnel-runtipi-insecure.entrypoints: web
+ traefik.http.routers.cistech-tunnel-runtipi-insecure.service: cistech-tunnel-runtipi
+ traefik.http.routers.cistech-tunnel-runtipi-insecure.middlewares: cistech-tunnel-runtipi-web-redirect
+ traefik.http.routers.cistech-tunnel-runtipi.rule: Host(`${APP_DOMAIN}`)
+ traefik.http.routers.cistech-tunnel-runtipi.entrypoints: websecure
+ traefik.http.routers.cistech-tunnel-runtipi.service: cistech-tunnel-runtipi
+ traefik.http.routers.cistech-tunnel-runtipi.tls.certresolver: myresolver
+ runtipi.managed: true
\ No newline at end of file
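Review bot: `VNC_PASSWORD: ${VNC_PASSWORD}` drops the old `changeme` default, but Compose substitutes an empty string when the variable is unset, so the noVNC console may come up with a blank password; failing fast with `VNC_PASSWORD: ${VNC_PASSWORD:?VNC_PASSWORD must be set}` avoids that (how the image treats an empty value is not visible here). The same console is published by `- ${APP_PORT}:6902` on every host interface over plain HTTP, which sidesteps the https redirect set up in the Traefik labels; if Traefik is the intended entry point, bind it to loopback with `- "127.0.0.1:${APP_PORT}:6902"` or drop the mapping. `image: cistech-vpn:latest` replaces the local build with a mutable tag, so pinning a version or digest would make it clear which image is trusted with the VPN session. The `generated: true` label suggests this file is produced by tooling, in which case these changes belong in its source definition.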