diff --git a/apps/rego-tunnel/build/Dockerfile b/apps/rego-tunnel/build/Dockerfile
index 8352fa3..33cbeb2 100644
--- a/apps/rego-tunnel/build/Dockerfile
+++ b/apps/rego-tunnel/build/Dockerfile
@@ -2,10 +2,10 @@ FROM ubuntu:24.04
 ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && apt-get install -y qemu-system-x86 qemu-utils novnc websockify openssh-server supervisor iproute2 bridge-utils iptables net-tools && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y qemu-system-x86 qemu-utils novnc websockify openssh-server supervisor iproute2 bridge-utils iptables nano net-tools && rm -rf /var/lib/apt/lists/*
 # Setup SSH
-RUN mkdir /var/run/sshd && echo 'root:vmpassword' | chpasswd && sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+RUN mkdir /var/run/sshd && echo 'root:vmpassword' | chpasswd && sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
 WORKDIR /vm
diff --git a/apps/rego-tunnel/build/start-vm.sh b/apps/rego-tunnel/build/start-vm.sh
index f670e74..c8f3e18 100755
--- a/apps/rego-tunnel/build/start-vm.sh
+++ b/apps/rego-tunnel/build/start-vm.sh
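Review bot: In apps/rego-tunnel/build/Dockerfile, the `RUN mkdir /var/run/sshd && …` line re-added under `# Setup SSH` still sets a fixed root password with `echo 'root:vmpassword' | chpasswd` and switches sshd to `PermitRootLogin yes`, so the credential is published with the repository and stored in an image layer. Since this commit already brings SSH material in at runtime from `/shared/ssh.zip` (how those files are used is not visible here), consider dropping the `chpasswd` step and leaving the sshd default `PermitRootLogin prohibit-password`, so that root can only log in with a key. If a password is really required, set it at container start from a mounted secret rather than at build time. A comment above the line such as `# root login is key-only; no credential is baked into the image` would record the intent.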
@@ -1,5 +1,36 @@
 #!/bin/bash
+set -euo pipefail
+
+# If provided, extract ssh.zip to /root/.ssh/zip (not baked into the image)
+SSH_ZIP_PATH="/shared/ssh.zip"
+SSH_ZIP_DEST="/root/.ssh/zip"
+
+if [ -f "$SSH_ZIP_PATH" ]; then
+ mkdir -p "$SSH_ZIP_DEST"
+ chmod 700 /root/.ssh
+ chmod 700 "$SSH_ZIP_DEST"
+
+ echo "[rego-tunnel] Extracting $SSH_ZIP_PATH -> $SSH_ZIP_DEST"
+ 7z x -y -o"$SSH_ZIP_DEST" "$SSH_ZIP_PATH" >/dev/null
+
+ find "$SSH_ZIP_DEST" -type d -exec chmod 700 {} \;
+ find "$SSH_ZIP_DEST" -type f -exec chmod 600 {} \;
+else
+ echo "[rego-tunnel] No $SSH_ZIP_PATH found; skipping SSH zip extraction"
+fi
+
 # Wait for network setup
 sleep 2
-exec qemu-system-x86_64 -enable-kvm -cpu host -m ${VM_RAM:-8G} -smp ${VM_CPUS:-4} -hda /vm/linux-vm.qcow2 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56 -vnc :0 -vga virtio -usb -device usb-tablet
+exec qemu-system-x86_64 \
+ -enable-kvm \
+ -cpu host \
+ -m ${VM_RAM:-8G} \
+ -smp ${VM_CPUS:-4} \
+ -hda /vm/linux-vm.qcow2 \
+ -netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
+ -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56 \
+ -vnc :0 \
+ -vga virtio \
+ -usb \
+ -device usb-tablet
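Review bot: The extraction step in start-vm.sh calls `7z`, but the package list in this commit's Dockerfile hunk gains only `nano` and nothing visible installs a 7-Zip package; with `set -euo pipefail` now at the top, a present `/shared/ssh.zip` would then abort the script before `exec qemu-system-x86_64` and the VM would never start. Either install the extractor in the image or make the failure explicit with a guard such as `command -v 7z >/dev/null || { echo "[rego-tunnel] 7z not installed" >&2; exit 1; }`. Because the archive holds SSH material, putting `umask 077` before `7z x` would create the files private from the start instead of relying on the later `find … -exec chmod` pass. The new multi-line `exec` also leaves `${VM_RAM:-8G}` and `${VM_CPUS:-4}` unquoted; `-m "${VM_RAM:-8G}"` and `-smp "${VM_CPUS:-4}"` keep an environment value from being split into extra QEMU arguments.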