diff --git a/machines/hippocampus/servers/public/perfect_pitch.nix b/machines/hippocampus/servers/public/perfect_pitch.nix
index 88879e5..d649349 100644
--- a/machines/hippocampus/servers/public/perfect_pitch.nix
+++ b/machines/hippocampus/servers/public/perfect_pitch.nix
@@ -10,7 +10,7 @@
     };
     script = ''
       exec ${config.systemd.package}/bin/systemd-nspawn --hostname perfectpitch \
-        --resolv-conf=off --system-call-filter="add_key keyctl bpf" --bind /dev/fuse \
+        --resolv-conf=off --system-call-filter="add_key keyctl bpf" --bind /dev/fuse --bind /dev/net/tun \
         -nbD /var/lib/machines/perfectpitch --machine perfectpitch
     '';
     postStart = ''
@@ -22,7 +22,10 @@
       Type = "notify";
       Slice = "machine.slice";
       Delegate = true;
-      DeviceAllow = "/dev/fuse rwm";
+      DeviceAllow = [
+        "/dev/fuse rwm"
+        "/dev/net/tun rwm"
+      ];
     };
   };
   networking.nat = {