diff --git a/compose.yaml b/compose.yaml
index 9eec933..1f37dfd 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -140,10 +140,11 @@ services:
 context: sshtun
 dockerfile: Dockerfile
 restart: always
+ environment:
+ - USE_TUN=${USE_TUN}
 ports:
 - "22222:22"
 expose:
- - "11111"
 - "11112"
 networks:
 - frontnet
diff --git a/compose.yaml.local b/compose.yaml.local
index fd2ce88..6309a1c 100644
--- a/compose.yaml.local
+++ b/compose.yaml.local
@@ -140,10 +140,11 @@ services:
 context: sshtun
 dockerfile: Dockerfile
 restart: always
+ environment:
+ - USE_TUN=${USE_TUN}
 ports:
 - "22222:22"
 expose:
- - "11111"
 - "11112"
 networks:
 - frontnet
diff --git a/compose.yaml.prod b/compose.yaml.prod
index 9eec933..1f37dfd 100644
--- a/compose.yaml.prod
+++ b/compose.yaml.prod
@@ -140,10 +140,11 @@ services:
 context: sshtun
 dockerfile: Dockerfile
 restart: always
+ environment:
+ - USE_TUN=${USE_TUN}
 ports:
 - "22222:22"
 expose:
- - "11111"
 - "11112"
 networks:
 - frontnet
diff --git a/dotenv b/dotenv
index 98b80f5..9b5c435 100644
--- a/dotenv
+++ b/dotenv
@@ -13,6 +13,9 @@ BUILD_GPG_PP=
 # Tor:
 # true/false:
 USE_TOR=false
+# SSH Tun:
+# true/false:
+USE_TUN=false
 # Backend:
 FLASK_SECRET_KEY="flaskkey"
diff --git a/sshtun/entrypoint.sh b/sshtun/entrypoint.sh
index 55ebd77..d639832 100755
--- a/sshtun/entrypoint.sh
+++ b/sshtun/entrypoint.sh
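Review bot: The added `- USE_TUN=${USE_TUN}` in the compose.yaml hunk has no default, so when the variable is missing from the environment file Compose substitutes an empty string and passes that into the container. With the entrypoint changed in this same commit, an empty `$USE_TUN` makes `if $USE_TUN ; then` succeed, so sshd and the socat relay would start on a deployment where nobody switched the tunnel on. Writing it as `- USE_TUN=${USE_TUN:-false}` keeps the feature off unless it is set explicitly. The identical line is added in the compose.yaml.local and compose.yaml.prod hunks and needs the same change.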
@@ -1,8 +1,14 @@
 #!/bin/bash
-# Container goal:
-# autossh -N -R 11111:localhost:11434 -i sshtun/oilykey/ -p 22222
-# forwards rem_c_port:(operator_pc:op_pc_port) ...some args... rem_host_p rem_host_url
+# Container goal: egress
+# first: physical_box$ autossh -N -R 11111:localhost:11434 -i sshtun/oilykey/ -p 22222
+# will forward rem_c_port:physical_box:physical_box_port ...some args... rem_vps_p rem_vps_url
+# then: frontnet_c$ curl sshtun.frontnet:11112 --> physical_box:11434
-nohup socat TCP-LISTEN:11112,fork TCP:localhost:11111 &
-/usr/sbin/sshd -D
+if $USE_TUN ; then
+ echo "@@@@@@@@@@ SSH TUNNEL ENABLED BY ENV"
+ nohup socat TCP-LISTEN:11112,fork TCP:localhost:11111 &
+ /usr/sbin/sshd -De
+else
+ echo "@@@@@@@@@@ SSH TUNNEL DISABLED BY ENV"
+fi
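Review bot: `if $USE_TUN ; then` runs the variable's value as a command rather than comparing it, so the branch depends on that command's exit status, and an unset or empty value counts as success and starts sshd. Compare the string instead and default to off: `if [ "${USE_TUN:-false}" = "true" ]; then`. Separately, the disabled branch only prints a message and lets the script end; the compose hunks on this page keep `restart: always` on this service, so if this script is the container's main process the container will presumably restart in a loop when `USE_TUN=false`, which is the default the dotenv hunk adds. Keeping a foreground process alive in the `else` branch, or gating the service behind a Compose profile, would avoid that.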