diff --git a/piawg.sh b/piawg.sh
index 97e8261..5113277 100755
--- a/piawg.sh
+++ b/piawg.sh
@@ -71,17 +71,23 @@ opn_curl() {
 	local error
 	local response
 	local http_code
-	path="$1"
+	path="$opn_endpoint/$1"
 	shift
-	error="Failed request to '$opn_endpoint/$path'"
+	error="Failed request to '$path'"
 	if ! response="$(_curl -H 'Content-Type: application/json' \
 		-u "$opn_key:$opn_secret" -w '\n%{http_code}' \
-		"$@" "$opn_endpoint/$path")"; then
+		"$@" "$path")"; then
 		err "$error"
 	fi
 	http_code="$(printf '%s' "$response" | tail -1)"
+	response="$(printf '%s' "$response" | sed '$d')"
+	if ! check_http "$http_code"; then
+		error_msg="$(printf '%s' "$response" | \
+			jq -r '.errorMessage // empty' 2>/dev/null)"
+		[ -n "$error_msg" ] && error="$error_msg ($path)"
+	fi
 	check_http "$http_code" || err "$error"
-	printf '%s' "$response" | sed '$d'
+	printf '%s' "$response"
 }
 
 pia_addkey() {
@@ -98,7 +104,7 @@ pia_addkey() {
 			--cacert ./ca.rsa.4096.crt \
 			--data-urlencode "pt=$pia_token" \
 			--data-urlencode "pubkey=$piawg_pubkey" \
-			"https://$server_cn:1337/addKey"
+			"https://$server_cn:$server_port/addKey"
 	); then
 		err "Failed connect to $server_cn to addKey"
 	fi
@@ -148,6 +154,10 @@ pia_addkey() {
 		err "Failed to reload Wireguard service"
 	fi
 
+	set -x
+	opn_curl 'routes/gateway/searchGateway'
+	set +x
+
 	# Update OpenBao config with response data
 	server_vip="$(printf '%s' "$response" | jq -r '.server_vip')"
 	info "Update server_vip at $BAO_PATH_CONFIG to $server_vip"
@@ -333,6 +343,7 @@ opn_if_reply="$(opn_curl 'wireguard/server/searchServer' -d '{}' |
 piawg_uuid="$(printf '%s' "$opn_if_reply" | jq -r .uuid)"
 piawg_pubkey="$(printf '%s' "$opn_if_reply" | jq -r .pubkey)"
 piawg_tunaddr="$(printf '%s' "$opn_if_reply" | jq -r .tunneladdress)"
+piawg_interface="$(printf '%s' "$opn_if_reply" | jq -r .interface)"
 debug -f "Wireguard instance $OPN_IF from OPNsense API\n%s" \
 	"$(printf '%s' "$opn_if_reply" | jq '.privkey = "[CENSORED]"')"
 unset opn_if_reply
@@ -352,6 +363,7 @@ wg_reply="$(bao_curl "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG")"
 server_ip="$(printf '%s' "$wg_reply" | jq -r .data.data.server_ip)"
 server_cn="$(printf '%s' "$wg_reply" | jq -r .data.data.server_cn)"
 server_port="$(printf '%s' "$wg_reply" | jq -r .data.data.server_port)"
+server_vip="$(printf '%s' "$wg_reply" | jq -r .data.data.server_vip)"
 debug -f "Config from OpenBao ($BAO_PATH_CONFIG)\n%s" \
 	"$(printf '%s' "$wg_reply" | jq .)"
 unset wg_reply
@@ -382,3 +394,23 @@ else
 		fi
 	fi
 fi
+
+if conf_reply="$(bao_curl "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG")"; then
+	port_forward="$(printf '%s' "$conf_reply" | jq -r '.data.data.port_forward')"
+	if [ "$port_forward" = "true" ]; then
+		server_cn="$(printf '%s' "$conf_reply" | jq -r '.data.data.server_cn')"
+		server_vip="$(printf '%s' "$conf_reply" | jq -r '.data.data.server_vip')"
+		set -x
+		if ! pf_sig_reply="$(_curl -G --cacert ./ca.rsa.4096.crt \
+			--interface "$piawg_interface" \
+			--resolve "$server_cn:19999:$server_vip" \
+			--data-urlencode "token=$pia_token" \
+			"https://$server_cn:19999/getSignature")"; then
+			err "Failed to connect to https://$server_cn:19999/getSignature"
+		fi
+		set +x
+		debug -f "getSignature\n%s" "$(printf '%s' "$pf_sig_reply" | jq .)"
+	fi
+fi
+debug -f "Check for port_forward value in OpenBao ($BAO_PATH_CONFIG)\n%s" \
+	"$(printf '%s' "$conf_reply" | jq .)"