diff --git a/piawg.sh b/piawg.sh
index 9004e42..dc9018f 100755
--- a/piawg.sh
+++ b/piawg.sh
@@ -421,3 +421,37 @@ else
 fi
 fi
 fi
+
+# Optional: port forward
+if conf_reply="$(bao_curl "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG")"; then
+ debug -f "Check for port_forward value in OpenBao ($BAO_PATH_CONFIG)\n%s" \
+ "$(printf '%s' "$conf_reply" | jq .)"
+ port_forward="$(printf '%s' "$conf_reply" | jq -r '.data.data.port_forward')"
+ if [ "$port_forward" = "true" ]; then
+ server_cn="$(printf '%s' "$conf_reply" | jq -r '.data.data.server_cn')"
+ server_vip="$(printf '%s' "$conf_reply" | jq -r '.data.data.server_vip')"
+ if ! pf_sig_reply="$(_curl -G --cacert ./ca.rsa.4096.crt \
+ --resolve "$server_cn:19999:$server_vip" \
+ --data-urlencode "token=$pia_token" \
+ "https://$server_cn:19999/getSignature")"; then
+ err "Failed to connect to https://$server_cn:19999/getSignature"
+ fi
+ debug -f "getSignature\n%s" "$(printf '%s' "$pf_sig_reply" | jq .)"
+ [ "$(printf '%s' "$pf_sig_reply" | jq -r '.status')" != "OK" ] &&
+ err "getSignature failed"
+ pf_payload="$(printf '%s' "$pf_sig_reply" | jq -r '.payload')"
+ pf_signature="$(printf '%s' "$pf_sig_reply" | jq -r '.signature')"
+ pf_port="$(printf '%s' "$pf_payload" |
+ base64 -d 2>/dev/null | jq -r '.port // empty')"
+ pf_expires="$(printf '%s' "$pf_payload" |
+ base64 -d 2>/dev/null | jq -r '.expires_at // empty')"
+ pf_update="$(jq -n --arg v "$pf_signature" '.data.pf_signature = $v')"
+ pf_update="$(printf '%s' "$pf_update" |
+ jq --arg v "$pf_payload" '.data.pf_payload = $v')"
+ pf_update="$(printf '%s' "$pf_update" |
+ jq --arg v "$pf_port" '.data.pf_port = $v')"
+ pf_update="$(printf '%s' "$pf_update" |
+ jq --arg v "$pf_expires" '.data.pf_expires = $v')"
+ bao_curl -p "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG" -X PATCH -d "$pf_update"
+ fi
+fi
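Review bot: The decoded payload is persisted without being validated: `pf_port` and `pf_expires` come from `base64 -d 2>/dev/null | jq -r '... // empty'`, so a corrupt or unexpected payload yields empty strings and the `bao_curl ... -X PATCH` at the end of the hunk writes those empty values over the stored pf_port/pf_expires, with the `2>/dev/null` and `// empty` hiding the failure from the log. Add a guard before the first `pf_update=` line, e.g. `[ -n "$pf_port" ] && [ -n "$pf_expires" ] || err "getSignature payload missing port/expires_at"`, and consider dropping the `2>/dev/null` so a bad base64 payload is visible (this assumes `err` exits, which is defined outside the hunk). Two smaller points: `--data-urlencode "token=$pia_token"` puts the PIA token on curl's argv, where it is readable in the process list for the duration of the request, and curl's `--data-urlencode "token@FILE"` form avoids that if `_curl` does not already handle it; and `--arg v "$pf_port"` stores the port as a JSON string rather than a number, which later consumers of the config need to know.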