diff --git a/vpn-node/Dockerfile b/vpn-node/Dockerfile
index e4f17ee..6c6e244 100644
--- a/vpn-node/Dockerfile
+++ b/vpn-node/Dockerfile
@@ -2,28 +2,28 @@ FROM debian:bookworm-slim
 
 LABEL description="dante SOCKS5 + purevpn-cli exit node"
 
-# ── System dependencies ───────────────────────────────────────────────────────
+# ── System dependencies (all in one layer so apt cache is fresh for installer) ─
 RUN apt-get update && apt-get install -y --no-install-recommends \
         dante-server \
         curl wget ca-certificates \
         iproute2 iptables iputils-ping \
         netcat-openbsd procps dnsutils \
         expect \
+        openvpn wireguard wireguard-tools \
+        net-tools openresolv \
     && rm -rf /var/lib/apt/lists/*
 
-# ── Install purevpn-cli (official installer) ──────────────────────────────────
-# Running as root inside Docker — no sudo needed.
+# ── Install purevpn-cli ───────────────────────────────────────────────────────
+# Pre-installing its dependencies above means the installer's own apt calls
+# find everything already present and skip cleanly.
+# Binary lands at /opt/purevpn-cli/bin/purevpn-cli
 RUN curl -fsSL https://apps.purevpn-tools.com/cross-platform/linux-cli/production/cli-install.sh \
         -o /tmp/cli-install.sh \
     && bash /tmp/cli-install.sh \
-    && rm -f /tmp/cli-install.sh \
-    && echo ">>> purevpn-cli install search:" \
-    && find / -maxdepth 8 -name "purevpn*" 2>/dev/null || true \
-    && echo ">>> /etc/pure-linux-cli contents:" \
-    && ls -la /etc/pure-linux-cli/ 2>/dev/null || echo "(directory not found)"
+    && rm -f /tmp/cli-install.sh
 
-# ── Add purevpn-cli to PATH (as per official docs) ────────────────────────────
-ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/etc/pure-linux-cli/
+# ── PATH: installer puts binary in /opt/purevpn-cli/bin/ ─────────────────────
+ENV PATH=/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
 # ── Location list ─────────────────────────────────────────────────────────────
 COPY servers.txt /etc/vpndock/servers.txt
diff --git a/vpn-node/entrypoint.sh b/vpn-node/entrypoint.sh
index 6690806..f770482 100755
--- a/vpn-node/entrypoint.sh
+++ b/vpn-node/entrypoint.sh
@@ -4,22 +4,7 @@
 # then starts dante SOCKS5 proxy bound to 0.0.0.0, routing out through tun0.
 set -euo pipefail
 
-export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/etc/pure-linux-cli/
-
-# ── Locate purevpn-cli wherever the installer put it ─────────────────────────
-if ! command -v purevpn-cli &>/dev/null; then
-    _bin=$(find / -maxdepth 8 -name "purevpn-cli" -type f 2>/dev/null | head -1)
-    if [[ -n "$_bin" ]]; then
-        export PATH="$(dirname "$_bin"):$PATH"
-        echo "[entrypoint] purevpn-cli found at $_bin — PATH updated"
-    else
-        echo "[entrypoint] FATAL: purevpn-cli not found anywhere on the filesystem"
-        echo "[entrypoint] All purevpn* files:"
-        find / -maxdepth 8 -name "purevpn*" 2>/dev/null || true
-        exit 1
-    fi
-fi
-echo "[entrypoint] Using purevpn-cli: $(command -v purevpn-cli)"
+export PATH=/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
 SOCKS5_PORT="${SOCKS5_INNER_PORT:-1080}"
 VPN_IF="tun0"