diff --git a/books/base.yml b/books/base.yml
index d245bad..141b323 100644
--- a/books/base.yml
+++ b/books/base.yml
@@ -1,7 +1,12 @@
 #!/usr/bin/env ansible-playbook
 ---
+- hosts: vpn, !tests,
+  roles:
+    - client_apt_proxy
+
 - hosts: all, !tests,
   roles:
     - base_config
     - create_users
     - ssh_totp
+
diff --git a/group_vars/all/apt_proxy.yml b/group_vars/all/apt_proxy.yml
index 169bdf0..290ae89 100644
--- a/group_vars/all/apt_proxy.yml
+++ b/group_vars/all/apt_proxy.yml
@@ -5,3 +5,5 @@ apt_proxy_admin_mdp: "{{ vault_apt_proxy_admin_mdp }}"
 
 apt_proxy_allowed_clients: 
   - "{{ intranet['ipv4'] }}/{{ intranet['netmaskv4'] }}"
+
+apt_proxy_address: "{{ intranet['subnets']['physical']['subnets']['hindley']['ipv4'] }}"
diff --git a/group_vars/all/networking.yaml b/group_vars/all/networking.yml
similarity index 100%
rename from group_vars/all/networking.yaml
rename to group_vars/all/networking.yml
diff --git a/roles/client_apt_proxy/tasks/main.yml b/roles/client_apt_proxy/tasks/main.yml
new file mode 100644
index 0000000..09f1776
--- /dev/null
+++ b/roles/client_apt_proxy/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Tell apt to use the proxy
+  template:
+    src: "00aptproxy.j2"
+    dest: "/etc/apt/apt.conf.d/00aptproxy"
+    owner: root
+    group: root
+    mode: '644'
diff --git a/roles/client_apt_proxy/templates/00aptproxy.j2 b/roles/client_apt_proxy/templates/00aptproxy.j2
new file mode 100644
index 0000000..b0c4997
--- /dev/null
+++ b/roles/client_apt_proxy/templates/00aptproxy.j2
@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+Acquire::http::Proxy "http://{{ apt_proxy_address }}:{{ apt_proxy_port }}/";
+