diff --git a/src/config/config.go b/src/config/config.go
index 041147b8..fe3409d2 100644
--- a/src/config/config.go
+++ b/src/config/config.go
@@ -37,10 +37,21 @@ type NodeConfig struct {
 PrivateKey string `comment:"Your private key. DO NOT share this with anyone!"`
 IfName string `comment:"Local network interface name for TUN adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN."`
 IfMTU uint64 `comment:"Maximum Transmission Unit (MTU) size for your local TUN interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."`
+ TunnelRouting TunnelRouting `comment:"Allow tunneling non-Yggdrasil traffic over Yggdrasil. This effectively\nallows you to use Yggdrasil to route to, or to bridge other networks,\nsimilar to a VPN tunnel. Tunnelling works between any two nodes and\ndoes not require them to be directly peered."`
 NodeInfoPrivacy bool `comment:"By default, nodeinfo contains some defaults including the platform,\narchitecture and Yggdrasil version. These can help when surveying\nthe network and diagnosing network routing problems. Enabling\nnodeinfo privacy prevents this, so that only items specified in\n\"NodeInfo\" are sent back if specified."`
 NodeInfo map[string]interface{} `comment:"Optional node info. This must be a { \"key\": \"value\", ... } map\nor set as null. This is entirely optional but, if set, is visible\nto the whole network on request."`
 }
 
+// TunnelRouting contains the crypto-key routing tables for tunneling regular
+// IPv4 or IPv6 subnets across the Yggdrasil network.
+type TunnelRouting struct {
+ Enable bool `comment:"Enable or disable tunnel routing."`
+ IPv6RemoteSubnets map[string]string `comment:"IPv6 subnets belonging to remote nodes, mapped to the node's public\nkey, e.g. { \"aaaa:bbbb:cccc::/e\": \"boxpubkey\", ... }"`
+ IPv6LocalSubnets []string `comment:"IPv6 subnets belonging to this node's end of the tunnels. Only traffic\nfrom these ranges (or the Yggdrasil node's IPv6 address/subnet)\nwill be tunnelled."`
+ IPv4RemoteSubnets map[string]string `comment:"IPv4 subnets belonging to remote nodes, mapped to the node's public\nkey, e.g. { \"a.b.c.d/e\": \"boxpubkey\", ... }"`
+ IPv4LocalSubnets []string `comment:"IPv4 subnets belonging to this node's end of the tunnels. Only traffic\nfrom these ranges will be tunnelled."`
+}
+
 type MulticastInterfaceConfig struct {
 Regex string
 Beacon bool
diff --git a/src/tuntap/ckr.go b/src/tuntap/ckr.go
index 7a594b76..44110f2d 100644
--- a/src/tuntap/ckr.go
+++ b/src/tuntap/ckr.go
@@ -44,10 +44,10 @@ func (c *cryptokey) init(tun *TunAdapter) {
 
 // Configure the CKR routes. This should only ever be ran by the TUN/TAP actor.
 func (c *cryptokey) configure() {
- current := c.tun.config.GetCurrent()
+ //current := c.tun.config.GetCurrent()
 
 // Set enabled/disabled state
- c.setEnabled(current.TunnelRouting.Enable)
+ c.setEnabled(c.tun.config.TunnelRouting.Enable)
 
 // Clear out existing routes
 c.mutexremotes.Lock()
@@ -56,14 +56,14 @@ func (c *cryptokey) configure() {
 c.mutexremotes.Unlock()
 
 // Add IPv6 routes
- for ipv6, pubkey := range current.TunnelRouting.IPv6RemoteSubnets {
+ for ipv6, pubkey := range c.tun.config.TunnelRouting.IPv6RemoteSubnets {
 if err := c.addRemoteSubnet(ipv6, pubkey); err != nil {
 c.tun.log.Errorln("Error adding CKR IPv6 remote subnet:", err)
 }
 }
 
 // Add IPv4 routes
- for ipv4, pubkey := range current.TunnelRouting.IPv4RemoteSubnets {
+ for ipv4, pubkey := range c.tun.config.TunnelRouting.IPv4RemoteSubnets {
 if err := c.addRemoteSubnet(ipv4, pubkey); err != nil {
 c.tun.log.Errorln("Error adding CKR IPv4 remote subnet:", err)
 }
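Review bot: The struct-tag comments on the new `TunnelRouting` fields in src/config/config.go never say what happens to an entry that does not parse, and the key format is only hinted at by the `boxpubkey` placeholder. In this same commit `configure()` in src/tuntap/ckr.go only logs the error returned by `addRemoteSubnet` or `addLocalSubnet` and moves on to the next entry, so a mistyped subnet or key leaves that one route out while the remaining entries are still applied. I would extend the `Enable` tag to read `Enable or disable tunnel routing. Entries that fail to parse are logged and skipped, so check the log after changing these tables.` and state the expected key encoding in the two `RemoteSubnets` comments; the encoding is left out here because it is not visible in this diff.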
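Review bot: `configure()` in src/tuntap/ckr.go now reads `c.tun.config.TunnelRouting` five separate times (in this hunk at -44 and again in the hunks at -56, -77 and -85) instead of working from the single `current` value it used before. If the config can be replaced while this function runs, the enabled flag and the four subnet tables could come from different versions; whether that can happen is not visible in this diff. Taking one copy at the top, `tr := c.tun.config.TunnelRouting`, and ranging over `tr.IPv6RemoteSubnets` and the others keeps the routing table built from one consistent view. The commented-out `//current := c.tun.config.GetCurrent()` should be deleted rather than left in place. The body of configure() starts inside this hunk and continues past its end.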
@@ -77,7 +77,7 @@ func (c *cryptokey) configure() {
 
 // Add IPv6 sources
 c.ipv6locals = make([]net.IPNet, 0)
- for _, source := range current.TunnelRouting.IPv6LocalSubnets {
+ for _, source := range c.tun.config.TunnelRouting.IPv6LocalSubnets {
 if err := c.addLocalSubnet(source); err != nil {
 c.tun.log.Errorln("Error adding CKR IPv6 local subnet:", err)
 }
@@ -85,7 +85,7 @@ func (c *cryptokey) configure() {
 
 // Add IPv4 sources
 c.ipv4locals = make([]net.IPNet, 0)
- for _, source := range current.TunnelRouting.IPv4LocalSubnets {
+ for _, source := range c.tun.config.TunnelRouting.IPv4LocalSubnets {
 if err := c.addLocalSubnet(source); err != nil {
 c.tun.log.Errorln("Error adding CKR IPv4 local subnet:", err)
 }
diff --git a/yggdrasil b/yggdrasil
new file mode 100755
index 00000000..1b09c491
Binary files /dev/null and b/yggdrasil differ
diff --git a/yggdrasilctl b/yggdrasilctl
new file mode 100755
index 00000000..5a3b6596
Binary files /dev/null and b/yggdrasilctl differ
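Review bot: The commit adds two executables, `yggdrasil` and `yggdrasilctl` (new file mode 100755, shown only as "Binary files ... differ"), at the repository root; they look like local build outputs rather than an intended part of the change. Compiled binaries cannot be reviewed against the source in this commit, and anyone who runs them from a checkout is trusting whatever tree and toolchain produced them. They should be dropped from the commit, and the two names added to `.gitignore` so they are not picked up again.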