diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index 8d1bce9..f99bc84 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -92,6 +92,10 @@ in {
 id = 13;
 connections = [ "bitcoind" ];
 };
+ lnd = {
+ id = 14;
+ connections = [ "bitcoind" ];
+ };
 };
 
 systemd.services = {
@@ -191,6 +195,20 @@ in {
 bind-addr = "${netns.clightning.address}:${toString config.services.clightning.onionport}";
 };
 
+ # lnd: Custom netns configs
+ services.lnd = mkIf config.services.lnd.enable {
+ listen = netns.lnd.address;
+ rpclisten = [
+ "${netns.lnd.address}"
+ "127.0.0.1"
+ ];
+ restlisten = [
+ "${netns.lnd.address}"
+ "127.0.0.1"
+ ];
+ bitcoind-host = netns.bitcoind.address;
+ };
+
 })
 # Custom netns config option values if netns-isolation not enabled
 (mkIf (!cfg.enable) {
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 46e9c51..50638aa 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -91,7 +91,7 @@ in {
 tor-socks = cfg.tor.client.socksListenAddress;
 enforceTor = true;
 };
- services.tor.hiddenServices.lnd = mkHiddenService { port = cfg.lnd.onionport; };
+ services.tor.hiddenServices.lnd = mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.listen; };
 
 # liquidd
 services.liquidd = {
diff --git a/pkgs/generate-secrets/openssl.cnf b/pkgs/generate-secrets/openssl.cnf
index 66f25e4..641d13d 100644
--- a/pkgs/generate-secrets/openssl.cnf
+++ b/pkgs/generate-secrets/openssl.cnf
@@ -30,3 +30,5 @@ subjectAltName = @alt_names
 [ alt_names ]
 IP.1 = 127.0.0.1
 DNS.1 = localhost
+# TODO: Remove hardcoded lnd IP
+IP.2 = 169.254.1.14
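Review bot: The `id = 14` added for lnd appears to be what the hardcoded SAN `IP.2 = 169.254.1.14` in pkgs/generate-secrets/openssl.cnf is derived from (the address derivation itself is outside this hunk, so this is inferred), and nothing in this hunk records that coupling or guards against a colliding id. A one-line comment next to the entry would save the next person from a silent TLS mismatch: `id = 14; # last octet of the lnd netns address; keep in sync with IP.2 in pkgs/generate-secrets/openssl.cnf`. If the module does not already assert that netns ids are unique, that is worth adding where the `netns` set is consumed, since a duplicate would put two services on one address. The enclosing `netns` attribute set starts before this hunk.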
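Review bot: `rpclisten` and `restlisten` wrap an already-string value as `"${netns.lnd.address}"` while `listen` and `bitcoind-host` pass `netns.lnd.address` bare; the interpolation is redundant and reads as if a port were meant to follow. Either drop it, `rpclisten = [ netns.lnd.address "127.0.0.1" ];`, or, if the intent was an explicit port, append one so the bound endpoint is stated rather than left to lnd's default. Binding gRPC and REST on the namespace address (not just loopback) is what makes the certificate SAN in openssl.cnf necessary, and it exposes both interfaces to every namespace bridged to lnd's — `connections` here lists only bitcoind, so any future consumer of lnd's RPC will need its own entry, which the comment `# lnd: Custom netns configs` could say. The enclosing `(mkIf cfg.enable { ... })` block starts before this hunk.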
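Review bot: Pointing the hidden service at `toHost = cfg.lnd.listen` only works if that value is a single routable address from tor's vantage point; if `services.lnd.listen` can be a wildcard such as `0.0.0.0` when netns-isolation is off (its type is not visible here), tor would be handed an unusable target and the onion would fail silently. Consider having `mkHiddenService` (or an assertion next to this line) reject wildcard and unspecified addresses, mapping them to `127.0.0.1` where that is the intended meaning. In the isolated case this also relies on tor's namespace being bridged to lnd's — lnd's own `connections` in netns-isolation.nix names only bitcoind, and whether tor's entry covers it is not visible in this change. The preset's enclosing attribute set starts before this hunk.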
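Review bot: The hardcoded `IP.2 = 169.254.1.14` duplicates an address that the netns-isolation module computes from `id = 14`, so any change to that id or to the address prefix breaks TLS verification for clients reaching lnd over the namespace address, and the TODO does not say what the value must track. Until the cnf is generated from `netns.lnd.address` (e.g. by templating this file in Nix, or passing the SAN via `-addext subjectAltName=...` at key-generation time), make the dependency explicit: `# TODO: Remove hardcoded lnd IP; must equal netns.lnd.address (id = 14) in modules/netns-isolation.nix`. Note that a stale SAN fails closed (clients refuse the connection), so this is an availability rather than a confidentiality issue, but it is easy to miss because loopback clients keep working via `IP.1`.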