diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index 760826b8665f149742b6602288e153e209e00488..c1a9f60a0e4154b4bc208429c8f4ab5704c106d6 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -15,7 +15,6 @@ import ../../lib/make-grid.nix {
   in {
     "payments" = import ../../lib/make-issuer.nix ({
       publicIPv4 = "18.197.42.120";
-      monitoringvpnIPv4 = "172.23.23.11";
       inherit sshUsers;
       hardware = ../../lib/issuer-aws.nix;
       stateVersion = "19.03";
@@ -23,7 +22,6 @@ import ../../lib/make-grid.nix {
 
     "storage001" = import ../../lib/make-testing.nix (cfg // {
       publicIPv4 = "3.120.26.190";
-      monitoringvpnIPv4 = "172.23.23.11";
       inherit sshUsers;
       hardware = ./testing001-hardware.nix;
       stateVersion = "19.03";
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 912b022495166589ae3b13fa0da9a59ee694b38e..17382c4bed0e548baf49431cda493c4ca7305fee 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -1,16 +1,41 @@
 { hardware
 , ristrettoSigningKeyPath
 , stripeSecretKeyPath
-, monitoringvpnSecretKeyDir
 , issuerDomain
 , letsEncryptAdminEmail
 , allowedChargeOrigins
 , sshUsers
 , stateVersion
 , publicIPv4
-, monitoringvpnIPv4
+, monitoringvpnSecretKeyDir ? null
+, monitoringvpnIPv4 ? null
 , ...
-}: rec {
+}: let
+
+  enableVpn = if (monitoringvpnSecretKeyDir != null &&
+                  monitoringvpnIPv4 != null)
+              then true else false;
+
+  vpnSecrets = if !enableVpn then {} else {
+    "monitoringvpn-secret-key" = {
+      source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
+      destination = "/run/keys/monitoringvpn/client.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+    "monitoringvpn-preshared-key" = {
+      source = monitoringvpnSecretKeyDir + "/preshared.key";
+      destination = "/run/keys/monitoringvpn/preshared.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+  };
+
+in rec {
   deployment = {
     targetHost = publicIPv4;
 
@@ -31,23 +56,7 @@
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
-      "monitoringvpn-secret-key" = {
-        source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
-        destination = "/run/keys/monitoringvpn/client.key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-      };
-      "monitoringvpn-preshared-key" = {
-        source = monitoringvpnSecretKeyDir + "/preshared.key";
-        destination = "/run/keys/monitoringvpn/preshared.key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-      };
-    };
+    } // vpnSecrets;
   };
 
   imports = [
@@ -71,7 +80,7 @@
 
   system.stateVersion = stateVersion;
 
-  services.private-storage.monitoring.vpn.client = {
+  services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
     enable = true;
     ip = monitoringvpnIPv4;
   };
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index 050c4399731506738bb4bbee357ec218032e4964..149ae7409ee2604cfb21fe31b33157e75da95044 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -2,12 +2,37 @@
 , hardware
 , publicStoragePort
 , ristrettoSigningKeyPath
-, monitoringvpnSecretKeyDir
 , passValue
 , sshUsers
 , stateVersion
-, monitoringvpnIPv4
-, ... }: rec {
+, monitoringvpnSecretKeyDir ? null
+, monitoringvpnIPv4 ? null
+, ... }: let
+
+  enableVpn = if (monitoringvpnSecretKeyDir != null &&
+                  monitoringvpnIPv4 != null)
+              then true else false;
+
+  vpnSecrets = if !enableVpn then {} else {
+    "monitoringvpn-secret-key" = {
+      source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
+      destination = "/run/keys/monitoringvpn/client.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+    "monitoringvpn-preshared-key" = {
+      source = monitoringvpnSecretKeyDir + "/preshared.key";
+      destination = "/run/keys/monitoringvpn/preshared.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+  };
+
+in rec {
 
   deployment = {
     targetHost = publicIPv4;
@@ -24,23 +49,7 @@
         # extract it from the tahoe-lafs nixos module somehow?
         action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
       };
-      "monitoringvpn-secret-key" = {
-        source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
-        destination = "/run/keys/monitoringvpn/client.key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-      };
-      "monitoringvpn-preshared-key" = {
-        source = monitoringvpnSecretKeyDir + "/preshared.key";
-        destination = "/run/keys/monitoringvpn/preshared.key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-      };
-    };
+    } // vpnSecrets;
   };
 
   imports = [
@@ -60,7 +69,7 @@
 
   system.stateVersion = stateVersion;
 
-  services.private-storage.monitoring.vpn.client = {
+  services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
     enable = true;
     ip = monitoringvpnIPv4;
   };