diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 93779117b49d74315894b6308a027bae50abe0c2..457343aea0469c077efeba42593e302c3c7a30ec 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -1,7 +1,7 @@
 { "publicStoragePort": 8898
 , "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "./secrets/stripe.secret"
-, "monitoringvpnKeyDir": "./secrets/monitoringvpn"
+, "monitoringvpnKeyFolder": "./secrets/monitoringvpn"
 , "monitoringvpnEndpoint": "192.168.67.24:51820"
 , "passValue": 1000000
 , "issuerDomain": "payments.localdev"
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index ee4a2c15a5e0bc07704de9b5463d295a60ca40c5..da606417a8d56f081cf3611e92e0029e3ffae6cb 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -8,10 +8,13 @@ import ../../lib/make-grid.nix {
   let
     sshUsers = import ./users.nix;
     vpnClientIPs = [ "172.23.23.11" "172.23.23.12" "172.23.23.13" ]; # TBD: derive automatically
+    # Get vpn key folder relative to current dir, as a string:
+    monitoringvpnKeyDir = toString ./. + "/${cfg.monitoringvpnKeyFolder}";
   in {
     "payments1" = import ../../lib/make-issuer.nix (rec {
       publicIPv4 = "192.168.67.21";
       monitoringvpnIPv4 = "172.23.23.11";
+      inherit monitoringvpnKeyDir;
       inherit sshUsers;
       hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
       stateVersion = "19.03";
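Review bot: The comment on the new `monitoringvpnKeyDir` binding says the folder is taken relative to the current dir, but `./.` resolves to the directory containing grid.nix, not the directory the deployment is run from. The comment should also record why the value is a string: `toString ./.` yields a plain absolute path string, so the concatenation does not copy anything under `secrets/` into the Nix store, whereas interpolating a path value would. If that is the intent, I would reword it as `# Absolute path of the VPN key folder as a string, resolved against this file's directory; kept a string so the secrets folder is not copied into the Nix store.` The enclosing expression starts outside the hunk.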
@@ -20,6 +23,7 @@ import ../../lib/make-grid.nix {
     "storage1" = import ../../lib/make-testing.nix (rec {
       publicIPv4 = "192.168.67.22";
       monitoringvpnIPv4 = "172.23.23.12";
+      inherit monitoringvpnKeyDir;
       inherit sshUsers;
       hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
       stateVersion = "19.09";
@@ -28,6 +32,7 @@ import ../../lib/make-grid.nix {
     "storage2" = import ../../lib/make-testing.nix (rec {
       publicIPv4 = "192.168.67.23";
       monitoringvpnIPv4 = "172.23.23.13";
+      inherit monitoringvpnKeyDir;
       inherit sshUsers;
       hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
       stateVersion = "19.09";
@@ -38,6 +43,7 @@ import ../../lib/make-grid.nix {
       monitoringvpnIPv4 = "172.23.23.1";
       inherit vpnClientIPs;
       inherit sshUsers;
+      inherit monitoringvpnKeyDir;
       hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
       stateVersion = "19.09";
     } // cfg);
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 6570b63131720825fd205a35dcfe1ebce35db123..4302b406908f45b145ef805bb23aa834425283fb 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -86,5 +86,6 @@ in rec {
     enable = true;
     ip = monitoringvpnIPv4;
     endpoint = monitoringvpnEndpoint;
+    endpointPublicKeyFile = monitoringvpnKeyDir + "/server.pub";
   };
 }
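Review bot: `monitoringvpnKeyDir` is used on the new `endpointPublicKeyFile` line, but no hunk in this file touches the function's argument list, which lies outside the hunk. It is presumably an existing formal from when config.json carried a key of that name. The monitoring node visibly merges `// cfg` into its arguments, and the other nodes presumably do the same, so config.json's new `monitoringvpnKeyFolder` key is now passed in as well. Please confirm the argument set accepts it, either by listing it or by ending in `...`, otherwise evaluation stops on an unexpected argument. The same check applies to make-testing.nix and make-monitoring.nix, and the `"/server.pub"` suffix is duplicated in make-testing.nix and could be defined once.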
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
index b65f724901ea0cb07a625f0d4bca1cc5153130e0..ebc98625a4bfd64f9f2759ed181b5b5904877cf7 100644
--- a/morph/lib/make-monitoring.nix
+++ b/morph/lib/make-monitoring.nix
@@ -49,6 +49,7 @@ in rec {
     enable = true;
     ip = monitoringvpnIPv4;
     inherit vpnClientIPs;
+    pubKeysPath = monitoringvpnKeyDir;
   };
 
   system.stateVersion = stateVersion;
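Review bot: `pubKeysPath` now receives the whole key folder, which in the local grid resolves to `./secrets/monitoringvpn`. If that folder also holds the WireGuard private keys, a comment here should state the expectation on the consumer, for example `# Folder may also contain private keys; the server module must read only the public key files and never import the directory into the Nix store.` How server.nix consumes this path is not visible in the diff, so this is something to confirm rather than a known defect. The attribute set this line belongs to starts outside the hunk.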
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index 158e7ea156b372b66993dfa9ec2ddc43d06c351b..050ffd1ec40ca36d94f6dce9507bd5ee09dea69b 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -75,5 +75,6 @@ in rec {
     enable = true;
     ip = monitoringvpnIPv4;
     endpoint = monitoringvpnEndpoint;
+    endpointPublicKeyFile = monitoringvpnKeyDir + "/server.pub";
   };
 }
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 4c651f612ef7d906a44efd99e68a054b7708c912..dbd50b82ef5b09495e332e6fbb7ac5676f5ac322 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -49,7 +49,6 @@ in {
     endpointPublicKeyFile = lib.mkOption {
       type = lib.types.path;
       example = lib.literalExample ../PrivateStorageSecrets/monitoringvpn/server.pub;
-      default = ../../../../../PrivateStorageSecrets/monitoringvpn/server.pub;
       description = ''
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
       '';
diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix
index b7f8c00cf74b961ac2e2c4228f824ae8f933b0e5..2374ddc8657fb299fb83155cbabe328cd54c1aaf 100644
--- a/nixos/modules/monitoring/vpn/server.nix
+++ b/nixos/modules/monitoring/vpn/server.nix
@@ -52,7 +52,6 @@ in {
     pubKeysPath = lib.mkOption {
       type = lib.types.path;
       example = lib.literalExample ../PrivateStorageSecrets/monitoringvpn;
-      default = ../../../../../PrivateStorageSecrets/monitoringvpn;
       description = ''
         The path to the directory that holds the public keys.
       '';