diff --git a/common/network/pia-vpn/vpn-container.nix b/common/network/pia-vpn/vpn-container.nix
index 1e29e32..4dfd0c8 100644
--- a/common/network/pia-vpn/vpn-container.nix
+++ b/common/network/pia-vpn/vpn-container.nix
@@ -120,6 +120,7 @@ in
           serviceConfig = {
             Type = "simple";
             Restart = "always";
+            RestartSec = "10s";
             RuntimeMaxSec = "30d";
           };
 
@@ -127,6 +128,12 @@ in
             set -euo pipefail
             ${scripts.scriptCommon}
 
+            # Clean up stale state from previous attempts
+            ip -4 address flush dev ${cfg.interfaceName} 2>/dev/null || true
+            ip route del default dev ${cfg.interfaceName} 2>/dev/null || true
+            iptables -t nat -F 2>/dev/null || true
+            iptables -F FORWARD 2>/dev/null || true
+
             proxy="${proxy}"
 
             # 1. Authenticate with PIA via proxy (VPN container has no internet yet)