diff --git a/common/network/pia-wireguard.nix b/common/network/pia-wireguard.nix index d9d2023..e5f0c21 100644 --- a/common/network/pia-wireguard.nix +++ b/common/network/pia-wireguard.nix @@ -6,7 +6,6 @@ # https://github.com/pia-foss/manual-connections # https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh -# TODO reassign ports of other VPN container services to ones that PIA won't forward to and add bash code to check to be sure port stays in this range # TODO handle potential errors (or at least print status, success, and failures to the console) # TODO handle 2 month limit for port # TODO handle VPN container with different name @@ -14,6 +13,7 @@ # - TODO implement this module such that the wireguard VPN doesn't have to live in a container # TODO add some variance to the port forward timer # TODO look at wg-gen script for example of looking up a random server in a region and connect to that (user should not need to specify IP addr) +# TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort with builtins; @@ -37,6 +37,14 @@ let in { options.pia.wireguard = { enable = lib.mkEnableOption "Enable private internet access"; + badPortForwardPorts = lib.mkOption { + type = lib.types.listOf lib.types.port; + description = '' + Ports that will not be accepted from PIA. + If PIA assigns a port from this list, the connection is aborted since we cannot ask for a different port. + This is used to guarantee we are not assigned a port that is used by a service we do not want exposed. + ''; + }; wireguardListenPort = lib.mkOption { type = lib.types.port; description = "The port wireguard listens on for this VPN connection"; 
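Review bot: `badPortForwardPorts` is declared without a `default`, so every host that enables the module must set it and an empty list (as ponyo does) silently turns the check off; the description should say that and make the deny-list semantics explicit. Nothing not on the list is protected, so the option only guards the services the operator remembers to enumerate, and the list has to be kept in sync with whatever listens inside the VPN container. I would append to the description something like `There is no default: each host must list its ports explicitly, and an empty list disables the check. Only ports on this list are refused; any other port PIA hands out will be forwarded.` The surrounding `options.pia.wireguard` attribute set continues past the end of the hunk.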
@@ -201,6 +209,14 @@ in { payload=$(echo "$payload_and_signature" | jq -r '.payload') port=$(echo "$payload" | base64 -d | jq -r '.port') + # Check if the port is acceptable + notallowed=(${lib.concatStringsSep " " (map toString cfg.badPortForwardPorts)}) + if [[ " ''${notallowed[*]} " =~ " $port " ]]; then + # the port PIA assigned is not allowed, kill the connection + wg-quick down /tmp/${cfg.interfaceName}.conf + exit 1 + fi + # write reserved port to file readable for all users echo $port > /tmp/${cfg.interfaceName}-port chmod 644 /tmp/${cfg.interfaceName}-port diff --git a/machines/ponyo/configuration.nix b/machines/ponyo/configuration.nix index 9263953..8d9b309 100644 --- a/machines/ponyo/configuration.nix +++ b/machines/ponyo/configuration.nix @@ -62,6 +62,7 @@ host = "radio.runyan.org"; }; }; + pia.wireguard.badPortForwardPorts = []; services.nginx.virtualHosts."radio.runyan.org" = { enableACME = true; forceSSL = true; diff --git a/machines/storage/s0/configuration.nix b/machines/storage/s0/configuration.nix index e5bec05..8674c06 100644 --- a/machines/storage/s0/configuration.nix +++ b/machines/storage/s0/configuration.nix @@ -114,6 +114,14 @@ uid = 994; }; }; + pia.wireguard.badPortForwardPorts = [ + 9696 # prowlarr + 8989 # sonarr + 6767 # bazarr + 7878 # radarr + 8686 # lidarr + 9091 # transmission web + ]; # jellyfin # jellyfin cannot run in the vpn container and use hardware encoding
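Review bot: `$port` comes straight from the decoded PIA payload and is only compared against the deny list, never validated as a port number before `echo $port` writes it to the shared `/tmp/…-port` file; if the payload has no `port` field, `jq -r` yields the string `null`, which passes the new check unchanged. The refusal branch also exits without any message, although the file's own TODO asks for errors to be printed, and it may leave a port file from an earlier successful run in place for consumers to read (I cannot see from the hunk whether anything else clears it). I would validate the value first, log on both refusal paths, and remove the stale port file before tearing the tunnel down; the enclosing shell script starts and ends outside the hunk.

```nix
port=$(echo "$payload" | base64 -d | jq -r '.port')

# PIA picks the port; we can only accept or refuse it. Refuse anything that is
# not a valid port number (e.g. the literal "null" jq emits for a missing field).
if ! [[ "$port" =~ ^[0-9]+$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
  echo "PIA returned an invalid forwarded port '$port'; tearing down ${cfg.interfaceName}" >&2
  rm -f /tmp/${cfg.interfaceName}-port
  wg-quick down /tmp/${cfg.interfaceName}.conf
  exit 1
fi

# Refuse ports that would expose a local service we do not want reachable.
notallowed=(${lib.concatStringsSep " " (map toString cfg.badPortForwardPorts)})
if [[ " ''${notallowed[*]} " =~ " $port " ]]; then
  echo "PIA assigned denied port $port; tearing down ${cfg.interfaceName}" >&2
  rm -f /tmp/${cfg.interfaceName}-port   # do not leave a stale port from an earlier run
  wg-quick down /tmp/${cfg.interfaceName}.conf
  exit 1
fi

# … unchanged: write reserved port to file readable for all users …
```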
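Review bot: Setting `pia.wireguard.badPortForwardPorts = [];` means no port PIA assigns is ever refused on this host, so the new safeguard is effectively disabled here; a one-line comment should record why that is acceptable. If the reason is that nothing listening in this host's VPN container needs protecting, say so, e.g. `pia.wireguard.badPortForwardPorts = []; # nothing in the VPN container must stay unexposed` — I cannot confirm that from the hunk, so adjust the wording to the actual reason.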