diff --git a/common/network/pia-vpn/default.nix b/common/network/pia-vpn/default.nix
index 98b92db..4cf1660 100644
--- a/common/network/pia-vpn/default.nix
+++ b/common/network/pia-vpn/default.nix
@@ -56,8 +56,8 @@ let
 default = null;
 description = ''
 Target port to forward to. If null, forwards to the same PIA-assigned port.
- PIA-assigned ports below 1000 are rejected to avoid accidentally
- forwarding traffic to privileged services.
+ PIA-assigned ports below 10000 are rejected to avoid accidentally
+ forwarding traffic to other services.
 '';
 };
 protocol = mkOption {
diff --git a/common/network/pia-vpn/vpn-container.nix b/common/network/pia-vpn/vpn-container.nix
index 890a17e..e2d7f43 100644
--- a/common/network/pia-vpn/vpn-container.nix
+++ b/common/network/pia-vpn/vpn-container.nix
@@ -44,8 +44,8 @@ let
 '';
 in
 ''
- if [ "$PORT" -lt 1000 ]; then
- echo "ERROR: PIA assigned privileged port $PORT (< 1000), refusing to set up DNAT" >&2
+ if [ "$PORT" -lt 10000 ]; then
+ echo "ERROR: PIA assigned low port $PORT (< 10000), refusing to set up DNAT" >&2
 else
 ${tcpRules}
 ${udpRules}
diff --git a/machines/storage/s0/default.nix b/machines/storage/s0/default.nix
index ea80a6f..c186ee4 100644
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@@ -67,13 +67,13 @@
 onPortForwarded = ''
 # Notify Transmission of the PIA-assigned peer port via RPC
 for i in $(seq 1 30); do
- curlout=$(curl -s "http://transmission.containers:80/transmission/rpc" 2>/dev/null) && break
+ curlout=$(curl -s "http://transmission.containers:8080/transmission/rpc" 2>/dev/null) && break
 sleep 2
 done
 regex='X-Transmission-Session-Id: (\w*)'
 if [[ $curlout =~ $regex ]]; then
 sessionId=''${BASH_REMATCH[1]}
- curl -s "http://transmission.containers:80/transmission/rpc" \
+ curl -s "http://transmission.containers:8080/transmission/rpc" \
 -d "{\"method\":\"session-set\",\"arguments\":{\"peer-port\":$PORT}}" \
 -H "X-Transmission-Session-Id: $sessionId"
 fi
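Review bot: In the vpn-container.nix hunk the guard `[ "$PORT" -lt 10000 ]` fails open. When `$PORT` is empty or not an integer, `[` exits with an error status, the `if` takes the `else` branch, and `${tcpRules}` / `${udpRules}` run with a value that was never validated. Testing the accepting condition instead keeps a malformed value on the refusal path: `if [ "$PORT" -ge 10000 ] 2>/dev/null; then` with the rules in the `then` branch and the error message in `else`. The `if` block closes outside the hunk, and where `$PORT` comes from is not visible here.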
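Review bot: In the `onPortForwarded` hunk of machines/storage/s0/default.nix, a failed peer-port update is silent. If none of the 30 attempts returns text matching `X-Transmission-Session-Id`, the `if [[ $curlout =~ $regex ]]` block is skipped with no message, and the result of the `session-set` request is never checked. I would add `else echo "ERROR: no Transmission session id, peer-port not updated" >&2` before the `fi`, and use `curl -sf` on the second request so an HTTP error yields a non-zero status. The pattern `(\w*)` also accepts an empty id, where `(\w+)` would not. The script string closes outside the hunk.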
@@ -91,7 +91,7 @@
 "incomplete-dir-enabled" = true;
 "rpc-enabled" = true;
- "rpc-port" = 80;
+ "rpc-port" = 8080;
 "rpc-bind-address" = "0.0.0.0";
 "rpc-whitelist" = "127.0.0.1,10.100.*.*,192.168.*.*";
 "rpc-host-whitelist-enabled" = false;
@@ -232,7 +232,7 @@
 (mkVirtualHost "lidarr.s0.neet.dev" "http://servarr.containers:8686")
 (mkVirtualHost "sonarr.s0.neet.dev" "http://servarr.containers:8989")
 (mkVirtualHost "prowlarr.s0.neet.dev" "http://servarr.containers:9696")
- (mkVirtualHost "transmission.s0.neet.dev" "http://transmission.containers:80")
+ (mkVirtualHost "transmission.s0.neet.dev" "http://transmission.containers:8080")
 (mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443")
 (mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
 (mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
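Review bot: Around the changed `"rpc-port"` line, the RPC listener binds `0.0.0.0` with `"rpc-host-whitelist-enabled" = false`, so access control rests on the source-address patterns in `rpc-whitelist` alone, and `192.168.*.*` is a broad range. No `rpc-authentication-required` setting is visible in this hunk; the attribute set continues outside it, so it may be set elsewhere. The Host-header check is Transmission's defence against DNS rebinding, so I would rather keep it on and list the names actually used, `"rpc-host-whitelist-enabled" = true;` plus `"rpc-host-whitelist" = "transmission.containers,transmission.s0.neet.dev";`. If it has to stay off, a comment beside the line should say why.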
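Review bot: The RPC port literal `8080` now appears four times in this file: in both curl URLs in `onPortForwarded`, in `"rpc-port"`, and on this `mkVirtualHost "transmission.s0.neet.dev"` line. The commit had to edit each one by hand. Binding it once under a name of your choosing, e.g. `transmissionRpcPort = 8080;`, and interpolating `${toString transmissionRpcPort}` would keep them in sync. The change appears to depend on internal service ports staying below the 10000 cutoff in pia-vpn/vpn-container.nix, so a comment at the binding such as `# keep below the PIA DNAT cutoff (10000)` would record that invariant.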