diff --git a/cli/vpn.go b/cli/vpn.go
index 1b220ee3..4105f477 100644
--- a/cli/vpn.go
+++ b/cli/vpn.go
@@ -5,6 +5,7 @@ import (
 	"io/ioutil"
 	"net"
 	"os"
+	"regexp"
 	"strings"
 
 	"github.com/golang/glog"
@@ -19,6 +20,11 @@ const (
 	vpnLastIPConfFileRelative = "/modules/kubernetes/wireguard/extra/last_ip.txt"
 )
 
+var (
+	allowedClientName = regexp.MustCompile(`^[a-zA-Z0-9 ]+$`)
+	allowedPubKey     = regexp.MustCompile(`^[a-zA-Z0-9=]$`)
+)
+
 // addVPNClient inserts new client config
 func addVPNClient(gitFs *GitFS, clientName, publicKey, clientsConfPath, ip string) error {
 	if clientName == "" {
@@ -27,6 +33,13 @@ func addVPNClient(gitFs *GitFS, clientName, publicKey, clientsConfPath, ip strin
 	if publicKey == "" {
 		return fmt.Errorf("public key cannot be empty when creating new vpn config")
 	}
+	if !allowedClientName.Match([]byte(clientName)) {
+		return fmt.Errorf("client key must match '%s', got %s", allowedClientName.String(), clientName)
+	}
+	if !allowedPubKey.Match([]byte(publicKey)) {
+		return fmt.Errorf("client public key must match '%s', got '%s'", allowedPubKey.String(), publicKey)
+	}
+
 	contents := "[Peer]\n# friendly_name = " + clientName + "\nPublicKey = " + publicKey + "\nAllowedIPs = " + ip + "\n\n"
 	glog.Infof("adding the following config: \n%s", contents)
 	f, err := (*gitFs.fs).OpenFile(clientsConfPath, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0644)
diff --git a/modules/kubernetes/kafka/main.tf b/modules/kubernetes/kafka/main.tf
index 4dba350c..6b5f9aef 100644
--- a/modules/kubernetes/kafka/main.tf
+++ b/modules/kubernetes/kafka/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "client_certificate_secret_name" {}
 
 module "tls_secret" {
   source = "../setup_tls_secret"
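Review bot: `allowedPubKey` in the new var block has no quantifier, so `^[a-zA-Z0-9=]$` accepts exactly one character and will reject every real WireGuard public key (32 bytes, base64-encoded as 43 characters plus one `=` pad); its character class also omits the base64 symbols `+` and `/`, so adding `+` alone would still reject valid keys. A shape check matching the key format is `allowedPubKey = regexp.MustCompile(`^[A-Za-z0-9+/]{43}=$`)`; a stricter option is to replace the regexp with `base64.StdEncoding.DecodeString` and accept the value only when the decoded length is 32. Either form keeps what the check is apparently for, which is that no newline can reach the `PublicKey =` line the later hunk writes into the config file. The `allowedClientName` pattern is fine as written, since Go's `$` without the `m` flag only matches at end of text.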
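Review bot: The two new checks cover clientName and publicKey, but `ip`, which the `contents :=` line right below concatenates into `AllowedIPs = `, is not validated anywhere in the hunk; if it can be caller-supplied (its origin is outside the hunk), it should be parsed with `net.ParseCIDR` or `net.ParseIP` (`net` is already imported) before being written, since a value containing a newline would otherwise add further lines to the peer config. Two smaller points: the first error message says "client key" but describes the client name, and the two messages quote the input inconsistently; `MatchString` avoids the `[]byte` conversion and `%q` makes the echoed input unambiguous, e.g. `if !allowedClientName.MatchString(clientName) { return fmt.Errorf("client name must match %q, got %q", allowedClientName.String(), clientName) }`. addVPNClient's body continues past the end of the hunk.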
@@ -109,7 +110,10 @@ resource "kubernetes_ingress" "kafka-ui" {
     name      = "kafka-ui-ingress"
     namespace = "kafka"
     annotations = {
-      "kubernetes.io/ingress.class" = "nginx"
+      "kubernetes.io/ingress.class"                        = "nginx"
+      "nginx.ingress.kubernetes.io/force-ssl-redirect"     = "true"
+      "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
+      "nginx.ingress.kubernetes.io/auth-tls-secret"        = var.client_certificate_secret_name
     }
   }
 
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index ad023f1c..81d1369a 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -84,8 +84,9 @@ module "hackmd" {
 # }
 
 module "kafka" {
-  source          = "./kafka"
-  tls_secret_name = var.tls_secret_name
+  source                         = "./kafka"
+  client_certificate_secret_name = var.client_certificate_secret_name
+  tls_secret_name                = var.tls_secret_name
 }
 
 module "kms" {
diff --git a/terraform.tfstate b/terraform.tfstate
index 474244fc..a1f1e0c0 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ
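Review bot: `nginx.ingress.kubernetes.io/auth-tls-secret` expects its value in `namespace/secretName` form, and the new annotation passes `var.client_certificate_secret_name` straight through; unless that variable already carries the namespace prefix (not visible here), ingress-nginx cannot load the CA bundle and `auth-tls-verify-client = "on"` will reject every client. If the secret lives next to the ingress, `"nginx.ingress.kubernetes.io/auth-tls-secret" = "kafka/${var.client_certificate_secret_name}"` removes the ambiguity; otherwise the expected format belongs on the variable, which the earlier `modules/kubernetes/kafka/main.tf` hunk declares with no `type` or `description`. The referenced secret also has to hold the CA certificate under the `ca.crt` key for verification to work. The `resource "kubernetes_ingress"` block starts and ends outside the hunk.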
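Review bot: The new `client_certificate_secret_name = var.client_certificate_secret_name` line in `module "kafka"` references a variable that no hunk in this diff declares for the `modules/kubernetes` module itself; the only declaration added is inside `modules/kubernetes/kafka/main.tf`. Unless it is already declared in a file this commit does not touch, `terraform validate` will fail on that line. Declaring it alongside `tls_secret_name` with `variable "client_certificate_secret_name" { type = string }` and threading it from the root module would close the gap.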