diff --git a/lib/tunnel.js b/lib/tunnel.js
new file mode 100644
index 0000000..ea09873
--- /dev/null
+++ b/lib/tunnel.js
@@ -0,0 +1,30 @@
+'use strict';
+
+module.exports.create = function (opts/*, servers*/) {
+  // servers = { plainserver, server }
+  var tunnel = require('daplie-tunnel');
+  var stunnel = require('stunnel');
+
+
+  return tunnel.token({
+    refreshToken: opts.refreshToken
+  , email: opts.email
+  , domains: [ opts.servername ]
+  }).then(function (result) {
+    // { jwt, tunnelUrl }
+    stunnel.connect({
+      token: result.jwt
+    , stunneld: result.tunnelUrl
+    , locals: [
+        { protocol: 'https'
+        , hostname: opts.servername
+        , port: opts.port
+        }
+      , { protocol: 'http'
+        , hostname: opts.servername
+        , port: opts.insecurePort || opts.port
+        }
+      ]
+    });
+  });
+};
diff --git a/serve.js b/serve.js
index a2ec860..b4f7fcd 100755
--- a/serve.js
+++ b/serve.js
@@ -181,7 +181,7 @@ function createServer(port, pubdir, content, opts) {
 
     server.on('request', function (req, res) {
       console.log('[' + req.method + '] ' + req.url);
-      if (!req.socket.encrypted) {
+      if (!req.socket.encrypted && !/\/\.well-known\/acme-challenge\//.test(req.url)) {
         opts.redirectApp(req, res);
         return;
       }
@@ -424,6 +424,9 @@ function run() {
           }
         });
       }
+      else {
+        require('./lib/tunnel.js').create(opts);
+      }
 
       Object.keys(opts.ifaces).forEach(function (iname) {
         var iface = opts.ifaces[iname];