diff --git a/.gitea/workflows/deploy-my-vpn.yml b/.gitea/workflows/deploy-my-vpn.yml
index f993cf5..eb66c0c 100644
--- a/.gitea/workflows/deploy-my-vpn.yml
+++ b/.gitea/workflows/deploy-my-vpn.yml
@@ -7,18 +7,24 @@ on:
 
 jobs:
   deploy:
-    runs-on: [linux, x64, server-2]
+    runs-on: ubuntu-latest
     steps:
       - name: Deploy via SSH
         env:
           VPN_HOST: ${{ secrets.VPN_HOST }}
           VPN_USER: ${{ secrets.VPN_USER }}
-          VPN_SSH_KEY: ${{ secrets.TEST_KEY }}
+          VPN_SSH_KEY_B64: ${{ secrets.TEST_KEY_B64 }}
         run: |
+          set -euo pipefail
           mkdir -p ~/.ssh
           chmod 700 ~/.ssh
-          echo "$VPN_SSH_KEY" > ~/.ssh/id_ci_runner
+          printf '%s' "$VPN_SSH_KEY_B64" | base64 -d > ~/.ssh/id_ci_runner
           chmod 600 ~/.ssh/id_ci_runner
-          ssh-keyscan -H "$VPN_HOST" >> ~/.ssh/known_hosts
+          VPN_USER="$(printf '%s' "$VPN_USER" | tr -d '\r\n')"
+          VPN_HOST="$(printf '%s' "$VPN_HOST" | tr -d '\r\n')"
+          echo "using user=${VPN_USER} host=${VPN_HOST}"
+          ssh-keyscan -H "$VPN_HOST" >> ~/.ssh/known_hosts || true
+          ssh-keygen -lf ~/.ssh/id_ci_runner
+          ssh -vvv -o BatchMode=yes -o ConnectTimeout=10 -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ci_runner "${VPN_USER}@${VPN_HOST}" "echo ok"
 
-          ssh -i ~/.ssh/id_ci_runner "$VPN_USER@$VPN_HOST" "cd /srv/ip-ua && git fetch --all && git reset --hard origin/main && bash deploy/my-vpn/deploy.sh"
+          ssh -o BatchMode=yes -o ConnectTimeout=10 -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ci_runner "${VPN_USER}@${VPN_HOST}" "cd /srv/ip-ua && git fetch --all && git reset --hard origin/main && bash deploy/my-vpn/deploy.sh"