diff --git a/README.md b/README.md
index 30bae42..f1f71d5 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,7 @@ use the provided `xmpp-proxy.toml` configuration as-is.
 Edit `/etc/prosody/prosody.cfg.lua`, Add these to modules_enabled:
 ```
 "net_proxy";
+"secure_interfaces";
 "s2s_outgoing_proxy";
 ```
 Until prosody-modules is updated, use my new module [mod_s2s_outgoing_proxy.lua](https://www.moparisthebest.com/mod_s2s_outgoing_proxy.lua).
@@ -71,6 +72,9 @@ s2s_secure_auth = false
 -- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
 s2s_outgoing_proxy = { "127.0.0.1", 15270 }
 
+-- trust connections coming from these IPs
+secure_interfaces = { "127.0.0.1", "::1" }
+
 -- handle PROXY protocol on these ports
 proxy_port_mappings = {
     [15222] = "c2s",
@@ -134,3 +138,8 @@ To build a reverse proxy only, but supporting all of STARTTLS/TLS/QUIC, run: `ca
 GNU/AGPLv3 - Check LICENSE.md for details
 
 Thanks [rxml](https://github.com/horazont/rxml) for afl-fuzz seeds
+
+#### todo
+  1. sasl external for s2s, initiating and recieving
+  2. better debug log output
+  3. websocket incoming and outgoing, maybe even for s2s
diff --git a/src/quic.rs b/src/quic.rs
index ccac99d..749c0d5 100644
--- a/src/quic.rs
+++ b/src/quic.rs
@@ -15,7 +15,7 @@ pub async fn quic_connect(target: SocketAddr, server_name: &str, is_c2s: bool) -
     endpoint_builder.default_client_config(client_cfg);
     let (endpoint, _incoming) = endpoint_builder.bind(&bind_addr)?;
     // connect to server
-    let quinn::NewConnection { connection, .. } = endpoint.connect(&target, server_name).unwrap().await?;
+    let quinn::NewConnection { connection, .. } = endpoint.connect(&target, server_name)?.await?;
     debug!("[client] connected: addr={}", connection.remote_address());
 
     let (wrt, rd) = connection.open_bi().await?;
@@ -72,24 +72,27 @@ pub fn spawn_quic_listener(local_addr: SocketAddr, config: CloneableConfig, serv
     let mut endpoint_builder = Endpoint::builder();
     endpoint_builder.listen(server_config);
     let (_endpoint, mut incoming) = endpoint_builder.bind(&local_addr).die("cannot listen on port/interface");
-    // accept a single connection
     tokio::spawn(async move {
-        let incoming_conn = incoming.next().await.unwrap();
-        let mut new_conn = incoming_conn.await.unwrap();
-        let client_addr = new_conn.connection.remote_address();
-        let config = config.clone();
-        tokio::spawn(async move {
-            println!("INFO: {} quic connected", client_addr);
+        // when could this return None, do we quit?
+        while let Some(incoming_conn) = incoming.next().await {
+            let config = config.clone();
+            tokio::spawn(async move {
+                if let Ok(mut new_conn) = incoming_conn.await {
+                    let client_addr = new_conn.connection.remote_address();
+                    println!("INFO: {} quic connected", client_addr);
 
-            while let Some(Ok((wrt, rd))) = new_conn.bi_streams.next().await {
-                let config = config.clone();
-                tokio::spawn(async move {
-                    if let Err(e) = shuffle_rd_wr(rd, wrt, config, local_addr, client_addr).await {
-                        eprintln!("ERROR: {} {}", client_addr, e);
+                    while let Some(Ok((wrt, rd))) = new_conn.bi_streams.next().await {
+                        let config = config.clone();
+                        tokio::spawn(async move {
+                            if let Err(e) = shuffle_rd_wr(rd, wrt, config, local_addr, client_addr).await {
+                                eprintln!("ERROR: {} {}", client_addr, e);
+                            }
+                        });
                     }
-                });
-            }
-        });
+                }
+            });
+        }
+        println!("INFO: quic listener shutting down, should never happen????");
         #[allow(unreachable_code)]
         Ok(())
     })