diff --git a/certidude/api/__init__.py b/certidude/api/__init__.py
index ac1421d..b12a0a1 100644
--- a/certidude/api/__init__.py
+++ b/certidude/api/__init__.py
@@ -63,7 +63,8 @@ class SessionResource(object):
try:
last_seen = datetime.strptime(xattr.getxattr(path, "user.lease.last_seen"), "%Y-%m-%dT%H:%M:%S.%fZ")
lease = dict(
- address = xattr.getxattr(path, "user.lease.address"),
+ inner_address = xattr.getxattr(path, "user.lease.inner_address"),
+ outer_address = xattr.getxattr(path, "user.lease.outer_address"),
last_seen = last_seen,
age = datetime.utcnow() - last_seen
)
diff --git a/certidude/api/attrib.py b/certidude/api/attrib.py
index 3b611c6..722c4ce 100644
--- a/certidude/api/attrib.py
+++ b/certidude/api/attrib.py
@@ -22,7 +22,7 @@ class AttributeResource(object):
raise falcon.HTTPNotFound()
else:
try:
- whitelist = ip_address(attribs.get("user").get("lease").get("address").decode("ascii"))
+ whitelist = ip_address(attribs.get("user").get("lease").get("inner_address").decode("ascii"))
except AttributeError: # TODO: probably race condition
raise falcon.HTTPForbidden("Forbidden",
"Attributes only accessible to the machine")
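Review bot: `ip_address()` raises `ValueError` when the stored `inner_address` is not an IP literal, and since that value is written verbatim from a request parameter in lease.py, the `except AttributeError` on the line below the change leaves that case unhandled and it propagates as a server error rather than a 403; `except (AttributeError, ValueError):` would close it. Which of the two addresses the requester's source address should match depends on whether the request arrives through the tunnel or from outside, so a short comment such as `# compare against the tunnel-assigned address: attribute reads are only expected from inside the VPN` would record why inner_address is the one whitelisted. The enclosing method starts before this hunk.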
diff --git a/certidude/api/lease.py b/certidude/api/lease.py
index 18655e7..7db525a 100644
--- a/certidude/api/lease.py
+++ b/certidude/api/lease.py
@@ -20,8 +20,9 @@ class LeaseDetailResource(object):
try:
path, buf, cert = authority.get_signed(cn)
return dict(
- last_seen = xattr.getxattr(path, "user.lease.last_seen"),
- address = xattr.getxattr(path, "user.lease.address").decode("ascii")
+ last_seen = xattr.getxattr(path, "user.lease.last_seen"),
+ inner_address = xattr.getxattr(path, "user.lease.inner_address").decode("ascii"),
+ outer_address = xattr.getxattr(path, "user.lease.outer_address").decode("ascii")
)
except EnvironmentError: # Certificate or attribute not found
raise falcon.HTTPNotFound()
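Review bot: `last_seen` is returned as the raw `getxattr` result while both addresses on the two added lines are decoded with `.decode("ascii")`, so the response dict mixes decoded and undecoded values; if `getxattr` yields bytes here, as the decode calls suggest, JSON serialization of `last_seen` may differ from the addresses. Decoding it the same way, `last_seen = xattr.getxattr(path, "user.lease.last_seen").decode("ascii"),`, keeps the three fields consistent. The enclosing method starts before this hunk.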
@@ -35,7 +36,8 @@ class LeaseResource(object):
if req.get_param("serial") and cert.serial != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan
raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied")
- xattr.setxattr(path, "user.lease.address", req.get_param("address", required=True).encode("ascii"))
+ xattr.setxattr(path, "user.lease.outer_address", req.get_param("outer_address", required=True).encode("ascii"))
+ xattr.setxattr(path, "user.lease.inner_address", req.get_param("inner_address", required=True).encode("ascii"))
xattr.setxattr(path, "user.lease.last_seen", datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z")
push.publish("lease-update", common_name)
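Review bot: The two added `setxattr` calls store `outer_address` and `inner_address` exactly as supplied, with no check that either is an IP address, yet attrib.py later feeds `inner_address` to `ip_address()` and the status template renders both values; a malformed value fails at those consumers instead of at the request boundary, and a non-ASCII value already fails here with `UnicodeEncodeError` from `.encode("ascii")` as a server error. Parsing both parameters with `ipaddress.ip_address` (imported in this module if it is not already) and answering `falcon.HTTPBadRequest` on `ValueError` rejects bad input with a 400 and normalises what is stored. The two writes are also not atomic, so a concurrent reader can observe a new `outer_address` alongside the previous `inner_address`; the existing "probably race condition" remark in attrib.py points at this window. The enclosing method starts before this hunk.
```python
try:
    outer_address = str(ip_address(req.get_param("outer_address", required=True)))
    inner_address = str(ip_address(req.get_param("inner_address", required=True)))
except ValueError:
    raise falcon.HTTPBadRequest("Bad request", "Malformed address supplied")
xattr.setxattr(path, "user.lease.outer_address", outer_address.encode("ascii"))
xattr.setxattr(path, "user.lease.inner_address", inner_address.encode("ascii"))
# … unchanged: last_seen update and push.publish …
```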
diff --git a/certidude/static/views/status.html b/certidude/static/views/status.html
index 220769f..6fe2ad1 100644
--- a/certidude/static/views/status.html
+++ b/certidude/static/views/status.html
@@ -5,10 +5,13 @@
{% if certificate.lease.age > session.authority.lease.offline %}
Last seen
- at {{ certificate.lease.address }}
+ at {{ certificate.lease.inner_address }}
{% else %}
Online since at
- {{ certificate.lease.address }}
+ {{ certificate.lease.inner_address }}
{% endif %}
+ via
+ {{ certificate.lease.outer_address }}
{% endif %}
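Review bot: The added `via {{ certificate.lease.outer_address }}` renders a value that lease.py stores verbatim from a request parameter, so its safety in the page depends on the template engine's autoescape setting, which is not visible here. Validating the address on write in LeaseResource would make the rendered value a bare IP literal regardless of that setting. The `via` line sits outside the inner if/else, so it is shown for both the offline and online branches, which looks intended but is worth confirming.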
diff --git a/tests/test_cli.py b/tests/test_cli.py
index e7fa96f..660d92b 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -258,6 +258,8 @@ def test_cli_setup_authority():
sleep(1) # Wait for serve to start up
+ # TODO: check that port 8080 is listening, otherwise app probably crashed
+
import requests
# Test CA certificate fetch
@@ -477,7 +479,7 @@ def test_cli_setup_authority():
# Insert lease
r = client().simulate_post("/api/lease/",
- query_string = "client=test&address=127.0.0.1",
+ query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8",
headers={"Authorization":admintoken})
assert r.status_code == 200, r.text # lease update ok
r = client().simulate_get("/api/signed/nonexistant/script/")
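Review bot: The updated query string on the changed line only asserts that the lease update succeeds; nothing checks that the lease detail endpoint now returns both `inner_address` and `outer_address`, nor that a request missing the newly required `outer_address` is rejected. A follow-up `simulate_post` with `query_string = "client=test&inner_address=127.0.0.1"` asserting a 400 would pin the `required=True` contract added in lease.py. The enclosing test function starts before this hunk.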
@@ -487,13 +489,13 @@ def test_cli_setup_authority():
assert "uci set " in r.text, r.text
r = client().simulate_post("/api/lease/",
- query_string = "client=test&address=127.0.0.1&serial=0",
+ query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8&serial=0",
headers={"Authorization":admintoken})
assert r.status_code == 403, r.text # invalid serial number supplied
r = client().simulate_get("/api/signed/test/attr/")
assert r.status_code == 200, r.text # read okay from own address
r = client().simulate_post("/api/lease/",
- query_string = "client=test&address=1.2.3.4",
+ query_string = "client=test&inner_address=1.2.3.4&outer_address=8.8.8.8",
headers={"Authorization":admintoken})
assert r.status_code == 200, r.text # lease update ok
r = client().simulate_get("/api/signed/test/attr/")