diff --git a/.gitea/workflows/ci-test.yaml b/.gitea/workflows/ci-test.yaml
index 9fa30c1..a8ed64b 100644
--- a/.gitea/workflows/ci-test.yaml
+++ b/.gitea/workflows/ci-test.yaml
@@ -34,16 +34,31 @@ jobs:
 path: infra/secrets
- - name: Install cloudflare prerequisites
- run: |
- apt-get install -y curl ca-certificates jq openssh-client net-tools iproute2
 - name: Install cloudflared
 run: |
- # pacote .deb oficial - funcionará numa runner Ubuntu x86_64
- curl -L -o cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
- dpkg -i cloudflared.deb
- cloudflared --version
+ apt-get install -y cloudflared dante-server
+
+
+ - name: Configure dante-server
+ run: |
+ cat < SOCKS5 (background)
 env:
@@ -55,18 +70,18 @@ jobs:
 # O binário 'cloudflared' tem variações de flags entre versões; estes flags funcionam nas versões recentes.
 nohup cloudflared access tcp \
 --hostname "$HOSTNAME" \
- --listener "socks5://127.0.0.1:1080" \
+ --listener "tcp://127.0.0.1:1081" \
 --service-token-id "$CF_SVC_ID" \
 --service-token-secret "$CF_SVC_SECRET" \
 > cloudflared.log 2>&1 &
 # espera a porta do listener estar pronta (timeout 30s)
 for i in $(seq 1 30); do
- ss -tnl | grep -q ":1080" && break
+ ss -tnl | grep -q ":1081" && break
 sleep 1
 done
- if ! ss -tnl | grep -q ":1080"; then
+ if ! ss -tnl | grep -q ":1081"; then
 echo "SOCKS listener not ready after 30s, printing cloudflared.log"
 tail -n +1 cloudflared.log
 cat cloudflared.log
@@ -77,6 +92,14 @@ jobs:
 sleep 1
 # opcional: ver primeiros logs
 tail -n 50 cloudflared.log || true
+
+ - name: Start dante-server
+ run: |
+ sudo pkill danted || true
+ sudo danted -f /etc/danted.conf -D > dante.log 2>&1 &
+ sleep 3
+ cat dante.log
+
 - name: vaultwarden login
 working-directory: infra/iac
 run: |
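Review bot: In the first hunk (`@@ -34,16 +34,31 @@`), deleting the prerequisites step also drops `iproute2`, yet the cloudflared step further down still polls with `ss -tnl`. If the runner image does not ship it, the wait loop will time out even when the listener is up, so I would keep it: `apt-get install -y cloudflared dante-server iproute2`. The install line also assumes a repository carrying `cloudflared` is already configured on the runner, and no `apt-get update` precedes it. A comment naming that repository, and a pinned package version, would make the step reproducible and keep the provenance of the binary reviewable. The body of the dante configuration heredoc is not readable on this page; whatever it contains, the proxy should listen on 127.0.0.1 only and accept clients from loopback only, since it forwards into the Access-protected service.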
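Review bot: In the second hunk (`@@ -55,18 +70,18 @@`), the readiness test `grep -q ":1081"` is unanchored, so any listening socket whose port merely begins with 1081 satisfies it and the step can report ready while cloudflared is not bound. Matching the full endpoint avoids that, for example `ss -tnl | grep -qE '127\.0\.0\.1:1081[[:space:]]'`, applied to both the loop and the final `if`. The failure message still says "SOCKS listener not ready" although the listener is now plain `tcp://`, which will mislead whoever reads the job log; it should name the cloudflared TCP listener instead. The step's `run` block starts and ends outside this hunk.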
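Review bot: In the third hunk (`@@ -77,6 +92,14 @@`), the new "Start dante-server" step cannot fail, because `danted` is backgrounded and the script only sleeps and prints the log. A rejected config or a bind error would surface later as an unexplained connection failure in the steps that go through the proxy. Add a liveness check after the sleep, for example `pgrep -x danted >/dev/null || { cat dante.log; exit 1; }`. `-D` already detaches the daemon, so the trailing `&` looks redundant and `dante.log` will probably hold only start-up output. `sudo` is used here while the install step calls `apt-get` directly; using one convention keeps the step from depending on `sudo` being present on a root runner.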