diff --git a/diyvpn.sh b/diyvpn.sh index 49f2760..7bdd645 100755 --- a/diyvpn.sh +++ b/diyvpn.sh @@ -10,7 +10,7 @@ common_ssh_cfg_path="${DIYVPN_SSH_CFG:-$script_dir/common_sshconfig}" diyvpn_cfg="${DIYVPN_CFG:-$HOME/.config/diyvpn/servers}" generate() { - local cfgpath name server_ssh_cfg idle_timeout listen_port + local cfgpath name server_ssh_cfg idle_timeout listen_address cfgpath="$1" name=$(basename "$cfgpath" | tr -d '[:space:]') server_ssh_cfg="$cfgpath"/ssh_config # TODO validate @@ -18,7 +18,7 @@ generate() { source "$cfgpath/config.rc" idle_timeout="${IDLE_TIMEOUT:-10min}" - listen_port="${LISTEN_PORT:?LISTEN_PORT should be set}" + listen_address="${LISTEN_ADDRESS:?LISTEN_ADDRESS should be set}" cat >"$opdir/diyvpnssh-$name.service" <<-EOF [Unit] @@ -52,7 +52,7 @@ generate() { Description=Socket for diyvpn to server $name [Socket] - ListenStream=$listen_port + ListenStream=$listen_address [Install] WantedBy=sockets.target diff --git a/diyvpnctl.sh b/diyvpnctl.sh new file mode 100755 index 0000000..f00296b --- /dev/null +++ b/diyvpnctl.sh 
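Review bot: In the second hunk of diyvpn.sh, `LISTEN_ADDRESS` replaces `LISTEN_PORT` with no fallback, so an existing `config.rc` that only sets `LISTEN_PORT` now aborts generate() with "LISTEN_ADDRESS should be set". A compatible form would be `listen_address="${LISTEN_ADDRESS:-${LISTEN_PORT:?LISTEN_ADDRESS should be set}}"`. The third hunk writes the value unchanged into `ListenStream=`, where a bare port makes systemd listen on every interface rather than loopback, so a comment above the assignment would help, for example `# host:port, e.g. 127.0.0.1:9090; a bare port listens on all interfaces`. generate() starts and ends outside these hunks.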
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+set -euo pipefail
+
+diyvpn_cfg="${DIYVPN_CFG:-$HOME/.config/diyvpn/servers}"
+
+add() {
+ read -rp "Server name [e.g. foobar] [required] : " name
+ if [[ -d "$diyvpn_cfg/$name" ]]; then
+ echo "Warning: $diyvpn_cfg/$name already exists. Exising files will be overwritten. [Ctrl+C to quit]"
+ fi
+
+ read -rp "Listen address [e.g. 127.0.0.1:9090] [required] : " listen_address
+ read -rp "Idle Timeout [e.g. 5min] [5min] : " idle_timeout
+ : "${idle_timeout:=5min}"
+
+ read -rp "Remote server Ip [e.g. 1.2.3.4] [required] : " hostname
+ read -rp "Remote server ssh port [e.g. 2222] [22] : " port
+ : "${port:=22}"
+ read -rp "Remote server username [e.g. dave] [required] : " username
+ read -rp "SSH private key [e.g. ~/.ssh/id_ed25519] [required] : " identityfile
+
+ mkdir -p "$diyvpn_cfg/$name"
+
+ cat >"$diyvpn_cfg/$name/config.rc" <<-EOF
+ LISTEN_ADDRESS=$listen_address
+ IDLE_TIMEOUT=$idle_timeout
+ EOF
+
+ cat >"$diyvpn_cfg/$name/ssh_config" <<-EOF
+ Hostname $hostname
+ Port $port
+ User $username
+ IdentityFile $identityfile
+ EOF
+
+ head -100 "$diyvpn_cfg/$name/"*
+
+ systemctl --user daemon-reload
+}
+
+action="${1:-none}"
+
+case "$action" in
+
+add)
+
+ add
+ ;;
+
+list)
+
+ echo "config path: $diyvpn_cfg"
+ paste <(
+ echo "servers"
+ cd "$diyvpn_cfg"
+ basename ./*
+ ) <(
+ echo "ListenAddress"
+ sed -n '/LISTEN/s/.*=\(.*\)/\1/p' "$diyvpn_cfg"/*/config.rc
+ ) | column -t
+ ;;
+
+*)
+ echo "Usage: diyvpnctl.sh [add|list]"
+ ;;
+
+esac
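Review bot: In add(), `$name` goes straight from `read` into `mkdir -p "$diyvpn_cfg/$name"` and both `cat >` targets, so an empty answer writes `config.rc` and `ssh_config` into the servers directory itself, and a value containing `/` or `..` writes outside it; none of the `[required]` prompts is enforced. A guard right after the first `read`, such as `[[ "$name" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "invalid server name" >&2; exit 1; }`, would close that. The `config.rc` written here is later loaded with `source` by diyvpn.sh, and the unquoted here-document stores the typed values raw, so shell metacharacters in them are interpreted as code at that point. Writing the file with `printf 'LISTEN_ADDRESS=%q\nIDLE_TIMEOUT=%q\n' "$listen_address" "$idle_timeout"` keeps them as data. Separately, in the `list` arm `basename ./*` receives several operands without `-a`, which GNU basename reads as a name plus suffix or rejects as extra operands, so `basename -a ./*` is probably what was intended.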