diff --git a/hallpass.go b/hallpass.go
index bed2b3b..a1289af 100644
--- a/hallpass.go
+++ b/hallpass.go
@@ -40,15 +40,16 @@ import (
 )
 var (
- secretServer = flag.String("secret-server", "", "setec secret server base URL; if empty, setec is not used")
- oauthSecret = flag.String("oauth-secret", keyPath("hallpass-key"), "name of setec secret containing Tailscale OAuth ClientSecret; if --secret-server is empty, ignored and reads from $HOME/keys/hallpass-key; ignored if workload identity federation is used")
- webhookSecret = flag.String("webhook-secret", keyPath("hallpass-webhook"), "name of setec secret containing the Slack webhook URL; if --secret-server is empty, ignored and reads from $HOME/keys/hallpass-webhook")
- wifClientID = flag.String("wif-client-id", "", "Tailscale OAuth client ID, if using Workload Identity Federation instead of --oauth-secret")
- wifAudience = flag.String("wif-audience", "", "OAuth audience, if using Workload Identity Federation instead of --oauth-secret")
- configDir = flag.String("tsnet-dir", "", "tsnet server directory; if empty, tsnet uses an automatic config directory based on the binary name")
- tls = flag.Bool("tls", true, "serve over TLS using Tailscale Serve")
- loginServer = flag.String("login-server", "", "optional alternate URL of the control login server")
- apiServer = flag.String("api-server", "", "optional alternate URL of the control API server")
+ secretServer = flag.String("secret-server", "", "setec secret server base URL; if empty, setec is not used")
+ secretClientHostNetwork = flag.Bool("secret-client-host-network", false, "access --secret-server using the host networking stack instead of hallpass's tsnet node; this is useful if the host is running tailscaled with different setec access permissions than the tsnet app")
+ oauthSecret = flag.String("oauth-secret", keyPath("hallpass-key"), "name of setec secret containing Tailscale OAuth ClientSecret; if --secret-server is empty, ignored and reads from $HOME/keys/hallpass-key; ignored if workload identity federation is used")
+ webhookSecret = flag.String("webhook-secret", keyPath("hallpass-webhook"), "name of setec secret containing the Slack webhook URL; if --secret-server is empty, ignored and reads from $HOME/keys/hallpass-webhook")
+ wifClientID = flag.String("wif-client-id", "", "Tailscale OAuth client ID, if using Workload Identity Federation instead of --oauth-secret")
+ wifAudience = flag.String("wif-audience", "", "OAuth audience, if using Workload Identity Federation instead of --oauth-secret")
+ configDir = flag.String("tsnet-dir", "", "tsnet server directory; if empty, tsnet uses an automatic config directory based on the binary name")
+ tls = flag.Bool("tls", true, "serve over TLS using Tailscale Serve")
+ loginServer = flag.String("login-server", "", "optional alternate URL of the control login server")
+ apiServer = flag.String("api-server", "", "optional alternate URL of the control API server")
 )
 func main() {
@@ -125,10 +126,14 @@ func main() {
 if *oauthSecret != "" {
 secrets = append(secrets, *oauthSecret)
 }
+ doHTTP := ts.HTTPClient().Do
+ if *secretClientHostNetwork {
+ doHTTP = nil
+ }
 ss, err := setec.NewStore(context.Background(), setec.StoreConfig{
 Client: setec.Client{
 Server: *secretServer,
- DoHTTP: ts.HTTPClient().Do,
+ DoHTTP: doHTTP,
 },
 Secrets: secrets,
 })
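Review bot: The new `secret-client-host-network` help string in the var block does not say that the flag is meaningless without `--secret-server`, while every sibling setec flag spells out its behaviour for the empty case. If, as those sibling strings suggest, setec is skipped entirely when `--secret-server` is empty, append `; ignored if --secret-server is empty` to the description so an operator reading `-help` sees the dependency. The rest of the var block is only gofmt realignment and needs no change.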
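Review bot: `doHTTP = nil` on the new side leaves it to setec.Client to choose a fallback transport for a nil DoHTTP, presumably the process default HTTP client, so the "host networking stack" behaviour promised by the flag and its access-control consequence are implicit at the call site. State it in a comment, e.g. `// nil: setec falls back to its default HTTP client, so the request leaves via the host's stack and is authorized as the host's tailscaled node rather than the tsnet node.`, or make it explicit with a client that also carries a timeout, `doHTTP = (&http.Client{Timeout: 30 * time.Second}).Do` (requires net/http and time in scope, which this hunk does not show). Building `ts.HTTPClient().Do` only to discard it when the flag is set reads backwards; declaring `doHTTP` with the DoHTTP field's type and assigning the tsnet client under `if !*secretClientHostNetwork` is clearer. main() starts and ends outside the hunk.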