diff --git a/README.md b/README.md
index 389bccd..9979419 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,7 @@
   * [On premises/IaaS](#install-k3s-on-premises)
     * [Configure upstream DNS-resolver](#upstream-dns-resolver)
     * [Change NodePort range](#nodeport-range)
+    * [Install Canal as NetworkPolicy controller](#canal)
     * [Clustering](#clustering)
   * [On Docker with k3d](#install-k3s-on-docker-k3d)
 * [Namespaces and resource limits](#namespaces-limits)
@@ -87,6 +88,13 @@ ExecStart=/usr/local/bin/k3s \
 2. Re-load systemd config: `systemctl daemon-reload`
 3. Re-start k3s: `systemctl restart k3s.service`
 
+### Install Canal as NetworkPolicy controller <a name="user-content-canal"></a>
+1. Download the yaml manifest Canal: `wget https://docs.projectcalico.org/manifests/canal.yaml -O canal.yaml`
+1. Find and enable (uncomment) the env variable `CALICO_IPV4POOL_CIDR`
+1. Set the value of `CALICO_IPV4POOL_CIDR` to `10.42.0.0/16` (or your value of `--cluster-cidr` - k3s defaults to `10.42.0.0/16`)
+1. Apply the manifest: `kubectl apply -f canal.yaml`
+1. Wait a moment and then check if canal was installed successfully
+
 ### Clustering <a name="user-content-clustering"></a>
 If you want to build a K3s-cluster the default networking model is *overlay@VXLAN*. In this case make sure that
 * all of your nodes can reach (ping) each other over the underlying network (local, routed/vpn). This is required for the overlay network to work properly. VXLAN spans a mashed network over all K3s-nodes.
@@ -101,6 +109,23 @@ ExecStart=/usr/local/bin/k3s \
     agent \
     --flannel-iface <name-of-vpn-interface> \
 ```
+* if your public/external nodes are connected through VPN and you have configured [canal](https://github.com/projectcalico/canal) to manage NetworkPolicies you will need to edit node config and change the public IP-addresses (in this example: `1.2.3.4`) of your nodes to internal VPN-IPs (in this example: `172.16.1.2`). Otherwise canal will bypass VPN and route VXLAN traffic through public IP addresses:
+```
+kubectl edit node <external-node-01>
+
+apiVersion: v1
+kind: Node
+metadata:
+  annotations:
+    alpha.kubernetes.io/provided-node-ip: 172.16.1.2
+    [...]
+    flannel.alpha.coreos.com/backend-data: '{"VtepMAC":"ce:09:ce:de:4d:36"}'
+    flannel.alpha.coreos.com/backend-type: vxlan
+    flannel.alpha.coreos.com/kube-subnet-manager: "true"
+>> DEL >> flannel.alpha.coreos.com/public-ip: 1.2.3.4
+>> ADD >> flannel.alpha.coreos.com/public-ip: 172.16.1.2
+    [...]
+```
 
 ## On Docker with K3d <a name="user-content-install-k3s-on-docker-k3d"></a>
 K3d is a terraforming orchestrator which deploys a K3s cluster (masters and nodes) directly on docker without the need for virtual machines for each node (master/worker).