diff --git a/Dockerfile b/Dockerfile
index 46d5f53b0f..9422e70341 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,6 +3,7 @@
 ARG CROSS="false"
 ARG GO_VERSION=1.13.1
 ARG DEBIAN_FRONTEND=noninteractive
+ARG VPNKIT_DIGEST=e508a17cfacc8fd39261d5b4e397df2b953690da577e2c987a47630cd0c42f8e
 
 FROM golang:${GO_VERSION}-stretch AS base
 RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
@@ -240,6 +241,8 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
         PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
 COPY ./contrib/dockerd-rootless.sh /build
 
+FROM djs55/vpnkit@sha256:${VPNKIT_DIGEST} AS vpnkit
+
 # TODO: Some of this is only really needed for testing, it would be nice to split this up
 FROM runtime-dev AS dev
 ARG DEBIAN_FRONTEND
@@ -301,7 +304,7 @@ COPY --from=dockercli /build/ /usr/local/cli
 COPY --from=registry /build/registry* /usr/local/bin/
 COPY --from=criu /build/ /usr/local/
 COPY --from=rootlesskit /build/ /usr/local/bin/
-COPY --from=djs55/vpnkit@sha256:e508a17cfacc8fd39261d5b4e397df2b953690da577e2c987a47630cd0c42f8e /vpnkit /usr/local/bin/vpnkit.x86_64
+COPY --from=vpnkit /vpnkit /usr/local/bin/vpnkit.x86_64
 
 ENV PATH=/usr/local/cli:$PATH
 ENV DOCKER_BUILDTAGS apparmor seccomp selinux