diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 468017499..6d99a6a4a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,3 +1,8 @@ +# We're running on a self-hosted runner, so only allow one workflow to run at a +# time. +# XXX: Remove this when self-hosted ephemeral runners are implmented. +concurrency: ci + name: CI on: - push diff --git a/omnibus/cookbooks/firezone/recipes/network.rb b/omnibus/cookbooks/firezone/recipes/network.rb index d1fe7c859..7d9b4b127 100644 --- a/omnibus/cookbooks/firezone/recipes/network.rb +++ b/omnibus/cookbooks/firezone/recipes/network.rb @@ -44,17 +44,14 @@ if wg_exists.status.exitstatus == 1 end end -ifconfig '10.3.2.1/24' do - family 'inet' - device wg_interface - mtu '1420' +execute 'wireguard_ipv4' do + addr = '10.3.2.1/24' + command "ip address replace #{addr} dev #{wg_interface}" end - # XXX: Make this configurable -ifconfig 'fd00:3:2::1/120' do - family 'inet6' - device wg_interface - mtu '1420' +execute 'wireguard_ipv6' do + addr = 'fd00:3:2::1/120' + command "ip -6 address replace #{addr} dev #{wg_interface}" end execute 'set_wireguard_interface_private_key' do @@ -75,6 +72,10 @@ route 'fd00:3:2::0/120' do device wg_interface end +execute 'set_mtu' do + command "ip link set mtu 1420 up dev #{wg_interface}" +end + replace_or_add "IPv4 packet forwarding" do path "/etc/sysctl.conf" pattern "^#net.ipv4.ip_forward=1"
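Review bot: The static group in `concurrency: ci` serialises every run that uses this group name across all branches, and GitHub keeps only one pending run per group, so an older queued push is cancelled rather than tested when a newer one arrives. Serialising also gives no isolation between runs: on a non-ephemeral self-hosted runner, files and processes left by one job remain visible to the next, which matters if the trigger list (it continues outside the hunk) ever includes pull requests from forks. I would extend the comment to record that, e.g. `# NOTE: this only serialises runs; the runner keeps state between jobs, so keep fork PR triggers off until runners are ephemeral.` The comment's "implmented" should read "implemented".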
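Review bot: Both new `execute` resources build a shell string by interpolating `wg_interface`, which is defined outside the hunk; if that value can come from node attributes or other configuration, any shell metacharacters in it would be interpreted with the privileges of the Chef run. Chef's `execute` also accepts an array, which is run without a shell: `command ['ip', 'address', 'replace', addr, 'dev', wg_interface]`, plus the `-6` variant for `wireguard_ipv6`. The same applies to `set_mtu` in the last hunk of this file. If the name has to stay in a string, validating it against an interface-name pattern before use would be the alternative.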
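Review bot: `set_mtu` also brings the link up (the `up` in its command) and is declared after the `route` resource whose tail is visible in the context, so in converge order the routes would be added while the interface may still be down, unless something above the hunk already raised it. Moving the resource ahead of the routes and naming it for what it does, e.g. `execute 'wireguard_link_up' do`, would make that dependency explicit. Since it now runs on every converge, a short comment such as `# safe to re-run: sets MTU and link state to fixed values` would tell the next reader that this is intended.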