diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 287d11e..0d03cf4 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -55,6 +55,8 @@ services:
 build:
 context: .
 dockerfile: gateway/Dockerfile
+ depends_on:
+ - backend
 cap_add:
 - NET_ADMIN
 - SYS_MODULE
diff --git a/deploy/scripts/gateway-entrypoint.sh b/deploy/scripts/gateway-entrypoint.sh
index 65b9de9..46f3b40 100644
--- a/deploy/scripts/gateway-entrypoint.sh
+++ b/deploy/scripts/gateway-entrypoint.sh
@@ -31,7 +31,7 @@ if [ -z "${NEXAVPN_GATEWAY_ID:-}" ] && [ -f "${GATEWAY_ID_FILE}" ]; then
 NEXAVPN_GATEWAY_ID="$(cat "${GATEWAY_ID_FILE}")"
 fi
-if [ -z "${NEXAVPN_GATEWAY_ID:-}" ]; then
+bootstrap_gateway() {
 GATEWAY_PUBLIC_KEY="$(printf '%s' "${NEXAVPN_GATEWAY_PRIVATE_KEY}" | wg pubkey)"
 echo "Bootstrapping gateway ${GATEWAY_NAME}"
 BOOTSTRAP_RESPONSE="$(curl -fsSL \
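Review bot: The short-form `depends_on` added under the gateway service only orders container start, while the entrypoint's bootstrap request to the backend runs as soon as the script reaches it (the curl to `${BOOTSTRAP_URL}` in the shell hunks below), so the first attempt can still race a backend container that is running but not yet accepting requests. If the backend service declares a healthcheck, the long form `depends_on:` / `  backend:` / `    condition: service_healthy` makes the ordering meaningful; whether such a healthcheck exists is outside this diff. Without one, the entrypoint would need its own retry around the bootstrap call, which this diff does not show.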
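Review bot: `bootstrap_gateway` derives `GATEWAY_PUBLIC_KEY` from `NEXAVPN_GATEWAY_PRIVATE_KEY` before anything verifies that the key is set; the `-z` test on the private key in the `apply_bundle` hunk runs only after `bootstrap_gateway` has been called, so an unset key gives an empty `wg pubkey` result and a registration POST whose `public_key` field is empty, and because the call site is `bootstrap_gateway || return 1`, an `errexit` setting (if the script uses one) would not stop it. A guard at the top of the function, `[ -n "${NEXAVPN_GATEWAY_PRIVATE_KEY:-}" ] || { echo "NEXAVPN_GATEWAY_PRIVATE_KEY is not set." >&2; return 1; }`, or moving the private-key check in `apply_bundle` ahead of the bootstrap call, closes that gap; the same ordering applies to the `apply_bundle` hunk further down. The function body continues into the next hunk.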
@@ -40,18 +40,13 @@ if [ -z "${NEXAVPN_GATEWAY_ID:-}" ]; then
 -d "{\"name\":\"${GATEWAY_NAME}\",\"endpoint\":\"${DEFAULT_GATEWAY_ENDPOINT:-localhost:51820}\",\"public_key\":\"${GATEWAY_PUBLIC_KEY}\",\"listen_port\":51820,\"vpn_cidr\":\"${DEFAULT_VPN_CIDR:-100.96.0.0/24}\",\"dns_servers\":[\"10.20.0.53\"]}" \
 "${BOOTSTRAP_URL}")"
 NEXAVPN_GATEWAY_ID="$(printf '%s' "${BOOTSTRAP_RESPONSE}" | jq -r '.id')"
+ if [ -z "${NEXAVPN_GATEWAY_ID:-}" ] || [ "${NEXAVPN_GATEWAY_ID}" = "null" ]; then
+ echo "Gateway bootstrap did not return an id."
+ return 1
+ fi
 printf '%s' "${NEXAVPN_GATEWAY_ID}" > "${GATEWAY_ID_FILE}"
-fi
+}
-if [ -z "${NEXAVPN_GATEWAY_ID:-}" ] || [ -z "${NEXAVPN_GATEWAY_PRIVATE_KEY:-}" ]; then
- echo "Gateway sync is not configured yet."
- echo "Gateway bootstrap or key generation failed."
- echo "Gateway apply state will be written to /var/lib/nexavpn when configured."
- tail -f /dev/null
- exit 0
-fi
-
-SYNC_URL="${NEXAVPN_GATEWAY_SYNC_URL}/${NEXAVPN_GATEWAY_ID}/sync"
 STATE_JSON="/var/lib/nexavpn/sync-bundle.json"
 WG_CONF="/etc/wireguard/${IFACE}.conf"
 WG_GENERATED="/var/lib/nexavpn/${IFACE}.generated.conf"
@@ -60,6 +55,16 @@ NFT_CONF="/var/lib/nexavpn/nftables.generated.conf"
 mkdir -p /etc/wireguard
 apply_bundle() {
+ if [ -z "${NEXAVPN_GATEWAY_ID:-}" ]; then
+ bootstrap_gateway || return 1
+ fi
+
+ if [ -z "${NEXAVPN_GATEWAY_ID:-}" ] || [ -z "${NEXAVPN_GATEWAY_PRIVATE_KEY:-}" ]; then
+ echo "Gateway sync is not configured yet."
+ return 1
+ fi
+
+ SYNC_URL="${NEXAVPN_GATEWAY_SYNC_URL}/${NEXAVPN_GATEWAY_ID}/sync"
 echo "Fetching bundle from ${SYNC_URL}"
 curl -fsSL \
 -H "X-Gateway-Bootstrap-Token: ${GATEWAY_BOOTSTRAP_TOKEN}" \
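Review bot: The new failure message `echo "Gateway bootstrap did not return an id."` is written to stdout while the function reports the failure with `return 1`; writing it as `echo "Gateway bootstrap did not return an id." >&2` keeps the diagnostic out of any stdout a caller may capture and matches the error status it accompanies. The check itself is sound: `jq -r '.id'` prints `null` when the key is absent and nothing when the response is not JSON at all, and both cases are caught before the id is persisted. Since the id comes from the bootstrap response and is later spliced into `SYNC_URL` as a path component, a one-line shape check on it before the write to `${GATEWAY_ID_FILE}` (for example rejecting an id containing `/`) would be cheap hardening; the diff does not show a defect there, only the absence of a check.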
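Review bot: Replacing the old idle path (`tail -f /dev/null` followed by `exit 0`) with `return 1` inside `apply_bundle` changes what a not-yet-configured gateway does: unless the caller of `apply_bundle`, which is outside this diff, loops and retries, the container now exits instead of waiting for configuration, and that should be stated in the commit description. The `-z "${NEXAVPN_GATEWAY_ID:-}"` half of the second guard is dead after the bootstrap call, because `bootstrap_gateway` already returns 1 when it ends without an id, so only the private-key test still does work there. `SYNC_URL` is assigned as a global rather than `local`, and `NEXAVPN_GATEWAY_SYNC_URL` is interpolated without a guard, so an empty sync base yields a request to `/<id>/sync` instead of a clear error; `SYNC_URL="${NEXAVPN_GATEWAY_SYNC_URL:?NEXAVPN_GATEWAY_SYNC_URL is not set}/${NEXAVPN_GATEWAY_ID}/sync"` makes that explicit whether or not the script runs with `set -u`.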