diff --git a/pkg/vpn/bonafide/bonafide.go b/pkg/vpn/bonafide/bonafide.go
index 99634483e38a141bce3de4d88ba3b91b7ee62c09..9916b55e813cc96e302d1432a1df5b9937cd3d87 100644
--- a/pkg/vpn/bonafide/bonafide.go
+++ b/pkg/vpn/bonafide/bonafide.go
@@ -232,7 +232,7 @@ func (b *Bonafide) GetOpenvpnArgs() ([]string, error) {
 }
 
 func (b *Bonafide) fetchGeolocation() ([]string, error) {
-	/* FIXME in float deployments, geolocation is served on gemyip.domain/json, with a LE certificate.
+	/* FIXME in float deployments, geolocation is served on gemyip.domain/json, with a LE certificate, but in riseup is served behind the api certificate.
 	So this is a workaround until we streamline that behavior */
 	resp, err := b.client.Post(config.GeolocationAPI, "", nil)
 	if err != nil {
diff --git a/pkg/vpn/bonafide/eip_service.go b/pkg/vpn/bonafide/eip_service.go
index 49f4bb1f7f2f6cbad85a77a8350f299af50aaaa5..961ac403cc5ae0c2408556c6956141c474603147 100644
--- a/pkg/vpn/bonafide/eip_service.go
+++ b/pkg/vpn/bonafide/eip_service.go
@@ -116,6 +116,9 @@ func (b *Bonafide) fetchEipJSON() error {
 	}
 
 	b.setupAuthentication(b.eip)
+	/* TODO we could launch the looping call from here.
+	but smells: calls a bonafide method that in turn calls methods in this file
+	*/
 	b.sortGateways()
 	return nil
 }
@@ -204,8 +207,9 @@ func (eip eipService) getOpenvpnArgs() []string {
 }
 
 func (eip *eipService) sortGatewaysByGeolocation(geolocatedGateways []string) {
-	gws := make([]gatewayV3, len(eip.Gateways))
+	gws := make([]gatewayV3, 0)
 
+	/* TODO this probably should be moved out of this method */
 	if eip.defaultGateway != "" {
 		for _, gw := range eip.Gateways {
 			if gw.Location == eip.defaultGateway {
@@ -213,6 +217,8 @@ func (eip *eipService) sortGatewaysByGeolocation(geolocatedGateways []string) {
 				break
 			}
 		}
+		// a manually selected gateway means we do want exactly one remote
+		return
 	}
 
 	for _, host := range geolocatedGateways {
@@ -224,7 +230,9 @@ func (eip *eipService) sortGatewaysByGeolocation(geolocatedGateways []string) {
 	}
 
 	if len(gws) == 0 {
-		log.Println("ERROR: avoiding to replace eip.Gateways will null list. Is the geolocation service properly configured?")
+		// this can happen if a misconfigured geoip service does not match the
+		// providers list we got.
+		log.Println("ERROR: avoiding to nullify eip.Gateways. Is the geolocation service properly configured?")
 	} else {
 		if len(gws) > 2 {
 			eip.Gateways = gws[:3]