diff --git a/go/tokend/tokend.go b/go/tokend/tokend.go
index 6b6638134a..9eb3a28bfe 100644
--- a/go/tokend/tokend.go
+++ b/go/tokend/tokend.go
@@ -215,8 +215,19 @@ func attachUserData(ctx context.Context, c net.Conn) context.Context {
 func main() {
 flag.Parse()
+ d := &net.Dialer{
+ Timeout: 30 * time.Second,
+ KeepAlive: 30 * time.Second,
+ }
+ agentPath := strings.TrimPrefix(*agentAddr, "unix://")
+ agentDialer := func(ctx context.Context, network, addr string) (net.Conn, error) {
+ // Ignore what they want.
+ return d.DialContext(ctx, "unix", agentPath)
+ }
+
 vcfg := vapi.DefaultConfig()
- vcfg.AgentAddress = *agentAddr
+ vcfg.AgentAddress = "http://vault-agent"
+ vcfg.HttpClient.Transport.(*http.Transport).DialContext = agentDialer
 v, err := vapi.NewClient(vcfg)
 if err != nil {
 log.Exitf("creating vault client against %v: %v", *agentAddr, err)
@@ -238,17 +249,9 @@ func main() {
 }
 }
 }()
- d := &net.Dialer{
- Timeout: 30 * time.Second,
- KeepAlive: 30 * time.Second,
- }
- agentPath := strings.TrimPrefix(*agentAddr, "unix://")
 vp := &vaultProxier{v: v, c: c, hc: &http.Client{
 Transport: &http.Transport{
- DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
- // Ignore what they want.
- return d.DialContext(ctx, "unix", agentPath)
- },
+ DialContext: agentDialer,
 ForceAttemptHTTP2: true,
 MaxIdleConns: 100,
 IdleConnTimeout: 90 * time.Second,
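Review bot: The single-value assertion `vcfg.HttpClient.Transport.(*http.Transport)` in the first hunk panics at startup if the config returned by `vapi.DefaultConfig()` ever carries a nil or different RoundTripper, so the override should use the two-value form and exit with a clear message: `tr, ok := vcfg.HttpClient.Transport.(*http.Transport)`, then `if !ok { log.Exitf("vault client transport is %T, want *http.Transport", vcfg.HttpClient.Transport) }`, then `tr.DialContext = agentDialer`. Because `agentDialer` discards the requested network and address, `*agentAddr` is now effectively unix-only and the placeholder `http://vault-agent` is never resolved; a value without the `unix://` prefix passes `TrimPrefix` unchanged and would only fail on the first request, so a `strings.HasPrefix` check right after `flag.Parse()` would surface the misconfiguration at startup. The `// Ignore what they want.` comment could also state that every connection from both clients is pinned to the agent socket and carries plaintext HTTP, so access control presumably rests on the socket file's permissions (the socket setup is not visible in this diff). main's body continues outside the hunk.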