diff --git a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/ui/GeneralHelper.java b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/ui/GeneralHelper.java
index 5f23453b4..bc524782f 100644
--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/ui/GeneralHelper.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/ui/GeneralHelper.java
@@ -565,11 +565,23 @@ public class GeneralHelper {
         if (getEncrypt(tunnel))
             return 1;
         if (getProperty(tunnel, "i2cp.leaseSetType", "1").equals("5")) {
+            int rv;
+            String authType = getProperty(tunnel, "i2cp.leaseSetAuthType", "0");
+            if (authType.equals("2")) {
+                rv = 6;
+            } else if (authType.equals("1")) {
+                // shared DH key
+                rv = 4;
+                // per-client DH key
+                //rv = 8;
+            } else {
+                rv = 2;
+            }
+
             String pw = getBlindedPassword(tunnel);
             if (pw != null && pw.length() > 0)
-                return 3;
-            return 2;
-            // LS auth (rv 4-7) TODO
+                rv++;
+            return rv;
         }
         return 0;
     }
diff --git a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/ui/TunnelConfig.java b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/ui/TunnelConfig.java
index db58ddbe6..f167b1720 100644
--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/ui/TunnelConfig.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/ui/TunnelConfig.java
@@ -657,34 +657,63 @@ public class TunnelConfig {
             }
 
             switch (_encryptMode) {
-              case 0:
+              case 0:  // none
               default:
                 config.remove(OPT + "i2cp.leaseSetSecret");
                 if ("5".equals(config.get(OPT + "i2cp.leaseSetType")))
                     config.remove(OPT + "i2cp.leaseSetType");
                 break;
 
-              case 1:
+              case 1:  // LS1
                 config.remove(OPT + "i2cp.leaseSetType");
                 config.remove(OPT + "i2cp.leaseSetSecret");
+                config.remove(OPT + "i2cp.leaseSetAuthType");
                 break;
 
-              case 4:
-              case 6:
-                // TODO
-                // Fallthrough
-              case 2:
+              case 2:  // blinded
                 config.put(OPT + "i2cp.leaseSetType", "5");
                 config.remove(OPT + "i2cp.leaseSetSecret");
+                config.remove(OPT + "i2cp.leaseSetAuthType");
                 break;
     
-              case 5:
-              case 7:
-                // TODO
-                // Fallthrough
-              case 3:
+              case 3:  // blinded + secret
                 config.put(OPT + "i2cp.leaseSetType", "5");
+                config.remove(OPT + "i2cp.leaseSetAuthType");
                 break;
+
+              case 4:  // blinded, shared key (implicit DH)
+                config.put(OPT + "i2cp.leaseSetType", "5");
+                config.remove(OPT + "i2cp.leaseSetSecret");
+                config.put(OPT + "i2cp.leaseSetAuthType", "1");
+                break;
+    
+              case 5:  // blinded, secret, shared key (implicit DH)
+                config.put(OPT + "i2cp.leaseSetType", "5");
+                config.put(OPT + "i2cp.leaseSetAuthType", "1");
+                break;
+
+              case 6:  // blinded, per-client PSK
+                config.put(OPT + "i2cp.leaseSetType", "5");
+                config.remove(OPT + "i2cp.leaseSetSecret");
+                config.put(OPT + "i2cp.leaseSetAuthType", "2");
+                break;
+    
+              case 7:  // blinded, secret, per-client PSK
+                config.put(OPT + "i2cp.leaseSetType", "5");
+                config.put(OPT + "i2cp.leaseSetAuthType", "2");
+                break;
+
+              case 8:  // blinded, per-client DH
+                config.put(OPT + "i2cp.leaseSetType", "5");
+                config.remove(OPT + "i2cp.leaseSetSecret");
+                config.put(OPT + "i2cp.leaseSetAuthType", "1");
+                break;
+    
+              case 9:  // blinded, secret, per-client DH
+                config.put(OPT + "i2cp.leaseSetType", "5");
+                config.put(OPT + "i2cp.leaseSetAuthType", "1");
+                break;
+
             }
         }
 
@@ -857,7 +886,7 @@ public class TunnelConfig {
          PROP_MAX_STREAMS, I2PClient.PROP_SIGTYPE,
          "inbound.randomKey", "outbound.randomKey", "i2cp.leaseSetSigningPrivateKey", "i2cp.leaseSetPrivateKey",
          I2PTunnelServer.PROP_ALT_PKF,
-         "i2cp.leaseSetSecret"
+         "i2cp.leaseSetSecret", "i2cp.leaseSetType", "i2cp.leaseSetAuthType"
         };
     private static final String _httpServerOpts[] = {
         I2PTunnelHTTPServer.OPT_POST_WINDOW,
diff --git a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/web/IndexBean.java b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/web/IndexBean.java
index 2a4f9a40b..249b727a4 100644
--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/web/IndexBean.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/web/IndexBean.java
@@ -567,8 +567,8 @@ public class IndexBean {
                 try {
                     String secret = _helper.getBlindedPassword(tunnel);
                     boolean requireSecret = secret != null && secret.length() > 0 &&
-                                            (mode == 3 || mode == 5 || mode == 7);
-                    boolean requireAuth = mode >= 4 && mode <= 7;
+                                            (mode == 3 || mode == 5 || mode == 7 || mode == 9);
+                    boolean requireAuth = mode >= 4 && mode <= 9;
                     return Blinding.encode(_context, d.getSigningPublicKey(), requireSecret, requireAuth);
                 } catch (RuntimeException re) {}
             }
diff --git a/apps/i2ptunnel/jsp/editServer.jsi b/apps/i2ptunnel/jsp/editServer.jsi
index 93b670f09..f92f1b88c 100644
--- a/apps/i2ptunnel/jsp/editServer.jsi
+++ b/apps/i2ptunnel/jsp/editServer.jsi
@@ -461,9 +461,13 @@
                 <span class="multiOption"><label title="<%=intl._t("Only clients with the password and key will be able to connect")%>"><input value="5" type="radio" name="encryptMode"<%=(curEncryptMode.equals("5") ? " checked=\"checked\"" : "")%> class="tickbox" />
                     <%=intl._t("Blinded with lookup password and shared key")%></label></span>
                 <span class="multiOption"><label title="<%=intl._t("Only clients with the encryption key will be able to connect")%>"><input value="6" type="radio" name="encryptMode"<%=(curEncryptMode.equals("6") ? " checked=\"checked\"" : "")%> class="tickbox" />
-                    <%=intl._t("Blinded with per-user key")%></label></span>
+                    <%=intl._t("Blinded with per-user key")%> (PSK)</label></span>
                 <span class="multiOption"><label title="<%=intl._t("Only clients with the password and key will be able to connect")%>"><input value="7" type="radio" name="encryptMode"<%=(curEncryptMode.equals("7") ? " checked=\"checked\"" : "")%> class="tickbox" />
-                    <%=intl._t("Blinded with lookup password and per-user key")%></label></span>
+                    <%=intl._t("Blinded with lookup password and per-user key")%> (PSK)</label></span>
+                <span class="multiOption"><label title="<%=intl._t("Only clients with the encryption key will be able to connect")%>"><input value="8" type="radio" name="encryptMode"<%=(curEncryptMode.equals("8") ? " checked=\"checked\"" : "")%> class="tickbox" />
+                    <%=intl._t("Blinded with per-user key")%> (DH)</label></span>
+                <span class="multiOption"><label title="<%=intl._t("Only clients with the password and key will be able to connect")%>"><input value="9" type="radio" name="encryptMode"<%=(curEncryptMode.equals("9") ? " checked=\"checked\"" : "")%> class="tickbox" />
+                    <%=intl._t("Blinded with lookup password and per-user key")%> (DH)</label></span>
 <%
                      } // isAdvanced()
                 } // allowBlinding