diff --git a/articles/miragevpn.html b/articles/miragevpn.html
index 029c13c..4a42cf9 100644
--- a/articles/miragevpn.html
+++ b/articles/miragevpn.html
@@ -42,12 +42,12 @@ The latter uses separate data & control channels where the control channel u
 <p>Before diving into TLS mode and eventually tls-crypt-v2 it's worth to briefly discuss why we spend time reimplementing the OpenVPN™ protocol.
 You may ask yourself: why not just use the existing tried and tested implementation?</p>
 <p>OpenVPN™ community edition is implemented in the C programming language.
-It heavily uses the OpenSSL library[^mbedtls] which is as well written in C and has in the past had some notable security vulnerabilities.
+It heavily uses the OpenSSL library<sup><a href="#fn-mbedtls" id="ref-1-fn-mbedtls" role="doc-noteref" class="fn-label">[1]</a></sup> which is as well written in C and has in the past had some notable security vulnerabilities.
 Many vulnerabilities and bugs in C can be easily avoided in other languages due to bounds checking and stricter and more expressive type systems.
 The state machine of the protocol can be more easily be expressed in OCaml, and some properties of the protocol can be encoded in the type system.</p>
 <p>Another reason is <a href="https://mirage.io/">Mirage OS</a>, a library operating system implemented in OCaml.
 We work on the Mirage project and write applications (unikernels) using Mirage.
-In many cases it would be desirable to be able to connect to an existing VPN network[^vpn-network],
+In many cases it would be desirable to be able to connect to an existing VPN network<sup><a href="#fn-vpn-network" id="ref-1-fn-vpn-network" role="doc-noteref" class="fn-label">[2]</a></sup>,
 or be able to offer a VPN network to clients using OpenVPN™.</p>
 <p>Consider a VPN provider:
 The VPN provider runs many machines that run an operating system in order to run the user-space OpenVPN™ service.
@@ -106,8 +106,12 @@ For general instructions on running Mirage unikernels see our <a href="https://r
 The unikernel will need a block device containing the OpenVPN™ configuration and a network device.
 More detailed instructions Will Follow Soon™!
 Don't hesitate to reach out to us on <a href="https://github.com/robur-coop/miragevpn/issues">GitHub</a>, <a href="https://robur.coop/Contact">by mail</a> or me personally <a href="https://bsd.network/@reynir">on Mastodon</a> if you're stuck.</p>
-<p>[^mbedtls]: It is possible to compile OpenVPN™ community edition with Mbed TLS instead of OpenSSL which is written in C as well.</p>
-<p>[^vpn-network]: I use the term &quot;VPN network&quot; to mean the virtual private network itself. It is a bit odd because the 'N' in 'VPN' is 'Network', but without disambiguation 'VPN' could refer to the network itself, the software or the service.</p>
+<section role="doc-endnotes"><ol>
+<li id="fn-mbedtls">
+<p>It is possible to compile OpenVPN™ community edition with Mbed TLS instead of OpenSSL which is written in C as well.</p>
+<span><a href="#ref-1-fn-mbedtls" role="doc-backlink" class="fn-label">↩︎︎</a></span></li><li id="fn-vpn-network">
+<p>I use the term &quot;VPN network&quot; to mean the virtual private network itself. It is a bit odd because the 'N' in 'VPN' is 'Network', but without disambiguation 'VPN' could refer to the network itself, the software or the service.</p>
+<span><a href="#ref-1-fn-vpn-network" role="doc-backlink" class="fn-label">↩︎︎</a></span></li></ol></section>
 
     </article>