diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a6d49fcc83..57cf5a498f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,7 +3,7 @@ name: CI
 on:
 push:
 branches-ignore:
- - "dependabot/*"
+ - "dependabot/*"
 pull_request:
 jobs:
@@ -17,23 +17,23 @@ jobs:
 python: ['3.6', '3.7', '3.8']
 arch: ['x86', 'x64']
 lsp: ['']
+ lsp_extract_file: ['']
 extra_name: ['']
 include:
 - python: '3.8'
 arch: 'x64'
- # This is a SUPER sketchy source for this -- I assume it
- # has some kind of embedded malware -- but the real
- # download site has the downloads locked behind a
- # registration wall.
- lsp: 'http://fs3.softfamous.com/downloads/tname-110575cb0f191/software/astrill-setup-win.exe'
+ lsp: 'https://raw.githubusercontent.com/python-trio/trio-ci-assets/master/komodia-based-vpn-setup.zip'
+ lsp_extract_file: 'komodia-based-vpn-setup.exe'
 extra_name: ', with Komodia LSP'
 - python: '3.8'
 arch: 'x64'
 lsp: 'http://www.proxifier.com/download/ProxifierSetup.exe'
+ lsp_extract_file: ''
 extra_name: ', with IFS LSP'
 - python: '3.8'
 arch: 'x64'
 lsp: 'http://download.pctools.com/mirror/updates/9.0.0.2308-SDavfree-lite_en.exe'
+ lsp_extract_file: ''
 extra_name: ', with non-IFS LSP'
 steps:
 - name: Checkout
@@ -48,6 +48,7 @@ jobs:
 shell: bash
 env:
 LSP: '${{ matrix.lsp }}'
+ LSP_EXTRACT_FILE: '${{ matrix.lsp_extract_file }}'
 # Should match 'name:' up above
 JOB_NAME: 'Windows (${{ matrix.python }}, ${{ matrix.arch }}${{ matrix.extra_name }})'
diff --git a/ci.sh b/ci.sh
index c4e046b986..cad85d2032 100755
--- a/ci.sh
+++ b/ci.sh
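Review bot: The new `lsp:` URL in the Komodia `include` entry of the second hunk follows the `master` branch of `python-trio/trio-ci-assets`, so the installer this job fetches can change without any change to the workflow. Pinning the path to a commit, in the form `https://raw.githubusercontent.com/python-trio/trio-ci-assets/<commit-sha>/komodia-based-vpn-setup.zip` (placeholder for the real commit), would keep the fetched bytes tied to a reviewed revision. The removed comment was the only place in this file saying the binary is untrusted. A one-line replacement above the `lsp:` keys would keep that warning for the next maintainer, for example `# Untrusted third-party installer; only for throwaway CI runners.` The other two `include` entries still fetch executables over plain `http://`.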
@@ -420,10 +420,19 @@ else
 # installing some untrustworthy quasi-malware onto into a sandboxed
 # machine for testing. So MITM attacks are really the least of our
 # worries.
- curl-harder --insecure -o lsp-installer.exe "$LSP"
+ if [ "$LSP_EXTRACT_FILE" != "" ]; then
+ # We host the Astrill VPN installer ourselves, and encrypt it
+ # so as to decrease the chances of becoming an inadvertent
+ # public redistributor.
+ curl-harder -o lsp-installer.zip "$LSP"
+ unzip -P "not very secret trio ci key" lsp-installer.zip "$LSP_EXTRACT_FILE"
+ mv "$LSP_EXTRACT_FILE" lsp-installer.exe
+ else
+ curl-harder --insecure -o lsp-installer.exe "$LSP"
+ fi
 # This is only needed for the Astrill LSP, but there's no harm in
 # doing it all the time. The cert was manually extracted by installing
- # the package in a VPN, clicking "Always trust from this publisher"
+ # the package in a VM, clicking "Always trust from this publisher"
 # when installing, and then running 'certmgr.msc' and exporting the
 # certificate. See:
 # http://www.migee.com/2010/09/24/solution-for-unattendedsilent-installs-and-would-you-like-to-install-this-device-software/
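Review bot: The new `if` branch extracts and renames `lsp-installer.zip` without checking that it is the archive the maintainers uploaded. The `unzip -P` password is published in this script, so it only serves the redistribution purpose the comment describes and gives no authenticity. A digest check before the `unzip` line, for example `echo "<expected-sha256>  lsp-installer.zip" | sha256sum -c -` with the real digest in place of the placeholder, would fail the job on a changed or truncated download. The `else` branch still passes `--insecure`, so the same check would be worth adding there if the vendors' files are stable enough to pin. The enclosing block starts before and ends after this hunk.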