diff --git a/.github/workflows/build_and_test_debug.yml b/.github/workflows/build_and_test_debug.yml
index fff4e8c1..720d90f9 100644
--- a/.github/workflows/build_and_test_debug.yml
+++ b/.github/workflows/build_and_test_debug.yml
@@ -81,6 +81,32 @@ jobs:
           files: |
             src/shadowbox/server/api.yml
 
+  shadowbox-arm64:
+    name: Shadowbox (arm64)
+    runs-on: ubuntu-22.04-arm
+    needs: lint
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2.3.4
+
+      - name: Install Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          cache: npm
+
+      - name: Install NPM Dependencies
+        run: npm ci
+
+      - name: Shadowbox Debug Build (arm64)
+        run: TARGET_ARCH=aarch64 ./task shadowbox:build
+
+      - name: Shadowbox Unit Test
+        run: ./task shadowbox:test
+
+      - name: Shadowbox Docker Build (arm64)
+        run: TARGET_ARCH=aarch64 ./task shadowbox:docker:build
+
   manual-install-script:
     name: Manual Install Script
     runs-on: ubuntu-latest
diff --git a/src/server_manager/install_scripts/install_server.sh b/src/server_manager/install_scripts/install_server.sh
index 04013372..9bf72a09 100755
--- a/src/server_manager/install_scripts/install_server.sh
+++ b/src/server_manager/install_scripts/install_server.sh
@@ -456,8 +456,8 @@ function set_hostname() {
 install_shadowbox() {
   local MACHINE_TYPE
   MACHINE_TYPE="$(uname -m)"
-  if [[ "${MACHINE_TYPE}" != "x86_64" ]]; then
-    log_error "Unsupported machine type: ${MACHINE_TYPE}. Please run this script on a x86_64 machine"
+  if [[ "${MACHINE_TYPE}" != "x86_64" && "${MACHINE_TYPE}" != "aarch64" && "${MACHINE_TYPE}" != "arm64" ]]; then
+    log_error "Unsupported machine type: ${MACHINE_TYPE}. Supported architectures: x86_64, aarch64/arm64."
     exit 1
   fi
 
diff --git a/src/shadowbox/Taskfile.yml b/src/shadowbox/Taskfile.yml
index fb72a9b8..0dc31414 100644
--- a/src/shadowbox/Taskfile.yml
+++ b/src/shadowbox/Taskfile.yml
@@ -23,7 +23,7 @@ tasks:
     vars:
       TARGET_OS: '{{.TARGET_OS | default "linux"}}'
       TARGET_ARCH: '{{.TARGET_ARCH | default "x86_64"}}'
-      GOARCH: '{{get (dict "x86_64" "amd64") .TARGET_ARCH | default .TARGET_ARCH}}'
+      GOARCH: '{{get (dict "x86_64" "amd64" "aarch64" "arm64") .TARGET_ARCH | default .TARGET_ARCH}}'
       TARGET_DIR: '{{.TARGET_DIR | default (joinPath .OUTPUT_BASE .TARGET_OS .TARGET_ARCH)}}'
       NODE_DIR: '{{joinPath .TARGET_DIR "app"}}'
       BIN_DIR: '{{joinPath .TARGET_DIR "bin"}}'
@@ -79,10 +79,19 @@ tasks:
       # Newer node images have no valid content trust data.
       # Pin the image node:16.18.0-alpine3.16 by hash.
       # See image at https://hub.docker.com/_/node/tags?page=1&name=18.18.0-alpine3.18
+      # Note: "aarch64" is an alias for "arm64" — Linux ARM64 hosts report "aarch64" via uname -m.
       NODE_IMAGE: '{{get
           (dict
-            "x86_64" "node@sha256:a0b787b0d53feacfa6d606fb555e0dbfebab30573277f1fe25148b05b66fa097"
-            "arm64" "node@sha256:b4b7a1dd149c65ee6025956ac065a843b4409a62068bd2b0cbafbb30ca2fab3b"
+            "x86_64"  "node@sha256:a0b787b0d53feacfa6d606fb555e0dbfebab30573277f1fe25148b05b66fa097"
+            "arm64"   "node@sha256:b4b7a1dd149c65ee6025956ac065a843b4409a62068bd2b0cbafbb30ca2fab3b"
+            "aarch64" "node@sha256:b4b7a1dd149c65ee6025956ac065a843b4409a62068bd2b0cbafbb30ca2fab3b"
+          ) .TARGET_ARCH
+        }}'
+      DOCKER_PLATFORM: '{{get
+          (dict
+            "x86_64"  "linux/amd64"
+            "arm64"   "linux/arm64"
+            "aarch64" "linux/arm64"
           ) .TARGET_ARCH
         }}'
     env:
@@ -103,6 +112,7 @@ tasks:
       # Build image with given root
       - |
         "${DOCKER:-docker}" build --force-rm \
+          --platform '{{.DOCKER_PLATFORM}}' \
           --build-arg NODE_IMAGE='{{.NODE_IMAGE}}' \
           --build-arg VERSION='{{.VERSION}}' \
           -f '{{joinPath .TASKFILE_DIR "docker" "Dockerfile"}}' \
diff --git a/src/shadowbox/integration_test/test.sh b/src/shadowbox/integration_test/test.sh
index 84b194e6..0f6adc84 100755
--- a/src/shadowbox/integration_test/test.sh
+++ b/src/shadowbox/integration_test/test.sh
@@ -100,10 +100,13 @@ function setup() {
   "${DOCKER}" run -d --rm -p "10080:80" --network="${NET_OPEN}" --network-alias="target" --name="${TARGET_CONTAINER}" "${TARGET_IMAGE}"
 
   # Shadowsocks service.
+  # Start on NET_OPEN first so that -p host port binding works on macOS Docker Desktop
+  # (Docker Desktop does not publish ports when the initial network is --internal).
+  # Then connect to NET_BLOCKED so the security isolation tests still pass.
   declare -ar shadowbox_flags=(
     -d
     --rm
-    --network="${NET_BLOCKED}"
+    --network="${NET_OPEN}"
     --network-alias="shadowbox"
     -p "20443:443"
     -e "SB_API_PORT=443"
@@ -118,8 +121,7 @@ function setup() {
     "${SHADOWBOX_IMAGE}"
   )
   "${DOCKER}" run "${shadowbox_flags[@]}"
-  # "${DOCKER}" network connect --alias shadowbox "${NET_BLOCKED}" "${SHADOWBOX_CONTAINER}"
-  "${DOCKER}" network connect "${NET_OPEN}" "${SHADOWBOX_CONTAINER}"
+  "${DOCKER}" network connect --alias shadowbox "${NET_BLOCKED}" "${SHADOWBOX_CONTAINER}"
 
   # Client service.
   "${DOCKER}" build --force-rm -t "${CLIENT_IMAGE}" "$(dirname "$0")/client"