diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 94bf583..fd15040 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -257,11 +257,20 @@ in {
 };
 cli = mkOption {
 type = types.package;
+ default = cfg.cli-nonetns-exec;
+ description = "Binary to connect with the bitcoind instance.";
+ };
+ # Needed because bitcoind-import-banlist already executes inside
+ # nb-bitcoind, hence it doesn't need netns-exec prefixed.
+ cli-nonetns-exec = mkOption {
 readOnly = true;
+ type = types.package;
 default = pkgs.writeScriptBin "bitcoin-cli" ''
 exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@"
 '';
- description = "Binary to connect with the bitcoind instance.";
+ description = ''
+ Binary to connect with the bitcoind instance without netns-exec.
+ '';
 };
 enforceTor = nix-bitcoin-services.enforceTor;
 };
@@ -321,7 +330,7 @@ in {
 bindsTo = [ "bitcoind.service" ];
 after = [ "bitcoind.service" ];
 script = ''
- cd ${cfg.cli}/bin
+ cd ${cfg.cli-nonetns-exec}/bin
 # Poll until bitcoind accepts commands. This can take a long time.
 while ! ./bitcoin-cli getnetworkinfo &> /dev/null; do
 sleep 1
diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index 0793fd0..9c9757e 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -176,6 +176,9 @@ in {
 ] ++ lib.lists.concatMap (s: [
 "${netns.${s}.address}"
 ]) netns.bitcoind.availableNetns;
+ cli = pkgs.writeScriptBin "bitcoin-cli" ''
+ netns-exec nb-bitcoind ${config.services.bitcoind.package}/bin/bitcoin-cli -datadir='${config.services.bitcoind.dataDir}' "$@"
+ '';
 };
 })
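Review bot: The `cli` option is no longer `readOnly`, but its description still reads as if it were always the plain wrapper, so nothing tells a reader that another module may replace the binary other services call. The netns-isolation hunk in this same commit does exactly that, so I would extend the description to something like `Binary to connect with the bitcoind instance. Overridden by the netns-isolation module to run inside the bitcoind namespace.`. The comment above `cli-nonetns-exec` gives the banlist reason clearly; putting that reason into the option's `description` as well would make it appear in the generated option documentation.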
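Review bot: The new `cli` wrapper in netns-isolation.nix calls `netns-exec` by bare name, so which binary runs depends on the PATH of whoever invokes `bitcoin-cli`, while `bitcoin-cli` on the same line is pinned to a store path. If netns-exec is a privileged helper (it has to enter another network namespace; its definition is not in this hunk), I would reference it by an absolute path or state the PATH requirement in a comment. The script also omits the `exec` that the `cli-nonetns-exec` wrapper uses, which leaves an extra shell process around every call: `exec netns-exec nb-bitcoind ${config.services.bitcoind.package}/bin/bitcoin-cli -datadir='${config.services.bitcoind.dataDir}' "$@"`. The attribute set this line belongs to starts above the hunk.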