diff --git a/roles/openvpn/README.md b/roles/openvpn/README.md
new file mode 100644
index 0000000..18b459f
--- /dev/null
+++ b/roles/openvpn/README.md
@@ -0,0 +1,13 @@
+# OpenVPN
+
+Installation and custom configuration of OpenVPN server.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
+
+NOTE: Make sure you have already cloned shellpki in ~/GIT/
diff --git a/roles/openvpn/defaults/main.yml b/roles/openvpn/defaults/main.yml
new file mode 100644
index 0000000..dbf2f80
--- /dev/null
+++ b/roles/openvpn/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+openvpn_lan: "192.168.42.0"
+openvpn_netmask: "255.255.255.0"
diff --git a/roles/openvpn/files/check_openvpn.pl b/roles/openvpn/files/check_openvpn.pl
new file mode 100755
index 0000000..270fd1e
--- /dev/null
+++ b/roles/openvpn/files/check_openvpn.pl
@@ -0,0 +1,215 @@
+#!/usr/bin/perl -w
+
+#######################################################################
+#
+# Copyright (c) 2007 Jaime Gascon Romero
+#
+# License Information:
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+# $Id: check_openvpn.pl,v 1.1 2014/09/29 08:39:24 rdessort Exp $
+# $Revision: 1.1 $
+# Home Site: http://emergeworld.blogspot.com/
+# #####################################################################
+
+use diagnostics;
+use strict;
+use Net::Telnet ();
+use Getopt::Long qw(:config no_ignore_case);
+use vars qw($PROGNAME $VERSION);
+use lib "/usr/lib/nagios/plugins/";
+use utils qw(%ERRORS);
+
+$PROGNAME = "check_openvpn";
+$VERSION = '$Revision: 1.1 $';
+
+$ENV{'PATH'}='';
+$ENV{'BASH_ENV'}='';
+$ENV{'ENV'}='';
+
+my ($opt_h, $opt_H, $opt_p, $opt_P, $opt_t, $opt_i, $opt_n, $opt_c, $opt_w, $opt_C, $opt_r);
+
+sub print_help ();
+sub print_usage ();
+
+GetOptions
+ ("h" => \$opt_h, "help" => \$opt_h,
+ "H=s" => \$opt_H, "host=s" => \$opt_H,
+ "p=i" => \$opt_p, "port=i" => \$opt_p,
+ "P=s" => \$opt_P, "password=s" => \$opt_P,
+ "t=i" => \$opt_t, "timeout=i" => \$opt_t,
+ "i" => \$opt_i, "ip" => \$opt_i,
+ "n" => \$opt_n, "numeric" => \$opt_n,
+ "c" => \$opt_c, "critical" => \$opt_c,
+ "w" => \$opt_w, "warning" => \$opt_w,
+ "C=s" => \$opt_C, "common_name=s" => \$opt_C,
+ "r=s" => \$opt_r, "remote_ip=s" => \$opt_r,
+ ) or exit $ERRORS{'UNKNOWN'};
+
+# default values
+unless ( defined $opt_t ) {
+ $opt_t = 10;
+}
+
+if ($opt_h) {print_help(); exit $ERRORS{'OK'};}
+
+if ( ! defined($opt_H) || ! defined($opt_p) ) {
+ print_usage();
+ exit $ERRORS{'UNKNOWN'}
+}
+
+my @lines;
+my @clients;
+my @clients_ip;
+my $t;
+
+eval {
+$t = new Net::Telnet (Timeout => $opt_t,
+ Port => $opt_p,
+ Prompt => '/END$/'
+ );
+$t->open($opt_H);
+if ( defined $opt_P ) {
+ $t->waitfor('/ENTER PASSWORD:$/');
+ $t->print($opt_P);
+}
+$t->waitfor('/^$/');
+@lines = $t->cmd("status 2");
+$t->close;
+};
+
+if ($@) {
+ print "OpenVPN Critical: Can't connect to server\n";
+ exit $ERRORS{'CRITICAL'};
+}
+
+
+if (defined $opt_i || defined $opt_r) {
+ foreach (@lines) {
+ if ($_ =~ /CLIENT_LIST,.*,(\d+\.\d+\.\d+\.\d+):\d+,/) {
+ push @clients_ip, $1;
+ }
+}
+ if (defined $opt_i) {
+ print "OpenVPN OK: "."@clients_ip ";
+ exit $ERRORS{'OK'};
+ } elsif (defined $opt_r) {
+ if ( ! grep /\b$opt_r\b/, @clients_ip) {
+ if (defined $opt_c) {
+ print "OpenVPN CRITICAL: $opt_r don't found";
+ exit $ERRORS{'CRITICAL'};
+ } else {
+ print "OpenVPN WARNING: $opt_r don't found";
+ exit $ERRORS{'WARNING'};
+ }
+ }
+ print "OpenVPN OK: "."@clients_ip ";
+ exit $ERRORS{'OK'};
+ }
+}
+
+foreach (@lines) {
+ if ($_ =~ /CLIENT_LIST,(.*),\d+\.\d+\.\d+\.\d+:\d+,/) {
+ push @clients, $1;
+ }
+}
+
+if (defined $opt_C) {
+ if ( ! grep /\b$opt_C\b/, @clients) {
+ if (defined $opt_c) {
+ print "OpenVPN CRITICAL: $opt_C don't found";
+ exit $ERRORS{'CRITICAL'};
+ } else {
+ print "OpenVPN WARNING: $opt_C don't found";
+ exit $ERRORS{'WARNING'};
+ }
+ }
+}
+
+
+if (defined $opt_n) {
+print "OpenVPN OK: ".@clients." connected clients.";
+exit $ERRORS{'OK'};
+}
+
+print "OpenVPN OK: "."@clients ";
+exit $ERRORS{'OK'};
+
+#######################################################################
+###### Subroutines ####################################################
+
+sub print_usage() {
+ print "Usage: $PROGNAME -H | --host -p | --port [-P | --password] [-t | --timeout]
+ [-i | --ip] [-n | --numeric] [-C | --common_name] [-r | --remote_ip] [-c | --critical] [-w | --warning]\n\n";
+ print " $PROGNAME [-h | --help]\n";
+}
+
+sub print_help() {
+ print "$PROGNAME $VERSION\n\n";
+ print "Copyright (c) 2007 Jaime Gascon Romero
+
+Nagios plugin to check the clients connected to a openvpn server.
+
+";
+ print_usage();
+ print "
+-H | --host
+ IP address or hostname of the openvpn server.
+
+-p | --port
+ Management port interface of the openvpn server.
+
+-P | --password
+ Password for the management interface of the openvpn server.
+
+-t | --timeout
+ Timeout for the connection attempt. Optional, default 10 seconds.
+
+
+ Optional parameters
+ ===================
+
+-i | --ip
+ Prints the IP address of the remote client instead of the common name.
+
+-n | --numeric
+ Prints the number of clients connected to the openvpn server.
+
+
+ Matching Parameters
+ ===================
+
+-C | --common_name
+ The common name, as it is specified in the client certificate, who is wanted to check.
+
+-r | --remote_ip
+ The client remote ip address who is wanted to check.
+
+-c | --critical
+ Exits with CRITICAL status if the client specified by the common name or the remote ip address is not connected.
+
+-w | --warning
+ Exits with WARNING status if the client specified by the common name or the remote ip address is not connected.
+
+
+ Other Parameters
+ ================
+
+-h | --help
+ Show this help.
+";
+
+}
+
+# vim:sts=2:sw=2:ts=2:et
diff --git a/roles/openvpn/files/shellpki b/roles/openvpn/files/shellpki
new file mode 120000
index 0000000..3036d45
--- /dev/null
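Review bot: `grep /\b$opt_r\b/, @clients_ip` and `grep /\b$opt_C\b/, @clients` interpolate the option value as a regex, so a `.` in a remote IP matches any character, a common name containing a metacharacter makes the pattern fail to compile, and `\b` lets a value match as a substring of a longer name; an exact comparison, `if ( ! grep { $_ eq $opt_r } @clients_ip ) {` (and the same for `$opt_C`), is what both branches intend. The script also does `use lib "/usr/lib/nagios/plugins/"` for `utils qw(%ERRORS)` while the tasks hunk in this commit installs it under `/usr/local/libexec/nagios/plugins/`; if `utils.pm` is not at that Debian-style path on the target, the plugin dies at compile time before any check runs. The management password is taken from `-P` on the command line, where it is visible to every local user in the process list; reading it from a root-only file would be safer. Finally, `new Net::Telnet (...)` is indirect-object syntax and should be `Net::Telnet->new(...)`.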
+++ b/roles/openvpn/files/shellpki
@@ -0,0 +1 @@
+/home/tpilat/GIT/shellpki/
\ No newline at end of file
diff --git a/roles/openvpn/files/sudo_shellpki b/roles/openvpn/files/sudo_shellpki
new file mode 100644
index 0000000..08ca1ab
--- /dev/null
+++ b/roles/openvpn/files/sudo_shellpki
@@ -0,0 +1 @@
+%shellpki ALL = (root) /usr/local/sbin/shellpki
diff --git a/roles/openvpn/handlers/main.yml b/roles/openvpn/handlers/main.yml
new file mode 100644
index 0000000..b22f340
--- /dev/null
+++ b/roles/openvpn/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart openvpn
+ service:
+ name: openvpn
+ state: restarted
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
new file mode 100644
index 0000000..79299c4
--- /dev/null
+++ b/roles/openvpn/tasks/main.yml
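Review bot: `+/home/tpilat/GIT/shellpki/` commits a symlink to an absolute path inside one developer's home directory, and the `Copy some shellpki files` task in tasks/main.yml resolves `files/shellpki/openssl.cnf` and `files/shellpki/shellpki` through it, so the role only runs from that one machine. The README's note about cloning into `~/GIT/` does not match either, since the link is to `/home/tpilat` specifically. Vendoring the two files into `files/shellpki/`, or adding shellpki as a git submodule at that path, would make the role self-contained.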
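Review bot: `%shellpki ALL = (root) /usr/local/sbin/shellpki` refers to a `shellpki` group, but nothing in this commit creates it — the user task in tasks/main.yml creates a `_shellpki` user, not a `shellpki` group, and `visudo -cf` is a syntax check only — so the entry is either inert until the group is created elsewhere or a name mismatch; worth confirming. The rule also carries no argument restriction, so every member of that group can run the script as root with any arguments, which makes the script's own argument handling the entire privilege boundary; if only a few subcommands are meant to be delegated, listing them explicitly in the sudoers entry narrows that.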
@@ -0,0 +1,110 @@
+---
+- name: Install OpenVPN package
+ openbsd_pkg:
+ name: "openvpn--"
+ tags:
+ - openvpn
+
+- name: Create /etc/openvpn directory
+ file:
+ path: /etc/openvpn
+ state: directory
+ owner: "root"
+ group: "wheel"
+ mode: "0755"
+ tags:
+ - openvpn
+
+- name: Deploy OpenVPN configuration
+ template:
+ src: "server.conf.j2"
+ dest: "/etc/openvpn/server.conf"
+ mode: "0600"
+ notify: restart openvpn
+ tags:
+ - openvpn
+
+- name: Enabling OpenVPN
+ service:
+ name: openvpn
+ enabled: yes
+ tags:
+ - openvpn
+
+- name: Set OpenVPN flag
+ shell: 'rcctl set openvpn flags "--config /etc/openvpn/server.conf"'
+ tags:
+ - openvpn
+
+- name: Create shellpki user
+ user:
+ name: "_shellpki"
+ system: yes
+ state: present
+ system: yes
+ home: "/etc/shellpki/"
+ shell: "/sbin/nologin"
+ tags:
+ - openvpn
+
+- name: Copy some shellpki files
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: wheel
+ mode: "{{ item.mode }}"
+ force: yes
+ with_items:
+ - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
+ - { src: 'files/shellpki/shellpki', dest: '/usr/local/sbin/shellpki', mode: '0755' }
+ tags:
+ - openvpn
+
+- name: Deploy DH PARAMETERS
+ template:
+ src: "dh2048.pem.j2"
+ dest: "/etc/shellpki/dh2048.pem"
+ mode: "0600"
+ tags:
+ - openvpn
+
+- name: Create /etc/sudoers.d directory
+ file:
+ path: /etc/sudoers.d
+ state: directory
+ owner: "root"
+ group: "wheel"
+ mode: "0755"
+ tags:
+ - openvpn
+
+- name: Include /etc/sudoers.d in sudoers configuration file
+ lineinfile:
+ path: /etc/sudoers
+ line: '#includedir /etc/sudoers.d'
+ tags:
+ - openvpn
+
+- name: Verify shellpki sudoers file presence
+ copy:
+ src: "sudo_shellpki"
+ dest: "/etc/sudoers.d/shellpki"
+ force: true
+ mode: "0440"
+ validate: '/usr/local/sbin/visudo -cf %s'
+ tags:
+ - openvpn
+
+- name: Copy check_openvpn
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: wheel
+ mode: "{{ item.mode }}"
+ force: yes
+ with_items:
+ - { src: 'files/check_openvpn.pl', dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl', mode: '0755' }
+ tags:
+ - openvpn
diff --git a/roles/openvpn/templates/dh2048.pem.j2 b/roles/openvpn/templates/dh2048.pem.j2
new file mode 100644
index 0000000..9db20bb
--- /dev/null
+++ b/roles/openvpn/templates/dh2048.pem.j2
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP
+R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr
+TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv
+ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2
+Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ
+aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg==
+-----END DH PARAMETERS-----
diff --git a/roles/openvpn/templates/server.conf.j2 b/roles/openvpn/templates/server.conf.j2
new file mode 100644
index 0000000..377b5b1
--- /dev/null
+++ b/roles/openvpn/templates/server.conf.j2
@@ -0,0 +1,26 @@
+user nobody
+group nogroup
+
+local {{ ansible_default_ipv4.address }}
+port 1194
+proto udp
+dev tun
+mode server
+keepalive 10 120
+
+cipher AES-128-CBC # AES
+#comp-lzo
+# compress (à partir d'OpenVPN 2.4)
+
+persist-key
+persist-tun
+
+status /var/log/openvpn-status.log
+log-append /var/log/openvpn.log
+
+ca /etc/shellpki/cacert.pem
+cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
+key /etc/shellpki/private/{{ ansible_fqdn }}.key
+dh /etc/shellpki/dh2048.pem
+
+server {{ openvpn_lan }} {{ openvpn_netmask }}
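Review bot: The `Include /etc/sudoers.d in sudoers configuration file` task edits `/etc/sudoers` with `lineinfile` and no `validate:`, so a bad write there breaks sudo for every user on the host, while the `Verify shellpki sudoers file presence` task a few lines later does validate; add `validate: '/usr/local/sbin/visudo -cf %s'` to the lineinfile task as well. `Create shellpki user` has `system: yes` twice in the same mapping, which is a YAML duplicate key (the second silently wins or triggers a warning, depending on the parser); drop one. `Set OpenVPN flag` uses `shell:` for a fixed command with no shell features and reports changed on every run; `command:` with a `changed_when` condition keeps the play idempotent. The `_shellpki` user created here is not referenced by any other task in the hunk (both copied files are owned by root), so its purpose should be documented in the task name or the task dropped.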
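Review bot: `dh2048.pem.j2` contains no Jinja expressions, so it is a static file deployed through `template:`; moving it to `files/` and using `copy:` states what it is and avoids the template pass. As written every host this role touches gets the same DH group, which is not a secret, but a comment in the `Deploy DH PARAMETERS` task naming where the group came from and how to regenerate it (`openssl dhparam 2048`) would help the next maintainer.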
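Review bot: Nothing in this config enables the management interface, yet `check_openvpn.pl` from this commit (and its deploy task) talks to one over `Net::Telnet`, so the plugin cannot connect unless `management` is set somewhere outside this role; if it is meant to work, add a `management` line bound to loopback with a root-only password file. The TLS side has no hardening directives: `remote-cert-tls client` rejects a peer presenting a server certificate, `tls-version-min 1.2` drops old protocol versions, and, if shellpki maintains a CRL, `crl-verify` is what makes revoked client certificates stop being accepted. `cipher AES-128-CBC` with the default `auth` means CBC plus SHA1 HMAC; on OpenVPN 2.4 (the `compress` comment suggests it is in scope) `AES-256-GCM` via `ncp-ciphers` is the better default. `mode server` is redundant given `server {{ openvpn_lan }} ...`, and on OpenBSD (the `openbsd_pkg` task) the group may be `nobody` rather than `nogroup` — verify on the target.
```jinja
# … unchanged: user/group/local/port/proto/dev …
management 127.0.0.1 <MGMT_PORT_PLACEHOLDER> <MGMT_PASSWORD_FILE_PLACEHOLDER>
remote-cert-tls client
tls-version-min 1.2
crl-verify <CRL_PATH_PLACEHOLDER>
# … unchanged: cipher, persist-*, status/log-append, ca/cert/key/dh, server …
```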