diff --git a/README.md b/README.md
index a8cc931cb0d6149a8e8f92d9ad78be3d1235a4e2..de703458f3ee020b8c4944d05de08b3f4923ccea 100644
--- a/README.md
+++ b/README.md
@@ -107,6 +107,10 @@ Open _hosts.yml_ and change `floatapp1` to your app host's hostname, and specify
 
 Configure the front-end reverse proxy and the gateway sections in the same way. Change the `floatrp1` to your hostname, and the `ansible_host` and `ip` to the IP it should have. Same for the gateway section: change `gateway1` to your gateway server's hostname and put the respective IP address under `ansible_host` and `ip`. Also set the `location` value to where this server is located. It's important to have two different IP addresses for the gateway server for ingress and egress traffic. Put the secondary gateway IP address in the `egress_ip` variable. If you have more than one gateway, just copy the whole block and modify its values respectively.
 
+You can control whether direct openvpn access is permitted for each gateway host by adjusting the `direct_openvpn_access` flag. This is enabled by default, you can disable for each gateway by kepping the variable as `false` under each gateway host.      
+Enabling this flag will mandate that users to use censorship-circumvention methods by default.    
+It's important to note that direct connections to openvpn can be easily detected by intermediaries
+
 _NOTE:_ If you use IPv6 addresses uncomment and adapt the gateway example given in the section `gateway2`.
 
 #### 3.2. Configure _config.yml_ :)
diff --git a/config/roles/openvpn/templates/50openvpn.firewall.j2 b/config/roles/openvpn/templates/50openvpn.firewall.j2
index 5f83df4da142151e52ce92f078ea80c1b65749b0..e81b6ec538eedfce3ede57aa674c792da7d28efc 100644
--- a/config/roles/openvpn/templates/50openvpn.firewall.j2
+++ b/config/roles/openvpn/templates/50openvpn.firewall.j2
@@ -1,11 +1,22 @@
 # Allow incoming connections to ipv4 port 80 for both udp and tcp
 add_rule4 -A user-input -p tcp -m tcp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 80 -j ACCEPT
 add_rule4 -A user-input -p udp -m udp -d {{ ips | ansible.netcommon.ipv4 | first }} --dport 80 -j ACCEPT
+{% if direct_openvpn_access is defined and direct_openvpn_access == false -%}
+add_rule4 -I user-input -p udp --dport 80 -j DROP
+add_rule4 -I user-input -p tcp --dport 80 -j DROP
+{% endif %}
+
 
 {% if openvpn_tcp_network6 is defined and openvpn_tcp_network6|d('')|length > 0 -%}
 # Allow incoming connections to ipv6 port 80 for both udp and tcp
 add_rule6 -A user-input -p tcp -m tcp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 80 -j ACCEPT
 add_rule6 -A user-input -p udp -m udp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 80 -j ACCEPT
+
+{% if direct_openvpn_access is defined and direct_openvpn_access == false -%}
+add_rule6 -I user-input -p udp --dport 80 -j DROP
+add_rule6 -I user-input -p tcp --dport 80 -j DROP
+{% endif %}
+
 {% endif %}
 
 
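Review bot: The `{% if %}` guard in front of the ipv4 DROP rules (and the identical one in the ipv6 block) only fires when `direct_openvpn_access` is the Jinja boolean `False`; if the value arrives as a string — `-e direct_openvpn_access=false` on the command line, or a quoted `'false'` in inventory — `== false` is not satisfied and the DROP rules are silently omitted while the ACCEPT rules above them stay in place, so the operator believes direct access is blocked when it is not. Normalising with the Ansible `bool` filter covers both forms and encodes the documented "allowed by default" in one place: `{% if not (direct_openvpn_access | default(true) | bool) -%}`. Note also that the DROP rules carry no `-d` restriction, so they block port 80 for every address on the host, whereas the ACCEPT rules they override are scoped to the first address of `ips`; if that breadth is intended, a comment above the block saying so would help, otherwise add `-d {{ ips | ansible.netcommon.ipv4 | first }}` (and the ipv6 equivalent) to mirror the ACCEPT lines. The trailing blank lines left after the new `{% endif %}` in both blocks appear to be unintentional.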
diff --git a/hosts.yml b/hosts.yml
index 6d7aca08faabc79ec8b08930531a1e566b07543a..d43b3926c2a9c6af59b7766c8dde9b0de267e7a8 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -28,6 +28,8 @@ hosts:
     # from the 'ip' value above to prevent traffic leaks.
     egress_ip: 37.218.242.216
     location: Amsterdam
+    # allow direct connections to openvpn (allowed by default)
+    direct_openvpn_access: true
 #    # For each gateway that has ipv6, you should allocate two ipv6 netblocks for
 #    # each gateway, one for TCP and one for UDP connections. These ipv6
 #    # netblocks should be in a different network than the ip6 address that you
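Review bot: The comment above `direct_openvpn_access: true` says what the flag permits but not how to turn it off or what happens when the key is absent; since the firewall template only acts on an explicit `false`, leaving the key out of another gateway block keeps direct access enabled, which is worth stating where operators copy the block. Suggest replacing it with `# Set to false to block direct OpenVPN connections to this gateway (clients must then use a circumvention transport); omitting the key keeps direct access allowed.` The same line presumably belongs in the commented-out gateway example that follows, so that copies of it carry the flag.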