diff --git a/config/roles/kresd/templates/kresd.conf.j2 b/config/roles/kresd/templates/kresd.conf.j2
index d577f195a00ef48b695f7a5e3bbfe90b7b730cd9..bec216d1a876961e3cab1ac6d04b3650bb23f69c 100644
--- a/config/roles/kresd/templates/kresd.conf.j2
+++ b/config/roles/kresd/templates/kresd.conf.j2
@@ -1,4 +1,5 @@
-net.listen('127.0.0.1', '::1', 53, { kind = 'dns' })
+net.listen('::', 53, { kind = 'dns' })
+net.listen('0.0.0.0', 53, { kind = 'dns' })
 net.listen('::', 8453, { kind = 'webmgmt' })
 
 -- Load Useful modules
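Review bot: Binding the resolver to `::` and `0.0.0.0` on port 53 makes it answer on every interface of the host, not only to VPN clients, and nothing in this hunk restricts who may query it. Together with the `ports: [1194, 23042, 53]` change in config/services.openvpn.yml this may leave a recursive resolver reachable from the internet, which is commonly abused for DNS amplification; whether it does depends on how `ports` is turned into firewall rules, which is not visible here. Consider listening only on the VPN gateway address, e.g. `net.listen('{{ openvpn_network | ipaddr('1') | ipaddr('address') }}', 53, { kind = 'dns' })` plus the IPv6 equivalent, or accepting port 53 only from the VPN networks in the firewall. The unchanged `webmgmt` listener on `::` port 8453 deserves the same check.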
diff --git a/config/roles/openvpn/tasks/openvpn.yml b/config/roles/openvpn/tasks/openvpn.yml
index 849c16b208898535e45c6c60b342c1767f9dc75c..72856979c4b24af78f2b309d96e97d7a0a610f50 100644
--- a/config/roles/openvpn/tasks/openvpn.yml
+++ b/config/roles/openvpn/tasks/openvpn.yml
@@ -11,12 +11,18 @@
     dest: "/etc/firewall/filter.d/50openvpn"
   notify: "reload firewall"
 
-# Set ip forwarding necessary for openvpn
+# Set ip forwarding necessary for openvpn ipv4
 - sysctl:
     name: net.ipv4.ip_forward
     value: '1'
     sysctl_set: yes
 
+# Set ip forwarding necessary for openvpn ipv6
+- sysctl:
+    name: net.ipv6.ip_forward
+    value: '1'
+    sysctl_set: yes
+
 - name: Install firewall nat config for vpnweb
   template:
     src: "50openvpn_nat.firewall.j2"
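Review bot: `net.ipv6.ip_forward` in the added task is not a sysctl key the Linux kernel provides; IPv6 forwarding is controlled by `net.ipv6.conf.all.forwarding`, so with `sysctl_set: yes` this task is expected to fail rather than enable forwarding. Change the line to `name: net.ipv6.conf.all.forwarding`. Enabling forwarding also makes the kernel stop accepting router advertisements unless `accept_ra` is set to 2, so a gateway that learns its own IPv6 default route via RA may need that set too. The new task runs even when `openvpn_network6` is unset; a `when:` using the same condition as the OpenVPN templates would keep IPv6 forwarding off on IPv4-only gateways, and both sysctl tasks would read better with a `name:`. The last task in the hunk continues outside it.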
diff --git a/config/roles/openvpn/templates/50openvpn.firewall.j2 b/config/roles/openvpn/templates/50openvpn.firewall.j2
index 4af88962865de23987424d8387686ed3dd213895..4e6860a42712d2e22d152e203b81e7ee17d9692f 100644
--- a/config/roles/openvpn/templates/50openvpn.firewall.j2
+++ b/config/roles/openvpn/templates/50openvpn.firewall.j2
@@ -9,5 +9,11 @@ allow_port udp 1194
 add_rule4 -A FORWARD -s {{ openvpn_network | ipaddr('network') }}/{{ openvpn_network | ipaddr('netmask') }} -o {{ ansible_default_ipv4.interface }} -j ACCEPT
 # allow re/established *inbound* to vpn hosts
 add_rule4 -A FORWARD -d {{ openvpn_network | ipaddr('network') }}/{{ openvpn_network | ipaddr('netmask') }} -m state --state RELATED,ESTABLISHED -j ACCEPT
+add_rule6 -A FORWARD -s {{ openvpn_network6 }} -o tun0 -j ACCEPT
+# allow re/established *inbound* to vpn gateways
+add_rule6 -A FORWARD -d {{ openvpn_network6 }} -m state --state RELATED,ESTABLISHED -j ACCEPT
+# deny client-to-client communication
+add_rule4 -A FORWARD -i tun0 -o tun0 -j DROP
+add_rule6 -A FORWARD -i tun0 -o tun0 -j DROP
 
 
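Review bot: The added IPv6 allow rule matches `-o tun0`, whereas the IPv4 rule above it matches the default uplink interface, so as written it accepts traffic from VPN clients back out through the tunnel. Because it is appended first, it would be evaluated before `add_rule6 -A FORWARD -i tun0 -o tun0 -j DROP`, leaving the IPv6 client-to-client deny ineffective. If the intent mirrors the IPv4 rule, use the uplink instead: `add_rule6 -A FORWARD -s {{ openvpn_network6 }} -o {{ ansible_default_ipv6.interface }} -j ACCEPT`. Both `openvpn_network6` rules are also unguarded, while tcp.conf.j2 and udp.conf.j2 treat the variable as optional; wrapping them in the same `{% if openvpn_network6 is defined and openvpn_network6|length %}` avoids a failed render or an empty `-s`/`-d` argument on IPv4-only deployments. The hard-coded `tun0` presumably covers only one of the TCP and UDP instances, so confirm which device each one gets.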
diff --git a/config/roles/openvpn/templates/tcp.conf.j2 b/config/roles/openvpn/templates/tcp.conf.j2
index e17196b4bc821af7709e2112a9a9b8a7bfce39cf..c63d23720463d3d6dd3988151efe781889f83348 100644
--- a/config/roles/openvpn/templates/tcp.conf.j2
+++ b/config/roles/openvpn/templates/tcp.conf.j2
@@ -12,10 +12,18 @@ duplicate-cn
 keepalive 10 30
 mute-replay-warnings
 mute 5
-proto tcp
+push "redirect-gateway def1 ipv6"
 push "dhcp-option DNS {{ openvpn_network | ipaddr('1') | ipaddr('address') }}"
-push "redirect-gateway def1"
+{% if openvpn_network6 is defined and openvpn_network6|length %}
+proto tcp6
+server-ipv6 {{ openvpn_network6 }}
 push "route-ipv6 2000::/3"
+push "dhcp-option DNS {{ openvpn_network6 }}"
+{% else %}
+proto tcp
+push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
+block-ipv6
+{% endif %}
 push "block-outside-dns"
 server {{ openvpn_network | ipaddr('network') }} {{ openvpn_network | ipaddr('netmask') }}
 status /tmp/openvpn-status-tcp 10
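Review bot: `push "dhcp-option DNS {{ openvpn_network6 }}"` hands clients the IPv6 network itself as the resolver, while the IPv4 line derives a host address with `ipaddr('1') | ipaddr('address')`. Assuming `openvpn_network6` holds a prefix of the kind `server-ipv6` expects, clients receive a value that is not a usable DNS server address. Use `push "dhcp-option DNS {{ openvpn_network6 | ipaddr('1') | ipaddr('address') }}"` so the pushed resolver is the gateway's tunnel address. The same line appears in the udp.conf.j2 hunk and needs the same change. In the `{% else %}` branch of both files, a comment such as `# dummy ULA so clients route IPv6 into the tunnel, where block-ipv6 rejects it (leak protection)` would explain the hard-coded `fd15:53b6:dead::` addresses.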
diff --git a/config/roles/openvpn/templates/udp.conf.j2 b/config/roles/openvpn/templates/udp.conf.j2
index 8e8fb4de892e4b412c71ddfb30023e7916d0066a..334a7c3fa070d7eed7b1a76c51613ac04d805a0a 100644
--- a/config/roles/openvpn/templates/udp.conf.j2
+++ b/config/roles/openvpn/templates/udp.conf.j2
@@ -12,10 +12,18 @@ duplicate-cn
 keepalive 10 30
 mute-replay-warnings
 mute 5
-proto udp
+push "redirect-gateway def1 ipv6"
 push "dhcp-option DNS {{ openvpn_network | ipaddr('1') | ipaddr('address') }}"
-push "redirect-gateway def1"
+{% if openvpn_network6 is defined and openvpn_network6|length %}
+proto udp6
+server-ipv6 {{ openvpn_network6 }}
 push "route-ipv6 2000::/3"
+push "dhcp-option DNS {{ openvpn_network6 }}"
+{% else %}
+proto udp
+push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
+block-ipv6
+{% endif %}
 push "block-outside-dns"
 server {{ openvpn_network | ipaddr('network') }} {{ openvpn_network | ipaddr('netmask') }}
 status /tmp/openvpn-status-udp 10
diff --git a/config/services.openvpn.yml b/config/services.openvpn.yml
index 246287da98c7ca326a467b72d01d3fcc7f290ba2..933326f6ff70bf76045111f094dd52a8002f9a78 100644
--- a/config/services.openvpn.yml
+++ b/config/services.openvpn.yml
@@ -46,7 +46,7 @@ openvpn:
   containers:
     - name: openvpn
       image: registry.0xacab.org/leap/container-platform/openvpn:latest
-      ports: [1194, 23042]
+      ports: [1194, 23042, 53]
       drop_capabilities: false
       docker_options: '--cap-add=NET_ADMIN --cap-add=CAP_NET_BIND_SERVICE'
       volumes: