diff --git a/group_vars/pyrocufflink-dns.yml b/group_vars/pyrocufflink-dns/main.yml similarity index 92% rename from group_vars/pyrocufflink-dns.yml rename to group_vars/pyrocufflink-dns/main.yml
index 6378778..af18adf 100644
--- a/group_vars/pyrocufflink-dns.yml
+++ b/group_vars/pyrocufflink-dns/main.yml
@@ -1,3 +1,8 @@
+protonvpn_tunnel: 1.1.1.1,1.0.0.1
+named_forward_only: true
+named_forwarders:
+- 1.1.1.1
+- 1.0.0.1
 named_listen: - addresses: - any
diff --git a/group_vars/pyrocufflink-dns/secrets b/group_vars/pyrocufflink-dns/secrets new file mode 100644
index 0000000..0fd6105
--- /dev/null
+++ b/group_vars/pyrocufflink-dns/secrets
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+34303664613262623439636133393766306638343261373633633136323562643761383039376565
+3339663861393833666164633136373966336630346434660a616231343233653366393666336339
+31643862626561643636343666313539343933353138336166373335323830643361303362353864
+3934633236313862620a616561393265336138383339393063613631633030646633363736333139
+37343664333063616430366534633366383565613530613439313732333232363336626236613235
+35636165386565633466306638656662323739396535386565316662353735386466643038613337
+61363936326363323730393132313532326336373761653237623963363163373633623737643434
+66386234303265343262333566356566626531633665626464343962633337373962396533343432
+6163
diff --git a/hosts b/hosts
index 1b5515c..aae1ac7 100644
--- a/hosts
+++ b/hosts
@@ -81,6 +81,9 @@
 dc0.pyrocufflink.blue
 cloud0.pyrocufflink.blue
 hassdb0.pyrocufflink.blue
+[protonvpn:children]
+pyrocufflink-dns
+
 [public-web]
 web0.pyrocufflink.blue
diff --git a/protonvpn.yml b/protonvpn.yml new file mode 100644
index 0000000..5ab95ce
--- /dev/null
+++ b/protonvpn.yml
@@ -0,0 +1,3 @@
+- hosts: protonvpn + roles: + - protonvpn
diff --git a/roles/protonvpn/defaults/main.yml b/roles/protonvpn/defaults/main.yml new file mode 100644
index 0000000..8c9ca64
--- /dev/null
+++ b/roles/protonvpn/defaults/main.yml
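Review bot: In the group_vars/pyrocufflink-dns/main.yml hunk, `protonvpn_tunnel: 1.1.1.1,1.0.0.1` and the `named_forwarders` list spell out the same two addresses independently, so changing a forwarder without also changing the tunnel selector would silently send resolver traffic outside the VPN; deriving one from the other, `protonvpn_tunnel: "{{ named_forwarders | join(',') }}"`, keeps them in lock-step. Nothing in this change prevents plaintext fallback either: the forwarders are reached over plain port 53, so whenever the child SA is absent (before charon has loaded the config, or while the tunnel is being re-established) queries to 1.1.1.1 go out over the default route in the clear — a drop shunt for the same selector, or a firewall rule limiting port-53 egress to the tunnel interface, would close that window. The coupling between these variables and the protonvpn role is not visible from this file, so a comment above `named_forward_only: true` such as `# forwarders are only reachable through the ProtonVPN child SA (roles/protonvpn); keep protonvpn_tunnel in sync` would help the next editor.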
@@ -0,0 +1,2 @@
+protonvpn_server: us-il-41.protonvpn.com
+protonvpn_tunnel: 0.0.0.0/0,::/0
diff --git a/roles/protonvpn/files/ProtonVPN_ike_root.pem b/roles/protonvpn/files/ProtonVPN_ike_root.pem new file mode 100644
index 0000000..6cc7940
--- /dev/null
+++ b/roles/protonvpn/files/ProtonVPN_ike_root.pem
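Review bot: The role default `protonvpn_tunnel: 0.0.0.0/0,::/0` makes a full tunnel the behaviour any host gets unless its group_vars override it, and combined with `local_addrs = %defaultroute` in the template that may pull the host's own management traffic (including the SSH session Ansible is using) and LAN-facing services into the VPN as soon as the child SA comes up. The only consumer in this change narrows the selector to two resolver addresses, so a safer default would be a deliberately narrow selector, or at minimum a comment above the line: `# Full tunnel by default; override per group (see group_vars/pyrocufflink-dns) to limit which destinations use the VPN`. `protonvpn_server` is a single hard-coded endpoint with no fallback, so if that server is retired the tunnel stays down until the default is edited — worth recording in the same comment.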
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFozCCA4ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADBAMQswCQYDVQQGEwJDSDEV +MBMGA1UEChMMUHJvdG9uVlBOIEFHMRowGAYDVQQDExFQcm90b25WUE4gUm9vdCBD +QTAeFw0xNzAyMTUxNDM4MDBaFw0yNzAyMTUxNDM4MDBaMEAxCzAJBgNVBAYTAkNI +MRUwEwYDVQQKEwxQcm90b25WUE4gQUcxGjAYBgNVBAMTEVByb3RvblZQTiBSb290 +IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+BsSsZg7+AuqTq7 +vDbPzfygtl9f8fLJqO4amsyOXlI7pquL5IsEZhpWyJIIvYybqS4s1/T7BbvHPLVE +wlrq8A5DBIXcfuXrBbKoYkmpICGc2u1KYVGOZ9A+PH9z4Tr6OXFfXRnsbZToie8t +2Xjv/dZDdUDAqeW89I/mXg3k5x08m2nfGCQDm4gCanN1r5MT7ge56z0MkY3FFGCO +qRwspIEUzu1ZqGSTkG1eQiOYIrdOF5cc7n2APyvBIcfvp/W3cpTOEmEBJ7/14RnX +nHo0fcx61Inx/6ZxzKkW8BMdGGQF3tF6u2M0FjVN0lLH9S0ul1TgoOS56yEJ34hr +JSRTqHuar3t/xdCbKFZjyXFZFNsXVvgJu34CNLrHHTGJj9jiUfFnxWQYMo9UNUd4 +a3PPG1HnbG7LAjlvj5JlJ5aqO5gshdnqb9uIQeR2CdzcCJgklwRGCyDT1pm7eoiv +WV19YBd81vKulLzgPavu3kRRe83yl29It2hwQ9FMs5w6ZV/X6ciTKo3etkX9nBD9 +ZzJPsGQsBUy7CzO1jK4W01+u3ItmQS+1s4xtcFxdFY8o/q1zoqBlxpe5MQIWN6Qa +lryiET74gMHE/S5WrPlsq/gehxsdgc6GDUXG4dk8vn6OUMa6wb5wRO3VXGEc67IY +m4mDFTYiPvLaFOxtndlUWuCruKcCAwEAAaOBpzCBpDAMBgNVHRMEBTADAQH/MB0G +A1UdDgQWBBSDkIaYhLVZTwyLNTetNB2qV0gkVDBoBgNVHSMEYTBfgBSDkIaYhLVZ +TwyLNTetNB2qV0gkVKFEpEIwQDELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFByb3Rv +blZQTiBBRzEaMBgGA1UEAxMRUHJvdG9uVlBOIFJvb3QgQ0GCAQEwCwYDVR0PBAQD +AgEGMA0GCSqGSIb3DQEBDQUAA4ICAQCYr7LpvnfZXBCxVIVc2ea1fjxQ6vkTj0zM +htFs3qfeXpMRf+g1NAh4vv1UIwLsczilMt87SjpJ25pZPyS3O+/VlI9ceZMvtGXd +MGfXhTDp//zRoL1cbzSHee9tQlmEm1tKFxB0wfWd/inGRjZxpJCTQh8oc7CTziHZ +ufS+Jkfpc4Rasr31fl7mHhJahF1j/ka/OOWmFbiHBNjzmNWPQInJm+0ygFqij5qs +51OEvubR8yh5Mdq4TNuWhFuTxpqoJ87VKaSOx/Aefca44Etwcj4gHb7LThidw/ky +zysZiWjyrbfX/31RX7QanKiMk2RDtgZaWi/lMfsl5O+6E2lJ1vo4xv9pW8225B5X +eAeXHCfjV/vrrCFqeCprNF6a3Tn/LX6VNy3jbeC+167QagBOaoDA01XPOx7Odhsb +Gd7cJ5VkgyycZgLnT9zrChgwjx59JQosFEG1DsaAgHfpEl/N3YPJh68N7fwN41Cj +zsk39v6iZdfuet/sP7oiP5/gLmA/CIPNhdIYxaojbLjFPkftVjVPn49RqwqzJJPR +N8BOyb94yhQ7KO4F3IcLT/y/dsWitY0ZH4lCnAVV/v2YjWAWS3OWyC8BFx/Jmc3W 
+DK/yPwECUcPgHIeXiRjHnJt0Zcm23O2Q3RphpU+1SO3XixsXpOVOYP6rJIXW9bMZ +A1gTTlpi7A== +-----END CERTIFICATE----- diff --git a/roles/protonvpn/handlers/main.yml b/roles/protonvpn/handlers/main.yml new file mode 100644 index 0000000..3e98587 --- /dev/null +++ b/roles/protonvpn/handlers/main.yml @@ -0,0 +1,3 @@ +- name: reload strongswan config + command: + swanctl --load-all diff --git a/roles/protonvpn/meta/main.yml b/roles/protonvpn/meta/main.yml new file mode 100644 index 0000000..c8e2185 --- /dev/null +++ b/roles/protonvpn/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- strongswan-swanctl diff --git a/roles/protonvpn/tasks/main.yml b/roles/protonvpn/tasks/main.yml new file mode 100644 index 0000000..dd9ee60 --- /dev/null +++ b/roles/protonvpn/tasks/main.yml @@ -0,0 +1,18 @@ +- name: ensure protonvpn ca certificate is installed + copy: + src: ProtonVPN_ike_root.pem + dest: /etc/strongswan/swanctl/x509ca/ + mode: '0644' + notify: reload strongswan config + tags: + - strongswan-cacert + +- name: ensure protonvpn configuration is set + template: + src: protonvpn.conf.j2 + dest: /etc/strongswan/swanctl/conf.d/protonvpn.conf + mode: '0640' + notify: reload strongswan config + tags: + - strongswan-config + - protonvpn-config diff --git a/roles/protonvpn/templates/protonvpn.conf.j2 b/roles/protonvpn/templates/protonvpn.conf.j2 new file mode 100644 index 0000000..50ba0ed --- /dev/null +++ b/roles/protonvpn/templates/protonvpn.conf.j2 @@ -0,0 +1,30 @@ +connections { + protonvpn { + local_addrs = %defaultroute + remote_addrs = {{ protonvpn_server }} + vips = 0.0.0.0,:: + local { + auth = eap-mschapv2 + eap_id = {{ protonvpn_username }} + } + remote { + auth = pubkey + } + children { + dpd_delay = 30s + protonvpn { + remote_ts = {{ protonvpn_tunnel }} + start_action = start + close_action = start + dpd_action = start + } + } + } +} + +secrets { + eap-protonvpn { + id = {{ protonvpn_username }} + secret = {{ protonvpn_password }} + } +} 
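Review bot: In the protonvpn.conf.j2 hunk, `dpd_delay = 30s` sits inside `children { }`, but as far as I recall swanctl.conf defines `dpd_delay` (and `dpd_timeout`) at the connection level, so charon most likely ignores it here, DPD stays at its default of disabled, and `dpd_action = start` never fires; move it up one level beside `vips = 0.0.0.0,::`. `remote { auth = pubkey }` carries no `id`, so the peer only has to present a certificate chaining to whatever is in x509ca — and because the client side authenticates with EAP-MSCHAPv2, the server's identity is all that protects the credentials from a mis-issued or compromised intermediate, so pin it with `id = {{ protonvpn_server }}` (assuming ProtonVPN's server certificates carry the hostname, which I cannot confirm from here). The `eap_id`, `id` and `secret` values are interpolated unquoted; a password containing `#`, `"` or whitespace would truncate or corrupt the rendered file, so write `secret = "{{ protonvpn_password }}"` (swanctl.conf accepts double-quoted values) and likewise for the identity.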
diff --git a/roles/strongswan-swanctl/tasks/main.yml b/roles/strongswan-swanctl/tasks/main.yml new file mode 100644 index 0000000..3fb1dac --- /dev/null +++ b/roles/strongswan-swanctl/tasks/main.yml @@ -0,0 +1,15 @@ +- name: ensure strongswan is installed + package: + name: strongswan + state: present + tags: + - install + +- name: ensure strongswan starts at boot + service: + name: strongswan + enabled: true +- name: ensure strongswan is running + service: + name: strongswan + state: started
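Review bot: The role installs only the `strongswan` package and enables `strongswan.service`, while the sibling protonvpn role writes under `/etc/strongswan/swanctl/`; that combination matches the Fedora/RHEL packaging layout, whereas on Debian/Ubuntu, as far as I recall, swanctl and the systemd charon ship separately (`strongswan-swanctl`, `charon-systemd`) and the config root is `/etc/swanctl`, so the play would succeed there without ever loading the connection. A comment at the top of the file stating the assumption, `# Assumes the Fedora/RHEL strongswan package (swanctl + charon-systemd, config under /etc/strongswan/swanctl)`, or a guard on `ansible_os_family`, would make that explicit. The two `service` tasks can also be collapsed into one with both `enabled: true` and `state: started`, which would also resolve the inconsistency that the install task carries a `tags` entry while the enable/start tasks carry none.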