diff --git a/roles/dch-proxy/tasks/main.yml b/roles/dch-proxy/tasks/main.yml
index ee5b9ff..5bd1417 100644
--- a/roles/dch-proxy/tasks/main.yml
+++ b/roles/dch-proxy/tasks/main.yml
@@ -25,3 +25,10 @@
 dest=/etc/haproxy/70-backend-jenkins.cfg
 mode=0644
 notify: reload haproxy
+
+- name: ensure openvpn haproxy backend is configured
+ template:
+ src=backend-openvpn.haproxy.cfg.j2
+ dest=/etc/haproxy/70-backend-openvpn.cfg
+ mode=0644
+ notify: reload haproxy
diff --git a/roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2 b/roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2
new file mode 100644
index 0000000..42fef03
--- /dev/null
+++ b/roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2
@@ -0,0 +1,3 @@
+backend openvpn
+ mode tcp
+ server openvpn 172.30.0.1:9876 check
diff --git a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2 b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
index ef0ee79..bb43f39 100644
--- a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
@@ -20,4 +20,5 @@ frontend main-tls
 use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.net }
 use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.blue }
 use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.net }
- default_backend myala-tls
+ use_backend myala-tls if { req_ssl_sni -i darkchestofwonders.us }
+ default_backend openvpn
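Review bot: In backend-openvpn.haproxy.cfg.j2 the `server openvpn 172.30.0.1:9876 check` line hard-codes the address and port inside a Jinja template, so it cannot be overridden per host or environment. A role variable with this value as its default would keep it in one place, e.g. `server openvpn {{ openvpn_backend_addr | default('172.30.0.1:9876') }} check` (the variable name is a placeholder). Because the backend is `mode tcp`, the OpenVPN daemon will presumably see the proxy's address as the peer for every session, so the real client IP survives only in haproxy's own connection log. It is worth confirming that TCP logging is enabled on the frontend, which is outside this diff. The backend also sets no `timeout server` or `timeout tunnel`, so if the defaults section (not visible here) uses short HTTP-style timeouts, idle VPN sessions could be cut.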
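Review bot: With `default_backend openvpn` in frontend-main.haproxy.cfg.j2, every connection that matches no SNI rule (a TLS client sending no SNI, an unlisted hostname, or unsolicited scanner traffic) is now handed to the OpenVPN listener instead of a web backend. That includes any name that previously reached myala-tls only through the default, for instance a `www.` variant if one is in use, since the new rule matches `darkchestofwonders.us` exactly. Keeping a TLS catch-all ahead of the default, such as `use_backend myala-tls if { req_ssl_hello_type 1 }` after the SNI rules, would leave only non-TLS streams for the VPN backend. The frontend's `tcp-request` lines are outside the hunk, so check that the inspect delay there suits clients that never send a ClientHello. Since the VPN port is now the fall-through, the OpenVPN server should have `tls-auth` or `tls-crypt` enabled so unauthenticated probes are dropped early.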