diff --git a/defaults/main.yml b/defaults/main.yml
index d07d9b0..67c5495 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,8 @@
 ---
 openvpn_enabled: True
 openvpn_enable_system_forward: True
+# Only set when the protocol is tcp, anyway
+openvpn_disable_tcp_syn_cookie: True
 openvpn_management_enabled: False
 openvpn_management_ip: 127.0.0.1
 openvpn_management_port: 1195
@@ -35,6 +37,7 @@ openvpn_mode: server
 openvpn_dev: tun
 openvpn_port: 1194
 openvpn_protocol: udp
+openvpn_status_dir: '/run/openvpn'
 openvpn_server_net: '192.168.254.0 255.255.255.0'
 #openvpn_push_routes: []
 # - '192.168.253.0 255.255.255.0'
diff --git a/tasks/openvpn.yml b/tasks/openvpn.yml
index 708ba73..0a70564 100644
--- a/tasks/openvpn.yml
+++ b/tasks/openvpn.yml
@@ -123,6 +123,17 @@
 - not openvpn_is_master_host | bool
 tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
+- block:
+ - name: Ensure that the OpenVPN service is enabled and running
+ service: name=openvpn state=started enabled=yes
+ when: openvpn_enabled | bool
+
+ - name: Ensure that the OpenVPN service is stopped and disabled
+ service: name=openvpn state=stopped enabled=no
+ when: not openvpn_enabled | bool
+
+ tags: [ 'openvpn', 'openvpn_service' ]
+
 - block:
 - name: Enable kernel forwarding
 sysctl: name={{ item }} value=1 reload=yes state=present
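Review bot: `openvpn_disable_tcp_syn_cookie: True` as the default means every host that runs OpenVPN over TCP gets `net.ipv4.tcp_syncookies` switched off host-wide by tasks/openvpn.yml, which removes the kernel's SYN-flood mitigation for every TCP listener on that host, not only OpenVPN; a safer default is `openvpn_disable_tcp_syn_cookie: False`, with hosts that have a measured need opting in. The comment above it does not say what the variable does or what it costs; suggest `# When true and openvpn_protocol is 'tcp', set net.ipv4.tcp_syncookies=0 host-wide (weakens SYN-flood protection)`. Style: the new value, like the existing ones, uses the YAML 1.1 capitalised `True`; yamllint's truthy rule and Ansible style prefer lowercase `true`/`false`.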
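Review bot: `openvpn_status_dir: '/run/openvpn'` points the `status` directive in templates/client.conf.j2 and templates/server.conf.j2 at a tmpfs path, but no task in this diff creates that directory or sets its permissions; unless the distribution's packaging provides `/run/openvpn` (a tmpfiles.d entry or the unit's RuntimeDirectory, which I cannot confirm from here), openvpn will fail to open the status file, and the directory is gone again after every reboot. The status file lists connected clients by common name and address, so whatever creates the directory should keep it readable only by root (and by `openvpn_unprivileged_user` when `openvpn_run_unprivileged` is set). A `file: path={{ openvpn_status_dir }} state=directory mode=0750` task placed before the service block would make the role self-contained.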
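Review bot: The relocated service block now runs before the kernel forwarding and SYN-cookie sysctl blocks, so on a fresh host the daemon is started before `net.ipv4.ip_forward` is applied; with `reload=yes` the window is short, but if the intent was for the kernel settings to be in place before clients can connect, the block should stay after them. The moved tasks keep the `key=value` module-argument shorthand; Ansible's recommended form is nested YAML (`service:` with `name: openvpn`, `state: started`, `enabled: true` as child keys), which also avoids the `yes`/`no` booleans. The new `openvpn_service` tag lets `--tags openvpn_service` start the daemon without the configuration tasks having run, which is worth a line in the role documentation if intended. The `Enable kernel forwarding` block at the end of the hunk continues outside it.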
@@ -139,14 +150,23 @@
 - net.ipv4.ip_forward
 # - net.ipv6.conf.all.forwarding
 when: not openvpn_enable_system_forward
+ tags: [ 'openvpn', 'openvpn_kernel_forwarding' ]
- - name: Ensure that the OpenVPN service is enabled and running
- service: name=openvpn state=started enabled=yes
- when: openvpn_enabled | bool
+- block:
+ - name: Disable tcp syn cookies
+ sysctl: name={{ item }} value=0 reload=yes state=present
+ with_items:
+ - net.ipv4.tcp_syncookies
+ when:
+ - openvpn_disable_tcp_syn_cookie | bool
+ - openvpn_protocol == 'tcp'
- - name: Ensure that the OpenVPN service is stopped and disabled
- service: name=openvpn state=stopped enabled=no
- when: not openvpn_enabled | bool
+ - name: Enable tcp syn cookies
+ sysctl: name={{ item }} value=1 reload=yes state=present
+ with_items:
+ - net.ipv4.tcp_syncookies
+ when:
+ - not openvpn_disable_tcp_syn_cookie | bool or openvpn_protocol == 'udp'
- tags: openvpn
+ tags: [ 'openvpn', 'openvpn_kernel_syn_cookies' ]
diff --git a/templates/client.conf.j2 b/templates/client.conf.j2
index 27a23f4..a9ce6bd 100644
--- a/templates/client.conf.j2
+++ b/templates/client.conf.j2
@@ -29,6 +29,7 @@ tls-auth {{ openvpn_tls_auth }} 1
 key-direction 1
 cipher AES-256-CBC
 keepalive {{ openvpn_keepalive }}
+status {{ openvpn_status_dir }}/openvpn-status.log
 # Set log file verbosity.
 verb {{ openvpn_verbosity_log }}
 # Silence repeating messages
diff --git a/templates/openvpn.conf.j2 b/templates/openvpn.conf.j2
deleted file mode 100644
index f2bf690..0000000
--- a/templates/openvpn.conf.j2
+++ /dev/null
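Review bot: The SYN-cookie conditions compare `openvpn_protocol` against the literals `'tcp'` and `'udp'`, so the other values OpenVPN accepts (`tcp4`, `tcp6`, `tcp-server`, `udp6`) match neither task and leave the sysctl untouched, while only plain `'udp'` restores it; `openvpn_protocol.startswith('tcp')` in the first `when` and `not openvpn_protocol.startswith('tcp')` in the second would cover the whole family. The `Enable tcp syn cookies` task writes `net.ipv4.tcp_syncookies=1` into the persistent sysctl configuration of every host that is not in the disable case, which silently overrides any site value (for example `2`) an administrator set as SYN-flood hardening; restricting it to hosts where the role itself previously set `0`, or making it opt-in, keeps the role from owning a host-wide setting it only needs in TCP mode. The disable task likewise affects every TCP listener on the VPN host, not just OpenVPN, so the `True` default in defaults/main.yml deserves a second look. The `Enable kernel forwarding` block that receives the new tag starts outside the hunk.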
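Review bot: The client template now writes `{{ openvpn_status_dir }}/openvpn-status.log`, the identical path templates/server.conf.j2 uses, so a host that is ever configured for both modes would have two processes rewriting one file; a mode-specific name such as `status {{ openvpn_status_dir }}/openvpn-status-client.log` avoids the collision. Adding a `status` line is new behaviour for clients and depends on the directory existing on client hosts too, which no task in this diff guarantees; a one-line template comment stating that the directory must be provisioned (and kept non-world-readable, since the file carries peer addresses and traffic counters) would help the next maintainer. The rest of client.conf.j2 is outside the hunk.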
@@ -1,126 +0,0 @@
-mode {{ openvpn_mode }}
-dev {{ openvpn_dev }}
-
-port {{ openvpn_port }}
-proto {{ openvpn_protocol }}
-
-{% if openvpn_tls_server %}
-tls-server
-{% endif %}
-
-dh {{ openvpn_dh }}
-ca {{ openvpn_ca }}
-cert {{ openvpn_cert }}
-key {{ openvpn_key }}
-
-topology subnet
-
-server {{ openvpn_server_net }}
-
-ifconfig-pool-persist ipp/ipp.txt
-
-client-config-dir ccd
-# EXAMPLE: Suppose the client
-# having the certificate common name "Thelonious"
-# also has a small subnet behind his connecting
-# machine, such as 192.168.40.128/255.255.255.248.
-# First, uncomment out these lines:
-;client-config-dir ccd
-;route 192.168.40.128 255.255.255.248
-# Then create a file ccd/Thelonious with this line:
-# iroute 192.168.40.128 255.255.255.248
-# This will allow Thelonious' private subnet to
-# access the VPN. This example will only work
-# if you are routing, not bridging, i.e. you are
-# using "dev tun" and "server" directives.
-
-# EXAMPLE: Suppose you want to give
-# Thelonious a fixed VPN IP address of 10.9.0.1.
-# First uncomment out these lines:
-;client-config-dir ccd
-;route 10.9.0.0 255.255.255.252
-# Then add this line to ccd/Thelonious:
-# ifconfig-push 10.9.0.1 10.9.0.2
-
-# Suppose that you want to enable different
-# firewall access policies for different groups
-# of clients. There are two methods:
-# (1) Run multiple OpenVPN daemons, one for each
-# group, and firewall the TUN/TAP interface
-# for each group/daemon appropriately.
-# (2) (Advanced) Create a script to dynamically
-# modify the firewall in response to access
-# from different clients. See man
-# page for more info on learn-address script.
-;learn-address ./script
-
-{% for route in openvpn_push_routes %}
-push "route {{ route }}"
-{% endfor %}
-
-{% for route in openvpn_push_routes %}
-push "route {{ route }}"
-{% endfor %}
-
-{% if openvpn_push_settings is defined %}
-{% for dhcp_opt in openvpn_push_settings %}
-push "{{ dhcp_opt }}"
-{% endfor %}
-{% endif %}
-
-tls-auth {{ openvpn_tls_auth }}
-
-# Select a cryptographic cipher.
-# This config item must be copied to
-# the client config file as well.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
-cipher AES-256-CBC
-
-
-{% if openvpn_compression_enabled %}
-compress lz4-v2
-push "compress lz4-v2"
-{% endif %}
-
-keepalive {{ openvpn_keepalive }}
-
-{% if not openvpn_cert_auth_enabled %}
-# Disable cert-auth
-client-cert-not-required
-{% endif %}
-
-{% if openvpn_username_pam_auth %}
-username-as-common-name
-# PAM login
-plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
-{% endif %}
-
-{% if openvpn_ldap_auth %}
-plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
-{% endif %}
-
-{% if openvpn_ldap_perl_auth %}
-auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
-#script-security 3 execve
-{% endif %}
-
-max-clients {{ openvpn_max_clients }}
-
-persist-tun
-persist-key
-
-status status/openvpn-status.log
-
-{% if openvpn_run_unprivileged %}
-user {{ openvpn_unprivileged_user }}
-group {{ openvpn_unprivileged_group }}
-{% endif %}
-
-verb {{ openvpn_verbosity_log }}
-mute {{ openvpn_mute_after }}
-
-# Notify the client that when the server restarts so it
-# can automatically reconnect.
-explicit-exit-notify 1
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index d96d73f..bf53572 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
@@ -70,7 +70,7 @@ persist-key
 {% if openvpn_persist_tun %}
 persist-tun
 {% endif %}
-status status/openvpn-status.log
+status {{ openvpn_status_dir }}/openvpn-status.log
 {% if openvpn_run_unprivileged %}
 user {{ openvpn_unprivileged_user }}
 group {{ openvpn_unprivileged_group }}