diff --git a/handlers/main.yml b/handlers/main.yml
index 53894b2de6d863ff5cb093baf10ed86018183f6b..6023af077ee60899330d53ace320889bae0ece46 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -33,3 +33,8 @@
   service:
     name: systemd-timesyncd
     state: restarted
+
+- name: Restart stunnel
+  service:
+    name: '{{ stunnel_server[ansible_os_family] }}'
+    state: restarted
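Review bot: The new handler looks up `stunnel_server[ansible_os_family]`, but the vars/main.yml hunk in this same commit defines the map as `stunnel_service`. Unless `stunnel_server` is defined elsewhere in the role, the handler will fail with an undefined variable when notified, and stunnel keeps running with its old configuration after the TLS settings change. The line should read `name: '{{ stunnel_service[ansible_os_family] }}'`.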
diff --git a/tasks/main.yml b/tasks/main.yml
index b849f6eec832ab6edd45ea6d4a27a0caef1f141b..85e298a6cdaea5a18ea48bf2ed2beafd4f5f6453 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -56,5 +56,8 @@
 - include: lock_root.yml
   when: lock_root|default(True) and not common_role_finished is defined
 
+- include: stunnel.yml
+  when: stunnel|default(True) and not common_role_finished is defined
+
 - set_fact:
     common_role_finished: True
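Review bot: The include condition `stunnel|default(True)` makes stunnel opt-out, so every host that applies this role gets the package installed. It also gets the stunnel account added to `ssl-cert` by tasks/stunnel.yml, which presumably grants read access to the TLS private key. If only some hosts need a tunnel, an opt-in default keeps that key access off the rest: `when: stunnel|default(False) and not common_role_finished is defined`. If the default is intentional, a comment above the include saying so would help.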
diff --git a/tasks/stunnel.yml b/tasks/stunnel.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ae5652cab2f00cfac7d0a74e8058d1c18b298626
--- /dev/null
+++ b/tasks/stunnel.yml
@@ -0,0 +1,44 @@
+---
+
+- assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
+
+- name: apt install stunnel
+  when: ansible_pkg_mgr == 'apt'
+  apt:
+    name: stunnel4
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
+
+- name: pkg install stunnel
+  when: ansible_pkg_mgr == 'openbsd_pkg'
+  openbsd_pkg:
+    name: '{{ openbsd_stunnel_version[ansible_os_family] }}'
+    state: present
+
+- name: Configure stunnel
+  with_dict:
+    syslog: yes
+    key: '{{ tls_key_path }}'
+    cert: '{{ tls_cert_path }}'
+    CAfile: '{{ ca_store[ansible_os_family] }}'
+    ciphers: '!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1'
+    options: NO_SSLv2
+    options: NO_SSLv3
+  lineinfile:
+    dest: /etc/stunnel/stunnel.conf
+    line: '{{ item.key }} = {{ item.value }}'
+    regexp: '^{{ item.key }} ='
+    state: present
+  notify:
+  - Restart stunnel
+
+- name: Allow stunnel to access the TLS key
+  user:
+    name: '{{ stunnel_user[ansible_os_family] }}'
+    groups: ssl-cert
+    append: yes
+    state: present
+  notify:
+  - Restart stunnel
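Review bot: The `with_dict` mapping in "Configure stunnel" repeats the `options` key, and most YAML loaders keep only the last value, so `NO_SSLv2` is likely never written to stunnel.conf. Even with distinct entries, the `^options =` regexp would make each options line replace the other. Moving the protocol options into their own task that matches the full line, as below, keeps both. Separately, `openbsd_stunnel_version[ansible_os_family]` indexes a map whose keys in vars/main.yml are release numbers ('5.5' to '5.8'), so the lookup on 'OpenBSD' looks like it will fail; it probably needs the release variable instead.

```yaml
# … unchanged: "Configure stunnel" task, with the two options entries removed from with_dict …

- name: Disable legacy protocols in stunnel
  with_items:
    - NO_SSLv2
    - NO_SSLv3
  lineinfile:
    dest: /etc/stunnel/stunnel.conf
    line: 'options = {{ item }}'
    regexp: '^options = {{ item }}$'
    state: present
  notify:
  - Restart stunnel
```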
diff --git a/vars/main.yml b/vars/main.yml
index 427472d1d179e86f9d735c2918e7a98c35d868df..f8fc46b7036daffe502c44bc54b0fec2026b6796 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -31,7 +31,16 @@ openbsd_collectd_version:
     '5.7': 'collectd-5.4.1p1'
     '5.8': 'collectd-5.5.0p1'
 
+openbsd_stunnel_version:
+    '5.5': 'stunnel-4.56'
+    '5.6': 'stunnel-5.00p0'
+    '5.7': 'stunnel-5.06'
+    '5.8': 'stunnel-5.19'
+
 openbsd_pkg_mirror: http://www.mirrorservice.org/pub
+ca_store:
+    OpenBSD: /etc/ssl/cert.pem
+    Debian: /etc/ssl/certs/ca-certificates.crt
 update_ca_certificates:
     OpenBSD: /usr/local/sbin/update-ca-certificates
     Debian: /usr/sbin/update-ca-certificates
@@ -56,3 +65,9 @@ ntpd_service:
 aliases_file:
     OpenBSD: /etc/mail/aliases
     Debian: /etc/aliases
+stunnel_service:
+    OpenBSD: stunnel
+    Debian: stunnel4
+stunnel_user:
+    OpenBSD: _stunnel
+    Debian: stunnel4