diff --git a/config.cfg b/config.cfg
index f2374d1..0252cc1 100644
--- a/config.cfg
+++ b/config.cfg
@@ -22,6 +22,9 @@ dns_servers:
- 8.8.4.4
- 2001:4860:4860::8888
- 2001:4860:4860::8844
+
+# IP address for proxy and local dns resolver
+local_service_ip: 172.16.0.1
users:
- mr.smith
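Review bot: The comment on `local_service_ip` should state that the value has to be an IPv4 literal, because the templates that consume it splice it unbracketed into host:port positions — `listen-address {{ local_service_ip }}:8118` in privoxy_config.j2 and `Listen {{ local_service_ip }}:8080` in ports.conf.j2 — where an IPv6 address would need the `[addr]:port` form that privoxy's own commented example shows. The IPv6 half of the resolver address also stays a literal after this change (`FCAA::1` in the dnsmasq.conf.j2 listen-address, `fcaa::1` in the rule removed from rules.v6.j2, and presumably the `inet6 static` stanza of 10-loopback-services.cfg.j2, whose address line is outside the hunk), so editing this one variable leaves the two halves out of step; either a sibling variable for the IPv6 address or a comment pointing at the fixed one would make that explicit. Suggested comment: `# IPv4 address for the proxy and local DNS resolver, bound to lo:100; it is used unbracketed as host:port in templates, so an IPv6 literal is not valid here (the IPv6 side is still fixed at fcaa::1 in the templates)`. Separately, the ipsec.conf.j2 hunk inverts the `service_dns` test so that an undefined `service_dns` now pushes the upstream `dns_servers` to clients instead of this address; if `service_dns` is not set in this file (not visible in the hunk), that change of default deserves a line here as well.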
diff --git a/roles/common/templates/10-loopback-services.cfg.j2 b/roles/common/templates/10-loopback-services.cfg.j2
index c5c47e4..09f572d 100644
--- a/roles/common/templates/10-loopback-services.cfg.j2
+++ b/roles/common/templates/10-loopback-services.cfg.j2
@@ -1,6 +1,6 @@
auto lo:100
iface lo:100 inet static
- address 172.16.0.1
+ address {{ local_service_ip }}
netmask 255.255.255.255
iface lo:100 inet6 static
diff --git a/roles/dns_adblocking/templates/dnsmasq.conf.j2 b/roles/dns_adblocking/templates/dnsmasq.conf.j2
index 316f11a..69c317e 100644
--- a/roles/dns_adblocking/templates/dnsmasq.conf.j2
+++ b/roles/dns_adblocking/templates/dnsmasq.conf.j2
@@ -110,7 +110,7 @@ group=nogroup
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
-listen-address=172.16.0.1,127.0.0.1,FCAA::1
+listen-address=127.0.0.1,FCAA::1,{{ local_service_ip }}
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
diff --git a/roles/proxy/templates/ports.conf.j2 b/roles/proxy/templates/ports.conf.j2
index 2618436..eb6be22 100644
--- a/roles/proxy/templates/ports.conf.j2
+++ b/roles/proxy/templates/ports.conf.j2
@@ -2,12 +2,12 @@
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
-Listen 172.16.0.1:8080
+Listen {{ local_service_ip }}:8080
- Listen 172.16.0.1:443
+ Listen {{ local_service_ip }}:443
- Listen 172.16.0.1:443
+ Listen {{ local_service_ip }}:443
diff --git a/roles/proxy/templates/privoxy_config.j2 b/roles/proxy/templates/privoxy_config.j2
index dd55f0f..485734c 100644
--- a/roles/proxy/templates/privoxy_config.j2
+++ b/roles/proxy/templates/privoxy_config.j2
@@ -781,7 +781,7 @@ logfile logfile
# listen-address [::1]:8118
#
#
-listen-address 172.16.0.1:8118
+listen-address {{ local_service_ip }}:8118
#
# 4.2. toggle
# ============
@@ -1256,7 +1256,7 @@ enable-proxy-authentication-forwarding 0
# forward / parent-proxy.example.org:8000
# forward ipv6-server.example.org .
# forward <[2-3][0-9a-f][0-9a-f][0-9a-f]:*> .
-forward / 172.16.0.1:8080
+forward / {{ local_service_ip }}:8080
forward :443 .
#
#
diff --git a/roles/security/templates/rules.v4.j2 b/roles/security/templates/rules.v4.j2
index 46fbe85..c8dc1de 100644
--- a/roles/security/templates/rules.v4.j2
+++ b/roles/security/templates/rules.v4.j2
@@ -1,9 +1,6 @@
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-{% if dns_enabled is defined and dns_enabled == "Y" %}
--A PREROUTING -s {{ vpn_network }} -p udp -m udp --dport 53 -j DNAT --to-destination 172.16.0.1:53
-{% endif %}
-A POSTROUTING -s {{ vpn_network }} -m policy --pol none --dir out -j MASQUERADE
COMMIT
*filter
@@ -22,8 +19,8 @@ COMMIT
# The IP of the resolver should be bound to a DUMMY interface.
# DUMMY interfaces are the proper way to install IPs without assigning them any
# particular virtual (tun,tap,...) or physical (ethernet) interface.
--A INPUT -d 172.16.0.1 -p udp --dport 53 -j ACCEPT
--A INPUT -d 172.16.0.1 -p tcp -m multiport --dport 8080,8118 -j ACCEPT
+-A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT
+-A INPUT -d {{ local_service_ip }} -p tcp -m multiport --dport 8080,8118 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
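Review bot: The two re-templated INPUT rules accept UDP 53 and TCP 8080/8118 to `{{ local_service_ip }}` from any source, while `vpn_network` is already available in this template (it is used in the POSTROUTING rule of the `*nat` hunk above); adding a source match to both would limit the resolver and proxy to VPN clients: `-A INPUT -s {{ vpn_network }} -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT` and `-A INPUT -s {{ vpn_network }} -d {{ local_service_ip }} -p tcp -m multiport --dport 8080,8118 -j ACCEPT`. Whether anything other than VPN traffic can currently reach the lo:100 address depends on the chain's default policy and the rules above this hunk, which are not visible, so this is a least-privilege tightening rather than a fix for a demonstrated hole. Note also that with the PREROUTING DNAT for port 53 removed in the first hunk of this file (and in rules.v6.j2), only clients that honour the pushed `rightdns` reach this rule; a client with a hard-coded resolver now leaves through FORWARD/MASQUERADE instead of being redirected to the local resolver, which is worth stating in the commit message if it is intended.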
diff --git a/roles/security/templates/rules.v6.j2 b/roles/security/templates/rules.v6.j2
index 14449cf..a0c38e8 100644
--- a/roles/security/templates/rules.v6.j2
+++ b/roles/security/templates/rules.v6.j2
@@ -1,9 +1,6 @@
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-{% if dns_enabled is defined and dns_enabled == "Y" %}
--A PREROUTING -s {{ vpn_network_ipv6 }} -p udp -m udp --dport 53 -j DNAT --to-destination fcaa::1:53
-{% endif %}
-A POSTROUTING -s {{ vpn_network_ipv6 }} -m policy --pol none --dir out -j MASQUERADE
COMMIT
*filter
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
index 94ccdfc..203e1ef 100644
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@@ -13,5 +13,5 @@
- "# Config files and certificates are in the ./configs/ directory. #"
- "# Go to https://www.dnsleaktest.com/ after connecting #"
- "# and ensure that all your traffic passes through the VPN. #"
- - "# Local DNS resolver and Proxy IP address: 172.16.0.1 #"
+ - "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}"
- "#----------------------------------------------------------------------#"
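Review bot: The new banner line drops the trailing ` #` that every other line of this box keeps (`... through the VPN. #`, `#----...----#`), so the right border breaks on this row; restore it with `- "# Local DNS resolver and Proxy IP address: {{ local_service_ip }} #"`. Exact column alignment can no longer be guaranteed in the template because the address is variable-length, but the closing `#` at least keeps the box shape. Keeping the Jinja expression inside the double-quoted string is correct — an unquoted value beginning with `#` or `{{` would be read as a comment or a flow mapping by the YAML parser before Ansible renders it.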
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index cd00596..e0bec01 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@@ -23,10 +23,10 @@ conn %default
right=%any
rightauth=pubkey
rightsourceip={{ vpn_network }},{{ vpn_network_ipv6 }}
-{% if service_dns is defined and service_dns == "N" %}
- rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
-{% else %}
- rightdns=172.16.0.1
+{% if service_dns is defined and service_dns == "Y" %}
+ rightdns={{ local_service_ip }}
+{% else %}
+ rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
{% endif %}