diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index 860a329..259464b 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@@ -31,25 +31,20 @@
 groups: algo
 home: '/var/jail/{{ item }}'
 createhome: yes
- generate_ssh_key: yes
+ generate_ssh_key: false
 shell: /bin/false
- ssh_key_type: ecdsa
- ssh_key_bits: 256
- ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
- ssh_key_passphrase: "{{ p12_export_password }}"
- update_password: on_create
 state: present
 append: yes
 with_items: "{{ users }}"
 tags: update-users
 
 - name: The authorized keys file created
- file:
- src: '/var/jail/{{ item }}/.ssh/id_ecdsa.pub'
- dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
- owner: "{{ item }}"
- group: "{{ item }}"
- state: link
+ authorized_key:
+ user: "{{ item }}"
+ key: "{{ lookup('file', 'configs/' + IP_subject_alt_name + '/pki/public/' + item + '.pub') }}"
+ state: present
+ manage_dir: true
+ exclusive: true
 with_items: "{{ users }}"
 tags: update-users
 
@@ -57,15 +52,6 @@
 shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
 register: ssh_fingerprints
 
- - name: Fetch users SSH private keys
- fetch:
- src: '/var/jail/{{ item }}/.ssh/id_ecdsa'
- dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem
- flat: yes
- mode: "0600"
- with_items: "{{ users }}"
- tags: update-users
-
 - name: Fetch the known_hosts file
 local_action:
 module: template
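Review bot: The new `authorized_key` task installs each user's key without `key_options`, so the jailed accounts (shell `/bin/false`, meant only for tunneling) also keep PTY, agent-forwarding and X11-forwarding rights unless sshd_config already restricts them in a Match block that is outside this diff; `key_options: 'no-pty,no-agent-forwarding,no-X11-forwarding'` on the task pins that restriction to the key itself. The `key` lookup reads `configs/<ip>/pki/public/<user>.pub` on the controller, which only exists after the vpn role's `openssl_publickey` task has run, so the role now has a hard ordering dependency that deserves a comment above the task, e.g. `# Requires the vpn role to have run first: keys come from configs/{{ IP_subject_alt_name }}/pki/public/`. Minor style: `generate_ssh_key: false` now sits beside `createhome: yes` and `append: yes` in the same task; use `true`/`false` for all three.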
@@ -83,20 +69,21 @@
 tags: update-users
 with_items: "{{ users }}"
 
- - name: SSH | Get active system users
- shell: >
- getent group algo | cut -f4 -d: | sed "s/,/\n/g"
- register: valid_users
+ - name: Get active users
+ getent:
+ database: group
+ key: algo
+ split: ':'
 tags: update-users
 
- - name: SSH | Delete non-existing users
+ - name: Delete non-existing users
 user:
 name: "{{ item }}"
 state: absent
 remove: yes
 force: yes
 when: item not in users
- with_items: "{{ valid_users.stdout_lines | default('null') }}"
+ with_items: "{{ getent_group['algo'][2].split(',') }}"
 tags: update-users
 rescue:
 - debug: var=fail_hint
diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml
index 51b06bf..a7e3ea0 100644
--- a/roles/vpn/defaults/main.yml
+++ b/roles/vpn/defaults/main.yml
@@ -34,6 +34,7 @@ ipv6_support: false
 dns_encryption: true
 domain: false
 subjectAltName_IP: "IP:{{ IP_subject_alt_name }}"
+subjectAltName_USER: "{% if '@' in item %}email:{{ item }}{% else %}DNS:{{ item }}{% endif %}"
 openssl_bin: openssl
 strongswan_enabled_plugins:
 - aes
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 2a7a90b..27be701 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -1,10 +1,10 @@
 ---
 - block:
- - name: Ensure that the strongswan group exist
- group: name=strongswan state=present
-
- - name: Ensure that the strongswan user exist
- user: name=strongswan group=strongswan state=present
+ - name: Include WireGuard role
+ include_role:
+ name: wireguard
+ tags: wireguard
+ when: wireguard_enabled and ansible_distribution == 'Ubuntu'
 
 - include_tasks: ubuntu.yml
 when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml
index acd966c..a817597 100644
--- a/roles/vpn/tasks/openssl.yml
+++ b/roles/vpn/tasks/openssl.yml
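Review bot: `with_items: "{{ getent_group['algo'][2].split(',') }}"` produces `['']` when the algo group has no members, so the `Delete non-existing users` task below it runs once with `name: ""` (the empty string is never in `users`) instead of skipping, and the `user` module will then fail rather than no-op. Drop the empty element before looping, `with_items: "{{ getent_group['algo'][2].split(',') | select | list }}"`, or extend the guard to `when: item not in users and item | length > 0`. This assumes index 2 of the split group entry is the member list, which matches the `split: ':'` layout but is worth a one-line comment on the `getent` task since the index is otherwise opaque.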
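Review bot: `subjectAltName_USER` references the loop variable `item`, so this role default can only be rendered inside a task that iterates over `users`; anywhere else it raises an undefined-variable error at render time, which nothing about the name or its neighbours (`subjectAltName_IP` is self-contained) suggests. A comment above it would spare the next reader a debugging round, e.g. `# Only meaningful inside a with_items loop over users: item is the username (DNS SAN) or e-mail address (email SAN)`.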
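Review bot: `user = strongswan` in `roles/vpn/templates/strongswan.conf.j2` (hunk further down, which only changes `group` to `nogroup`) still requires the `strongswan` account that this hunk stops creating; unless `ubuntu.yml` or the distribution package creates it, charon's privilege drop fails at start-up on a fresh host, which would not surface until the VPN is first used. If the package is being relied on, say so next to the include, e.g. `# The strongswan user is provided by the distribution package; strongswan.conf.j2 drops privileges to it`. Separately, `server.yml` and `users.yml` (hunks below) keep `- role: wireguard` with `when: wireguard_enabled` in the play's roles list, so on Ubuntu the added `include_role: wireguard` appears to run the role a second time; and `tags: wireguard` on a dynamic `include_role` applies to the include task itself, not to the included tasks, unless `apply: {tags: [wireguard]}` is added.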
@@ -16,12 +16,14 @@ dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}" state: directory recurse: yes + mode: '0700' with_items: - ecparams - certs - crl - newcerts - private + - public - reqs - name: Ensure the files exist @@ -42,6 +44,7 @@ - name: Build the CA pair shell: > + umask 077; {{ openssl_bin }} ecparam -name secp384r1 -out ecparams/secp384r1.pem && {{ openssl_bin }} req -utf8 -new -newkey ec:ecparams/secp384r1.pem @@ -70,6 +73,7 @@ - name: Build the server pair shell: > + umask 077; {{ openssl_bin }} req -utf8 -new -newkey ec:ecparams/secp384r1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) @@ -92,9 +96,10 @@ - name: Build the client's pair shell: > + umask 077; {{ openssl_bin }} req -utf8 -new -newkey ec:ecparams/secp384r1.pem - -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) + -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}")) -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ CA_password }}" @@ -102,7 +107,7 @@ {{ openssl_bin }} ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt - -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) + -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}")) -days 3650 -batch -passin pass:"{{ CA_password }}" -subj "/CN={{ item }}" && 
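Review bot: `mode: '0700'` together with the existing `recurse: yes` is applied to every file under `configs/<ip>/pki/` as well as to the directories, so keys, certificates and the new `public/*.pub` all end up `0700`, i.e. marked executable; a symbolic mode, `mode: 'u=rwX,go='`, gives directories `0700` and regular files `0600`. The added `public` directory inherits the same closed mode, which looks intentional since only the playbook reads the `.pub` files via `lookup('file', …)`, but a short comment on the task stating that the whole pki tree is controller-private would make the choice explicit.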
@@ -113,8 +118,24 @@ executable: bash with_items: "{{ users }}" + - name: Create links for the private keys + file: + src: "pki/private/{{ item }}.key" + dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem" + state: link + force: true + with_items: "{{ users }}" + + - name: Build openssh public keys + openssl_publickey: + path: "configs/{{ IP_subject_alt_name }}/pki/public/{{ item }}.pub" + privatekey_path: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.key" + format: OpenSSH + with_items: "{{ users }}" + - name: Build the client's p12 shell: > + umask 077; {{ openssl_bin }} pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key @@ -149,7 +170,7 @@ - name: Revoke non-existing users shell: > {{ openssl_bin }} ca -gencrl - -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) + -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}")) -passin pass:"{{ CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt diff --git a/roles/vpn/templates/strongswan.conf.j2 b/roles/vpn/templates/strongswan.conf.j2 index b658ac0..7fcf9ef 100644 --- a/roles/vpn/templates/strongswan.conf.j2 +++ b/roles/vpn/templates/strongswan.conf.j2 @@ -10,7 +10,7 @@ charon { include strongswan.d/charon/*.conf } user = strongswan - group = strongswan + group = nogroup {% if ansible_distribution == 'FreeBSD' %} filelog { /var/log/charon.log { diff --git a/server.yml b/server.yml index 4f8ad7c..b6e8340 100644 --- a/server.yml +++ b/server.yml @@ -16,14 +16,14 @@ - role: dns_adblocking when: algo_local_dns tags: dns_adblocking - - role: ssh_tunneling - when: algo_ssh_tunneling - tags: ssh_tunneling - role: wireguard when: wireguard_enabled tags: wireguard - role: vpn tags: vpn + - role: ssh_tunneling + when: algo_ssh_tunneling + tags: ssh_tunneling post_tasks: - block: diff --git a/users.yml b/users.yml index 36f162f..bb93494 100644 --- a/users.yml +++ b/users.yml 
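Review bot: One secp384r1 key now serves as both the IPsec client-certificate key and the user's SSH identity, because `Create links for the private keys` points `configs/<ip>/<user>.ssh.pem` at `pki/private/<user>.key` and `Build openssh public keys` derives the OpenSSH public key from that same file; compromise or rotation of either credential therefore affects both, which deserves a comment above the link task (e.g. `# The VPN client key doubles as the SSH key for the tunneling jail; rotating one rotates both`) and, ideally, a separate key per purpose. `force: true` on the link replaces the regular `.ssh.pem` file that the removed `fetch` task used to write, which is the intended migration but changes the file type under users who already copied it — worth a line in the change description. `openssl_publickey` with `format: OpenSSH` depends, as far as I recall, on the Python `cryptography` library being present on the controller; if nothing in the role checks for it, a failure here leaves the ssh_tunneling role's `authorized_key` lookup with no file to read.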
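Review bot: The ordering dependency this reorder introduces — `ssh_tunneling` must now run after `vpn` because its `authorized_key` task reads `configs/<ip>/pki/public/<user>.pub` written by the vpn role — is not recorded anywhere in the roles list, so a future re-sort would break it silently; add a comment above the moved entry, e.g. `# Must run after vpn: authorized keys are read from configs/{{ IP_subject_alt_name }}/pki/public/`. The same applies to the `users.yml` hunk below, where the entry is moved in the same way.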
@@ -60,13 +60,13 @@ roles: - role: common - - role: ssh_tunneling - when: algo_ssh_tunneling - role: wireguard tags: [ 'vpn', 'wireguard' ] when: wireguard_enabled - role: vpn tags: vpn + - role: ssh_tunneling + when: algo_ssh_tunneling post_tasks: - block: