diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
index e361834db..9b34f45a3 100644
--- a/roles/openvpn/tasks/main.yml
+++ b/roles/openvpn/tasks/main.yml
@@ -154,12 +154,21 @@
 # /etc/iiab/openvpn_handle to xscenet.net -- and
 # "systemctl restart openvpn@xscenet" was failing completely (no matter how
 # many times it was run) to transmit /etc/iiab/openvpn_handle to xscenet.net
+
+# 2018-09-02: OpenVPN had been starting tunnels by accident after reboot,
+# with new IIAB installs.  Fix below (https://github.com/iiab/iiab/pull/1079)
+# changes most all instances below from PARENT service "openvpn@xscenet" to
+# CHILD service "openpvn".  See these 2 critical files to understand why:
+#
+#    /etc/default/openvpn
+#    /etc/openvpn/xscenet.conf
+
 - name: Enable & (Re)Start PARENT service openvpn, which (re)starts CHILD service openvpn@xscenet (& actual tunnel)
   systemd:
     name: openvpn
     daemon_reload: yes
     enabled: yes
-    state: restarted
+    state: restarted    # 2018-09-02: Should we be concerned that "systemctl status openvpn" often shows "active (exited)" ?  If so we might consider "state: started" or "state: reloaded" instead?
   when: openvpn_enabled
 
 - name: Enable hourly cron job for OpenVPN (starts CHILD service openvpn@xscenet, typically for CentOS only?)