Initial commit

AK/openvpn/ak/chris.conf

@@ -0,0 +1,257 @@
+##############################################
+# Sample client-side OpenVPN 2.0 config file #
+# for connecting to multi-client server.     #
+#                                            #
+# This configuration can be used by multiple #
+# clients, however each client should have   #
+# its own cert and key files.                #
+#                                            #
+# On Windows, you might want to rename this  #
+# file so it has a .ovpn extension           #
+##############################################
+
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Are we connecting to a TCP or
+# UDP server?  Use the same setting as
+# on the server
+proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+remote gw-ak.oopen.de 1194
+
+topology subnet
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# Server CA
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIGxjCCBK6gAwIBAgIJAOsCU4dMDXNfMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEPMA0GA1UEAxMG
+VlBOLUFLMQ8wDQYDVQQpEwZWUE4gQUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9v
+cGVuLmRlMCAXDTE4MDIwNjEyMTIxNVoYDzIwNTAwMjA2MTIxMjE1WjCBnDELMAkG
+A1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYD
+VQQKEwZvLm9wZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMT
+BlZQTi1BSzEPMA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bv
+b3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKYNRn3v3bgu
+7yd9rSSHGfKeKuCoT/KQg8054E0HB7zOjCpI3HMrK+UaA/BB47k82aj4zrGBz179
+Gw3E7EqlMXUeUfWa46FADakj6QrimSzaIctCy5bCHCogBV0HhVaMnTO6+GCoPuLP
+D779zJ/YzIO3476pWIVuK5AAgqobyGaJ5OPR0rUWrl1yQK48yYQfSbnU0IcchDny
+VS42E64k+TbOixg5dRHxr/8JQ6UbPHJWE5oePbm5Rx345jV2dU3QjfJTe8HtoUeL
+TwHsSE+JilWxq1ID4sEIY7+5bvaQCsjVUwim5XHg/8iv0ekHlwmFmz/ycQ1+xMcz
+NzBqpuZCqkY4NJHclZGwS5L1dEfaLLEAKueUbqFURsyMSoKb0N5S78Gf96E6PgJV
+De+YtbdxM3S3EAa0Y0NkukBHUGOPiBd9g2EnbW4GfKhsPPWMOWFANl22xupgt5SU
+HnqF71ofKCNi2Zkc32lJzbHQNIO86N52wI2E8F8iy9SJ2+969SsCxNhBKP8pRFaG
+9HSeRoi8nTsDcYczERlEb5qhA8+rWho4XpWgDXE4qrT0wmuMqoo1bTPCDsGSkzUe
+CdUD5/m174RVrnc0o+SyHLIGuS2XpU9KuPBLV4d8CzKakGLudUG/4ikntBZBW7hL
+IJOOGAv3kaWOj3GbfF/zNza2lC/WvMiXAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQU
+6meVlB1GjkS/l6QJvUA9ANnT7kAwgdEGA1UdIwSByTCBxoAU6meVlB1GjkS/l6QJ
+vUA9ANnT7kChgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4x
+DzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3
+b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQUsxDzANBgNVBCkTBlZQTiBBSzEd
+MBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDrAlOHTA1zXzAMBgNVHRME
+BTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAMzcwewxPfcS4H5YYlvYgmy4iCUson
+vz4RVsyQxinlmnBDMZc7YrkERSQ8O9GWq2Qzge0c0xaEMZxhrkosQi7mAL4JrFjr
+i1fWYYsocBd/6ZXNkro3uJ231RyOiNWGaFNc3kkorWeGlQmlJsYSK2jtEZtezTGu
+4yEHZwDLK7ArI1IydUAJ1K4k/P0YLsQw4fcMXtJF5GRpunwy2VGXBOF2WlIMHaMU
+XKpFDOZGlvnbshIoDuNhdTSVZ3UWkNQSfMnVjv1UDNsxleeJWIjpvB/wNDsIgMmd
+y4DWJzYO8p9w4bBq4GEdvhiL5tNFdHPRS3v42zAmsjvyJChUbFWApXRdb8p8dmtP
+qneRvgUKTc+03nv5z7bO653yzuxRCk/4g8SqMKC6qIMeKEOcG9ZDEGs3YJ3d2NMg
+OHSEkfXSJKGkQfaM3vORjF3zuC6ZFpNSYMMVctAwLfwu7q0YdOfIWPsUFgAtaePp
+JRDpVjbWGk+/WDVIWO/tVEFmy1xT7CPMEMgMbTGl1mGPezPBeAqgs4LXWlYgQfox
+K2BhLOD+YwlfvDUaJPhp10oJ6rhfnveTPhmhGslTZzaLYShP1Bg5J21gZf7+Wou7
+fwpliRLlB8gFk6czpGspmyGdTPjqXOvVxIqffmxRtzsMZJSEJWV/6023AxQdnFz2
+U7OFfF99B7LFVw==
+-----END CERTIFICATE-----
+</ca>
+
+# Client Certificate
+<cert>
+-----BEGIN CERTIFICATE-----
+MIIHIjCCBQqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEP
+MA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
+Fw0xODAyMDYxMzM3NTRaFw0zODAyMDYxMzM3NTRaMIGiMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEVMBMGA1UEAxMMVlBOLUFLLWNo
+cmlzMQ8wDQYDVQQpEwZWUE4gQUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAm9o3YQBBbQtW48vI
+VigK2757feiRej46t4mRxAERSB3J+XAookCyrouPslZ1eV+yb5Yf4riDwXWz+dJC
+RKLGA0jFCRf8dxPPOqeyczkQB7k7oCjo2oIHhxeGk5W/+l0qOWiMbtWO/ZvObCgT
+ijPwarQXBz/RfaWl/KDjJnNJCrrXhG+kU+zv5xc7yrad0ohCFtzAUN5e0sWIuSjw
+A9dehs28WX7i1tWj7c+X3trgzcgNlvoGxbxtedBlq2717qmI3Y77LHZIcxC3WosF
+rJLfzqfImOLEEKFK95u4wLlZlJ2olVlJ4ckp1p4Z97Soqp6SBLplEUi7+C7sCKSz
+Ny4u0tZKzvzeFRh4NJe5luPBmPkPZ33qTRK68n/0nmGB5GHf7lXWF7NLwBuvMJ9/
+p5OBZhQtCH6DXddXXCHyQ0nfUJpYLfizy9VakQyQR1njXniCk2zbgn4iclxHjtlJ
+Kmme2PFwN9BpggVCEgLX8ni5iOr+kprVILTbiuhU62EmBd0xWbLhk5pDgsBV/9SM
+0Lq99sSaWHMUO5aqAf4tyX/3tZMupxl/YKsB57EqGqJOhabZe5J6zuPeUKyPZdVt
+nV4r0YbeByJWGAVSV4XKziWAaS83dNzKPkLZBffEWncm0+xSLgJSYQDEBqj6TSNC
+g3Ywbz1OeqYX/l4GpYehN9r7vIcCAwEAAaOCAWUwggFhMAkGA1UdEwQCMAAwLQYJ
+YIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
+HQ4EFgQULsSnl6CMeLmzJQ6wxK6kQGqCpz8wgdEGA1UdIwSByTCBxoAU6meVlB1G
+jkS/l6QJvUA9ANnT7kChgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
+ZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQL
+ExBOZXR3b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQUsxDzANBgNVBCkTBlZQ
+TiBBSzEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDrAlOHTA1zXzAT
+BgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEAYDVR0RBAkwB4IFY2hy
+aXMwDQYJKoZIhvcNAQELBQADggIBAGfnOVfi7lZodG1UTw0dwcMhOkzv4zFArpvn
+rxwj6lji+pf+4wG4MroLCxlJA5LTht/lV9fVUQAoURH9I+ihUUcoBilKF8WTOrhf
+kVipTa+QfcoV4AM+oC4bibrLkY/tUHp7p45USFQ2kh2BaweL+nPhFjA8rSqStxUD
+eIEnmTa+982RZCWQJyt2cHf/pMjIeS2NORxsVsV7XLIK5nfiFC4hbsVhCDeeieji
+wgaczpO2K4Lp2+7ZHB7OG0ChybGndrqWgCo2QOLwPWjLzI6zD2IUlQzHNM/guJTS
+eTKgugfZpxC+hPtK3dBAB1+Pu1JwT0a+c88OKREqUrPjV7BybqNHYh9T1ceKMlQT
+C2iO1o//LUNsC6w41oFvpFdpPCco2mBCAaq5TjGK3kfFXLIcn5SOk7g+hfDWpkVJ
+OhTXrtLzV8AElbgNgvH1pJDGMi5ysrRcVp77ehalIayO48JImHME2nO5BBQJfVW5
+U3FilEruSXpzbEteAl2N721g2elpKRCXqf1NndCcyKcmDX/CsumVF3sxJX5D5i/u
+I8OxfNUOHFxcSfLKHQbm7OtAIYqMWbTgmgj69TU0vRzF6N301f97rFsZFdddCRz+
+JQfnsH6tSuB4BY0quHzSmk0ZC9UVA/nG/r0vbN4mOx44RG93E3u1CTqzvFT6OFYF
+rlg1WFOF
+-----END CERTIFICATE-----
+</cert>
+
+# Client Key
+<key>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI8D+IDkooTeUCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECOeFJGd9/t0cBIIJSBRyHxbI/0Jv
+mraoNvyjbi4l27LhE8fsI6p7f5YIg2kMATDHyrnt4uPUnv8d1ah+C39TdNpu9Sbt
+HPEljwfULWlkWQbkCvvESfIufjhdiIphA4krzxTdofs/afR24v6HehYa2F9rnWoH
+iEb+c0El8YV+AvWU7mp1Mr3l6DYGvnioSGm6a+G1Ww2RouKFKAOSsKE2ozUNGAsr
+jXROHfpk4MdlsZBySHuMfmatoDyPYEYcnvJ67n378aShBb4OXP15Q4qY3O4nnwe4
+/QeBSjiuumcJE3Xu+QpiyftnaPH4jgOiCKqUQtXIgTzR0MbosE5epsvZHj0BeCGF
+VUq52VV6sFnsOphairq186juiFs3HRIfW1xcjk8uQVk88gKf/JswYDeBvXxRfOde
+gO2LhE9Q1Jej4buqet0xWuVe4r3YAcittfesXrsVjx+9NJPujBm5Iz/wbW72xo0J
++OqLQiq9DOcO/K7Gzt6x6TJ1VfG1bbAii52YyOK5acCzJFPp/C385jTv7yF8NGDY
+E6ROoGzU5jMkLs0WYiJvQimMeX4rPWXxVyCCerSyBFAfSDkY++9yXjjtgWICDYzd
+GJKOSnp52T1gHEf+IPdxUwPm6MrVcbY+dQqyXXSeKZdGkPuRK5WVz8qtAIAMvoKo
+jjSI55MLhxSGdJFX0nYOfbzU4LTlnKeTzSby929dyWwDu1/tRVzhWkiyDCBxUVkA
+MXc6csOSRm9gV4lgILQlc+XLTa+5mOdCz//sP49DdoiPuosclRfJPQp1LIXGoKm6
+s0Qwvw6hpa5aPUrzDpAtgA6j59YZU1QSE57vYUNVoyDJo/6X/bk0hwh+LE18XC6l
+KchLtOWf3D8Ca2TLWpIsUWuW7zuySG35A5OQhmzJXe7Fbx02MW1ppvDDRP6t366a
+qMlIQgQYhN9Bj3lNYdrMragqURfUQhCTWQG5CXfbKXgQHSQsA8F0XnpmtXq9gtaq
+7foW3ecw6asOfTM2imgTfLGFtkybRfA0ZInUgz2WSikZwrG7wIjeSJ0OIg4ckI9y
+bKLDMwNJGeyGZcdcsJVBxjaKje0Il9UZJxJGQ+p+BAj82cWrMFbloVNgnHEcOu5v
+KI88ucMUTOaPS/bPSo2Orj5UQIID/2lqymoqXvFLqX2ftYQT/xkGFdm2cjB/7x3T
+jsvFZezPjUcWp5t0oJncER0vWM29aTSwWyybyeGX1TWrvul85aRBr3RU4OZ2e/9P
+/W4g/pDXDuuYxqIWkxwAlcuncmcb0OfR+GBKelIPKsItlyoBS2tRFAaUCjItV4PJ
+PAopqedq4QT4mypmw+5MKObRqfdpxDoKCHzJhakDmw77miXdON2V1M7xWk+kfD9B
+H8t1QdJyzB87FQwsXlrMVh1jF+m0PIytM3l4DNqIft8AYEulbinkeB67XAhWGIqo
+IAmxhYpFfhWxmECDwUQ+nrrz6jW0LJtZKwUITH5C42BBw0I5OmVJhYNlStj8VayR
+ykkAeoiC361DKvlqHabh6KRZT/yhNtQ2TH13UGgOBDeXUQMGaKhYmdUiEjnuek4P
+lbu4cG1BtjIHtpD1LRON29rvRGw44FEEeuxmd+KyJfLdJWJQ/zjXg3owM/cZzAum
+t1qbMwxEE/EZJdRhD5cyVoWiAiFmgRfjPpv3CUCPP88QvdueRURe+i53TbqFGVqR
+dRs5hC6gjJ/nTnmF5ZjsbYqy+IKWCiGNjZA8P3pKzgXY4J45y6rRD8HNVZqWzIen
+rD2OOpvchPVCJPJUk5L7AreaMZENAyciKuLtBOp+D2INo+exE+IVaBtM5NeNnKXn
+7veiczJguLkUXMQXyxYLv7J49RbAA2WQNRcbLGuJklFVkyWYdtB+nGejMdiHjkri
+bVJcGazlJmFXhBhwEHROEJW3SOLcPwsfxjDE7LmzF80uCZbG6HFDVjPkyGZGz6y5
+g9+Kh4dQuboCT+3nhGYTUxcRe6FzHWBplq/tBPmyJNeTCvNBpOD8xVlNOi/2PUTx
+FsaIE3XGnJH9E5GpLoYA9K6oHW0w1rb7U5P0Z9arTKhPyeQYlUJwNjrLUAw++pgl
+QfY3MR8VMLAzZ/jbp0k30JE2SPAE8Bnoe3U0oQOwhGJCS36hQnMsWtW+CF+OIeV1
+Uwz+OysJKWQbB1QLUDYN36D5XRIwwcDyt3+RIl34hSai8PWC/IA52SytS8d0z+bc
+L4bavw/5JNVgGTmrMYYvFa2vY2f5VHoLnfdB7hnZJzHfbkpziuD4qB9Q/bxmywDF
+lYnZq19t2LHtE+z8Arv+NEhJULUz86O7bZq2PjWe46FhNwzVxZdtsJWH/KSg137S
+DcdAc7a4yNk3602EFBUTIKWeEuEr6SsPG9IjBq6gZbCiPbSRj8EhH8pk2d40/64B
+1ZMS/7Qd1qES1G/ggC7Xby0ggRGR9D8Uu9Ismd6EOZ1pnNP8bfeajnCyNo17MAsH
+I/2W2ZF847wjoC8kmPHxWiN3pbGaHeZb4bwNw5PxuQboGxY4nR8yf7qxOgv4ST7T
+08V+nDawKDL43vSz9cWK6Q0Cdhpsc6H72rv3eMXcQ9+6oOrsG/VsqNtUxXX0dAUB
+nqlgPLfmyneVJwBfRboDEicxEvsJtxLDNe5PKyYk1ilCmD1vi8hWu9JPp4LBmLgm
+wr9HEL0qNz8E8QLQkBPxmdOXH4bx9bagN2/TMd7As9h2klZ1gru+Vq9VZ7/gE+gh
+kbG5VlmhGQycNP2b0JZauA9fsNwAFEqsHczGw7fKdtAscm4b09DJe3o8gpdVqIFe
+qi+zdZl9NhUyvcNU67hfoTxe7hmy2Ht7hkrNnlUfCPPLIip6a75TiEOUsZMpEHBV
+h2NNoWmnOBiFT8ptA9vSAuJZifrsjK3DPDuLIN6Le/XAMLOMA2mYdxA/fB6A67Vc
+9Sr/DgK6DCTZ1Z3PaND6W+tY6LM73LfolSPOGYGcL10F0exEcIkWDEF9z3lqfUrg
+mPnbi3GzA/zFz0HE8+4wcb9zUzmfunaZGSemPXVtDkco/UgsTOfduyV7C2FDYhTQ
+yXlrj+lZYazKF2wu7kDvho4kmudkKTmfsv6/1k2+GybWisNIQmxCe8KsjZVB+f9E
+dQq6AzY/4SWMmC2h0E9ou5x4qWiVZPyX6l5dN9kmkwleGZQf/kTJaL5SKcR8RFy7
+v0RsRna9sOxc6YrsiqAeGg==
+-----END ENCRYPTED PRIVATE KEY-----
+</key>
+
+# Verify server certificate by checking
+# that the certicate has the nsCertType
+# field set to "server".  This is an
+# important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the nsCertType
+# field set to "server".  The build-key-serve
+ns-cert-type server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+#
+# Don't forget to set the 'key-direction' Parameter if using
+# Inline Key. Usualy , sever has key direction '0', while client
+# has ke direction '1'.
+#
+key-direction 1
+<tls-auth>
+-----BEGIN OpenVPN Static key V1-----
+6ba2290fe261ac9beea46806d40e5667
+f5f0149c4b65bbad8c2c5ee859b29c49
+ea7edf2232bd81b43f1e9409d4c39d92
+de7d1d585330fdf6a617531896bff6af
+7cb96947de1e4153efc626fa93641f60
+7f3ce648d309155f2724318b119e6212
+d8f736d8997ee84ed55050d526c2849e
+685c531da93df302ee6ec2cf6c32c2c7
+0a08aee8d9efc3ef0a2a3611b92dcc88
+13aba6c2a566f297bbb63470b4cc098a
+e8631344b68825a1299101e3d0995274
+f0b404ed4a34579ceb3235a7f7597158
+ed052b0d74f3fca57344151330858dd4
+741deb038c30416db61b6ebd984957f2
+f5483a7dc8ac95c5d5a0ca9fa8f26901
+f85d64bac4b39ed010e52c07f0d30b68
+-----END OpenVPN Static key V1-----
+</tls-auth>
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+comp-lzo
+
+# Verbosity level.
+# 0 -- quiet except for fatal errors.
+# 1 -- mostly quiet, but display non-fatal network errors.
+# 3 -- medium output, good for normal operation.
+# 9 -- verbose, good for troubleshooting
+verb 1
+
+# Setting 'pull' on the client takes care to get the 'push' durectives
+# from the server
+pull

AK/openvpn/ak/crl.pem

@@ -0,0 +1,18 @@
+-----BEGIN X509 CRL-----
+MIIC5TCBzjANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUxDzANBgNVBAgT
+BkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9wZW4xGTAXBgNV
+BAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEPMA0GA1UEKRMG
+VlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZRcNMTgwMjA2MTIz
+NzIzWhgPMjA1MDAyMDYxMjM3MjNaMA0GCSqGSIb3DQEBCwUAA4ICAQAdBAzogWGb
+pzQi6FLfTzN/5T8lyZ2ogSE80/Z0kOinhuMwSso5Bp6urQIjp94sc6476FxAOYWF
+I081NS+a87QNNI77Z8moFZ/5cqeUPhfCHD5XnGCGd9LxAkqsxG2MwQS9ageErWYp
+9swB9OHd/d7W5f1qSpCZuCtoFVsJS3Bjuvd2qkW2V8uzsmyXHg+Jk0NhcE04K9n9
+Ri8ZILOG84UHex1P2rpaK7G5HntAxUqe/6mkh6a1bliMNr37D9ufgj2nwuooL59S
+AxFMXK3dH2H2mrBc4i+oo/6b9P3VvRjsZGb34Mzcp8fefV/aogh2ZawC/fKGIwgT
+DZi41VPtNZm1akQtR9ILHaXLbFIkA0jFRzFSJUdVIaXLfyHC8AtpZhg0jHrVZYXz
+gsgaAA405mCwKJguRdwE8wQRgQ7om8qa4mSA99HeQq2655eSS77laLMrxG9LtmwJ
+7QTtWT/lIuK9svVL/2ucAq3UDDFRdn1eaX2mS9bKZ88N4SPmnDi2muvNGfQHXNZD
+kkvgmOkkz2SgDOJ5oTBcUJx1h74LXMi6TBs/hWEKIqQcfq1vNes1/qu9PWYP7sB6
+THyq6coO+WU7YXYidzBwyerYEg4nHZ0bxWyJziCvHZPTeX3m8r2sHoxG6/s+jKiU
+0uxTXsuGKNLhDbJFxQX16xw8rYQXt2wRxg==
+-----END X509 CRL-----

AK/openvpn/ak/easy-rsa/build-ca

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-ca

AK/openvpn/ak/easy-rsa/build-dh

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-dh

AK/openvpn/ak/easy-rsa/build-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-inter

AK/openvpn/ak/easy-rsa/build-key

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key

AK/openvpn/ak/easy-rsa/build-key-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pass

AK/openvpn/ak/easy-rsa/build-key-pkcs12

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pkcs12

AK/openvpn/ak/easy-rsa/build-key-server

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-server

AK/openvpn/ak/easy-rsa/build-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req

AK/openvpn/ak/easy-rsa/build-req-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req-pass

AK/openvpn/ak/easy-rsa/clean-all

@@ -0,0 +1 @@
+/usr/share/easy-rsa/clean-all

AK/openvpn/ak/easy-rsa/inherit-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/inherit-inter

AK/openvpn/ak/easy-rsa/list-crl

@@ -0,0 +1 @@
+/usr/share/easy-rsa/list-crl

AK/openvpn/ak/easy-rsa/openssl-0.9.6.cnf

@@ -0,0 +1,268 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

AK/openvpn/ak/easy-rsa/openssl-0.9.8.cnf

@@ -0,0 +1,293 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines                 = engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

AK/openvpn/ak/easy-rsa/openssl-1.0.0.cnf

@@ -0,0 +1,290 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+#default_days	= 3650			# how long to certify for
+default_days   = 11688
+#default_crl_days= 30			# how long before next CRL
+default_crl_days   = 11688
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

AK/openvpn/ak/easy-rsa/openssl-1.0.0.cnf.ORIG

@@ -0,0 +1,288 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

AK/openvpn/ak/easy-rsa/openssl.cnf

@@ -0,0 +1 @@
+/etc/openvpn/ak/easy-rsa/openssl-1.0.0.cnf

AK/openvpn/ak/easy-rsa/pkitool

@@ -0,0 +1 @@
+/usr/share/easy-rsa/pkitool

AK/openvpn/ak/easy-rsa/revoke-full

@@ -0,0 +1 @@
+/usr/share/easy-rsa/revoke-full

AK/openvpn/ak/easy-rsa/sign-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/sign-req

AK/openvpn/ak/easy-rsa/vars

@@ -0,0 +1,96 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+##export EASY_RSA="`pwd`"
+export BASE_DIR="/etc/openvpn/ak"
+export EASY_RSA="$BASE_DIR/easy-rsa"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+##export KEY_DIR="$EASY_RSA/keys"
+export KEY_DIR="$BASE_DIR/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+##export KEY_SIZE=2048
+export KEY_SIZE=4096
+
+# In how many days should the root CA key expire?
+##export CA_EXPIRE=3650
+export CA_EXPIRE=11688
+
+# In how many days should certificates expire?
+##export KEY_EXPIRE=3650
+export KEY_EXPIRE=7305
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+##export KEY_COUNTRY="US"
+export KEY_COUNTRY="DE"
+##export KEY_PROVINCE="CA"
+export KEY_PROVINCE="Berlin"
+##export KEY_CITY="SanFrancisco"
+export KEY_CITY="Berlin"
+##export KEY_ORG="Fort-Funston"
+export KEY_ORG="o.open"
+##export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL="argus@oopen.de"
+##export KEY_OU="MyOrganizationalUnit"
+export KEY_OU="Network Services"
+
+# X509 Subject Field
+##export KEY_NAME="EasyRSA"
+export KEY_NAME="VPN AK"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+## export KEY_CN="CommonName"
+export KEY_CN="VPN-AK"
+
+export KEY_ALTNAMES="VPN AK"

AK/openvpn/ak/easy-rsa/vars.2018-02-06-1310

@@ -0,0 +1,80 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
+export KEY_OU="MyOrganizationalUnit"
+
+# X509 Subject Field
+export KEY_NAME="EasyRSA"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# export KEY_CN="CommonName"

AK/openvpn/ak/easy-rsa/whichopensslcnf

@@ -0,0 +1 @@
+/usr/share/easy-rsa/whichopensslcnf

AK/openvpn/ak/ipp.txt

@@ -0,0 +1 @@
+VPN-AK-chris,10.0.0.2

AK/openvpn/ak/keys-created.txt

@@ -0,0 +1,4 @@
+
+key...............: chris.key
+common name.......: VPN-AK-chris
+password..........: dbddhkpuka.&EadGl15E.

AK/openvpn/ak/keys/01.pem

@@ -0,0 +1,141 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Feb  6 12:37:16 2018 GMT
+            Not After : Feb  6 12:37:16 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK-server/name=VPN AK/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:c3:e5:c6:ea:48:8b:ac:0a:03:79:75:38:5b:f0:
+                    4a:42:eb:30:af:31:fe:cd:81:25:29:7d:eb:7c:fb:
+                    2d:fe:73:f3:3a:bd:fc:fa:09:c7:36:3a:dc:52:22:
+                    d3:7f:01:d3:3d:c3:86:01:c0:ec:76:6a:89:0c:49:
+                    e9:12:41:72:8e:41:b0:35:23:d0:35:5f:21:00:3f:
+                    be:80:03:ac:e2:f8:05:3a:bc:19:0a:48:13:8a:56:
+                    4d:65:ea:9a:8d:00:51:52:4f:8c:1f:8a:fa:bd:39:
+                    41:e2:7e:a6:d9:5c:42:a6:40:2a:88:59:54:91:5b:
+                    6d:69:ec:21:84:aa:fa:41:75:7b:8d:08:1f:7a:f9:
+                    71:60:73:60:9b:31:73:32:27:5c:34:2e:7f:ff:f8:
+                    be:26:eb:dd:aa:c1:b6:c2:70:d1:90:b5:47:e3:c9:
+                    2e:d3:bc:3d:11:69:58:aa:36:93:1a:11:b5:94:ca:
+                    e2:44:1a:9b:4d:3b:04:63:cd:d8:28:57:8c:f6:35:
+                    70:bd:fe:bb:ef:8c:95:82:91:a8:c1:2a:8d:d4:77:
+                    57:64:a5:cc:57:f3:b1:8a:2f:52:d8:d8:8d:e2:e1:
+                    3c:21:49:bf:b0:42:71:3a:71:cf:4f:5a:18:99:79:
+                    44:d1:72:06:4a:7d:30:29:fe:a7:43:2c:92:23:9b:
+                    69:2f:d2:88:3c:6c:c9:d1:8e:cd:d3:5d:24:3e:c9:
+                    f3:b5:8b:60:99:48:ff:90:bf:ad:f3:f7:3b:c6:7d:
+                    27:8f:d2:b8:88:02:0a:03:91:8a:3d:3c:25:53:6d:
+                    07:59:6c:b1:0d:f8:e5:93:02:58:54:60:0b:29:08:
+                    39:92:71:01:dc:0d:8d:b2:94:87:4b:08:39:20:cf:
+                    a7:e5:3b:66:91:c5:01:15:3c:2c:df:6a:9d:4b:48:
+                    b5:5e:fa:3f:6d:49:11:2b:92:bc:7a:46:70:b0:cf:
+                    cd:79:be:90:e1:ce:41:fa:43:31:cd:bb:b7:34:5f:
+                    c7:71:80:75:83:6e:f6:45:a0:ee:a7:b4:de:43:f1:
+                    fc:df:19:d8:6d:00:b5:ae:59:17:f7:7d:19:cd:c8:
+                    b7:4a:92:da:6d:ad:3c:d5:b0:db:6e:5b:b8:2d:62:
+                    d5:5f:e4:23:b0:65:8c:b5:da:d8:27:0a:34:9e:32:
+                    02:7e:bc:89:39:aa:7f:b2:07:26:2e:39:0a:21:c6:
+                    da:4e:d2:cf:53:45:9f:c2:9c:d0:c6:86:37:20:60:
+                    9c:7d:14:3a:2f:1c:5c:50:36:5d:d3:15:2e:94:f1:
+                    04:b8:22:4b:c9:85:6a:ec:59:ec:e2:01:e3:c9:e1:
+                    02:56:40:c1:8f:01:61:68:26:72:89:de:ba:29:2f:
+                    15:8f:d5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                3F:C0:FA:95:43:C6:88:A3:2E:18:8E:43:3C:BA:1C:97:2F:70:C7:59
+            X509v3 Authority Key Identifier: 
+                keyid:EA:67:95:94:1D:46:8E:44:BF:97:A4:09:BD:40:3D:00:D9:D3:EE:40
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+                serial:EB:02:53:87:4C:0D:73:5F
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         14:3a:a6:f8:86:88:7c:db:9b:ce:b1:59:57:de:3e:e0:34:7d:
+         ce:a3:95:15:f8:89:54:e3:d4:02:0e:b8:51:35:14:4d:e9:31:
+         21:25:3c:77:55:d4:b2:9b:f0:d5:b1:80:6d:ef:e7:86:f4:e7:
+         e9:03:5a:12:c2:5b:42:e5:90:8a:8e:e5:f9:83:13:6d:60:43:
+         aa:13:1f:f2:99:3d:66:84:ec:21:1f:68:a6:b5:64:ad:c3:e2:
+         d0:6f:96:9f:eb:37:94:12:a7:89:94:de:5c:69:4c:8f:f8:75:
+         b8:76:c7:81:c7:88:81:34:6d:cf:ea:23:eb:05:87:a1:fd:d7:
+         e8:88:a0:34:81:f4:15:a6:cb:ff:53:47:10:e6:04:86:49:09:
+         7e:0f:ed:0c:47:5a:df:bc:a3:23:ed:80:4d:e0:88:81:be:32:
+         1c:0f:16:c6:c0:6e:0c:d7:24:63:1e:88:e2:82:e7:00:f2:a6:
+         0c:01:b1:a6:7e:4d:69:4e:9f:8a:e3:78:12:cb:fa:d2:b9:a6:
+         b7:ac:07:98:9e:38:aa:a8:56:81:9b:06:c2:11:ec:f1:4f:e5:
+         5a:21:45:ed:8f:b1:a0:48:21:e7:ba:7b:5f:5b:a9:7a:51:ca:
+         6d:84:1b:b9:78:38:18:91:9c:e0:ca:0e:97:e0:e7:bd:36:10:
+         ed:c9:80:0a:73:c1:ae:0c:d6:b1:dd:be:fc:7b:a7:83:4f:0d:
+         b6:7c:2f:15:4b:b6:e1:b0:5f:81:bb:c5:4d:3e:fd:84:82:65:
+         65:8a:4e:f5:66:19:e4:4d:9f:31:9d:d2:21:44:7c:9e:ff:55:
+         1f:f3:17:bc:d4:d3:e2:c4:51:fd:f9:f6:b8:b8:53:42:11:94:
+         f0:aa:df:6e:0f:07:0a:1d:2f:31:7a:6e:28:32:63:1d:a7:fa:
+         da:93:9d:37:25:3e:53:f7:f4:f2:e8:97:23:d9:39:dd:1d:39:
+         c1:1c:03:b6:b1:b9:21:6f:ed:a6:c9:b8:e4:aa:f5:6f:d6:33:
+         94:d4:70:e6:c7:e2:38:6c:33:3c:d9:19:4e:af:90:0c:13:f5:
+         b3:d8:fc:7a:21:8a:3e:43:e5:14:3f:4f:72:de:2a:71:13:db:
+         7e:b6:d9:aa:1c:d1:f9:ed:f6:cc:c1:ae:c9:c1:4e:4e:f8:dd:
+         85:ec:4f:b7:7a:7a:90:26:44:8b:a7:8d:67:26:0e:82:02:92:
+         14:d4:ad:38:28:ff:36:e8:59:3e:dc:1a:76:bb:b6:cc:b1:32:
+         d9:44:85:f5:c4:45:db:92:55:54:78:05:88:db:0a:fb:42:17:
+         e0:b7:76:0f:c2:c8:69:67:ed:fb:b4:e8:72:e7:ee:6a:03:d9:
+         8b:4d:22:d5:ed:00:68:6d
+-----BEGIN CERTIFICATE-----
+MIIHPjCCBSagAwIBAgIBATANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEP
+MA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
+Fw0xODAyMDYxMjM3MTZaFw0zODAyMDYxMjM3MTZaMIGjMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEWMBQGA1UEAxMNVlBOLUFLLXNl
+cnZlcjEPMA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Bl
+bi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMPlxupIi6wKA3l1
+OFvwSkLrMK8x/s2BJSl963z7Lf5z8zq9/PoJxzY63FIi038B0z3DhgHA7HZqiQxJ
+6RJBco5BsDUj0DVfIQA/voADrOL4BTq8GQpIE4pWTWXqmo0AUVJPjB+K+r05QeJ+
+ptlcQqZAKohZVJFbbWnsIYSq+kF1e40IH3r5cWBzYJsxczInXDQuf//4vibr3arB
+tsJw0ZC1R+PJLtO8PRFpWKo2kxoRtZTK4kQam007BGPN2ChXjPY1cL3+u++MlYKR
+qMEqjdR3V2SlzFfzsYovUtjYjeLhPCFJv7BCcTpxz09aGJl5RNFyBkp9MCn+p0Ms
+kiObaS/SiDxsydGOzdNdJD7J87WLYJlI/5C/rfP3O8Z9J4/SuIgCCgORij08JVNt
+B1lssQ345ZMCWFRgCykIOZJxAdwNjbKUh0sIOSDPp+U7ZpHFARU8LN9qnUtItV76
+P21JESuSvHpGcLDPzXm+kOHOQfpDMc27tzRfx3GAdYNu9kWg7qe03kPx/N8Z2G0A
+ta5ZF/d9Gc3It0qS2m2tPNWw225buC1i1V/kI7BljLXa2CcKNJ4yAn68iTmqf7IH
+Ji45CiHG2k7Sz1NFn8Kc0MaGNyBgnH0UOi8cXFA2XdMVLpTxBLgiS8mFauxZ7OIB
+48nhAlZAwY8BYWgmconeuikvFY/VAgMBAAGjggGAMIIBfDAJBgNVHRMEAjAAMBEG
+CWCGSAGG+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJh
+dGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUP8D6lUPGiKMuGI5DPLoc
+ly9wx1kwgdEGA1UdIwSByTCBxoAU6meVlB1GjkS/l6QJvUA9ANnT7kChgaKkgZ8w
+gZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxp
+bjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMQ8w
+DQYDVQQDEwZWUE4tQUsxDzANBgNVBCkTBlZQTiBBSzEdMBsGCSqGSIb3DQEJARYO
+YXJndXNAb29wZW4uZGWCCQDrAlOHTA1zXzATBgNVHSUEDDAKBggrBgEFBQcDATAL
+BgNVHQ8EBAMCBaAwEQYDVR0RBAowCIIGc2VydmVyMA0GCSqGSIb3DQEBCwUAA4IC
+AQAUOqb4hoh825vOsVlX3j7gNH3Oo5UV+IlU49QCDrhRNRRN6TEhJTx3VdSym/DV
+sYBt7+eG9OfpA1oSwltC5ZCKjuX5gxNtYEOqEx/ymT1mhOwhH2imtWStw+LQb5af
+6zeUEqeJlN5caUyP+HW4dseBx4iBNG3P6iPrBYeh/dfoiKA0gfQVpsv/U0cQ5gSG
+SQl+D+0MR1rfvKMj7YBN4IiBvjIcDxbGwG4M1yRjHojigucA8qYMAbGmfk1pTp+K
+43gSy/rSuaa3rAeYnjiqqFaBmwbCEezxT+VaIUXtj7GgSCHnuntfW6l6UcpthBu5
+eDgYkZzgyg6X4Oe9NhDtyYAKc8GuDNax3b78e6eDTw22fC8VS7bhsF+Bu8VNPv2E
+gmVlik71ZhnkTZ8xndIhRHye/1Uf8xe81NPixFH9+fa4uFNCEZTwqt9uDwcKHS8x
+em4oMmMdp/rak503JT5T9/Ty6Jcj2TndHTnBHAO2sbkhb+2mybjkqvVv1jOU1HDm
+x+I4bDM82RlOr5AME/Wz2Px6IYo+Q+UUP09y3ipxE9t+ttmqHNH57fbMwa7JwU5O
++N2F7E+3enqQJkSLp41nJg6CApIU1K04KP826Fk+3Bp2u7bMsTLZRIX1xEXbklVU
+eAWI2wr7Qhfgt3YPwshpZ+37tOhy5+5qA9mLTSLV7QBobQ==
+-----END CERTIFICATE-----

AK/openvpn/ak/keys/02.pem

@@ -0,0 +1,139 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Feb  6 13:37:54 2018 GMT
+            Not After : Feb  6 13:37:54 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK-chris/name=VPN AK/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:9b:da:37:61:00:41:6d:0b:56:e3:cb:c8:56:28:
+                    0a:db:be:7b:7d:e8:91:7a:3e:3a:b7:89:91:c4:01:
+                    11:48:1d:c9:f9:70:28:a2:40:b2:ae:8b:8f:b2:56:
+                    75:79:5f:b2:6f:96:1f:e2:b8:83:c1:75:b3:f9:d2:
+                    42:44:a2:c6:03:48:c5:09:17:fc:77:13:cf:3a:a7:
+                    b2:73:39:10:07:b9:3b:a0:28:e8:da:82:07:87:17:
+                    86:93:95:bf:fa:5d:2a:39:68:8c:6e:d5:8e:fd:9b:
+                    ce:6c:28:13:8a:33:f0:6a:b4:17:07:3f:d1:7d:a5:
+                    a5:fc:a0:e3:26:73:49:0a:ba:d7:84:6f:a4:53:ec:
+                    ef:e7:17:3b:ca:b6:9d:d2:88:42:16:dc:c0:50:de:
+                    5e:d2:c5:88:b9:28:f0:03:d7:5e:86:cd:bc:59:7e:
+                    e2:d6:d5:a3:ed:cf:97:de:da:e0:cd:c8:0d:96:fa:
+                    06:c5:bc:6d:79:d0:65:ab:6e:f5:ee:a9:88:dd:8e:
+                    fb:2c:76:48:73:10:b7:5a:8b:05:ac:92:df:ce:a7:
+                    c8:98:e2:c4:10:a1:4a:f7:9b:b8:c0:b9:59:94:9d:
+                    a8:95:59:49:e1:c9:29:d6:9e:19:f7:b4:a8:aa:9e:
+                    92:04:ba:65:11:48:bb:f8:2e:ec:08:a4:b3:37:2e:
+                    2e:d2:d6:4a:ce:fc:de:15:18:78:34:97:b9:96:e3:
+                    c1:98:f9:0f:67:7d:ea:4d:12:ba:f2:7f:f4:9e:61:
+                    81:e4:61:df:ee:55:d6:17:b3:4b:c0:1b:af:30:9f:
+                    7f:a7:93:81:66:14:2d:08:7e:83:5d:d7:57:5c:21:
+                    f2:43:49:df:50:9a:58:2d:f8:b3:cb:d5:5a:91:0c:
+                    90:47:59:e3:5e:78:82:93:6c:db:82:7e:22:72:5c:
+                    47:8e:d9:49:2a:69:9e:d8:f1:70:37:d0:69:82:05:
+                    42:12:02:d7:f2:78:b9:88:ea:fe:92:9a:d5:20:b4:
+                    db:8a:e8:54:eb:61:26:05:dd:31:59:b2:e1:93:9a:
+                    43:82:c0:55:ff:d4:8c:d0:ba:bd:f6:c4:9a:58:73:
+                    14:3b:96:aa:01:fe:2d:c9:7f:f7:b5:93:2e:a7:19:
+                    7f:60:ab:01:e7:b1:2a:1a:a2:4e:85:a6:d9:7b:92:
+                    7a:ce:e3:de:50:ac:8f:65:d5:6d:9d:5e:2b:d1:86:
+                    de:07:22:56:18:05:52:57:85:ca:ce:25:80:69:2f:
+                    37:74:dc:ca:3e:42:d9:05:f7:c4:5a:77:26:d3:ec:
+                    52:2e:02:52:61:00:c4:06:a8:fa:4d:23:42:83:76:
+                    30:6f:3d:4e:7a:a6:17:fe:5e:06:a5:87:a1:37:da:
+                    fb:bc:87
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                2E:C4:A7:97:A0:8C:78:B9:B3:25:0E:B0:C4:AE:A4:40:6A:82:A7:3F
+            X509v3 Authority Key Identifier: 
+                keyid:EA:67:95:94:1D:46:8E:44:BF:97:A4:09:BD:40:3D:00:D9:D3:EE:40
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+                serial:EB:02:53:87:4C:0D:73:5F
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:chris
+    Signature Algorithm: sha256WithRSAEncryption
+         67:e7:39:57:e2:ee:56:68:74:6d:54:4f:0d:1d:c1:c3:21:3a:
+         4c:ef:e3:31:40:ae:9b:e7:af:1c:23:ea:58:e2:fa:97:fe:e3:
+         01:b8:32:ba:0b:0b:19:49:03:92:d3:86:df:e5:57:d7:d5:51:
+         00:28:51:11:fd:23:e8:a1:51:47:28:06:29:4a:17:c5:93:3a:
+         b8:5f:91:58:a9:4d:af:90:7d:ca:15:e0:03:3e:a0:2e:1b:89:
+         ba:cb:91:8f:ed:50:7a:7b:a7:8e:54:48:54:36:92:1d:81:6b:
+         07:8b:fa:73:e1:16:30:3c:ad:2a:92:b7:15:03:78:81:27:99:
+         36:be:f7:cd:91:64:25:90:27:2b:76:70:77:ff:a4:c8:c8:79:
+         2d:8d:39:1c:6c:56:c5:7b:5c:b2:0a:e6:77:e2:14:2e:21:6e:
+         c5:61:08:37:9e:89:e8:e2:c2:06:9c:ce:93:b6:2b:82:e9:db:
+         ee:d9:1c:1e:ce:1b:40:a1:c9:b1:a7:76:ba:96:80:2a:36:40:
+         e2:f0:3d:68:cb:cc:8e:b3:0f:62:14:95:0c:c7:34:cf:e0:b8:
+         94:d2:79:32:a0:ba:07:d9:a7:10:be:84:fb:4a:dd:d0:40:07:
+         5f:8f:bb:52:70:4f:46:be:73:cf:0e:29:11:2a:52:b3:e3:57:
+         b0:72:6e:a3:47:62:1f:53:d5:c7:8a:32:54:13:0b:68:8e:d6:
+         8f:ff:2d:43:6c:0b:ac:38:d6:81:6f:a4:57:69:3c:27:28:da:
+         60:42:01:aa:b9:4e:31:8a:de:47:c5:5c:b2:1c:9f:94:8e:93:
+         b8:3e:85:f0:d6:a6:45:49:3a:14:d7:ae:d2:f3:57:c0:04:95:
+         b8:0d:82:f1:f5:a4:90:c6:32:2e:72:b2:b4:5c:56:9e:fb:7a:
+         16:a5:21:ac:8e:e3:c2:48:98:73:04:da:73:b9:04:14:09:7d:
+         55:b9:53:71:62:94:4a:ee:49:7a:73:6c:4b:5e:02:5d:8d:ef:
+         6d:60:d9:e9:69:29:10:97:a9:fd:4d:9d:d0:9c:c8:a7:26:0d:
+         7f:c2:b2:e9:95:17:7b:31:25:7e:43:e6:2f:ee:23:c3:b1:7c:
+         d5:0e:1c:5c:5c:49:f2:ca:1d:06:e6:ec:eb:40:21:8a:8c:59:
+         b4:e0:9a:08:fa:f5:35:34:bd:1c:c5:e8:dd:f4:d5:ff:7b:ac:
+         5b:19:15:d7:5d:09:1c:fe:25:07:e7:b0:7e:ad:4a:e0:78:05:
+         8d:2a:b8:7c:d2:9a:4d:19:0b:d5:15:03:f9:c6:fe:bd:2f:6c:
+         de:26:3b:1e:38:44:6f:77:13:7b:b5:09:3a:b3:bc:54:fa:38:
+         56:05:ae:58:35:58:53:85
+-----BEGIN CERTIFICATE-----
+MIIHIjCCBQqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEP
+MA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
+Fw0xODAyMDYxMzM3NTRaFw0zODAyMDYxMzM3NTRaMIGiMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEVMBMGA1UEAxMMVlBOLUFLLWNo
+cmlzMQ8wDQYDVQQpEwZWUE4gQUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAm9o3YQBBbQtW48vI
+VigK2757feiRej46t4mRxAERSB3J+XAookCyrouPslZ1eV+yb5Yf4riDwXWz+dJC
+RKLGA0jFCRf8dxPPOqeyczkQB7k7oCjo2oIHhxeGk5W/+l0qOWiMbtWO/ZvObCgT
+ijPwarQXBz/RfaWl/KDjJnNJCrrXhG+kU+zv5xc7yrad0ohCFtzAUN5e0sWIuSjw
+A9dehs28WX7i1tWj7c+X3trgzcgNlvoGxbxtedBlq2717qmI3Y77LHZIcxC3WosF
+rJLfzqfImOLEEKFK95u4wLlZlJ2olVlJ4ckp1p4Z97Soqp6SBLplEUi7+C7sCKSz
+Ny4u0tZKzvzeFRh4NJe5luPBmPkPZ33qTRK68n/0nmGB5GHf7lXWF7NLwBuvMJ9/
+p5OBZhQtCH6DXddXXCHyQ0nfUJpYLfizy9VakQyQR1njXniCk2zbgn4iclxHjtlJ
+Kmme2PFwN9BpggVCEgLX8ni5iOr+kprVILTbiuhU62EmBd0xWbLhk5pDgsBV/9SM
+0Lq99sSaWHMUO5aqAf4tyX/3tZMupxl/YKsB57EqGqJOhabZe5J6zuPeUKyPZdVt
+nV4r0YbeByJWGAVSV4XKziWAaS83dNzKPkLZBffEWncm0+xSLgJSYQDEBqj6TSNC
+g3Ywbz1OeqYX/l4GpYehN9r7vIcCAwEAAaOCAWUwggFhMAkGA1UdEwQCMAAwLQYJ
+YIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
+HQ4EFgQULsSnl6CMeLmzJQ6wxK6kQGqCpz8wgdEGA1UdIwSByTCBxoAU6meVlB1G
+jkS/l6QJvUA9ANnT7kChgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
+ZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQL
+ExBOZXR3b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQUsxDzANBgNVBCkTBlZQ
+TiBBSzEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDrAlOHTA1zXzAT
+BgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEAYDVR0RBAkwB4IFY2hy
+aXMwDQYJKoZIhvcNAQELBQADggIBAGfnOVfi7lZodG1UTw0dwcMhOkzv4zFArpvn
+rxwj6lji+pf+4wG4MroLCxlJA5LTht/lV9fVUQAoURH9I+ihUUcoBilKF8WTOrhf
+kVipTa+QfcoV4AM+oC4bibrLkY/tUHp7p45USFQ2kh2BaweL+nPhFjA8rSqStxUD
+eIEnmTa+982RZCWQJyt2cHf/pMjIeS2NORxsVsV7XLIK5nfiFC4hbsVhCDeeieji
+wgaczpO2K4Lp2+7ZHB7OG0ChybGndrqWgCo2QOLwPWjLzI6zD2IUlQzHNM/guJTS
+eTKgugfZpxC+hPtK3dBAB1+Pu1JwT0a+c88OKREqUrPjV7BybqNHYh9T1ceKMlQT
+C2iO1o//LUNsC6w41oFvpFdpPCco2mBCAaq5TjGK3kfFXLIcn5SOk7g+hfDWpkVJ
+OhTXrtLzV8AElbgNgvH1pJDGMi5ysrRcVp77ehalIayO48JImHME2nO5BBQJfVW5
+U3FilEruSXpzbEteAl2N721g2elpKRCXqf1NndCcyKcmDX/CsumVF3sxJX5D5i/u
+I8OxfNUOHFxcSfLKHQbm7OtAIYqMWbTgmgj69TU0vRzF6N301f97rFsZFdddCRz+
+JQfnsH6tSuB4BY0quHzSmk0ZC9UVA/nG/r0vbN4mOx44RG93E3u1CTqzvFT6OFYF
+rlg1WFOF
+-----END CERTIFICATE-----

AK/openvpn/ak/keys/ca.crt

@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIGxjCCBK6gAwIBAgIJAOsCU4dMDXNfMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEPMA0GA1UEAxMG
+VlBOLUFLMQ8wDQYDVQQpEwZWUE4gQUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9v
+cGVuLmRlMCAXDTE4MDIwNjEyMTIxNVoYDzIwNTAwMjA2MTIxMjE1WjCBnDELMAkG
+A1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYD
+VQQKEwZvLm9wZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMT
+BlZQTi1BSzEPMA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bv
+b3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKYNRn3v3bgu
+7yd9rSSHGfKeKuCoT/KQg8054E0HB7zOjCpI3HMrK+UaA/BB47k82aj4zrGBz179
+Gw3E7EqlMXUeUfWa46FADakj6QrimSzaIctCy5bCHCogBV0HhVaMnTO6+GCoPuLP
+D779zJ/YzIO3476pWIVuK5AAgqobyGaJ5OPR0rUWrl1yQK48yYQfSbnU0IcchDny
+VS42E64k+TbOixg5dRHxr/8JQ6UbPHJWE5oePbm5Rx345jV2dU3QjfJTe8HtoUeL
+TwHsSE+JilWxq1ID4sEIY7+5bvaQCsjVUwim5XHg/8iv0ekHlwmFmz/ycQ1+xMcz
+NzBqpuZCqkY4NJHclZGwS5L1dEfaLLEAKueUbqFURsyMSoKb0N5S78Gf96E6PgJV
+De+YtbdxM3S3EAa0Y0NkukBHUGOPiBd9g2EnbW4GfKhsPPWMOWFANl22xupgt5SU
+HnqF71ofKCNi2Zkc32lJzbHQNIO86N52wI2E8F8iy9SJ2+969SsCxNhBKP8pRFaG
+9HSeRoi8nTsDcYczERlEb5qhA8+rWho4XpWgDXE4qrT0wmuMqoo1bTPCDsGSkzUe
+CdUD5/m174RVrnc0o+SyHLIGuS2XpU9KuPBLV4d8CzKakGLudUG/4ikntBZBW7hL
+IJOOGAv3kaWOj3GbfF/zNza2lC/WvMiXAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQU
+6meVlB1GjkS/l6QJvUA9ANnT7kAwgdEGA1UdIwSByTCBxoAU6meVlB1GjkS/l6QJ
+vUA9ANnT7kChgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4x
+DzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3
+b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQUsxDzANBgNVBCkTBlZQTiBBSzEd
+MBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDrAlOHTA1zXzAMBgNVHRME
+BTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAMzcwewxPfcS4H5YYlvYgmy4iCUson
+vz4RVsyQxinlmnBDMZc7YrkERSQ8O9GWq2Qzge0c0xaEMZxhrkosQi7mAL4JrFjr
+i1fWYYsocBd/6ZXNkro3uJ231RyOiNWGaFNc3kkorWeGlQmlJsYSK2jtEZtezTGu
+4yEHZwDLK7ArI1IydUAJ1K4k/P0YLsQw4fcMXtJF5GRpunwy2VGXBOF2WlIMHaMU
+XKpFDOZGlvnbshIoDuNhdTSVZ3UWkNQSfMnVjv1UDNsxleeJWIjpvB/wNDsIgMmd
+y4DWJzYO8p9w4bBq4GEdvhiL5tNFdHPRS3v42zAmsjvyJChUbFWApXRdb8p8dmtP
+qneRvgUKTc+03nv5z7bO653yzuxRCk/4g8SqMKC6qIMeKEOcG9ZDEGs3YJ3d2NMg
+OHSEkfXSJKGkQfaM3vORjF3zuC6ZFpNSYMMVctAwLfwu7q0YdOfIWPsUFgAtaePp
+JRDpVjbWGk+/WDVIWO/tVEFmy1xT7CPMEMgMbTGl1mGPezPBeAqgs4LXWlYgQfox
+K2BhLOD+YwlfvDUaJPhp10oJ6rhfnveTPhmhGslTZzaLYShP1Bg5J21gZf7+Wou7
+fwpliRLlB8gFk6czpGspmyGdTPjqXOvVxIqffmxRtzsMZJSEJWV/6023AxQdnFz2
+U7OFfF99B7LFVw==
+-----END CERTIFICATE-----

AK/openvpn/ak/keys/ca.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCmDUZ97924Lu8n
+fa0khxnynirgqE/ykIPNOeBNBwe8zowqSNxzKyvlGgPwQeO5PNmo+M6xgc9e/RsN
+xOxKpTF1HlH1muOhQA2pI+kK4pks2iHLQsuWwhwqIAVdB4VWjJ0zuvhgqD7izw++
+/cyf2MyDt+O+qViFbiuQAIKqG8hmieTj0dK1Fq5dckCuPMmEH0m51NCHHIQ58lUu
+NhOuJPk2zosYOXUR8a//CUOlGzxyVhOaHj25uUcd+OY1dnVN0I3yU3vB7aFHi08B
+7EhPiYpVsatSA+LBCGO/uW72kArI1VMIpuVx4P/Ir9HpB5cJhZs/8nENfsTHMzcw
+aqbmQqpGODSR3JWRsEuS9XRH2iyxACrnlG6hVEbMjEqCm9DeUu/Bn/ehOj4CVQ3v
+mLW3cTN0txAGtGNDZLpAR1Bjj4gXfYNhJ21uBnyobDz1jDlhQDZdtsbqYLeUlB56
+he9aHygjYtmZHN9pSc2x0DSDvOjedsCNhPBfIsvUidvvevUrAsTYQSj/KURWhvR0
+nkaIvJ07A3GHMxEZRG+aoQPPq1oaOF6VoA1xOKq09MJrjKqKNW0zwg7BkpM1HgnV
+A+f5te+EVa53NKPkshyyBrktl6VPSrjwS1eHfAsympBi7nVBv+IpJ7QWQVu4SyCT
+jhgL95Gljo9xm3xf8zc2tpQv1rzIlwIDAQABAoICAA4dhMeB02QrwTKnMUewoFkK
+bvSn+hvRgxK3/8Qse9Dl8e5KQUsc+V9BReJvh28gqBQACnn2Ye1eMKWL/tYdksW0
+7RymrQDxE/gz0ESXnJO+ey7vH6VSHNjL3gjZcdE4pMhX9XMp+iaHmXwP0QwpfsEX
+qal0dczp35QfJvxU3kUxJZ7kIDg6lFnnM25cRnkPu9GrMIq7ttXCLtF90VB1XiX1
+isdlYvlChUZ1wCVR2mKRxJrORUr7X/tBRDh5OGGD//0Acb27eIE/a1jrf/4a4AKG
+1txi7iygjPIoTjFxbylBUQykO07h5Hxnzb00YvdxPxBBiLCv/QQ960wXVNawBg9M
+9TH/PZ2nx2xYdTbz6YNMAjkTfAXkMnkBiHGtxSWjLfAKNg0CvBT+7dOJUO4MWD6H
+rg3Q3HKTPl7qLq3I47YB/Buc4FfRg6YPmzhTzlqfzpOeAsLlZSZgKu4MMT8jh+FZ
+swvAfVshdRDlWH0A1v+QcOaXq3WHFjzmyvRs+IuR5bR6cVfzkBywSPygsIxDi3gq
+9Y74CIlywJdwuLQc7owJ/wjrzVanerwlTXe1u8YGCOsE/NkjHOhfLqQAD2RE8pee
+q0qfqqUKNhDRCWae9HMd65teX9XQ+yg/+LIEGyisKAuLpx5Xpcnqhu8RRorrTUIx
+FzjkQxcqFRveeNsDLUUpAoIBAQDWhbV2+mSBYTCveVeSA1tBII3mO4/RQ/GlHM0u
+8XLY0NhKk+TTSPYXOpZlVdcMwnuEVKPY1y8+/H0sdjdLPKbX3qAebus8jQc8Xvcr
+p8FM/TAr3g4KfyjGWtuYns5f0msiuDwu8Bc8T8dlw40Ba+m3mhxxW8wtS0LiCjtp
+iaJV3A4OOmRAL2UH/okd9DBLxi4X2AjY0EqH8o+GaMD8b6VUfpROENV3KfsRMaYo
+z6ep7v0QWwxK5L2XIJy7tQQEXumHBbt0P6TaiV4rBFEpQ9wpdfUnk8oEkXHRvu44
+jV7EYOBfqVGVIdzYol7pGcmznCBWd6SM/lAkOGxu0Alcw20DAoIBAQDGKGgeH0tD
+i2UU+Cmf3OggTCZpRDy+Io2E6XW5wkRy1Xg8/Bp57mWqAV8Hss25HixYtSjqbHGJ
+XkQdB9nZKD7NhlomFYBEm2subgLVWSE01XzrzjZxJXQPgf24jETC6xHsNAt6ONyP
+tiUftIskoHVkjpFmkVksAypyBALVaGJgemUwabFubq0xUPSRl3W1RnOyIDqXe/jQ
+tKMB9/r8i3mBoC5oK3Vwp6o3rQf3M6FBa7FAzapYXDCqHCBmjjStthNfvAUX31Kw
+a1kLzvpIpo8BhXXsy91pdhy6nxfCHv5bAbwLJdWYDARUifzw1ROhjj408v56nnBB
+IMwLuCJuYY/dAoIBAEU+T36iAAMK/g4F2tBUqQXynhrsqtVfWwZyr4Axi2KUttwL
+tNbGPDjvPlBjTtDdjcT/FQwPGT75fOX3Go38e9Y+E+z+3Itk8ir4dEvxECHrr7rZ
+KCsXNHAiL7Opvu+LGe3RDgwQj092aOReJIuK65vJ8NheSx9rpaEUsGy2cmHIb/kD
+vAxDwBa+gD/c7CHpTEOCBgkF4qjTEKTP90sENpd5bCFuqZiXQmUgY4PU00e0zpaS
+7PrXrqKzciPcn/lRMYvVu9YgHPQ1VuIHuLLbJptzabhmqdSjpduQB5DVgPteUc5O
+9vhuP7zlXEFdg4+oG4ANil3AUNoAJG/4Uq1Qn0UCggEBAKAUHmBPKY8MOgFhpMan
+P8Jvogwh+uwin67Cpr8EyCT4fGTPyFe+FdTrvKhMctLcJDkZSE9wgZvWUjIdmIhM
+cce4hHUFo5RI9aIRbyqJEUFMQdmAwgxPlF2+xofikN3h5p2pQahf7RYPsBfX0xwo
+oA02+xEf1Ciw+gYXZW6fH/IOjlY43AR5VmJjot9GuulRW7+HN64OkWeQtaqueMyx
+o9vq2fJ/QSVb3S+TEb9KrzdZV10hiD5PY2TYyffvY3D9iNMq4fZyC6vHXK0kbJ5q
+J1a0SRqdamV67CR6x0ejoBlG4nEjBFULSCg/PN4VVAGMFobR0nCeM9L5Or0w6GfB
+WuUCggEAckvTl30f7e+8hEq6GyXmc8445JxoDOWtVpUMO0wfKQFjBctIX4LDRuHx
+lssvyoVzZAPvcZxSC0vAOz3vB+QqDrPZBUT76uFYmuwmtOyu5bylwFfj52cwYciZ
+4Capr7HRwA8Q8/fDFZNey1vmw1paCEsr6Javw3wW6jz1ojMANQfwxcNrWlVAyxOM
+fMhIkAvgV6x2YLwurmMPxUnmnEuo6KIRy0oMpPIVTCghjU2nygTkB+DISzPTd53m
+ln8pIUtg5vyDpMQnt0KgCT7xwaYdHdkokzrXWi01pZtp/n7A0Rh3uLCFUmtV4OTj
+4Oj5DBZmk/i6ez4YnL7/SoQRfBdtlw==
+-----END PRIVATE KEY-----

AK/openvpn/ak/keys/chris.crt

@@ -0,0 +1,139 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Feb  6 13:37:54 2018 GMT
+            Not After : Feb  6 13:37:54 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK-chris/name=VPN AK/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:9b:da:37:61:00:41:6d:0b:56:e3:cb:c8:56:28:
+                    0a:db:be:7b:7d:e8:91:7a:3e:3a:b7:89:91:c4:01:
+                    11:48:1d:c9:f9:70:28:a2:40:b2:ae:8b:8f:b2:56:
+                    75:79:5f:b2:6f:96:1f:e2:b8:83:c1:75:b3:f9:d2:
+                    42:44:a2:c6:03:48:c5:09:17:fc:77:13:cf:3a:a7:
+                    b2:73:39:10:07:b9:3b:a0:28:e8:da:82:07:87:17:
+                    86:93:95:bf:fa:5d:2a:39:68:8c:6e:d5:8e:fd:9b:
+                    ce:6c:28:13:8a:33:f0:6a:b4:17:07:3f:d1:7d:a5:
+                    a5:fc:a0:e3:26:73:49:0a:ba:d7:84:6f:a4:53:ec:
+                    ef:e7:17:3b:ca:b6:9d:d2:88:42:16:dc:c0:50:de:
+                    5e:d2:c5:88:b9:28:f0:03:d7:5e:86:cd:bc:59:7e:
+                    e2:d6:d5:a3:ed:cf:97:de:da:e0:cd:c8:0d:96:fa:
+                    06:c5:bc:6d:79:d0:65:ab:6e:f5:ee:a9:88:dd:8e:
+                    fb:2c:76:48:73:10:b7:5a:8b:05:ac:92:df:ce:a7:
+                    c8:98:e2:c4:10:a1:4a:f7:9b:b8:c0:b9:59:94:9d:
+                    a8:95:59:49:e1:c9:29:d6:9e:19:f7:b4:a8:aa:9e:
+                    92:04:ba:65:11:48:bb:f8:2e:ec:08:a4:b3:37:2e:
+                    2e:d2:d6:4a:ce:fc:de:15:18:78:34:97:b9:96:e3:
+                    c1:98:f9:0f:67:7d:ea:4d:12:ba:f2:7f:f4:9e:61:
+                    81:e4:61:df:ee:55:d6:17:b3:4b:c0:1b:af:30:9f:
+                    7f:a7:93:81:66:14:2d:08:7e:83:5d:d7:57:5c:21:
+                    f2:43:49:df:50:9a:58:2d:f8:b3:cb:d5:5a:91:0c:
+                    90:47:59:e3:5e:78:82:93:6c:db:82:7e:22:72:5c:
+                    47:8e:d9:49:2a:69:9e:d8:f1:70:37:d0:69:82:05:
+                    42:12:02:d7:f2:78:b9:88:ea:fe:92:9a:d5:20:b4:
+                    db:8a:e8:54:eb:61:26:05:dd:31:59:b2:e1:93:9a:
+                    43:82:c0:55:ff:d4:8c:d0:ba:bd:f6:c4:9a:58:73:
+                    14:3b:96:aa:01:fe:2d:c9:7f:f7:b5:93:2e:a7:19:
+                    7f:60:ab:01:e7:b1:2a:1a:a2:4e:85:a6:d9:7b:92:
+                    7a:ce:e3:de:50:ac:8f:65:d5:6d:9d:5e:2b:d1:86:
+                    de:07:22:56:18:05:52:57:85:ca:ce:25:80:69:2f:
+                    37:74:dc:ca:3e:42:d9:05:f7:c4:5a:77:26:d3:ec:
+                    52:2e:02:52:61:00:c4:06:a8:fa:4d:23:42:83:76:
+                    30:6f:3d:4e:7a:a6:17:fe:5e:06:a5:87:a1:37:da:
+                    fb:bc:87
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                2E:C4:A7:97:A0:8C:78:B9:B3:25:0E:B0:C4:AE:A4:40:6A:82:A7:3F
+            X509v3 Authority Key Identifier: 
+                keyid:EA:67:95:94:1D:46:8E:44:BF:97:A4:09:BD:40:3D:00:D9:D3:EE:40
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+                serial:EB:02:53:87:4C:0D:73:5F
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:chris
+    Signature Algorithm: sha256WithRSAEncryption
+         67:e7:39:57:e2:ee:56:68:74:6d:54:4f:0d:1d:c1:c3:21:3a:
+         4c:ef:e3:31:40:ae:9b:e7:af:1c:23:ea:58:e2:fa:97:fe:e3:
+         01:b8:32:ba:0b:0b:19:49:03:92:d3:86:df:e5:57:d7:d5:51:
+         00:28:51:11:fd:23:e8:a1:51:47:28:06:29:4a:17:c5:93:3a:
+         b8:5f:91:58:a9:4d:af:90:7d:ca:15:e0:03:3e:a0:2e:1b:89:
+         ba:cb:91:8f:ed:50:7a:7b:a7:8e:54:48:54:36:92:1d:81:6b:
+         07:8b:fa:73:e1:16:30:3c:ad:2a:92:b7:15:03:78:81:27:99:
+         36:be:f7:cd:91:64:25:90:27:2b:76:70:77:ff:a4:c8:c8:79:
+         2d:8d:39:1c:6c:56:c5:7b:5c:b2:0a:e6:77:e2:14:2e:21:6e:
+         c5:61:08:37:9e:89:e8:e2:c2:06:9c:ce:93:b6:2b:82:e9:db:
+         ee:d9:1c:1e:ce:1b:40:a1:c9:b1:a7:76:ba:96:80:2a:36:40:
+         e2:f0:3d:68:cb:cc:8e:b3:0f:62:14:95:0c:c7:34:cf:e0:b8:
+         94:d2:79:32:a0:ba:07:d9:a7:10:be:84:fb:4a:dd:d0:40:07:
+         5f:8f:bb:52:70:4f:46:be:73:cf:0e:29:11:2a:52:b3:e3:57:
+         b0:72:6e:a3:47:62:1f:53:d5:c7:8a:32:54:13:0b:68:8e:d6:
+         8f:ff:2d:43:6c:0b:ac:38:d6:81:6f:a4:57:69:3c:27:28:da:
+         60:42:01:aa:b9:4e:31:8a:de:47:c5:5c:b2:1c:9f:94:8e:93:
+         b8:3e:85:f0:d6:a6:45:49:3a:14:d7:ae:d2:f3:57:c0:04:95:
+         b8:0d:82:f1:f5:a4:90:c6:32:2e:72:b2:b4:5c:56:9e:fb:7a:
+         16:a5:21:ac:8e:e3:c2:48:98:73:04:da:73:b9:04:14:09:7d:
+         55:b9:53:71:62:94:4a:ee:49:7a:73:6c:4b:5e:02:5d:8d:ef:
+         6d:60:d9:e9:69:29:10:97:a9:fd:4d:9d:d0:9c:c8:a7:26:0d:
+         7f:c2:b2:e9:95:17:7b:31:25:7e:43:e6:2f:ee:23:c3:b1:7c:
+         d5:0e:1c:5c:5c:49:f2:ca:1d:06:e6:ec:eb:40:21:8a:8c:59:
+         b4:e0:9a:08:fa:f5:35:34:bd:1c:c5:e8:dd:f4:d5:ff:7b:ac:
+         5b:19:15:d7:5d:09:1c:fe:25:07:e7:b0:7e:ad:4a:e0:78:05:
+         8d:2a:b8:7c:d2:9a:4d:19:0b:d5:15:03:f9:c6:fe:bd:2f:6c:
+         de:26:3b:1e:38:44:6f:77:13:7b:b5:09:3a:b3:bc:54:fa:38:
+         56:05:ae:58:35:58:53:85
+-----BEGIN CERTIFICATE-----
+MIIHIjCCBQqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEP
+MA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
+Fw0xODAyMDYxMzM3NTRaFw0zODAyMDYxMzM3NTRaMIGiMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEVMBMGA1UEAxMMVlBOLUFLLWNo
+cmlzMQ8wDQYDVQQpEwZWUE4gQUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAm9o3YQBBbQtW48vI
+VigK2757feiRej46t4mRxAERSB3J+XAookCyrouPslZ1eV+yb5Yf4riDwXWz+dJC
+RKLGA0jFCRf8dxPPOqeyczkQB7k7oCjo2oIHhxeGk5W/+l0qOWiMbtWO/ZvObCgT
+ijPwarQXBz/RfaWl/KDjJnNJCrrXhG+kU+zv5xc7yrad0ohCFtzAUN5e0sWIuSjw
+A9dehs28WX7i1tWj7c+X3trgzcgNlvoGxbxtedBlq2717qmI3Y77LHZIcxC3WosF
+rJLfzqfImOLEEKFK95u4wLlZlJ2olVlJ4ckp1p4Z97Soqp6SBLplEUi7+C7sCKSz
+Ny4u0tZKzvzeFRh4NJe5luPBmPkPZ33qTRK68n/0nmGB5GHf7lXWF7NLwBuvMJ9/
+p5OBZhQtCH6DXddXXCHyQ0nfUJpYLfizy9VakQyQR1njXniCk2zbgn4iclxHjtlJ
+Kmme2PFwN9BpggVCEgLX8ni5iOr+kprVILTbiuhU62EmBd0xWbLhk5pDgsBV/9SM
+0Lq99sSaWHMUO5aqAf4tyX/3tZMupxl/YKsB57EqGqJOhabZe5J6zuPeUKyPZdVt
+nV4r0YbeByJWGAVSV4XKziWAaS83dNzKPkLZBffEWncm0+xSLgJSYQDEBqj6TSNC
+g3Ywbz1OeqYX/l4GpYehN9r7vIcCAwEAAaOCAWUwggFhMAkGA1UdEwQCMAAwLQYJ
+YIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
+HQ4EFgQULsSnl6CMeLmzJQ6wxK6kQGqCpz8wgdEGA1UdIwSByTCBxoAU6meVlB1G
+jkS/l6QJvUA9ANnT7kChgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
+ZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQL
+ExBOZXR3b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQUsxDzANBgNVBCkTBlZQ
+TiBBSzEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDrAlOHTA1zXzAT
+BgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEAYDVR0RBAkwB4IFY2hy
+aXMwDQYJKoZIhvcNAQELBQADggIBAGfnOVfi7lZodG1UTw0dwcMhOkzv4zFArpvn
+rxwj6lji+pf+4wG4MroLCxlJA5LTht/lV9fVUQAoURH9I+ihUUcoBilKF8WTOrhf
+kVipTa+QfcoV4AM+oC4bibrLkY/tUHp7p45USFQ2kh2BaweL+nPhFjA8rSqStxUD
+eIEnmTa+982RZCWQJyt2cHf/pMjIeS2NORxsVsV7XLIK5nfiFC4hbsVhCDeeieji
+wgaczpO2K4Lp2+7ZHB7OG0ChybGndrqWgCo2QOLwPWjLzI6zD2IUlQzHNM/guJTS
+eTKgugfZpxC+hPtK3dBAB1+Pu1JwT0a+c88OKREqUrPjV7BybqNHYh9T1ceKMlQT
+C2iO1o//LUNsC6w41oFvpFdpPCco2mBCAaq5TjGK3kfFXLIcn5SOk7g+hfDWpkVJ
+OhTXrtLzV8AElbgNgvH1pJDGMi5ysrRcVp77ehalIayO48JImHME2nO5BBQJfVW5
+U3FilEruSXpzbEteAl2N721g2elpKRCXqf1NndCcyKcmDX/CsumVF3sxJX5D5i/u
+I8OxfNUOHFxcSfLKHQbm7OtAIYqMWbTgmgj69TU0vRzF6N301f97rFsZFdddCRz+
+JQfnsH6tSuB4BY0quHzSmk0ZC9UVA/nG/r0vbN4mOx44RG93E3u1CTqzvFT6OFYF
+rlg1WFOF
+-----END CERTIFICATE-----

AK/openvpn/ak/keys/chris.csr

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE6DCCAtACAQAwgaIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3Jr
+IFNlcnZpY2VzMRUwEwYDVQQDEwxWUE4tQUstY2hyaXMxDzANBgNVBCkTBlZQTiBB
+SzEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGUwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCb2jdhAEFtC1bjy8hWKArbvnt96JF6Pjq3iZHEARFI
+Hcn5cCiiQLKui4+yVnV5X7Jvlh/iuIPBdbP50kJEosYDSMUJF/x3E886p7JzORAH
+uTugKOjaggeHF4aTlb/6XSo5aIxu1Y79m85sKBOKM/BqtBcHP9F9paX8oOMmc0kK
+uteEb6RT7O/nFzvKtp3SiEIW3MBQ3l7SxYi5KPAD116GzbxZfuLW1aPtz5fe2uDN
+yA2W+gbFvG150GWrbvXuqYjdjvssdkhzELdaiwWskt/Op8iY4sQQoUr3m7jAuVmU
+naiVWUnhySnWnhn3tKiqnpIEumURSLv4LuwIpLM3Li7S1krO/N4VGHg0l7mW48GY
++Q9nfepNErryf/SeYYHkYd/uVdYXs0vAG68wn3+nk4FmFC0IfoNd11dcIfJDSd9Q
+mlgt+LPL1VqRDJBHWeNeeIKTbNuCfiJyXEeO2UkqaZ7Y8XA30GmCBUISAtfyeLmI
+6v6SmtUgtNuK6FTrYSYF3TFZsuGTmkOCwFX/1IzQur32xJpYcxQ7lqoB/i3Jf/e1
+ky6nGX9gqwHnsSoaok6Fptl7knrO495QrI9l1W2dXivRht4HIlYYBVJXhcrOJYBp
+Lzd03Mo+QtkF98RadybT7FIuAlJhAMQGqPpNI0KDdjBvPU56phf+Xgalh6E32vu8
+hwIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBAGhjr8r2wIjgRUBCHjdtz8PpAiCs
+EcsgSy8gPqueiora4B6IVMtHu1x/SahQRUASzBDrwaRuo+6nppiVfNOEa2ep63Gb
+AKnn1RzhPLAUpSkUBeFW0yNdbaNTReDUvlNTLNMxqQDL1DcWWer1GjIz3+lw7E5w
+mzwDOhyIh4LYCnRCC5wzeOABys5XDgo/KJsBQSbMRRsvsE/Q52GS0+giVZ6RZydu
+efkugGAAocvxPGlYSMScjwZVwqvbjTMnjq4NKMp38Z0RjwzBqZJ2UMEx4ZRUrlke
+SFvRT7m8zLe9fdBJLD+tVEBVyeyhNooGMSf0EKtqp78WpEfSIoFDg/CAXJi5+CCE
+MeelEI6bh6H7YTyNGsqgVJokFq/SYwiPBRSOty0yVn4HY1TMGPVT245ytnyJ1IaA
+e3eBF7RK4okXyVmsCsVYHM1qLroLOKcJvNVXkVuVw2FsyAooSmGHENRYTeYseGIo
+CmZOMuHc2CeimB8rHcZEN8aVyeE34EqNNAALQD+wL46XcdkO/P2MRbvBbCnc/7hH
+ocs8vL7idg14wk0bZTJI2Cb8RHdbUaFBRoUHGU+bwM7FK2J+KVRrTNAJBx0eeNQ3
+cvR6MRCl9Qt3/Ug/QmCWzxkmJ1b9oXWRR9YZBGyli0ODGKAJReo/q3tg1MOQosB5
+e90Bda4vLDdfzUk5
+-----END CERTIFICATE REQUEST-----

AK/openvpn/ak/keys/chris.key

@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI8D+IDkooTeUCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECOeFJGd9/t0cBIIJSBRyHxbI/0Jv
+mraoNvyjbi4l27LhE8fsI6p7f5YIg2kMATDHyrnt4uPUnv8d1ah+C39TdNpu9Sbt
+HPEljwfULWlkWQbkCvvESfIufjhdiIphA4krzxTdofs/afR24v6HehYa2F9rnWoH
+iEb+c0El8YV+AvWU7mp1Mr3l6DYGvnioSGm6a+G1Ww2RouKFKAOSsKE2ozUNGAsr
+jXROHfpk4MdlsZBySHuMfmatoDyPYEYcnvJ67n378aShBb4OXP15Q4qY3O4nnwe4
+/QeBSjiuumcJE3Xu+QpiyftnaPH4jgOiCKqUQtXIgTzR0MbosE5epsvZHj0BeCGF
+VUq52VV6sFnsOphairq186juiFs3HRIfW1xcjk8uQVk88gKf/JswYDeBvXxRfOde
+gO2LhE9Q1Jej4buqet0xWuVe4r3YAcittfesXrsVjx+9NJPujBm5Iz/wbW72xo0J
++OqLQiq9DOcO/K7Gzt6x6TJ1VfG1bbAii52YyOK5acCzJFPp/C385jTv7yF8NGDY
+E6ROoGzU5jMkLs0WYiJvQimMeX4rPWXxVyCCerSyBFAfSDkY++9yXjjtgWICDYzd
+GJKOSnp52T1gHEf+IPdxUwPm6MrVcbY+dQqyXXSeKZdGkPuRK5WVz8qtAIAMvoKo
+jjSI55MLhxSGdJFX0nYOfbzU4LTlnKeTzSby929dyWwDu1/tRVzhWkiyDCBxUVkA
+MXc6csOSRm9gV4lgILQlc+XLTa+5mOdCz//sP49DdoiPuosclRfJPQp1LIXGoKm6
+s0Qwvw6hpa5aPUrzDpAtgA6j59YZU1QSE57vYUNVoyDJo/6X/bk0hwh+LE18XC6l
+KchLtOWf3D8Ca2TLWpIsUWuW7zuySG35A5OQhmzJXe7Fbx02MW1ppvDDRP6t366a
+qMlIQgQYhN9Bj3lNYdrMragqURfUQhCTWQG5CXfbKXgQHSQsA8F0XnpmtXq9gtaq
+7foW3ecw6asOfTM2imgTfLGFtkybRfA0ZInUgz2WSikZwrG7wIjeSJ0OIg4ckI9y
+bKLDMwNJGeyGZcdcsJVBxjaKje0Il9UZJxJGQ+p+BAj82cWrMFbloVNgnHEcOu5v
+KI88ucMUTOaPS/bPSo2Orj5UQIID/2lqymoqXvFLqX2ftYQT/xkGFdm2cjB/7x3T
+jsvFZezPjUcWp5t0oJncER0vWM29aTSwWyybyeGX1TWrvul85aRBr3RU4OZ2e/9P
+/W4g/pDXDuuYxqIWkxwAlcuncmcb0OfR+GBKelIPKsItlyoBS2tRFAaUCjItV4PJ
+PAopqedq4QT4mypmw+5MKObRqfdpxDoKCHzJhakDmw77miXdON2V1M7xWk+kfD9B
+H8t1QdJyzB87FQwsXlrMVh1jF+m0PIytM3l4DNqIft8AYEulbinkeB67XAhWGIqo
+IAmxhYpFfhWxmECDwUQ+nrrz6jW0LJtZKwUITH5C42BBw0I5OmVJhYNlStj8VayR
+ykkAeoiC361DKvlqHabh6KRZT/yhNtQ2TH13UGgOBDeXUQMGaKhYmdUiEjnuek4P
+lbu4cG1BtjIHtpD1LRON29rvRGw44FEEeuxmd+KyJfLdJWJQ/zjXg3owM/cZzAum
+t1qbMwxEE/EZJdRhD5cyVoWiAiFmgRfjPpv3CUCPP88QvdueRURe+i53TbqFGVqR
+dRs5hC6gjJ/nTnmF5ZjsbYqy+IKWCiGNjZA8P3pKzgXY4J45y6rRD8HNVZqWzIen
+rD2OOpvchPVCJPJUk5L7AreaMZENAyciKuLtBOp+D2INo+exE+IVaBtM5NeNnKXn
+7veiczJguLkUXMQXyxYLv7J49RbAA2WQNRcbLGuJklFVkyWYdtB+nGejMdiHjkri
+bVJcGazlJmFXhBhwEHROEJW3SOLcPwsfxjDE7LmzF80uCZbG6HFDVjPkyGZGz6y5
+g9+Kh4dQuboCT+3nhGYTUxcRe6FzHWBplq/tBPmyJNeTCvNBpOD8xVlNOi/2PUTx
+FsaIE3XGnJH9E5GpLoYA9K6oHW0w1rb7U5P0Z9arTKhPyeQYlUJwNjrLUAw++pgl
+QfY3MR8VMLAzZ/jbp0k30JE2SPAE8Bnoe3U0oQOwhGJCS36hQnMsWtW+CF+OIeV1
+Uwz+OysJKWQbB1QLUDYN36D5XRIwwcDyt3+RIl34hSai8PWC/IA52SytS8d0z+bc
+L4bavw/5JNVgGTmrMYYvFa2vY2f5VHoLnfdB7hnZJzHfbkpziuD4qB9Q/bxmywDF
+lYnZq19t2LHtE+z8Arv+NEhJULUz86O7bZq2PjWe46FhNwzVxZdtsJWH/KSg137S
+DcdAc7a4yNk3602EFBUTIKWeEuEr6SsPG9IjBq6gZbCiPbSRj8EhH8pk2d40/64B
+1ZMS/7Qd1qES1G/ggC7Xby0ggRGR9D8Uu9Ismd6EOZ1pnNP8bfeajnCyNo17MAsH
+I/2W2ZF847wjoC8kmPHxWiN3pbGaHeZb4bwNw5PxuQboGxY4nR8yf7qxOgv4ST7T
+08V+nDawKDL43vSz9cWK6Q0Cdhpsc6H72rv3eMXcQ9+6oOrsG/VsqNtUxXX0dAUB
+nqlgPLfmyneVJwBfRboDEicxEvsJtxLDNe5PKyYk1ilCmD1vi8hWu9JPp4LBmLgm
+wr9HEL0qNz8E8QLQkBPxmdOXH4bx9bagN2/TMd7As9h2klZ1gru+Vq9VZ7/gE+gh
+kbG5VlmhGQycNP2b0JZauA9fsNwAFEqsHczGw7fKdtAscm4b09DJe3o8gpdVqIFe
+qi+zdZl9NhUyvcNU67hfoTxe7hmy2Ht7hkrNnlUfCPPLIip6a75TiEOUsZMpEHBV
+h2NNoWmnOBiFT8ptA9vSAuJZifrsjK3DPDuLIN6Le/XAMLOMA2mYdxA/fB6A67Vc
+9Sr/DgK6DCTZ1Z3PaND6W+tY6LM73LfolSPOGYGcL10F0exEcIkWDEF9z3lqfUrg
+mPnbi3GzA/zFz0HE8+4wcb9zUzmfunaZGSemPXVtDkco/UgsTOfduyV7C2FDYhTQ
+yXlrj+lZYazKF2wu7kDvho4kmudkKTmfsv6/1k2+GybWisNIQmxCe8KsjZVB+f9E
+dQq6AzY/4SWMmC2h0E9ou5x4qWiVZPyX6l5dN9kmkwleGZQf/kTJaL5SKcR8RFy7
+v0RsRna9sOxc6YrsiqAeGg==
+-----END ENCRYPTED PRIVATE KEY-----

AK/openvpn/ak/keys/crl.pem

@@ -0,0 +1 @@
+../crl.pem

AK/openvpn/ak/keys/dh4096.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAmxffquckZfZCrGEUJ5w3NnbbyHYlpyaqhZw9HumlHGhKq2K8bnIq
+fTwPNvpUqYK14yJxjbw2ZZIEQhP5qacYeWVLHGOegjqgWgGzZZUgnbBzfrvzFVEQ
+ewif3TFNpFN9k53or+MyWyORs/XdpOO0TalkTdwWprk3fAPJBgE3ExXremHp7qgI
+KfLWHTF1vGPuzgLYnYFSymcEgJhbt6VoS3LmwccoTkycvyXoz0M5w9gwMao0rJJh
+mCeLE1vgbQBJkMw6EU59HS68TmNvAEzwzg7MWWORVzl047/8MukFGqWbdJdhVqd3
+TilZWOdv44r0d0R+TdlT/+zMrDwYOfh/E72ofxGcf7awz4AekmL4kEg1yUX2biiF
+Ex2A09wGklSJWrGr/k2zTSx0I6gBso2Y/8MFaUnTsBM6XEPD+CpDvEc1y++aDUyP
+UvBdL9tqwNZ44u8ijWjxyqdUmUKo+wBCK0ztH2yl07bL5CJxqIGFjZpoIj4WKskI
+OM5bIoyDEcK5qVJxfCBmuszhcQh254iS7xZkzZ/sDyN2L3B6v+rYgK8OUAK0gIOY
+f4iHtiPVG9Xxpt4XniAcvs9VB/aYOhgCMdTg5CVQXyK66fnTgicslU9smMOoGDew
+ARruSU55xTFZb9Fi6nu7XZbodP1ANUGZROvl0V8zyoq89LLoMSVtIvsCAQI=
+-----END DH PARAMETERS-----

AK/openvpn/ak/keys/index.txt

@@ -0,0 +1,2 @@
+V	380206123716Z		01	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK-server/name=VPN AK/emailAddress=argus@oopen.de
+V	380206133754Z		02	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK-chris/name=VPN AK/emailAddress=argus@oopen.de

AK/openvpn/ak/keys/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

AK/openvpn/ak/keys/index.txt.attr.old

@@ -0,0 +1 @@
+unique_subject = yes

AK/openvpn/ak/keys/index.txt.old

@@ -0,0 +1 @@
+V	380206123716Z		01	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK-server/name=VPN AK/emailAddress=argus@oopen.de

AK/openvpn/ak/keys/serial

@@ -0,0 +1 @@
+03

AK/openvpn/ak/keys/serial.old

@@ -0,0 +1 @@
+02

AK/openvpn/ak/keys/server.crt

@@ -0,0 +1,141 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Feb  6 12:37:16 2018 GMT
+            Not After : Feb  6 12:37:16 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK-server/name=VPN AK/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:c3:e5:c6:ea:48:8b:ac:0a:03:79:75:38:5b:f0:
+                    4a:42:eb:30:af:31:fe:cd:81:25:29:7d:eb:7c:fb:
+                    2d:fe:73:f3:3a:bd:fc:fa:09:c7:36:3a:dc:52:22:
+                    d3:7f:01:d3:3d:c3:86:01:c0:ec:76:6a:89:0c:49:
+                    e9:12:41:72:8e:41:b0:35:23:d0:35:5f:21:00:3f:
+                    be:80:03:ac:e2:f8:05:3a:bc:19:0a:48:13:8a:56:
+                    4d:65:ea:9a:8d:00:51:52:4f:8c:1f:8a:fa:bd:39:
+                    41:e2:7e:a6:d9:5c:42:a6:40:2a:88:59:54:91:5b:
+                    6d:69:ec:21:84:aa:fa:41:75:7b:8d:08:1f:7a:f9:
+                    71:60:73:60:9b:31:73:32:27:5c:34:2e:7f:ff:f8:
+                    be:26:eb:dd:aa:c1:b6:c2:70:d1:90:b5:47:e3:c9:
+                    2e:d3:bc:3d:11:69:58:aa:36:93:1a:11:b5:94:ca:
+                    e2:44:1a:9b:4d:3b:04:63:cd:d8:28:57:8c:f6:35:
+                    70:bd:fe:bb:ef:8c:95:82:91:a8:c1:2a:8d:d4:77:
+                    57:64:a5:cc:57:f3:b1:8a:2f:52:d8:d8:8d:e2:e1:
+                    3c:21:49:bf:b0:42:71:3a:71:cf:4f:5a:18:99:79:
+                    44:d1:72:06:4a:7d:30:29:fe:a7:43:2c:92:23:9b:
+                    69:2f:d2:88:3c:6c:c9:d1:8e:cd:d3:5d:24:3e:c9:
+                    f3:b5:8b:60:99:48:ff:90:bf:ad:f3:f7:3b:c6:7d:
+                    27:8f:d2:b8:88:02:0a:03:91:8a:3d:3c:25:53:6d:
+                    07:59:6c:b1:0d:f8:e5:93:02:58:54:60:0b:29:08:
+                    39:92:71:01:dc:0d:8d:b2:94:87:4b:08:39:20:cf:
+                    a7:e5:3b:66:91:c5:01:15:3c:2c:df:6a:9d:4b:48:
+                    b5:5e:fa:3f:6d:49:11:2b:92:bc:7a:46:70:b0:cf:
+                    cd:79:be:90:e1:ce:41:fa:43:31:cd:bb:b7:34:5f:
+                    c7:71:80:75:83:6e:f6:45:a0:ee:a7:b4:de:43:f1:
+                    fc:df:19:d8:6d:00:b5:ae:59:17:f7:7d:19:cd:c8:
+                    b7:4a:92:da:6d:ad:3c:d5:b0:db:6e:5b:b8:2d:62:
+                    d5:5f:e4:23:b0:65:8c:b5:da:d8:27:0a:34:9e:32:
+                    02:7e:bc:89:39:aa:7f:b2:07:26:2e:39:0a:21:c6:
+                    da:4e:d2:cf:53:45:9f:c2:9c:d0:c6:86:37:20:60:
+                    9c:7d:14:3a:2f:1c:5c:50:36:5d:d3:15:2e:94:f1:
+                    04:b8:22:4b:c9:85:6a:ec:59:ec:e2:01:e3:c9:e1:
+                    02:56:40:c1:8f:01:61:68:26:72:89:de:ba:29:2f:
+                    15:8f:d5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                3F:C0:FA:95:43:C6:88:A3:2E:18:8E:43:3C:BA:1C:97:2F:70:C7:59
+            X509v3 Authority Key Identifier: 
+                keyid:EA:67:95:94:1D:46:8E:44:BF:97:A4:09:BD:40:3D:00:D9:D3:EE:40
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+                serial:EB:02:53:87:4C:0D:73:5F
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         14:3a:a6:f8:86:88:7c:db:9b:ce:b1:59:57:de:3e:e0:34:7d:
+         ce:a3:95:15:f8:89:54:e3:d4:02:0e:b8:51:35:14:4d:e9:31:
+         21:25:3c:77:55:d4:b2:9b:f0:d5:b1:80:6d:ef:e7:86:f4:e7:
+         e9:03:5a:12:c2:5b:42:e5:90:8a:8e:e5:f9:83:13:6d:60:43:
+         aa:13:1f:f2:99:3d:66:84:ec:21:1f:68:a6:b5:64:ad:c3:e2:
+         d0:6f:96:9f:eb:37:94:12:a7:89:94:de:5c:69:4c:8f:f8:75:
+         b8:76:c7:81:c7:88:81:34:6d:cf:ea:23:eb:05:87:a1:fd:d7:
+         e8:88:a0:34:81:f4:15:a6:cb:ff:53:47:10:e6:04:86:49:09:
+         7e:0f:ed:0c:47:5a:df:bc:a3:23:ed:80:4d:e0:88:81:be:32:
+         1c:0f:16:c6:c0:6e:0c:d7:24:63:1e:88:e2:82:e7:00:f2:a6:
+         0c:01:b1:a6:7e:4d:69:4e:9f:8a:e3:78:12:cb:fa:d2:b9:a6:
+         b7:ac:07:98:9e:38:aa:a8:56:81:9b:06:c2:11:ec:f1:4f:e5:
+         5a:21:45:ed:8f:b1:a0:48:21:e7:ba:7b:5f:5b:a9:7a:51:ca:
+         6d:84:1b:b9:78:38:18:91:9c:e0:ca:0e:97:e0:e7:bd:36:10:
+         ed:c9:80:0a:73:c1:ae:0c:d6:b1:dd:be:fc:7b:a7:83:4f:0d:
+         b6:7c:2f:15:4b:b6:e1:b0:5f:81:bb:c5:4d:3e:fd:84:82:65:
+         65:8a:4e:f5:66:19:e4:4d:9f:31:9d:d2:21:44:7c:9e:ff:55:
+         1f:f3:17:bc:d4:d3:e2:c4:51:fd:f9:f6:b8:b8:53:42:11:94:
+         f0:aa:df:6e:0f:07:0a:1d:2f:31:7a:6e:28:32:63:1d:a7:fa:
+         da:93:9d:37:25:3e:53:f7:f4:f2:e8:97:23:d9:39:dd:1d:39:
+         c1:1c:03:b6:b1:b9:21:6f:ed:a6:c9:b8:e4:aa:f5:6f:d6:33:
+         94:d4:70:e6:c7:e2:38:6c:33:3c:d9:19:4e:af:90:0c:13:f5:
+         b3:d8:fc:7a:21:8a:3e:43:e5:14:3f:4f:72:de:2a:71:13:db:
+         7e:b6:d9:aa:1c:d1:f9:ed:f6:cc:c1:ae:c9:c1:4e:4e:f8:dd:
+         85:ec:4f:b7:7a:7a:90:26:44:8b:a7:8d:67:26:0e:82:02:92:
+         14:d4:ad:38:28:ff:36:e8:59:3e:dc:1a:76:bb:b6:cc:b1:32:
+         d9:44:85:f5:c4:45:db:92:55:54:78:05:88:db:0a:fb:42:17:
+         e0:b7:76:0f:c2:c8:69:67:ed:fb:b4:e8:72:e7:ee:6a:03:d9:
+         8b:4d:22:d5:ed:00:68:6d
+-----BEGIN CERTIFICATE-----
+MIIHPjCCBSagAwIBAgIBATANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEP
+MA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
+Fw0xODAyMDYxMjM3MTZaFw0zODAyMDYxMjM3MTZaMIGjMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEWMBQGA1UEAxMNVlBOLUFLLXNl
+cnZlcjEPMA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Bl
+bi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMPlxupIi6wKA3l1
+OFvwSkLrMK8x/s2BJSl963z7Lf5z8zq9/PoJxzY63FIi038B0z3DhgHA7HZqiQxJ
+6RJBco5BsDUj0DVfIQA/voADrOL4BTq8GQpIE4pWTWXqmo0AUVJPjB+K+r05QeJ+
+ptlcQqZAKohZVJFbbWnsIYSq+kF1e40IH3r5cWBzYJsxczInXDQuf//4vibr3arB
+tsJw0ZC1R+PJLtO8PRFpWKo2kxoRtZTK4kQam007BGPN2ChXjPY1cL3+u++MlYKR
+qMEqjdR3V2SlzFfzsYovUtjYjeLhPCFJv7BCcTpxz09aGJl5RNFyBkp9MCn+p0Ms
+kiObaS/SiDxsydGOzdNdJD7J87WLYJlI/5C/rfP3O8Z9J4/SuIgCCgORij08JVNt
+B1lssQ345ZMCWFRgCykIOZJxAdwNjbKUh0sIOSDPp+U7ZpHFARU8LN9qnUtItV76
+P21JESuSvHpGcLDPzXm+kOHOQfpDMc27tzRfx3GAdYNu9kWg7qe03kPx/N8Z2G0A
+ta5ZF/d9Gc3It0qS2m2tPNWw225buC1i1V/kI7BljLXa2CcKNJ4yAn68iTmqf7IH
+Ji45CiHG2k7Sz1NFn8Kc0MaGNyBgnH0UOi8cXFA2XdMVLpTxBLgiS8mFauxZ7OIB
+48nhAlZAwY8BYWgmconeuikvFY/VAgMBAAGjggGAMIIBfDAJBgNVHRMEAjAAMBEG
+CWCGSAGG+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJh
+dGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUP8D6lUPGiKMuGI5DPLoc
+ly9wx1kwgdEGA1UdIwSByTCBxoAU6meVlB1GjkS/l6QJvUA9ANnT7kChgaKkgZ8w
+gZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxp
+bjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMQ8w
+DQYDVQQDEwZWUE4tQUsxDzANBgNVBCkTBlZQTiBBSzEdMBsGCSqGSIb3DQEJARYO
+YXJndXNAb29wZW4uZGWCCQDrAlOHTA1zXzATBgNVHSUEDDAKBggrBgEFBQcDATAL
+BgNVHQ8EBAMCBaAwEQYDVR0RBAowCIIGc2VydmVyMA0GCSqGSIb3DQEBCwUAA4IC
+AQAUOqb4hoh825vOsVlX3j7gNH3Oo5UV+IlU49QCDrhRNRRN6TEhJTx3VdSym/DV
+sYBt7+eG9OfpA1oSwltC5ZCKjuX5gxNtYEOqEx/ymT1mhOwhH2imtWStw+LQb5af
+6zeUEqeJlN5caUyP+HW4dseBx4iBNG3P6iPrBYeh/dfoiKA0gfQVpsv/U0cQ5gSG
+SQl+D+0MR1rfvKMj7YBN4IiBvjIcDxbGwG4M1yRjHojigucA8qYMAbGmfk1pTp+K
+43gSy/rSuaa3rAeYnjiqqFaBmwbCEezxT+VaIUXtj7GgSCHnuntfW6l6UcpthBu5
+eDgYkZzgyg6X4Oe9NhDtyYAKc8GuDNax3b78e6eDTw22fC8VS7bhsF+Bu8VNPv2E
+gmVlik71ZhnkTZ8xndIhRHye/1Uf8xe81NPixFH9+fa4uFNCEZTwqt9uDwcKHS8x
+em4oMmMdp/rak503JT5T9/Ty6Jcj2TndHTnBHAO2sbkhb+2mybjkqvVv1jOU1HDm
+x+I4bDM82RlOr5AME/Wz2Px6IYo+Q+UUP09y3ipxE9t+ttmqHNH57fbMwa7JwU5O
++N2F7E+3enqQJkSLp41nJg6CApIU1K04KP826Fk+3Bp2u7bMsTLZRIX1xEXbklVU
+eAWI2wr7Qhfgt3YPwshpZ+37tOhy5+5qA9mLTSLV7QBobQ==
+-----END CERTIFICATE-----

AK/openvpn/ak/keys/server.csr

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE6TCCAtECAQAwgaMxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3Jr
+IFNlcnZpY2VzMRYwFAYDVQQDEw1WUE4tQUstc2VydmVyMQ8wDQYDVQQpEwZWUE4g
+QUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAw+XG6kiLrAoDeXU4W/BKQuswrzH+zYElKX3rfPst
+/nPzOr38+gnHNjrcUiLTfwHTPcOGAcDsdmqJDEnpEkFyjkGwNSPQNV8hAD++gAOs
+4vgFOrwZCkgTilZNZeqajQBRUk+MH4r6vTlB4n6m2VxCpkAqiFlUkVttaewhhKr6
+QXV7jQgfevlxYHNgmzFzMidcNC5///i+JuvdqsG2wnDRkLVH48ku07w9EWlYqjaT
+GhG1lMriRBqbTTsEY83YKFeM9jVwvf6774yVgpGowSqN1HdXZKXMV/Oxii9S2NiN
+4uE8IUm/sEJxOnHPT1oYmXlE0XIGSn0wKf6nQyySI5tpL9KIPGzJ0Y7N010kPsnz
+tYtgmUj/kL+t8/c7xn0nj9K4iAIKA5GKPTwlU20HWWyxDfjlkwJYVGALKQg5knEB
+3A2NspSHSwg5IM+n5TtmkcUBFTws32qdS0i1Xvo/bUkRK5K8ekZwsM/Neb6Q4c5B
++kMxzbu3NF/HcYB1g272RaDup7TeQ/H83xnYbQC1rlkX930Zzci3SpLaba081bDb
+blu4LWLVX+QjsGWMtdrYJwo0njICfryJOap/sgcmLjkKIcbaTtLPU0WfwpzQxoY3
+IGCcfRQ6LxxcUDZd0xUulPEEuCJLyYVq7Fns4gHjyeECVkDBjwFhaCZyid66KS8V
+j9UCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQC5aW3rFx5zyYIB//RCPRps8/Mk
+6kVL28rh6PWtHgiftPEc06Zk5eKK9E/4yefavu+vqQXC2ZbhjG/YNUyMeyEOGnmn
+LXXnMSdx/xHvv3LlB6AJC5knkNjtKllXez+t49Q4siB9TFIPUI/6dLZnGNNoWhZk
++HNvcGkXeMKgUxje6B9t7p80PdFJkwSLGinydCWwMU3a9yXKE3Bc/NA6JL2P1flJ
+Pfql2037CgUeOTCuej7mJ0Qfs0kheVjAdJg94A8Yg+Szl3ycmU12UFl3us23Aw30
+R9fF+KFeQsb0OV/IvWwvSgnpKfHUMM+M1SNQezd3fA4d8YC8ayBTXS3VFFzefd12
+x8e58j1fUVpvCDG4+uVfnL3jh4Wndp/t3RQKu8i+VPeuAD80FaH7wsFtPVGtI7UZ
+0NOrC69914a/sMC5MQNTBj4ed9+Lux4Q8afk1UOfBf7vL9CoLpkJINu5MXFz3tGA
+oqtDRLHbcanDoEvveFx8DcYNy6UFpiyqSbxKLBjSlvIfzJJzBmLfinS6JGxOwLv5
+JpqxtEtrG+f18GxThQT8I/57HU6VH1VQ3rUKjN6b3syQVFCdFuNhy6LzgIzHd3wa
+hVlJwrbidnTVxv/69vsAicdwAdPDOmxvZXN4hOj+tMCI8Ez3iiPl8UlJrecC4efh
+sepxiWMN9PHGwj58wA==
+-----END CERTIFICATE REQUEST-----

AK/openvpn/ak/keys/server.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDD5cbqSIusCgN5
+dThb8EpC6zCvMf7NgSUpfet8+y3+c/M6vfz6Ccc2OtxSItN/AdM9w4YBwOx2aokM
+SekSQXKOQbA1I9A1XyEAP76AA6zi+AU6vBkKSBOKVk1l6pqNAFFST4wfivq9OUHi
+fqbZXEKmQCqIWVSRW21p7CGEqvpBdXuNCB96+XFgc2CbMXMyJ1w0Ln//+L4m692q
+wbbCcNGQtUfjyS7TvD0RaViqNpMaEbWUyuJEGptNOwRjzdgoV4z2NXC9/rvvjJWC
+kajBKo3Ud1dkpcxX87GKL1LY2I3i4TwhSb+wQnE6cc9PWhiZeUTRcgZKfTAp/qdD
+LJIjm2kv0og8bMnRjs3TXSQ+yfO1i2CZSP+Qv63z9zvGfSeP0riIAgoDkYo9PCVT
+bQdZbLEN+OWTAlhUYAspCDmScQHcDY2ylIdLCDkgz6flO2aRxQEVPCzfap1LSLVe
++j9tSRErkrx6RnCwz815vpDhzkH6QzHNu7c0X8dxgHWDbvZFoO6ntN5D8fzfGdht
+ALWuWRf3fRnNyLdKktptrTzVsNtuW7gtYtVf5COwZYy12tgnCjSeMgJ+vIk5qn+y
+ByYuOQohxtpO0s9TRZ/CnNDGhjcgYJx9FDovHFxQNl3TFS6U8QS4IkvJhWrsWezi
+AePJ4QJWQMGPAWFoJnKJ3ropLxWP1QIDAQABAoICAGSW9FEQ90dbzPTtEAeFl1xN
+UC5lyaTUj7SCiA0hHTjvaRHcxK3Pn49lIgS7BUbONR4d7A2ydrlHcx/wQ9Gv8ZbC
+fCyNOzhspJFwKe2p9XiGSokiVOlGoWIDdrLCiKGmbBuL5TO9NYs8f2xCBILQMRkV
+EcH5vMb233PoYD2zXdWG8e41IZUPyPvxwsVt2u0B8QKKbgeOPnXV33jzB1lIfROF
+QmjgwT7QBbuPEIw2gcp9FXRVyWGXF+/MQjDNXhU4/5TdVAr7Zp1W3t6w1Kp7o2BZ
+93IjAI6Y/60pJ61ZZWH+rdWZ/OgQ9ftAvWbNqJwF/SRfHIPbTIQD0vdXR6MpBhU2
+PeqFBVA1+FEuZMqEwCoRqG7+HK0XyT2dpxqwnEn5+JGGC2bn1VvWZJY4iXwNQpMf
+lJj3ybj4WVN4sSiIBsTrNasMomzacwHALxfNkjo945I5U4VMxuBP1ZofBf0gunDT
+Qb9kBXmNN0sveZSRYLq2innU79Tl7cfMvCD8n0in4mhE4dKBifZYOIElYDVKghSj
+No6dzkRXzgesOxH7iiNyCXEe8UD9Flq8/LLb78GEcFR2CmA4l9CgC2w9XvDi3dsM
+BCUZok1eKcOLoD9R5KLDOQPxSgjIl1wKmHqysJEcBBrBiCaN49ebDAyztUAsvZLh
+MU80aau8N2sF+pHZl5/xAoIBAQDmepHNcx+VeNub6HDtW2RYwyuTPM/5seWH6RUq
+414cNmQeY0NSZXun6Zr5tSWka5WNJ2gVjF8EPFMM1HrIEBF6JxtsteMKiy37rKdA
+vgaB2EEO6bn4ZwpHHVhE45eH+qve+cttWoWQ2TjuHEry8XDpKSnkeI24ZJs2TfNZ
+Gv9sbyYMX1SF+Hgs9dZ6NEQj8j1zA3GF/POLNjyBwgbttY5mhkhJOp8AD0gTnrvT
+TJMLuwHag62Y647BgfgeHyhAvEisw9DJZDVmSXLxfoP1UzE95gRNMpcXJju3iH8Q
+s6K0ba1jJTAK8jXoYOitzFeJTpWkI/nwvnS5+KdLtufPqlMfAoIBAQDZlu0mBOR2
+FlIbzlf/gdbMSxUcjYIV/tCUtwPJUBKBgw6RqxhYPt3pEP5OoDfO+el6n/KJdKbO
+LGgeHBVt+m0NV0R2UFhX/n4rRq0KUFyk4ksWPp9vIyLcXVBH/udCv+LEM/sXANN/
+lD8PCtFCEFSX20w9abmBqf9hV5EdP6430myyrHY6SuBxSnZojZD0IAsAWy1WEvas
+8dIXlrG+VtfNLIPv3j7pEzjbDCIRv9/pxOp3NhrJDwG5tDUUymv8JdG5TI5srsSm
+l+8L2BCVyi+ld+KvAY2X+D5KRz6xahcNLBfRmWCfDzvp/N4oOniv5x6d3JkRivDx
+0qcLWQGANdKLAoIBAAeho1ZEK5WNbOgaqDKTxhzSSY0UhGZmJ416gELtSF5yxpni
++4Ws6o1CxOjjwJ1TGp6T4XRlM3g2byGLn40kSw/aX6QX2a6tsRYWP2t7X0fJW04d
+GxVIhCSaqiONzaSo/ivh5YR3bNjA+IuZ0Dl/GRf/Tu3LuBWU7za7GgWnSTHT9FSQ
+i4HsGj6S3Ukqld8C1FoMkSO4nm/LmfFJ9WTFkDOA2r/h+wXLe716kgmLDYtj48nS
+dlsL4awym36T1YdfNKDT0wP4F3SNlgq8/62N1aGRDi9oL2yKzYtkL6Dj8c07nHQd
+9RtHrdVF8C5hB7z6JyZKMqpwA/lsbE2rfr13jE0CggEAXs42+AjLrnQdRIZMq0Rc
+XdkdErrJgmHradCwMqfT2GBNGcUtr019DQ7db0654lHbnBVS7PdJsq2AlBXydF/X
+4icy6kYpp/V37c02mjbXlvQOeVvBxf/OMavqzePPybKn0ItBjQ1MGdty+k/hS2Ko
+KR5hAqUtMcTrQ/OOg+r6MtJZkCQ6wz1au6IRI48DKItJn9caUtWia0pWGvcK7P8T
+ug76UapJSO6aKD8KHSe4HTgyXMzTMOV7//j3494q3MtxrMYhjFM91cR/YG69Ezbs
+ObGZsF0B38RHB8AxHcY20wNyQV4NzmAp39LQzUBk02flXC0A+LbMMuFw7S3TzJQm
+7wKCAQALfyxJuegfxtmOViXFMp5jedBH+KnKegSJVpA70zIF3aNZmZJxoEt6ycq5
+DdsyyGBXeyO8+ezMnarjH78mjYjkBzQ7rjT9UDsVurHe/G7iRiZOqprHLG8doDq0
+EKQY3Tv7Me/gxNtMfK4bbFSMNHmnAGdN694eWMdK+vHmWTsIV8nmnKLnuvtEqjJL
+mOQVKpjYHwuI1UvT5fx8nrSXjAAZgzbhJ4PRyeLcauD+2HexvYlVdJCw6is4F3p3
+hmWdl5ymlriQCeklYGHOB4GTi7vYtqUCluBgAXAG+IqxZyNcHl9bnr+/AZiEza1T
+eLSf7Xmij6hlGsHXShHU2/Rq5iar
+-----END PRIVATE KEY-----

AK/openvpn/ak/keys/ta.key

@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+6ba2290fe261ac9beea46806d40e5667
+f5f0149c4b65bbad8c2c5ee859b29c49
+ea7edf2232bd81b43f1e9409d4c39d92
+de7d1d585330fdf6a617531896bff6af
+7cb96947de1e4153efc626fa93641f60
+7f3ce648d309155f2724318b119e6212
+d8f736d8997ee84ed55050d526c2849e
+685c531da93df302ee6ec2cf6c32c2c7
+0a08aee8d9efc3ef0a2a3611b92dcc88
+13aba6c2a566f297bbb63470b4cc098a
+e8631344b68825a1299101e3d0995274
+f0b404ed4a34579ceb3235a7f7597158
+ed052b0d74f3fca57344151330858dd4
+741deb038c30416db61b6ebd984957f2
+f5483a7dc8ac95c5d5a0ca9fa8f26901
+f85d64bac4b39ed010e52c07f0d30b68
+-----END OpenVPN Static key V1-----

AK/openvpn/gw-ckubu/ccd/server-gw-ckubu/VPN-AK-gw-ckubu

@@ -0,0 +1,3 @@
+ifconfig-push 10.1.0.2 255.255.255.0
+iroute 192.168.63.0 255.255.255.0
+iroute 192.168.64.0 255.255.255.0

AK/openvpn/gw-ckubu/crl.pem

@@ -0,0 +1,18 @@
+-----BEGIN X509 CRL-----
+MIIC5TCBzjANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUxDzANBgNVBAgT
+BkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9wZW4xGTAXBgNV
+BAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEPMA0GA1UEKRMG
+VlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZRcNMTgwMjA2MTMz
+MDQ3WhgPMjA1MDAyMDYxMzMwNDdaMA0GCSqGSIb3DQEBCwUAA4ICAQCg8eMriESd
+fkBH1MRBGj3H7adLmuaI2h3eOMvzFo2wr6jR6JKBwBSzcA/ySEr+bHZkJ0fPgOCJ
+wmyajWh7gQhtdzJYCxVPca3l7g/sd9i62+mRKCvEj3LSHXIMt3oQYAXzWQsSRxX6
+/oggV5fthr6t7Eu8a9FwBbzJDf6UGMYpqlLolO1N1CsyEVKQT3WogvlOSn5qjXDq
+fKMBqKdN4Ni8/1RT7UGRlGHaRx3J84xhn68njNAxWjcAA21KqNXH3JLMC0G62HSb
+4jWNH9yKpSw8GQ0O3qpXeZwLblCyWVmMSlh/o2QgOqBskEjR0qPD7mqfBXVj4YJl
+pGoiEsSgmeMHeqs24VuIU051+yAmJeI9E9F85C2ExUqkCR6NdfE0SI5SfgC7KN65
+RlCC/mIFB5vLXJRRriEjEIhP7iaj43GlL+f86ZIUhKEn3zjFDvj0cba1D5CFMq2v
+jhkbd6cGVUcS0ebqdca2FdVMUumXC+AmXQswfbBVAR4lYNDkenacxm2F7Uljlmdp
+FQmAfLUBOXkSnU7Yy9Sz+9CANc+xQn854+WTATkjx8B2UckEsYB1ZI7qwWODs8M0
+5gupokTLmOta7sDk1ghS/iL+1rx8dadrLaniQczgtN5Izicu6zXdfqv/w0a8lbGr
+JhhqczL4Gu3WW4FTmkwAmq7wArJil1zLaA==
+-----END X509 CRL-----

AK/openvpn/gw-ckubu/easy-rsa/build-ca

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-ca

AK/openvpn/gw-ckubu/easy-rsa/build-dh

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-dh

AK/openvpn/gw-ckubu/easy-rsa/build-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-inter

AK/openvpn/gw-ckubu/easy-rsa/build-key

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key

AK/openvpn/gw-ckubu/easy-rsa/build-key-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pass

AK/openvpn/gw-ckubu/easy-rsa/build-key-pkcs12

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pkcs12

AK/openvpn/gw-ckubu/easy-rsa/build-key-server

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-server

AK/openvpn/gw-ckubu/easy-rsa/build-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req

AK/openvpn/gw-ckubu/easy-rsa/build-req-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req-pass

AK/openvpn/gw-ckubu/easy-rsa/clean-all

@@ -0,0 +1 @@
+/usr/share/easy-rsa/clean-all

AK/openvpn/gw-ckubu/easy-rsa/inherit-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/inherit-inter

AK/openvpn/gw-ckubu/easy-rsa/list-crl

@@ -0,0 +1 @@
+/usr/share/easy-rsa/list-crl

AK/openvpn/gw-ckubu/easy-rsa/openssl-0.9.6.cnf

@@ -0,0 +1,268 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

AK/openvpn/gw-ckubu/easy-rsa/openssl-0.9.8.cnf

@@ -0,0 +1,293 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines                 = engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

AK/openvpn/gw-ckubu/easy-rsa/openssl-1.0.0.cnf

@@ -0,0 +1,290 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+#default_days	= 3650			# how long to certify for
+default_days   = 11688
+#default_crl_days= 30			# how long before next CRL
+default_crl_days   = 11688
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

AK/openvpn/gw-ckubu/easy-rsa/openssl-1.0.0.cnf.ORIG

@@ -0,0 +1,288 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

AK/openvpn/gw-ckubu/easy-rsa/openssl.cnf

@@ -0,0 +1 @@
+/etc/openvpn/gw-ckubu/easy-rsa/openssl-1.0.0.cnf

AK/openvpn/gw-ckubu/easy-rsa/pkitool

@@ -0,0 +1 @@
+/usr/share/easy-rsa/pkitool

AK/openvpn/gw-ckubu/easy-rsa/revoke-full

@@ -0,0 +1 @@
+/usr/share/easy-rsa/revoke-full

AK/openvpn/gw-ckubu/easy-rsa/sign-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/sign-req

AK/openvpn/gw-ckubu/easy-rsa/vars

@@ -0,0 +1,96 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+##export EASY_RSA="`pwd`"
+export BASE_DIR="/etc/openvpn/gw-ckubu"
+export EASY_RSA="$BASE_DIR/easy-rsa"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+##export KEY_DIR="$EASY_RSA/keys"
+export KEY_DIR="$BASE_DIR/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+##export KEY_SIZE=2048
+export KEY_SIZE=4096
+
+# In how many days should the root CA key expire?
+##export CA_EXPIRE=3650
+export CA_EXPIRE=11688
+
+# In how many days should certificates expire?
+##export KEY_EXPIRE=3650
+export KEY_EXPIRE=7305
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+##export KEY_COUNTRY="US"
+export KEY_COUNTRY="DE"
+##export KEY_PROVINCE="CA"
+export KEY_PROVINCE="Berlin"
+##export KEY_CITY="SanFrancisco"
+export KEY_CITY="Berlin"
+##export KEY_ORG="Fort-Funston"
+export KEY_ORG="o.open"
+##export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL="argus@oopen.de"
+##export KEY_OU="MyOrganizationalUnit"
+export KEY_OU="Network Services"
+
+# X509 Subject Field
+##export KEY_NAME="EasyRSA"
+export KEY_NAME="VPN AK"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+## export KEY_CN="CommonName"
+export KEY_CN="VPN-AK"
+
+export KEY_ALTNAMES="VPN AK"

AK/openvpn/gw-ckubu/easy-rsa/vars.2018-02-06-1337

@@ -0,0 +1,80 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
+export KEY_OU="MyOrganizationalUnit"
+
+# X509 Subject Field
+export KEY_NAME="EasyRSA"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# export KEY_CN="CommonName"

AK/openvpn/gw-ckubu/easy-rsa/whichopensslcnf

@@ -0,0 +1 @@
+/usr/share/easy-rsa/whichopensslcnf

AK/openvpn/gw-ckubu/gw-ckubu.conf

@@ -0,0 +1,257 @@
+##############################################
+# Sample client-side OpenVPN 2.0 config file #
+# for connecting to multi-client server.     #
+#                                            #
+# This configuration can be used by multiple #
+# clients, however each client should have   #
+# its own cert and key files.                #
+#                                            #
+# On Windows, you might want to rename this  #
+# file so it has a .ovpn extension           #
+##############################################
+
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Are we connecting to a TCP or
+# UDP server?  Use the same setting as
+# on the server
+proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+remote gw-ak.oopen.de 1195
+
+topology subnet
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# Server CA
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIGxjCCBK6gAwIBAgIJALRp90TzgA00MA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEPMA0GA1UEAxMG
+VlBOLUFLMQ8wDQYDVQQpEwZWUE4gQUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9v
+cGVuLmRlMCAXDTE4MDIwNjEyNDAwN1oYDzIwNTAwMjA2MTI0MDA3WjCBnDELMAkG
+A1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYD
+VQQKEwZvLm9wZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMT
+BlZQTi1BSzEPMA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bv
+b3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOMNalpNk0cB
+wPdZemz4r4TIhtRSxZEEg9yhTRo9LdMa6oNo1gpg3/60n9nBtA0cDnllx7Z37PvC
+Pg4RJksrB2ZYOB3oSo8LoMzlA0lZl4AMKnxau1ZJI8OB9Ia+6uJxBnpwVULsL4sx
+ds9pHsnXU74UWgdZPAHsfWhogMtk8TsikLFv7P6oxg3fXeVriWP/SUETTWHgSD3x
+gPsnrcGqlCPcfb/mH5SU+v+ge+iue0BXe/1OZkJDHdj5vLZ4MiUCiVVslX36uqti
+sI3Jt2OyF9XQwu5wms3ioW3XydpPmbisRuI7qrTdnmT1iVhbk29eQK/yHrXvuuXQ
+i6PQAirBtMYD8tx5FbMJ6ueDcm0jTVedfHtdkWkBY84bBnecF7ys000fDzJs1YH2
+SP3cb0KbREG2RE5BE1OgUgg8odbJ7/K+Tp0VKEbJAZCwpaw+qAU9xfH3pDoSX+iD
+N+SXxnjSpamwGYmx+PGpwIe3RnlEx8XUcMbEBq5grq7aR7tYd5qh1NKTUKleGucD
+1izZeGLLkh81Gpx+KFXNm7lk3WDx3dqUXc3tJgpZsZJc3VI3UjO5WaYlrdTc6IQs
+3rD0rOGrETI/utLQI9PNFSis00h2LmcPVnEL0N/W71kHeOuytr1Tg1FyFGY7Wbth
+bei4c14kNkVUk1Ncfl07pMR+/i9yee3DAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQU
+EHXXKayMfThSNCInVWJK275Iub8wgdEGA1UdIwSByTCBxoAUEHXXKayMfThSNCIn
+VWJK275Iub+hgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4x
+DzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3
+b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQUsxDzANBgNVBCkTBlZQTiBBSzEd
+MBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQC0afdE84ANNDAMBgNVHRME
+BTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBIgCBt6v6t2HSqwkLKjgR1c2cDViPe
+WmX8E8maqaDIUopyvNzsZCXjqZ1RNnIHgFKZyZqXSzXRGHbUiohJ4WkkOy+QV64L
+/LUizsZkMJasjYQgcDcXu5sN9mIzGW6C5myjwtSYBWITPxLsedOQLIhYulLrCBa0
+A/gs/gfODm0opsCOuvQn33psUyLda/k9BE/9EHmOg37IRh/rQi3dyQaW2DGfCgZc
+GSIMsxobp4QbdUTJyyIoJW/ZK20Mam+IWNhptqCX/SXlx0pzakkdAulwMtUCPwyD
+8IJEy5ST+qBoctg1mSLts14ZYM63NRYKPfnSUN1JfQE5Sl624c8koVJcKjFnPdII
+cFwo9R+SQFDfTva/xRC8Ydwp1C8V+wnXtM9B1aigule5MXe8CQE4PZjG1Bh7992x
+GcKGBCWR/8JmfipvH4EJ9brS4ZsQ5snfJImBtmmVxSjXn1aE77UYNEp8GF2vW8CV
+7j+neVQtQdA16tXYH4bWy4MCpVCuoBj2ffTkN/5cp9xWHt9D1w73LxXHMEWoQojF
+cOeUda1VSwR17SiEy/lo3mRnWoT6AzLVwYzVQg0W8dc9wPcJ2EiVzQu6ccs2gIJV
+RtdV9iX+oAkwK3/lPB68LvfMEw3Qcy3OY9DmjZNajlv8HCTirBuGNaUwR6pZGqiG
+JN2zjAizahwZgQ==
+-----END CERTIFICATE-----
+</ca>
+
+# Client Certificate
+<cert>
+-----BEGIN CERTIFICATE-----
+MIIHKDCCBRCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEP
+MA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
+Fw0xODAyMDYxMzM2NTRaFw0zODAyMDYxMzM2NTRaMIGlMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEYMBYGA1UEAxMPVlBOLUFLLWd3
+LWNrdWJ1MQ8wDQYDVQQpEwZWUE4gQUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9v
+cGVuLmRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1iJXRCsnhrkw
+vrvWg11+tAy89uYWXSt5lDxBVwuqoTEacmhnhfOT9yEDQys1jSm8u4FET2UUzI9g
+SNYFigYnKoVjjKKxGtlK2Bt9qgu36WlfzlnqNiKvUO2aHnxNwRNvI7b4YI2/uk3V
+gZAAQdH4DiR0rFSDNmBKyvMQKP6ix1dy4+riACIP22n/bltEp9KmYkoU5XomS+DM
+Fqd5wvCt/A18n3x5Ijw1Z8EGz7YCzMqGrt2HA+zRL8r0d//DS3KfHrZH+5qrrrbl
+j8aHydvklLxDqqn+ZgbxKIRjOJ+DXG3MbGvk4gaUj/+fR5nfoBDxIxlA2wn+hXAX
+v6r/eVSPPs6kGqYLNJsw8qjtuG89PggyhkuNsCoOLY/JvtXMRzadcz3RIS5nnwQe
+EoLDtn+E9NbQlrj9XyKYbzCW2EMJANoNmHsCW/IZ0aKhd7C7lMNxaYGARAssNo+r
+gUXj1bUbJQBpHZOJj4AZV9um1YM4ef9v9hb0slYolHw6YS1ys3Ur38+/005gVFtR
+daFQLsUXvLavCALJRuWfFv6k6Vp/HyDlRiwL3kDCsy+ul+ll9DC42rMb6y7WxAnK
+7lN6I5mWLkL7aWY4Qj9Fa+OeavGweSSYOaEzGHhNulQ9pIsw9f3XEKGh1XhSojpK
+hHM40wuTmGMwb53GhX5jB3UPijMdbgECAwEAAaOCAWgwggFkMAkGA1UdEwQCMAAw
+LQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
+BgNVHQ4EFgQUBYLo1mtxM1jb3ogF+1KEvfNNZDowgdEGA1UdIwSByTCBxoAUEHXX
+KayMfThSNCInVWJK275Iub+hgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI
+EwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYD
+VQQLExBOZXR3b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQUsxDzANBgNVBCkT
+BlZQTiBBSzEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQC0afdE84AN
+NDATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEwYDVR0RBAwwCoII
+Z3ctY2t1YnUwDQYJKoZIhvcNAQELBQADggIBAHe1NvTTAE32RzjFyUZz72suEVrk
+OChnbtlokfhencfOZ+241jMswpg5aQDA2jY+lmEQW5tK4N+2hglTFHM4gW4b362b
+rJFEe0fCMl3r/cqdmZbDNXSm9xR7pSoIWt/2vo4ucZQzQEqN6CXA0/rOx84yPDj+
+UFHqvoOAAUbdBZOWqZ4Q+Qni5Y4QmUsGWaoK3LApKSEdfNxiKZkNZ6joWkjJiE45
+pdYd5qeUR1plixNhl5dITH0VfeM+85IXS6y9Tm4kb6tbLPO7KPu9vF/7UD0+Z+zM
+hA8nDu4CjQtN3aSq6Hazi17lDbjpYEWid2LQ0Epvh0c8PHcdNzpf3343/+fun+qH
+xKcEM/7BzyHtVaqPMRqLIMVx4+jAN2k9Lj7oswzTZa526G85kStfwZ5EzuHZ+53s
+2cH6ado+SZDbV2agrcjPri3Bmve36Ed0jLcAA0KcNVOKGfUuY/UR08j/0NbG12ZZ
+IZACPxtIiRcd97cvPXJIxn60LqvBkiRX9rRWA0se//hkCEbUC/w9YekDzDtKU5vw
+JdHjdPVX1NZgXOWom9lUFmWTzeTWC81iAG/YNw271yZ5be8RysAhx+u8ql5AuHL3
+tRsHj1TUbdBINePBvWexL2XdddojjwC3h42N7AvnMNW7ukSxzCog9eGxXmhKkTt9
+En3pD1oBbG67z5tL
+-----END CERTIFICATE-----
+</cert>
+
+# Client Key
+<key>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI62QkbYGv0EYCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECM5hsq05gmbkBIIJSJV6xZtsAe56
+teLN4Bl1fR+qUAfmKm3q94RgI1f9Rc4MpBf64b61IgkVWnQ4ec4CAPnhe2FeUExh
+HGRoeBWR88WaTgNBo6+VUhTCYPAelLvGjhG9TUjn4sigSU3/nQos9NTEMiZjv4+j
+zQxhAxcdjWHOtUkScKz9EDAmU5EAais87VSg4a0AORgHNp88SOdTf56EqzZ5nh06
+NQwiUN4zlrTs2X3mnL9Xx9OPqkha4Ij2efr7eKN9Oex/IpQndH/5AUpNcjfn1sQw
+pokSOQK85AulhRVD9BMD+PTVsOy7xIrQkusv80NsZyqdCAGZLaRzw1aQv5tTLsD+
+pukAzv8rdaFX+k3+Pa3IZbjDGibPTw6Jy+2RY1XEOn7KD/PaULhWnNqioWG93Prh
+ShsAYUeAJaAmiY61D5ORiHVw0D3lUwBjuENd8AQ+y6ofIpdMnsJGzyfomswxSpz9
+CjwXUgdd99A+eeS/IDzDVECeAM0X/ugJ/gILa3ntK/DVVjap5UfCch6wpYnCYoIc
+p3aRYc5TeMR1U1DDrWt9c/4hB22dn5On0mSyC0K/eYdFYqZq+jDCNkMbvGRqFfCl
+qUP+SO+h6miAjakBymIZ/X4i82PucHqC+HXvcYbY4LttKEsztl+WcK8qXWxhgljv
+8dJLEqD6l4FmcdP1CCIpnMnYmjJLVmOVxhusWnSsbj9se55nL+mjtOCdWCMlAMr1
+06sz34Ujq1lfsB7nn+z7O+1ZuMU3qcgPigHXQYJRwpD+eCCUsKbKAPvCHqZxjtOR
+k9eDTQvJMsHFA0TCQ1sMPFhuMAkH+ZhW5Fn1Qguc52aG5oT+ABjhvtN1qKQhhu88
+AwfAPME60+1rmUwu75OZ22lDBVCmqu1MHQEtI7QoJqIXP9fY8bZk9XjgrqzYeQqV
+ls5DVJ48uY9BoMHYNFCwnSVmMFHIVPySSjZNN7LoEICevbr1iL3la8BtGaEFPo6V
+0u+xZMDB8uRoX4sc/yBavu85FWUEKP3P/IZ0Q7qhVd27Y+gZqGqm4HZ6SWMNx3qv
+zNfnfx8ChYWhMbZOAuurEJ/ge0lN5pHJQYPaHJ7J5UIXHclAXPKUJXiSam6XiIyo
+NAlxHvHItk5xnvgqq0m5jRkyhU+LcPplee7AIFptpk1Snrxv7weofqrUrRP0XPMr
+YUxQHbqq+P1XDJQzS/fk/CE3hvwoIPTcnsazvaymaMCN4f+yAIkIur26FoN1Egz0
+ed9zMuE/Q+Uy2wctVDf7ckcAvUJVmQO8ZeM81JO8qak424so9K+VK/1c5+nmwPx+
+HbzSzGCLvT/AsAsgAWuSnqSpfNkK78YHsZ0166CZgsuUxbr2QncU88m4u+nxvPhV
+88MTibkCopYa0fLgrdmM0KbgY0wCGBmMIgrSd77kKuKZuqtKKPvPClK8XeI5I1Kg
+vaeZslPTCFJQAmABLcbtZi5GejUlh3zxPXWwr0xHWt9QMxqXIbKz9w98ZVxB6JgG
+dc2eXN6Y53GWS2rPMCj57JnJzSOY7cH3mUcEAn8sZj3tfnhvjyjrLoVW6DS9DxH6
++hrYeEH2SB4VFo9LAkQf8nXGmf6Drc2CuHBggdL6E7eiqJwpFxJyWZF9cAyUIKNY
+3QGe01nD7/FJ2OdQ3TewwJdO6VM9MCacCg5Tu3CCaBn/ROMDeJ6waxCAaWC0a3ye
+/qF72uUPBnGmepCL8UNty5EHGJEQdLsFUqcz6esBd5QsJQFd4a6Dj+6dygHA5pFS
+imsM3CvEucQLinv14T2MlSfEHGKG838XcNz45z55C6LRWmDo8YhGJpyWLTRanOPO
+YgzRW64jjoowmCOYN+dHMu2N8TuHJaGtNywwzJS/hAmGywn8nQjm2hBBgmzbP4Z9
+mv/j3sym/S43HLgoxFXdyy+A4mWhC6DYyqctC5stUb7LWhDDH1q3/vIpbGzNOlIU
+64RU7tnb73tfNAvP27wok1Y5QulkrcgmGhT1mEXC2Dmd6UNU53cPKC2L9mSYwpLY
+oI0S5LrNfvcJbv1T+Q+6tl4JOviv9c1pxHrGU5QiUC9iWHQAqABewDQcvZHCgkv3
+n1GU2n/Cw3FJN5VKZvsEsL3uLt0iPNsq+gXt1O1+72vnsU9WGb3cLpei+69NaWC2
+Y1eYROJUwvISYh5Fj3AbQHkeaoMBnlD65MtCC27e4wQ08f1WK9yqD9RuF0/AyoMq
+eKuacUkDdRsGtv/EPw+2Y4TVZU8NCx/bklwzfti9d5Gvl13dVKH2rNxNzfU2uwN9
+VMylBtSPKy0M7mIneZmpAFRDUzcVAV/+1u8khfWG0L6AX9jD3m/9/kKZIsVRuxLP
+RW8OcSkZ38Y8LachhEToEyr1s0iPWOa2Uo6/nPpBswk8yI5CGETSvsL0+imcnykU
+GJJGLNRg8QZRAXzB/CadLZ2YLSp+VbwY1RI9MUnOIQy4nDJYmqtrlFtFlbkgYign
+eI6NycS8iTSQkGJHJCxftPW5HU/rOFoVmDkdpZ8lMBJsjqsrWxuMhZdYhd12SYRz
+c8MUarMyTCNYOA/U3avP3wcMWlIBGXnDhCSJWuP4TgekL8YeXIZlpqfLNSbjjzjK
+Qjr1QWrFcheKFtcN+RwxjmEH9VIx/Gl+j39GKjuVE6qFv8ydf5pO6hNlpUhdPwbw
+AfnY26813nPRQszCSKXgT6ZzLExlOdGEtcsLdVgNhqTG/YLSOWOzLogqbbIGBXrP
+iDenjXgL+KWWVx68rLIkX6uXp7ECyJuIzHdA4rz4BJ2E8N07RWIB4UIJqDkb+SmB
+uBjHA/lnnF1NgTaF1YfGTBYJBh9A5De0lWs7f/4FBuQ6cudLHw1TWFzXNYrBUvIi
+JVi3wm1MZYiLz5uWvf4hqS6kuxtHlkxmZeOjawxyNAaESesM3LiuGNa4wlAdLqrb
+Re9jzz6n7OyL+7NEjpDgxS7kx2UjgZfrH3+FhGAGJaaqfeC1Gz21jXNc4S+zHxP2
+Qt3/qm027TN1TARpTxDK4eGRFgOLyDbb+8aeaywjcqUWRN5tWutFNavSn/Amgugh
+mSxJJvyf0WKnh6cbX5mGQFzKiaAqz22IgtcSovZt0K13KR6IExQZW1N2QbpchjWM
+NFwD7jxGsOPeukul9fpANrZk+qXZqjSX58bEbMax+th1WNpnEqG470FvcJv8z72e
+6YP6NW+YmJhshYOCv/q6Ng==
+-----END ENCRYPTED PRIVATE KEY-----
+</key>
+
+# Verify server certificate by checking
+# that the certicate has the nsCertType
+# field set to "server".  This is an
+# important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the nsCertType
+# field set to "server".  The build-key-serve
+ns-cert-type server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+#
+# Don't forget to set the 'key-direction' Parameter if using
+# Inline Key. Usualy , sever has key direction '0', while client
+# has ke direction '1'.
+#
+key-direction 1
+<tls-auth>
+-----BEGIN OpenVPN Static key V1-----
+9b6729c5c91b466a2bf7a494c2773f66
+6f580c49cf669c267b408d4e69b47554
+eb9a77dc00111f2ffb3be09c38a34c29
+441ed188e45a20a0bc31e28f0740ee28
+10a36049da14f04a4efdfbfc15e492c4
+e8c6cc0e07b5ad43f8a7f9685edf07cc
+3764e44b091a1277195ff52cad66574b
+b9396a38e10445255a387a4c510ad5c9
+9376d6cfe2aee6b4970faadbe8b4b581
+cd01a751bd07d53d984cdbd82c357820
+0251066db57e5863fc96e6ccc4ac9ebf
+b06231f21e93d1934a9ed0352ff0d3cc
+e1fc4269821572b858b3461c4eacacd0
+0eb309b692e49ea3cd9683ff4ae85161
+790f3ff5bc0d7dba51015e182d88a09c
+9389557003a462a4c57467320c9913a8
+-----END OpenVPN Static key V1-----
+</tls-auth>
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+comp-lzo
+
+# Verbosity level.
+# 0 -- quiet except for fatal errors.
+# 1 -- mostly quiet, but display non-fatal network errors.
+# 3 -- medium output, good for normal operation.
+# 9 -- verbose, good for troubleshooting
+verb 1
+
+# Setting 'pull' on the client takes care to get the 'push' durectives
+# from the server
+pull

AK/openvpn/gw-ckubu/ipp.txt

@@ -0,0 +1 @@
+VPN-AK-gw-ckubu,10.1.0.2

AK/openvpn/gw-ckubu/keys-created.txt

@@ -0,0 +1,4 @@
+
+key...............: gw-ckubu.key
+common name.......: VPN-AK-gw-ckubu
+password..........: oot4yoociepaPuumahlieyie

AK/openvpn/gw-ckubu/keys/01.pem

@@ -0,0 +1,141 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Feb  6 13:30:43 2018 GMT
+            Not After : Feb  6 13:30:43 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK-server/name=VPN AK/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:d6:54:ff:ed:31:40:93:d3:2e:da:0a:e2:7a:f6:
+                    51:83:c6:15:03:62:aa:59:e9:71:20:a3:af:4d:94:
+                    30:3e:23:30:18:f2:02:91:03:7a:6c:fe:ea:d2:8f:
+                    22:c7:19:10:5c:d2:ea:93:7e:5e:88:7b:9b:db:23:
+                    8c:b2:85:d7:d1:b1:ac:8d:3c:59:30:ec:2a:63:b5:
+                    56:32:e7:7d:af:bd:0c:05:74:30:a2:7f:42:8c:2b:
+                    b3:cc:e2:f2:5f:73:52:d4:27:44:87:1e:fb:c9:a4:
+                    0e:0d:1c:f9:b0:b9:dd:49:62:af:c8:1c:9e:7b:70:
+                    7c:21:ea:f1:fc:45:45:c6:f0:c8:36:c1:b6:b8:c4:
+                    b4:e6:78:45:8e:cb:e9:1e:33:41:f2:20:30:5f:3a:
+                    ba:b5:37:67:a1:b7:85:90:1f:19:3f:8b:42:a2:40:
+                    02:ba:67:25:92:58:57:dd:cc:af:92:c5:f4:99:a1:
+                    7a:f9:1c:cb:4b:4d:66:0c:9f:45:b0:5d:85:df:3d:
+                    cc:a9:77:73:d9:a1:ee:bc:d8:ee:8c:cd:91:96:2c:
+                    70:fb:4f:f1:cb:3d:90:aa:73:d6:ab:4b:b0:a5:f1:
+                    41:a3:f1:ea:8a:f3:20:5f:c1:88:cf:68:66:c3:65:
+                    eb:ef:b9:ed:ec:2c:8c:96:b7:eb:70:e5:c3:7b:52:
+                    c5:89:40:39:53:a1:ca:fc:84:05:2f:63:d3:5d:67:
+                    8d:94:26:1f:a8:fd:ae:9b:4e:64:87:8f:38:76:fc:
+                    06:30:49:ff:23:19:d6:a3:06:9d:3f:2b:1e:4f:42:
+                    44:6b:66:1f:55:88:19:23:40:9b:01:32:96:22:87:
+                    fa:9c:8e:0a:41:6b:e1:cf:a3:68:db:80:e1:5d:86:
+                    72:e0:33:0b:cd:30:5e:aa:c7:8a:20:19:0a:6e:2c:
+                    c9:01:36:57:bc:2d:c7:95:aa:3f:9c:40:47:e1:34:
+                    03:90:d0:9f:11:4e:f3:d4:3c:a9:fe:63:81:db:f0:
+                    bd:27:4c:4a:6d:89:a4:95:1a:f1:ed:b8:b8:a2:71:
+                    52:91:ff:e0:8b:b6:9e:31:fc:b7:c4:0e:07:84:29:
+                    20:79:57:99:5b:7e:5f:be:eb:a2:bb:73:9d:ef:f2:
+                    1e:8b:24:c6:86:91:68:cd:71:bd:35:05:d5:9f:cf:
+                    e7:5f:b4:9a:2f:12:9c:b5:3f:8a:7f:c7:b0:cf:d7:
+                    70:ea:28:63:65:6d:7c:64:ad:06:4d:1d:17:30:ca:
+                    0f:54:76:21:90:16:a0:49:0a:87:ae:b3:ff:dd:e0:
+                    71:17:0d:71:ee:96:8a:2d:86:14:fb:99:5f:ec:9f:
+                    5f:25:79:cf:42:7a:13:0c:66:cc:7a:60:83:43:77:
+                    f4:b6:f1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                C6:1E:B3:D8:34:53:70:7C:82:D3:64:78:9C:4C:33:01:71:8A:67:66
+            X509v3 Authority Key Identifier: 
+                keyid:10:75:D7:29:AC:8C:7D:38:52:34:22:27:55:62:4A:DB:BE:48:B9:BF
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+                serial:B4:69:F7:44:F3:80:0D:34
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         91:4a:bc:3a:35:78:e5:e5:66:b6:36:5a:66:0d:da:e3:01:7c:
+         07:be:0e:0e:2e:61:1a:c0:74:90:83:f7:39:8b:2d:0a:06:92:
+         ca:75:d3:ac:a6:94:66:10:41:30:2c:dd:77:c3:12:e0:5c:97:
+         e6:5d:c3:ef:2f:63:65:d0:f7:c3:9f:72:6f:54:07:e8:80:af:
+         35:53:74:6f:4d:ea:33:0a:86:8c:1d:79:f1:22:76:97:f4:43:
+         34:01:0e:8c:79:8e:23:60:67:89:ad:eb:48:4a:d4:50:a7:09:
+         bf:00:ce:d6:d6:6c:e8:f1:06:b0:f9:1c:de:1d:d9:32:2c:8a:
+         02:dd:0f:31:a7:0f:f7:92:e5:f6:7d:37:7f:a8:5f:bc:87:93:
+         4d:58:1a:6b:e0:84:a0:7b:6d:f7:6e:84:e6:94:87:70:59:3a:
+         9d:07:c4:1a:21:96:8c:04:51:e4:f1:01:49:0d:3f:7d:d4:65:
+         5b:ae:dc:40:4b:63:71:0d:ef:bc:e3:f6:ab:11:2c:b8:2f:df:
+         5a:bd:70:21:03:d0:54:b0:3f:ce:70:d4:4e:f2:ec:1d:54:b6:
+         1a:53:ea:e7:2c:82:83:74:98:52:41:0e:4b:cd:03:02:9e:4f:
+         7c:85:45:13:6c:ec:a2:ba:18:ca:62:39:3c:45:f4:83:86:74:
+         77:0c:b4:fb:f7:50:f6:77:a2:91:db:5a:3c:d9:3b:75:2e:3c:
+         8a:68:dd:f3:fe:9a:4c:1a:d6:a6:46:d6:3f:9d:c2:f7:06:0f:
+         4a:5b:9a:de:27:39:a1:e9:19:8a:82:86:de:5f:86:82:f0:cc:
+         5c:47:64:fd:bf:8b:6a:f9:a2:ce:a8:75:12:1a:97:20:01:fa:
+         a3:22:7d:1f:5d:66:09:f0:51:97:ff:e0:b0:89:e4:2b:33:de:
+         c2:7e:86:24:34:28:6f:6a:5b:e7:f4:f8:4f:29:f5:06:9d:26:
+         a5:f4:e6:69:cb:dc:22:e6:3d:ae:65:da:41:f0:23:aa:58:93:
+         38:1e:14:fd:df:6e:af:9b:56:a4:d3:91:b7:33:a2:2d:5e:38:
+         6c:e3:16:de:91:f1:4e:f3:5a:37:1f:a7:6b:d4:97:7f:1e:a9:
+         34:a9:e3:db:38:7c:59:38:aa:c7:08:0b:89:46:42:c5:57:65:
+         a1:26:f2:57:0d:33:d1:25:24:da:b3:f6:2c:ac:b7:71:18:df:
+         20:06:90:89:78:f1:c4:7f:b6:48:78:f4:29:82:01:09:29:9c:
+         21:34:b3:e8:06:71:61:9c:da:34:38:4c:c3:ad:73:15:da:0a:
+         92:51:71:aa:67:87:44:3e:9b:b8:10:aa:06:d2:f6:a0:85:b0:
+         8b:64:1d:68:35:c6:44:00
+-----BEGIN CERTIFICATE-----
+MIIHPjCCBSagAwIBAgIBATANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEP
+MA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
+Fw0xODAyMDYxMzMwNDNaFw0zODAyMDYxMzMwNDNaMIGjMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEWMBQGA1UEAxMNVlBOLUFLLXNl
+cnZlcjEPMA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Bl
+bi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANZU/+0xQJPTLtoK
+4nr2UYPGFQNiqlnpcSCjr02UMD4jMBjyApEDemz+6tKPIscZEFzS6pN+Xoh7m9sj
+jLKF19GxrI08WTDsKmO1VjLnfa+9DAV0MKJ/Qowrs8zi8l9zUtQnRIce+8mkDg0c
++bC53Ulir8gcnntwfCHq8fxFRcbwyDbBtrjEtOZ4RY7L6R4zQfIgMF86urU3Z6G3
+hZAfGT+LQqJAArpnJZJYV93Mr5LF9Jmhevkcy0tNZgyfRbBdhd89zKl3c9mh7rzY
+7ozNkZYscPtP8cs9kKpz1qtLsKXxQaPx6orzIF/BiM9oZsNl6++57ewsjJa363Dl
+w3tSxYlAOVOhyvyEBS9j011njZQmH6j9rptOZIePOHb8BjBJ/yMZ1qMGnT8rHk9C
+RGtmH1WIGSNAmwEyliKH+pyOCkFr4c+jaNuA4V2GcuAzC80wXqrHiiAZCm4syQE2
+V7wtx5WqP5xAR+E0A5DQnxFO89Q8qf5jgdvwvSdMSm2JpJUa8e24uKJxUpH/4Iu2
+njH8t8QOB4QpIHlXmVt+X77rortzne/yHoskxoaRaM1xvTUF1Z/P51+0mi8SnLU/
+in/HsM/XcOooY2VtfGStBk0dFzDKD1R2IZAWoEkKh66z/93gcRcNce6Wii2GFPuZ
+X+yfXyV5z0J6EwxmzHpgg0N39LbxAgMBAAGjggGAMIIBfDAJBgNVHRMEAjAAMBEG
+CWCGSAGG+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJh
+dGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUxh6z2DRTcHyC02R4nEwz
+AXGKZ2YwgdEGA1UdIwSByTCBxoAUEHXXKayMfThSNCInVWJK275Iub+hgaKkgZ8w
+gZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxp
+bjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMQ8w
+DQYDVQQDEwZWUE4tQUsxDzANBgNVBCkTBlZQTiBBSzEdMBsGCSqGSIb3DQEJARYO
+YXJndXNAb29wZW4uZGWCCQC0afdE84ANNDATBgNVHSUEDDAKBggrBgEFBQcDATAL
+BgNVHQ8EBAMCBaAwEQYDVR0RBAowCIIGc2VydmVyMA0GCSqGSIb3DQEBCwUAA4IC
+AQCRSrw6NXjl5Wa2NlpmDdrjAXwHvg4OLmEawHSQg/c5iy0KBpLKddOsppRmEEEw
+LN13wxLgXJfmXcPvL2Nl0PfDn3JvVAfogK81U3RvTeozCoaMHXnxInaX9EM0AQ6M
+eY4jYGeJretIStRQpwm/AM7W1mzo8Qaw+RzeHdkyLIoC3Q8xpw/3kuX2fTd/qF+8
+h5NNWBpr4ISge233boTmlIdwWTqdB8QaIZaMBFHk8QFJDT991GVbrtxAS2NxDe+8
+4/arESy4L99avXAhA9BUsD/OcNRO8uwdVLYaU+rnLIKDdJhSQQ5LzQMCnk98hUUT
+bOyiuhjKYjk8RfSDhnR3DLT791D2d6KR21o82Tt1LjyKaN3z/ppMGtamRtY/ncL3
+Bg9KW5reJzmh6RmKgobeX4aC8MxcR2T9v4tq+aLOqHUSGpcgAfqjIn0fXWYJ8FGX
+/+CwieQrM97CfoYkNChvalvn9PhPKfUGnSal9OZpy9wi5j2uZdpB8COqWJM4HhT9
+326vm1ak05G3M6ItXjhs4xbekfFO81o3H6dr1Jd/Hqk0qePbOHxZOKrHCAuJRkLF
+V2WhJvJXDTPRJSTas/YsrLdxGN8gBpCJePHEf7ZIePQpggEJKZwhNLPoBnFhnNo0
+OEzDrXMV2gqSUXGqZ4dEPpu4EKoG0vaghbCLZB1oNcZEAA==
+-----END CERTIFICATE-----

AK/openvpn/gw-ckubu/keys/02.pem

@@ -0,0 +1,139 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Feb  6 13:36:54 2018 GMT
+            Not After : Feb  6 13:36:54 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK-gw-ckubu/name=VPN AK/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:d6:22:57:44:2b:27:86:b9:30:be:bb:d6:83:5d:
+                    7e:b4:0c:bc:f6:e6:16:5d:2b:79:94:3c:41:57:0b:
+                    aa:a1:31:1a:72:68:67:85:f3:93:f7:21:03:43:2b:
+                    35:8d:29:bc:bb:81:44:4f:65:14:cc:8f:60:48:d6:
+                    05:8a:06:27:2a:85:63:8c:a2:b1:1a:d9:4a:d8:1b:
+                    7d:aa:0b:b7:e9:69:5f:ce:59:ea:36:22:af:50:ed:
+                    9a:1e:7c:4d:c1:13:6f:23:b6:f8:60:8d:bf:ba:4d:
+                    d5:81:90:00:41:d1:f8:0e:24:74:ac:54:83:36:60:
+                    4a:ca:f3:10:28:fe:a2:c7:57:72:e3:ea:e2:00:22:
+                    0f:db:69:ff:6e:5b:44:a7:d2:a6:62:4a:14:e5:7a:
+                    26:4b:e0:cc:16:a7:79:c2:f0:ad:fc:0d:7c:9f:7c:
+                    79:22:3c:35:67:c1:06:cf:b6:02:cc:ca:86:ae:dd:
+                    87:03:ec:d1:2f:ca:f4:77:ff:c3:4b:72:9f:1e:b6:
+                    47:fb:9a:ab:ae:b6:e5:8f:c6:87:c9:db:e4:94:bc:
+                    43:aa:a9:fe:66:06:f1:28:84:63:38:9f:83:5c:6d:
+                    cc:6c:6b:e4:e2:06:94:8f:ff:9f:47:99:df:a0:10:
+                    f1:23:19:40:db:09:fe:85:70:17:bf:aa:ff:79:54:
+                    8f:3e:ce:a4:1a:a6:0b:34:9b:30:f2:a8:ed:b8:6f:
+                    3d:3e:08:32:86:4b:8d:b0:2a:0e:2d:8f:c9:be:d5:
+                    cc:47:36:9d:73:3d:d1:21:2e:67:9f:04:1e:12:82:
+                    c3:b6:7f:84:f4:d6:d0:96:b8:fd:5f:22:98:6f:30:
+                    96:d8:43:09:00:da:0d:98:7b:02:5b:f2:19:d1:a2:
+                    a1:77:b0:bb:94:c3:71:69:81:80:44:0b:2c:36:8f:
+                    ab:81:45:e3:d5:b5:1b:25:00:69:1d:93:89:8f:80:
+                    19:57:db:a6:d5:83:38:79:ff:6f:f6:16:f4:b2:56:
+                    28:94:7c:3a:61:2d:72:b3:75:2b:df:cf:bf:d3:4e:
+                    60:54:5b:51:75:a1:50:2e:c5:17:bc:b6:af:08:02:
+                    c9:46:e5:9f:16:fe:a4:e9:5a:7f:1f:20:e5:46:2c:
+                    0b:de:40:c2:b3:2f:ae:97:e9:65:f4:30:b8:da:b3:
+                    1b:eb:2e:d6:c4:09:ca:ee:53:7a:23:99:96:2e:42:
+                    fb:69:66:38:42:3f:45:6b:e3:9e:6a:f1:b0:79:24:
+                    98:39:a1:33:18:78:4d:ba:54:3d:a4:8b:30:f5:fd:
+                    d7:10:a1:a1:d5:78:52:a2:3a:4a:84:73:38:d3:0b:
+                    93:98:63:30:6f:9d:c6:85:7e:63:07:75:0f:8a:33:
+                    1d:6e:01
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                05:82:E8:D6:6B:71:33:58:DB:DE:88:05:FB:52:84:BD:F3:4D:64:3A
+            X509v3 Authority Key Identifier: 
+                keyid:10:75:D7:29:AC:8C:7D:38:52:34:22:27:55:62:4A:DB:BE:48:B9:BF
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+                serial:B4:69:F7:44:F3:80:0D:34
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:gw-ckubu
+    Signature Algorithm: sha256WithRSAEncryption
+         77:b5:36:f4:d3:00:4d:f6:47:38:c5:c9:46:73:ef:6b:2e:11:
+         5a:e4:38:28:67:6e:d9:68:91:f8:5e:9d:c7:ce:67:ed:b8:d6:
+         33:2c:c2:98:39:69:00:c0:da:36:3e:96:61:10:5b:9b:4a:e0:
+         df:b6:86:09:53:14:73:38:81:6e:1b:df:ad:9b:ac:91:44:7b:
+         47:c2:32:5d:eb:fd:ca:9d:99:96:c3:35:74:a6:f7:14:7b:a5:
+         2a:08:5a:df:f6:be:8e:2e:71:94:33:40:4a:8d:e8:25:c0:d3:
+         fa:ce:c7:ce:32:3c:38:fe:50:51:ea:be:83:80:01:46:dd:05:
+         93:96:a9:9e:10:f9:09:e2:e5:8e:10:99:4b:06:59:aa:0a:dc:
+         b0:29:29:21:1d:7c:dc:62:29:99:0d:67:a8:e8:5a:48:c9:88:
+         4e:39:a5:d6:1d:e6:a7:94:47:5a:65:8b:13:61:97:97:48:4c:
+         7d:15:7d:e3:3e:f3:92:17:4b:ac:bd:4e:6e:24:6f:ab:5b:2c:
+         f3:bb:28:fb:bd:bc:5f:fb:50:3d:3e:67:ec:cc:84:0f:27:0e:
+         ee:02:8d:0b:4d:dd:a4:aa:e8:76:b3:8b:5e:e5:0d:b8:e9:60:
+         45:a2:77:62:d0:d0:4a:6f:87:47:3c:3c:77:1d:37:3a:5f:df:
+         7e:37:ff:e7:ee:9f:ea:87:c4:a7:04:33:fe:c1:cf:21:ed:55:
+         aa:8f:31:1a:8b:20:c5:71:e3:e8:c0:37:69:3d:2e:3e:e8:b3:
+         0c:d3:65:ae:76:e8:6f:39:91:2b:5f:c1:9e:44:ce:e1:d9:fb:
+         9d:ec:d9:c1:fa:69:da:3e:49:90:db:57:66:a0:ad:c8:cf:ae:
+         2d:c1:9a:f7:b7:e8:47:74:8c:b7:00:03:42:9c:35:53:8a:19:
+         f5:2e:63:f5:11:d3:c8:ff:d0:d6:c6:d7:66:59:21:90:02:3f:
+         1b:48:89:17:1d:f7:b7:2f:3d:72:48:c6:7e:b4:2e:ab:c1:92:
+         24:57:f6:b4:56:03:4b:1e:ff:f8:64:08:46:d4:0b:fc:3d:61:
+         e9:03:cc:3b:4a:53:9b:f0:25:d1:e3:74:f5:57:d4:d6:60:5c:
+         e5:a8:9b:d9:54:16:65:93:cd:e4:d6:0b:cd:62:00:6f:d8:37:
+         0d:bb:d7:26:79:6d:ef:11:ca:c0:21:c7:eb:bc:aa:5e:40:b8:
+         72:f7:b5:1b:07:8f:54:d4:6d:d0:48:35:e3:c1:bd:67:b1:2f:
+         65:dd:75:da:23:8f:00:b7:87:8d:8d:ec:0b:e7:30:d5:bb:ba:
+         44:b1:cc:2a:20:f5:e1:b1:5e:68:4a:91:3b:7d:12:7d:e9:0f:
+         5a:01:6c:6e:bb:cf:9b:4b
+-----BEGIN CERTIFICATE-----
+MIIHKDCCBRCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEP
+MA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
+Fw0xODAyMDYxMzM2NTRaFw0zODAyMDYxMzM2NTRaMIGlMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEYMBYGA1UEAxMPVlBOLUFLLWd3
+LWNrdWJ1MQ8wDQYDVQQpEwZWUE4gQUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9v
+cGVuLmRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1iJXRCsnhrkw
+vrvWg11+tAy89uYWXSt5lDxBVwuqoTEacmhnhfOT9yEDQys1jSm8u4FET2UUzI9g
+SNYFigYnKoVjjKKxGtlK2Bt9qgu36WlfzlnqNiKvUO2aHnxNwRNvI7b4YI2/uk3V
+gZAAQdH4DiR0rFSDNmBKyvMQKP6ix1dy4+riACIP22n/bltEp9KmYkoU5XomS+DM
+Fqd5wvCt/A18n3x5Ijw1Z8EGz7YCzMqGrt2HA+zRL8r0d//DS3KfHrZH+5qrrrbl
+j8aHydvklLxDqqn+ZgbxKIRjOJ+DXG3MbGvk4gaUj/+fR5nfoBDxIxlA2wn+hXAX
+v6r/eVSPPs6kGqYLNJsw8qjtuG89PggyhkuNsCoOLY/JvtXMRzadcz3RIS5nnwQe
+EoLDtn+E9NbQlrj9XyKYbzCW2EMJANoNmHsCW/IZ0aKhd7C7lMNxaYGARAssNo+r
+gUXj1bUbJQBpHZOJj4AZV9um1YM4ef9v9hb0slYolHw6YS1ys3Ur38+/005gVFtR
+daFQLsUXvLavCALJRuWfFv6k6Vp/HyDlRiwL3kDCsy+ul+ll9DC42rMb6y7WxAnK
+7lN6I5mWLkL7aWY4Qj9Fa+OeavGweSSYOaEzGHhNulQ9pIsw9f3XEKGh1XhSojpK
+hHM40wuTmGMwb53GhX5jB3UPijMdbgECAwEAAaOCAWgwggFkMAkGA1UdEwQCMAAw
+LQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
+BgNVHQ4EFgQUBYLo1mtxM1jb3ogF+1KEvfNNZDowgdEGA1UdIwSByTCBxoAUEHXX
+KayMfThSNCInVWJK275Iub+hgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI
+EwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYD
+VQQLExBOZXR3b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQUsxDzANBgNVBCkT
+BlZQTiBBSzEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQC0afdE84AN
+NDATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEwYDVR0RBAwwCoII
+Z3ctY2t1YnUwDQYJKoZIhvcNAQELBQADggIBAHe1NvTTAE32RzjFyUZz72suEVrk
+OChnbtlokfhencfOZ+241jMswpg5aQDA2jY+lmEQW5tK4N+2hglTFHM4gW4b362b
+rJFEe0fCMl3r/cqdmZbDNXSm9xR7pSoIWt/2vo4ucZQzQEqN6CXA0/rOx84yPDj+
+UFHqvoOAAUbdBZOWqZ4Q+Qni5Y4QmUsGWaoK3LApKSEdfNxiKZkNZ6joWkjJiE45
+pdYd5qeUR1plixNhl5dITH0VfeM+85IXS6y9Tm4kb6tbLPO7KPu9vF/7UD0+Z+zM
+hA8nDu4CjQtN3aSq6Hazi17lDbjpYEWid2LQ0Epvh0c8PHcdNzpf3343/+fun+qH
+xKcEM/7BzyHtVaqPMRqLIMVx4+jAN2k9Lj7oswzTZa526G85kStfwZ5EzuHZ+53s
+2cH6ado+SZDbV2agrcjPri3Bmve36Ed0jLcAA0KcNVOKGfUuY/UR08j/0NbG12ZZ
+IZACPxtIiRcd97cvPXJIxn60LqvBkiRX9rRWA0se//hkCEbUC/w9YekDzDtKU5vw
+JdHjdPVX1NZgXOWom9lUFmWTzeTWC81iAG/YNw271yZ5be8RysAhx+u8ql5AuHL3
+tRsHj1TUbdBINePBvWexL2XdddojjwC3h42N7AvnMNW7ukSxzCog9eGxXmhKkTt9
+En3pD1oBbG67z5tL
+-----END CERTIFICATE-----

AK/openvpn/gw-ckubu/keys/ca.crt

@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIGxjCCBK6gAwIBAgIJALRp90TzgA00MA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEPMA0GA1UEAxMG
+VlBOLUFLMQ8wDQYDVQQpEwZWUE4gQUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9v
+cGVuLmRlMCAXDTE4MDIwNjEyNDAwN1oYDzIwNTAwMjA2MTI0MDA3WjCBnDELMAkG
+A1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYD
+VQQKEwZvLm9wZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMT
+BlZQTi1BSzEPMA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bv
+b3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOMNalpNk0cB
+wPdZemz4r4TIhtRSxZEEg9yhTRo9LdMa6oNo1gpg3/60n9nBtA0cDnllx7Z37PvC
+Pg4RJksrB2ZYOB3oSo8LoMzlA0lZl4AMKnxau1ZJI8OB9Ia+6uJxBnpwVULsL4sx
+ds9pHsnXU74UWgdZPAHsfWhogMtk8TsikLFv7P6oxg3fXeVriWP/SUETTWHgSD3x
+gPsnrcGqlCPcfb/mH5SU+v+ge+iue0BXe/1OZkJDHdj5vLZ4MiUCiVVslX36uqti
+sI3Jt2OyF9XQwu5wms3ioW3XydpPmbisRuI7qrTdnmT1iVhbk29eQK/yHrXvuuXQ
+i6PQAirBtMYD8tx5FbMJ6ueDcm0jTVedfHtdkWkBY84bBnecF7ys000fDzJs1YH2
+SP3cb0KbREG2RE5BE1OgUgg8odbJ7/K+Tp0VKEbJAZCwpaw+qAU9xfH3pDoSX+iD
+N+SXxnjSpamwGYmx+PGpwIe3RnlEx8XUcMbEBq5grq7aR7tYd5qh1NKTUKleGucD
+1izZeGLLkh81Gpx+KFXNm7lk3WDx3dqUXc3tJgpZsZJc3VI3UjO5WaYlrdTc6IQs
+3rD0rOGrETI/utLQI9PNFSis00h2LmcPVnEL0N/W71kHeOuytr1Tg1FyFGY7Wbth
+bei4c14kNkVUk1Ncfl07pMR+/i9yee3DAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQU
+EHXXKayMfThSNCInVWJK275Iub8wgdEGA1UdIwSByTCBxoAUEHXXKayMfThSNCIn
+VWJK275Iub+hgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4x
+DzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3
+b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQUsxDzANBgNVBCkTBlZQTiBBSzEd
+MBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQC0afdE84ANNDAMBgNVHRME
+BTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBIgCBt6v6t2HSqwkLKjgR1c2cDViPe
+WmX8E8maqaDIUopyvNzsZCXjqZ1RNnIHgFKZyZqXSzXRGHbUiohJ4WkkOy+QV64L
+/LUizsZkMJasjYQgcDcXu5sN9mIzGW6C5myjwtSYBWITPxLsedOQLIhYulLrCBa0
+A/gs/gfODm0opsCOuvQn33psUyLda/k9BE/9EHmOg37IRh/rQi3dyQaW2DGfCgZc
+GSIMsxobp4QbdUTJyyIoJW/ZK20Mam+IWNhptqCX/SXlx0pzakkdAulwMtUCPwyD
+8IJEy5ST+qBoctg1mSLts14ZYM63NRYKPfnSUN1JfQE5Sl624c8koVJcKjFnPdII
+cFwo9R+SQFDfTva/xRC8Ydwp1C8V+wnXtM9B1aigule5MXe8CQE4PZjG1Bh7992x
+GcKGBCWR/8JmfipvH4EJ9brS4ZsQ5snfJImBtmmVxSjXn1aE77UYNEp8GF2vW8CV
+7j+neVQtQdA16tXYH4bWy4MCpVCuoBj2ffTkN/5cp9xWHt9D1w73LxXHMEWoQojF
+cOeUda1VSwR17SiEy/lo3mRnWoT6AzLVwYzVQg0W8dc9wPcJ2EiVzQu6ccs2gIJV
+RtdV9iX+oAkwK3/lPB68LvfMEw3Qcy3OY9DmjZNajlv8HCTirBuGNaUwR6pZGqiG
+JN2zjAizahwZgQ==
+-----END CERTIFICATE-----

AK/openvpn/gw-ckubu/keys/ca.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDjDWpaTZNHAcD3
+WXps+K+EyIbUUsWRBIPcoU0aPS3TGuqDaNYKYN/+tJ/ZwbQNHA55Zce2d+z7wj4O
+ESZLKwdmWDgd6EqPC6DM5QNJWZeADCp8WrtWSSPDgfSGvuricQZ6cFVC7C+LMXbP
+aR7J11O+FFoHWTwB7H1oaIDLZPE7IpCxb+z+qMYN313la4lj/0lBE01h4Eg98YD7
+J63BqpQj3H2/5h+UlPr/oHvorntAV3v9TmZCQx3Y+by2eDIlAolVbJV9+rqrYrCN
+ybdjshfV0MLucJrN4qFt18naT5m4rEbiO6q03Z5k9YlYW5NvXkCv8h6177rl0Iuj
+0AIqwbTGA/LceRWzCerng3JtI01XnXx7XZFpAWPOGwZ3nBe8rNNNHw8ybNWB9kj9
+3G9Cm0RBtkROQRNToFIIPKHWye/yvk6dFShGyQGQsKWsPqgFPcXx96Q6El/ogzfk
+l8Z40qWpsBmJsfjxqcCHt0Z5RMfF1HDGxAauYK6u2ke7WHeaodTSk1CpXhrnA9Ys
+2Xhiy5IfNRqcfihVzZu5ZN1g8d3alF3N7SYKWbGSXN1SN1IzuVmmJa3U3OiELN6w
+9KzhqxEyP7rS0CPTzRUorNNIdi5nD1ZxC9Df1u9ZB3jrsra9U4NRchRmO1m7YW3o
+uHNeJDZFVJNTXH5dO6TEfv4vcnntwwIDAQABAoICAQCAYVWBOdvMinFRaoaOlw6n
+Rbr20tZi6OqmFY5DB9ShSNbQ9rYPqDb/DaJUvfHQd8y3V5VU1vpoX6w2x/ufBPVq
+KPeR8YY225xQPi1djArdnANpzOOgJjrSkOhySAEHiGDhWiLbdDBtw8op/IYsGlR/
+ZYKCJTKI4+8E2hH471p21VR6/45Bb6yMq3+r+OH2aKJC6WcXsHkojSUg3Y6hspGQ
+tVtk5fl1SceiQlvNdNq7xruUvn+Td9+oj4zkn5G623RLmNnuIZbq0SKDCUtoU4qm
+myOdLo5ZW4trUFgR2HBSuxZZVONw4N5ut2axTxZOIjzxPzWeKa7Dwucx+KtBAcX0
+IBykYOrlwTQfaOI+yNCB+u6RqC3prURtx73eEvVUOKMbhSc/lSFvex6vgQ5xW4iF
+5gdeiR+Fwu3NQqGBR1auXNjBLtTiKBaYZ0jCNliw4AEnu92Mb0tZbH5xFyC+NmKt
+qV75/fpolDN9Yx6d8onhWSWnAeTn+3oDupd/vQ5HbnYLP0rhfyIciAYfOW70Fv1E
+2H9FhDDnvmiZqGQKw/7s/ngdQTEs56y2lIbplzVSCjGKX4lrYYKV9yLM9qJ/UoAb
+j74ww1olFW40lA1rNTSA7zCL7+pwuK2iN5nHOMjHXkzyfxOM+vwLk52ZS27kBFfb
+FQ0KVo8NHZvl61yDr/HcAQKCAQEA9HBG7FJT4w16tC2ghfYVYPs/sWvpbDY8bSus
+rgQvuiktRsnc6GgGQtboJDaPfl9fhmd3DDg4RC2dppbAApS6hYMB8qNppElt40nx
+Tf39nZIOEKfUB6HMzzjomWBYXrxhai2U7o1wqR1Xs2w0+KjlxeWGzN9wNGdXAbDe
+rqXrcxPp/YmheLggiQXd1Xe95Ien1zFx91CEBeKBulRhNrtfFOPNZTlJ03gRImjV
+s/46TPqlJflr8FiUdbyx03++10fQkFRE3pvh/zI7ZfWUKa4+191Wm1Dv9yC3+QAu
+3A8zniWg7/eK1jJpjp5NbVGaF0QQwBi/moPwLpqX+9ISaLkdqwKCAQEA7cqfSzh+
+PTxCmxWogPAqSBt0HALjUadpzWMnOKoM2fbq86ocEFvEA9FK/9zT+8aWQldIR+Gi
+3AHRRUAedIKkMMmhRbzmAdcVHEXHU4SeclEEpC+hM0FdMkieHFdjf58yFTLlh8+a
+i7fYwcewgOcHKlm6m4w0ON2tQhKzZvV3fsxym19X2r/gRmbOzDHZee7cd4bNpy+A
+iphVLBk50SzBX9QB51PlDOadhE9cB1CYJ9B+AcdYtdx8XBoCfbK7cTFopmE+yhrl
++toDz3lX34PDKWzByW/LYEK6AFnLvjniwEd3Y5AsNOXWW5ck9UzElLZMlmmPFyLb
+Rx587piOI+loSQKCAQEA3JNQvMJR5orsVhjySNBWXGx8/lp1ieurPYxyx5kJhIDR
+1ZYlHSd5tuj9FGiTtiLULZHCEKnOxF8xavmQDQQvCHm+0Th7BQAqBDdeY9W1/XGl
+9YusvrJYAgrFglo5hEuT0F+PjHDf4AuVb1hOuLCYn6rOqKNcOj2ieukjGRCqVe77
+cIm4xxnIaj17/7yNA+MSJxL8V4M1j6XlEMJB80TDuTMTzqsSnpwzQgy+Ay1/aKWp
+T4oyx/D3DwOWqFcXXGb2orcYapTaLBIlHY2tBKuzE9Is6/zufd/tg+mRX4zsNGKa
+RtDnXQCi1kqtbd98IFCQmPf8Nq+mljd0vI3FhPC+/wKCAQEAkyBMIPlqOi8fst7a
+rDRspMK/u1kaFvpzXw3bRZcJbo703iBBTunIROho9BhI3L4JWDCy2y7DWkaRmbxL
+W6E9P6ZxbzmqQjc2q5CM/KLQekCgk4mYvqLRq/v8P+LeACeakD02gSo1H/93UKZi
+Ec9fwpdT+0vrP8gAnCH/+FMmRUDwJCwAqqsPc9/GUdcCDQx6QkYY1jlw2c/Y2vkc
+qcx8NPNy3hMtZCcIDMYhVbFLA09ft3AE9jjehQnewrEkgqukaVU/yUKNSwE7XFJi
+yTu4M9hDqoPOHNgMR41Hn4InRvqw5txcTbprP64rws5lzvFgP6w+SX1amQ1HFUU0
+pQmUaQKCAQBYUJ2kMy3bR7RjLl0oAnpXmcPWXk+SlVPj31sxapOAenz307I1oM9v
+LQCgIybzrD89N3h/O0bX72Y4FOJcPoh0uOGANLqX4WWY2wR+LOeP5NxOErf+/3WP
+YQE9e7iNwZk7Ry38yw46tG51Dljx8iQhmob43RZvjZvm6QZrXYQbNNsEIw/zq2fl
+Gs1tMMQf2Y01WRXtFYQ7TeAPc5T1jYcDz2eLt4WCL3Lb9lUWoC0mCy7FhKy7Dt+2
+WXe5GaTy/o49Cg2MwTkome3Cy4HyDFVBetAvjD7d8/b+XZkwKVo68Rmd8YtcEEXg
+Jp649vsetKoo2N2qc9eBZi5ZLagTDqqw
+-----END PRIVATE KEY-----

AK/openvpn/gw-ckubu/keys/crl.pem

@@ -0,0 +1 @@
+../crl.pem

AK/openvpn/gw-ckubu/keys/dh4096.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAyDMZgIXRmjastcz0cYwyb1JhrpcrE0RCzHtlq+J4L53bBukEzfKD
+/BJVRJ4PdKpWQJMbz+D/5WVSU8Br82G8tyys9Ba0eZ+58dhxBLyNo6NGXQ7DluQ4
+TZZvtm/fUTyU2fZfzwGQLAN3NBgP9jIMdOYwa8BA4WvTXzAf1bcuhiy3wXAfxQAV
+WJMhp8yY3hSq9KnemqS/AuZgueoVhP6StOX/tujmhIsoC0qn1BoHIwt7UH+llUnL
+6J+Evbffp+buMDNzmaqL+jbbgSdwYBFKmFeuF8V4hjJ7FZ9p0tOsom8Sg2+sBwfK
+0c+ZaBoC29PYBvXuMlECKCOiqarmCjhXKnVu32QnOTOLb51LqpCdBkdZupYvN1fF
+Mm8SkdPRwXYzp6r9NhGgroi1mcs6p6GoT1CzgMrTn0aa28C5bzbfOgHKCHbpPjvc
+yQFfG1iynp3uBpGa5MUPIL5ydpNl+HKi/iOonXu1zynd4fiszvw7DF8AJirx1O0l
+YGIpYfXAoledPfMFQq6yTQea+rNhP19V/9ToVdwIdqj1CUN0LvGZbZiZWddfuJrK
+FxJGyF5ntt7TXkmUpQsVibgVJR7EVxzc/7byywjx265v/f0GdKgpYH03NkhhDJxd
+kfypAH8jTiKCTEkZpyMPT1RwVYyjp/Z1UjmohFRTvvdGVLXRLP6T9HMCAQI=
+-----END DH PARAMETERS-----

AK/openvpn/gw-ckubu/keys/gw-ckubu.crt

@@ -0,0 +1,139 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Feb  6 13:36:54 2018 GMT
+            Not After : Feb  6 13:36:54 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK-gw-ckubu/name=VPN AK/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:d6:22:57:44:2b:27:86:b9:30:be:bb:d6:83:5d:
+                    7e:b4:0c:bc:f6:e6:16:5d:2b:79:94:3c:41:57:0b:
+                    aa:a1:31:1a:72:68:67:85:f3:93:f7:21:03:43:2b:
+                    35:8d:29:bc:bb:81:44:4f:65:14:cc:8f:60:48:d6:
+                    05:8a:06:27:2a:85:63:8c:a2:b1:1a:d9:4a:d8:1b:
+                    7d:aa:0b:b7:e9:69:5f:ce:59:ea:36:22:af:50:ed:
+                    9a:1e:7c:4d:c1:13:6f:23:b6:f8:60:8d:bf:ba:4d:
+                    d5:81:90:00:41:d1:f8:0e:24:74:ac:54:83:36:60:
+                    4a:ca:f3:10:28:fe:a2:c7:57:72:e3:ea:e2:00:22:
+                    0f:db:69:ff:6e:5b:44:a7:d2:a6:62:4a:14:e5:7a:
+                    26:4b:e0:cc:16:a7:79:c2:f0:ad:fc:0d:7c:9f:7c:
+                    79:22:3c:35:67:c1:06:cf:b6:02:cc:ca:86:ae:dd:
+                    87:03:ec:d1:2f:ca:f4:77:ff:c3:4b:72:9f:1e:b6:
+                    47:fb:9a:ab:ae:b6:e5:8f:c6:87:c9:db:e4:94:bc:
+                    43:aa:a9:fe:66:06:f1:28:84:63:38:9f:83:5c:6d:
+                    cc:6c:6b:e4:e2:06:94:8f:ff:9f:47:99:df:a0:10:
+                    f1:23:19:40:db:09:fe:85:70:17:bf:aa:ff:79:54:
+                    8f:3e:ce:a4:1a:a6:0b:34:9b:30:f2:a8:ed:b8:6f:
+                    3d:3e:08:32:86:4b:8d:b0:2a:0e:2d:8f:c9:be:d5:
+                    cc:47:36:9d:73:3d:d1:21:2e:67:9f:04:1e:12:82:
+                    c3:b6:7f:84:f4:d6:d0:96:b8:fd:5f:22:98:6f:30:
+                    96:d8:43:09:00:da:0d:98:7b:02:5b:f2:19:d1:a2:
+                    a1:77:b0:bb:94:c3:71:69:81:80:44:0b:2c:36:8f:
+                    ab:81:45:e3:d5:b5:1b:25:00:69:1d:93:89:8f:80:
+                    19:57:db:a6:d5:83:38:79:ff:6f:f6:16:f4:b2:56:
+                    28:94:7c:3a:61:2d:72:b3:75:2b:df:cf:bf:d3:4e:
+                    60:54:5b:51:75:a1:50:2e:c5:17:bc:b6:af:08:02:
+                    c9:46:e5:9f:16:fe:a4:e9:5a:7f:1f:20:e5:46:2c:
+                    0b:de:40:c2:b3:2f:ae:97:e9:65:f4:30:b8:da:b3:
+                    1b:eb:2e:d6:c4:09:ca:ee:53:7a:23:99:96:2e:42:
+                    fb:69:66:38:42:3f:45:6b:e3:9e:6a:f1:b0:79:24:
+                    98:39:a1:33:18:78:4d:ba:54:3d:a4:8b:30:f5:fd:
+                    d7:10:a1:a1:d5:78:52:a2:3a:4a:84:73:38:d3:0b:
+                    93:98:63:30:6f:9d:c6:85:7e:63:07:75:0f:8a:33:
+                    1d:6e:01
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                05:82:E8:D6:6B:71:33:58:DB:DE:88:05:FB:52:84:BD:F3:4D:64:3A
+            X509v3 Authority Key Identifier: 
+                keyid:10:75:D7:29:AC:8C:7D:38:52:34:22:27:55:62:4A:DB:BE:48:B9:BF
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+                serial:B4:69:F7:44:F3:80:0D:34
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:gw-ckubu
+    Signature Algorithm: sha256WithRSAEncryption
+         77:b5:36:f4:d3:00:4d:f6:47:38:c5:c9:46:73:ef:6b:2e:11:
+         5a:e4:38:28:67:6e:d9:68:91:f8:5e:9d:c7:ce:67:ed:b8:d6:
+         33:2c:c2:98:39:69:00:c0:da:36:3e:96:61:10:5b:9b:4a:e0:
+         df:b6:86:09:53:14:73:38:81:6e:1b:df:ad:9b:ac:91:44:7b:
+         47:c2:32:5d:eb:fd:ca:9d:99:96:c3:35:74:a6:f7:14:7b:a5:
+         2a:08:5a:df:f6:be:8e:2e:71:94:33:40:4a:8d:e8:25:c0:d3:
+         fa:ce:c7:ce:32:3c:38:fe:50:51:ea:be:83:80:01:46:dd:05:
+         93:96:a9:9e:10:f9:09:e2:e5:8e:10:99:4b:06:59:aa:0a:dc:
+         b0:29:29:21:1d:7c:dc:62:29:99:0d:67:a8:e8:5a:48:c9:88:
+         4e:39:a5:d6:1d:e6:a7:94:47:5a:65:8b:13:61:97:97:48:4c:
+         7d:15:7d:e3:3e:f3:92:17:4b:ac:bd:4e:6e:24:6f:ab:5b:2c:
+         f3:bb:28:fb:bd:bc:5f:fb:50:3d:3e:67:ec:cc:84:0f:27:0e:
+         ee:02:8d:0b:4d:dd:a4:aa:e8:76:b3:8b:5e:e5:0d:b8:e9:60:
+         45:a2:77:62:d0:d0:4a:6f:87:47:3c:3c:77:1d:37:3a:5f:df:
+         7e:37:ff:e7:ee:9f:ea:87:c4:a7:04:33:fe:c1:cf:21:ed:55:
+         aa:8f:31:1a:8b:20:c5:71:e3:e8:c0:37:69:3d:2e:3e:e8:b3:
+         0c:d3:65:ae:76:e8:6f:39:91:2b:5f:c1:9e:44:ce:e1:d9:fb:
+         9d:ec:d9:c1:fa:69:da:3e:49:90:db:57:66:a0:ad:c8:cf:ae:
+         2d:c1:9a:f7:b7:e8:47:74:8c:b7:00:03:42:9c:35:53:8a:19:
+         f5:2e:63:f5:11:d3:c8:ff:d0:d6:c6:d7:66:59:21:90:02:3f:
+         1b:48:89:17:1d:f7:b7:2f:3d:72:48:c6:7e:b4:2e:ab:c1:92:
+         24:57:f6:b4:56:03:4b:1e:ff:f8:64:08:46:d4:0b:fc:3d:61:
+         e9:03:cc:3b:4a:53:9b:f0:25:d1:e3:74:f5:57:d4:d6:60:5c:
+         e5:a8:9b:d9:54:16:65:93:cd:e4:d6:0b:cd:62:00:6f:d8:37:
+         0d:bb:d7:26:79:6d:ef:11:ca:c0:21:c7:eb:bc:aa:5e:40:b8:
+         72:f7:b5:1b:07:8f:54:d4:6d:d0:48:35:e3:c1:bd:67:b1:2f:
+         65:dd:75:da:23:8f:00:b7:87:8d:8d:ec:0b:e7:30:d5:bb:ba:
+         44:b1:cc:2a:20:f5:e1:b1:5e:68:4a:91:3b:7d:12:7d:e9:0f:
+         5a:01:6c:6e:bb:cf:9b:4b
+-----BEGIN CERTIFICATE-----
+MIIHKDCCBRCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEP
+MA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
+Fw0xODAyMDYxMzM2NTRaFw0zODAyMDYxMzM2NTRaMIGlMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEYMBYGA1UEAxMPVlBOLUFLLWd3
+LWNrdWJ1MQ8wDQYDVQQpEwZWUE4gQUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9v
+cGVuLmRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1iJXRCsnhrkw
+vrvWg11+tAy89uYWXSt5lDxBVwuqoTEacmhnhfOT9yEDQys1jSm8u4FET2UUzI9g
+SNYFigYnKoVjjKKxGtlK2Bt9qgu36WlfzlnqNiKvUO2aHnxNwRNvI7b4YI2/uk3V
+gZAAQdH4DiR0rFSDNmBKyvMQKP6ix1dy4+riACIP22n/bltEp9KmYkoU5XomS+DM
+Fqd5wvCt/A18n3x5Ijw1Z8EGz7YCzMqGrt2HA+zRL8r0d//DS3KfHrZH+5qrrrbl
+j8aHydvklLxDqqn+ZgbxKIRjOJ+DXG3MbGvk4gaUj/+fR5nfoBDxIxlA2wn+hXAX
+v6r/eVSPPs6kGqYLNJsw8qjtuG89PggyhkuNsCoOLY/JvtXMRzadcz3RIS5nnwQe
+EoLDtn+E9NbQlrj9XyKYbzCW2EMJANoNmHsCW/IZ0aKhd7C7lMNxaYGARAssNo+r
+gUXj1bUbJQBpHZOJj4AZV9um1YM4ef9v9hb0slYolHw6YS1ys3Ur38+/005gVFtR
+daFQLsUXvLavCALJRuWfFv6k6Vp/HyDlRiwL3kDCsy+ul+ll9DC42rMb6y7WxAnK
+7lN6I5mWLkL7aWY4Qj9Fa+OeavGweSSYOaEzGHhNulQ9pIsw9f3XEKGh1XhSojpK
+hHM40wuTmGMwb53GhX5jB3UPijMdbgECAwEAAaOCAWgwggFkMAkGA1UdEwQCMAAw
+LQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
+BgNVHQ4EFgQUBYLo1mtxM1jb3ogF+1KEvfNNZDowgdEGA1UdIwSByTCBxoAUEHXX
+KayMfThSNCInVWJK275Iub+hgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI
+EwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYD
+VQQLExBOZXR3b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQUsxDzANBgNVBCkT
+BlZQTiBBSzEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQC0afdE84AN
+NDATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEwYDVR0RBAwwCoII
+Z3ctY2t1YnUwDQYJKoZIhvcNAQELBQADggIBAHe1NvTTAE32RzjFyUZz72suEVrk
+OChnbtlokfhencfOZ+241jMswpg5aQDA2jY+lmEQW5tK4N+2hglTFHM4gW4b362b
+rJFEe0fCMl3r/cqdmZbDNXSm9xR7pSoIWt/2vo4ucZQzQEqN6CXA0/rOx84yPDj+
+UFHqvoOAAUbdBZOWqZ4Q+Qni5Y4QmUsGWaoK3LApKSEdfNxiKZkNZ6joWkjJiE45
+pdYd5qeUR1plixNhl5dITH0VfeM+85IXS6y9Tm4kb6tbLPO7KPu9vF/7UD0+Z+zM
+hA8nDu4CjQtN3aSq6Hazi17lDbjpYEWid2LQ0Epvh0c8PHcdNzpf3343/+fun+qH
+xKcEM/7BzyHtVaqPMRqLIMVx4+jAN2k9Lj7oswzTZa526G85kStfwZ5EzuHZ+53s
+2cH6ado+SZDbV2agrcjPri3Bmve36Ed0jLcAA0KcNVOKGfUuY/UR08j/0NbG12ZZ
+IZACPxtIiRcd97cvPXJIxn60LqvBkiRX9rRWA0se//hkCEbUC/w9YekDzDtKU5vw
+JdHjdPVX1NZgXOWom9lUFmWTzeTWC81iAG/YNw271yZ5be8RysAhx+u8ql5AuHL3
+tRsHj1TUbdBINePBvWexL2XdddojjwC3h42N7AvnMNW7ukSxzCog9eGxXmhKkTt9
+En3pD1oBbG67z5tL
+-----END CERTIFICATE-----

AK/openvpn/gw-ckubu/keys/gw-ckubu.csr

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE6zCCAtMCAQAwgaUxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3Jr
+IFNlcnZpY2VzMRgwFgYDVQQDEw9WUE4tQUstZ3ctY2t1YnUxDzANBgNVBCkTBlZQ
+TiBBSzEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGUwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQDWIldEKyeGuTC+u9aDXX60DLz25hZdK3mUPEFX
+C6qhMRpyaGeF85P3IQNDKzWNKby7gURPZRTMj2BI1gWKBicqhWOMorEa2UrYG32q
+C7fpaV/OWeo2Iq9Q7ZoefE3BE28jtvhgjb+6TdWBkABB0fgOJHSsVIM2YErK8xAo
+/qLHV3Lj6uIAIg/baf9uW0Sn0qZiShTleiZL4MwWp3nC8K38DXyffHkiPDVnwQbP
+tgLMyoau3YcD7NEvyvR3/8NLcp8etkf7mquutuWPxofJ2+SUvEOqqf5mBvEohGM4
+n4Ncbcxsa+TiBpSP/59Hmd+gEPEjGUDbCf6FcBe/qv95VI8+zqQapgs0mzDyqO24
+bz0+CDKGS42wKg4tj8m+1cxHNp1zPdEhLmefBB4SgsO2f4T01tCWuP1fIphvMJbY
+QwkA2g2YewJb8hnRoqF3sLuUw3FpgYBECyw2j6uBRePVtRslAGkdk4mPgBlX26bV
+gzh5/2/2FvSyViiUfDphLXKzdSvfz7/TTmBUW1F1oVAuxRe8tq8IAslG5Z8W/qTp
+Wn8fIOVGLAveQMKzL66X6WX0MLjasxvrLtbECcruU3ojmZYuQvtpZjhCP0Vr455q
+8bB5JJg5oTMYeE26VD2kizD1/dcQoaHVeFKiOkqEczjTC5OYYzBvncaFfmMHdQ+K
+Mx1uAQIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBABfDR6XX9PyMssjRv+hUUEUZ
+ixinvBHgziFQ4ZyFqz+hNfAmvX0qUT6VwJasIY6ajCH05lKTY+lrBoNEFfqL0yyV
+azYHhhDqe0HDMW+F0uzs4gC4eIEk7TDzctPtgr3HdpVICeWCv1gGZHkO6dYLiYV2
+YrIbSN2axQzzpFxRLEPrdUtxKEuECwPV3+xxdSIZsXXvLJpJamW5/Jd1A5yFzvCm
+esAucNcblF76Rz15MXQ7lnSEPKu+OlabezsjjUoSV9n1UHBQrxYyuaOP6WBRjwd3
+bUED7fQsRbd9SzADfcUEXrSzkrDUyDSxLPCcSzuPC/juT/FfM/DtRN437/lpNwm6
+vPzOwyPqDvgNUL6St84y695Ivl/kVwMAq8Rmbldj1fmEfz9vzlbjjjeS+4tyNHfr
+8SpzUtG+SBAzzLPizAo8WiMJqh565YdVwgthmpg8u0ZrBVoDCgcP7dkJ5xDHI3M2
+MwddoncLd2qwF6fJ0wWs5sv9ydjRkF4oSjcI1xtobJnBnIlDweALdqvspwPmKPMe
+yfZrW8DbU/MRgfAK85e1ChUTL+mBB/nX2/1xQUb9ltZn7Q9divdAAUFE5ogRngX0
+fkN6SZ2vp7rm7CA3X5Z+ynbolZOFfRaj0h42PvE4ja6Zbcg0PNgx1R6BH9ggDjlR
+V40gst/0d+nEcC9u2Wx6
+-----END CERTIFICATE REQUEST-----

AK/openvpn/gw-ckubu/keys/gw-ckubu.key

@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI62QkbYGv0EYCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECM5hsq05gmbkBIIJSJV6xZtsAe56
+teLN4Bl1fR+qUAfmKm3q94RgI1f9Rc4MpBf64b61IgkVWnQ4ec4CAPnhe2FeUExh
+HGRoeBWR88WaTgNBo6+VUhTCYPAelLvGjhG9TUjn4sigSU3/nQos9NTEMiZjv4+j
+zQxhAxcdjWHOtUkScKz9EDAmU5EAais87VSg4a0AORgHNp88SOdTf56EqzZ5nh06
+NQwiUN4zlrTs2X3mnL9Xx9OPqkha4Ij2efr7eKN9Oex/IpQndH/5AUpNcjfn1sQw
+pokSOQK85AulhRVD9BMD+PTVsOy7xIrQkusv80NsZyqdCAGZLaRzw1aQv5tTLsD+
+pukAzv8rdaFX+k3+Pa3IZbjDGibPTw6Jy+2RY1XEOn7KD/PaULhWnNqioWG93Prh
+ShsAYUeAJaAmiY61D5ORiHVw0D3lUwBjuENd8AQ+y6ofIpdMnsJGzyfomswxSpz9
+CjwXUgdd99A+eeS/IDzDVECeAM0X/ugJ/gILa3ntK/DVVjap5UfCch6wpYnCYoIc
+p3aRYc5TeMR1U1DDrWt9c/4hB22dn5On0mSyC0K/eYdFYqZq+jDCNkMbvGRqFfCl
+qUP+SO+h6miAjakBymIZ/X4i82PucHqC+HXvcYbY4LttKEsztl+WcK8qXWxhgljv
+8dJLEqD6l4FmcdP1CCIpnMnYmjJLVmOVxhusWnSsbj9se55nL+mjtOCdWCMlAMr1
+06sz34Ujq1lfsB7nn+z7O+1ZuMU3qcgPigHXQYJRwpD+eCCUsKbKAPvCHqZxjtOR
+k9eDTQvJMsHFA0TCQ1sMPFhuMAkH+ZhW5Fn1Qguc52aG5oT+ABjhvtN1qKQhhu88
+AwfAPME60+1rmUwu75OZ22lDBVCmqu1MHQEtI7QoJqIXP9fY8bZk9XjgrqzYeQqV
+ls5DVJ48uY9BoMHYNFCwnSVmMFHIVPySSjZNN7LoEICevbr1iL3la8BtGaEFPo6V
+0u+xZMDB8uRoX4sc/yBavu85FWUEKP3P/IZ0Q7qhVd27Y+gZqGqm4HZ6SWMNx3qv
+zNfnfx8ChYWhMbZOAuurEJ/ge0lN5pHJQYPaHJ7J5UIXHclAXPKUJXiSam6XiIyo
+NAlxHvHItk5xnvgqq0m5jRkyhU+LcPplee7AIFptpk1Snrxv7weofqrUrRP0XPMr
+YUxQHbqq+P1XDJQzS/fk/CE3hvwoIPTcnsazvaymaMCN4f+yAIkIur26FoN1Egz0
+ed9zMuE/Q+Uy2wctVDf7ckcAvUJVmQO8ZeM81JO8qak424so9K+VK/1c5+nmwPx+
+HbzSzGCLvT/AsAsgAWuSnqSpfNkK78YHsZ0166CZgsuUxbr2QncU88m4u+nxvPhV
+88MTibkCopYa0fLgrdmM0KbgY0wCGBmMIgrSd77kKuKZuqtKKPvPClK8XeI5I1Kg
+vaeZslPTCFJQAmABLcbtZi5GejUlh3zxPXWwr0xHWt9QMxqXIbKz9w98ZVxB6JgG
+dc2eXN6Y53GWS2rPMCj57JnJzSOY7cH3mUcEAn8sZj3tfnhvjyjrLoVW6DS9DxH6
++hrYeEH2SB4VFo9LAkQf8nXGmf6Drc2CuHBggdL6E7eiqJwpFxJyWZF9cAyUIKNY
+3QGe01nD7/FJ2OdQ3TewwJdO6VM9MCacCg5Tu3CCaBn/ROMDeJ6waxCAaWC0a3ye
+/qF72uUPBnGmepCL8UNty5EHGJEQdLsFUqcz6esBd5QsJQFd4a6Dj+6dygHA5pFS
+imsM3CvEucQLinv14T2MlSfEHGKG838XcNz45z55C6LRWmDo8YhGJpyWLTRanOPO
+YgzRW64jjoowmCOYN+dHMu2N8TuHJaGtNywwzJS/hAmGywn8nQjm2hBBgmzbP4Z9
+mv/j3sym/S43HLgoxFXdyy+A4mWhC6DYyqctC5stUb7LWhDDH1q3/vIpbGzNOlIU
+64RU7tnb73tfNAvP27wok1Y5QulkrcgmGhT1mEXC2Dmd6UNU53cPKC2L9mSYwpLY
+oI0S5LrNfvcJbv1T+Q+6tl4JOviv9c1pxHrGU5QiUC9iWHQAqABewDQcvZHCgkv3
+n1GU2n/Cw3FJN5VKZvsEsL3uLt0iPNsq+gXt1O1+72vnsU9WGb3cLpei+69NaWC2
+Y1eYROJUwvISYh5Fj3AbQHkeaoMBnlD65MtCC27e4wQ08f1WK9yqD9RuF0/AyoMq
+eKuacUkDdRsGtv/EPw+2Y4TVZU8NCx/bklwzfti9d5Gvl13dVKH2rNxNzfU2uwN9
+VMylBtSPKy0M7mIneZmpAFRDUzcVAV/+1u8khfWG0L6AX9jD3m/9/kKZIsVRuxLP
+RW8OcSkZ38Y8LachhEToEyr1s0iPWOa2Uo6/nPpBswk8yI5CGETSvsL0+imcnykU
+GJJGLNRg8QZRAXzB/CadLZ2YLSp+VbwY1RI9MUnOIQy4nDJYmqtrlFtFlbkgYign
+eI6NycS8iTSQkGJHJCxftPW5HU/rOFoVmDkdpZ8lMBJsjqsrWxuMhZdYhd12SYRz
+c8MUarMyTCNYOA/U3avP3wcMWlIBGXnDhCSJWuP4TgekL8YeXIZlpqfLNSbjjzjK
+Qjr1QWrFcheKFtcN+RwxjmEH9VIx/Gl+j39GKjuVE6qFv8ydf5pO6hNlpUhdPwbw
+AfnY26813nPRQszCSKXgT6ZzLExlOdGEtcsLdVgNhqTG/YLSOWOzLogqbbIGBXrP
+iDenjXgL+KWWVx68rLIkX6uXp7ECyJuIzHdA4rz4BJ2E8N07RWIB4UIJqDkb+SmB
+uBjHA/lnnF1NgTaF1YfGTBYJBh9A5De0lWs7f/4FBuQ6cudLHw1TWFzXNYrBUvIi
+JVi3wm1MZYiLz5uWvf4hqS6kuxtHlkxmZeOjawxyNAaESesM3LiuGNa4wlAdLqrb
+Re9jzz6n7OyL+7NEjpDgxS7kx2UjgZfrH3+FhGAGJaaqfeC1Gz21jXNc4S+zHxP2
+Qt3/qm027TN1TARpTxDK4eGRFgOLyDbb+8aeaywjcqUWRN5tWutFNavSn/Amgugh
+mSxJJvyf0WKnh6cbX5mGQFzKiaAqz22IgtcSovZt0K13KR6IExQZW1N2QbpchjWM
+NFwD7jxGsOPeukul9fpANrZk+qXZqjSX58bEbMax+th1WNpnEqG470FvcJv8z72e
+6YP6NW+YmJhshYOCv/q6Ng==
+-----END ENCRYPTED PRIVATE KEY-----

AK/openvpn/gw-ckubu/keys/index.txt

@@ -0,0 +1,2 @@
+V	380206133043Z		01	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK-server/name=VPN AK/emailAddress=argus@oopen.de
+V	380206133654Z		02	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK-gw-ckubu/name=VPN AK/emailAddress=argus@oopen.de

AK/openvpn/gw-ckubu/keys/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

AK/openvpn/gw-ckubu/keys/index.txt.attr.old

@@ -0,0 +1 @@
+unique_subject = yes

AK/openvpn/gw-ckubu/keys/index.txt.old

@@ -0,0 +1 @@
+V	380206133043Z		01	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK-server/name=VPN AK/emailAddress=argus@oopen.de

AK/openvpn/gw-ckubu/keys/serial

@@ -0,0 +1 @@
+03

AK/openvpn/gw-ckubu/keys/serial.old

@@ -0,0 +1 @@
+02

AK/openvpn/gw-ckubu/keys/server.crt

@@ -0,0 +1,141 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Feb  6 13:30:43 2018 GMT
+            Not After : Feb  6 13:30:43 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-AK-server/name=VPN AK/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:d6:54:ff:ed:31:40:93:d3:2e:da:0a:e2:7a:f6:
+                    51:83:c6:15:03:62:aa:59:e9:71:20:a3:af:4d:94:
+                    30:3e:23:30:18:f2:02:91:03:7a:6c:fe:ea:d2:8f:
+                    22:c7:19:10:5c:d2:ea:93:7e:5e:88:7b:9b:db:23:
+                    8c:b2:85:d7:d1:b1:ac:8d:3c:59:30:ec:2a:63:b5:
+                    56:32:e7:7d:af:bd:0c:05:74:30:a2:7f:42:8c:2b:
+                    b3:cc:e2:f2:5f:73:52:d4:27:44:87:1e:fb:c9:a4:
+                    0e:0d:1c:f9:b0:b9:dd:49:62:af:c8:1c:9e:7b:70:
+                    7c:21:ea:f1:fc:45:45:c6:f0:c8:36:c1:b6:b8:c4:
+                    b4:e6:78:45:8e:cb:e9:1e:33:41:f2:20:30:5f:3a:
+                    ba:b5:37:67:a1:b7:85:90:1f:19:3f:8b:42:a2:40:
+                    02:ba:67:25:92:58:57:dd:cc:af:92:c5:f4:99:a1:
+                    7a:f9:1c:cb:4b:4d:66:0c:9f:45:b0:5d:85:df:3d:
+                    cc:a9:77:73:d9:a1:ee:bc:d8:ee:8c:cd:91:96:2c:
+                    70:fb:4f:f1:cb:3d:90:aa:73:d6:ab:4b:b0:a5:f1:
+                    41:a3:f1:ea:8a:f3:20:5f:c1:88:cf:68:66:c3:65:
+                    eb:ef:b9:ed:ec:2c:8c:96:b7:eb:70:e5:c3:7b:52:
+                    c5:89:40:39:53:a1:ca:fc:84:05:2f:63:d3:5d:67:
+                    8d:94:26:1f:a8:fd:ae:9b:4e:64:87:8f:38:76:fc:
+                    06:30:49:ff:23:19:d6:a3:06:9d:3f:2b:1e:4f:42:
+                    44:6b:66:1f:55:88:19:23:40:9b:01:32:96:22:87:
+                    fa:9c:8e:0a:41:6b:e1:cf:a3:68:db:80:e1:5d:86:
+                    72:e0:33:0b:cd:30:5e:aa:c7:8a:20:19:0a:6e:2c:
+                    c9:01:36:57:bc:2d:c7:95:aa:3f:9c:40:47:e1:34:
+                    03:90:d0:9f:11:4e:f3:d4:3c:a9:fe:63:81:db:f0:
+                    bd:27:4c:4a:6d:89:a4:95:1a:f1:ed:b8:b8:a2:71:
+                    52:91:ff:e0:8b:b6:9e:31:fc:b7:c4:0e:07:84:29:
+                    20:79:57:99:5b:7e:5f:be:eb:a2:bb:73:9d:ef:f2:
+                    1e:8b:24:c6:86:91:68:cd:71:bd:35:05:d5:9f:cf:
+                    e7:5f:b4:9a:2f:12:9c:b5:3f:8a:7f:c7:b0:cf:d7:
+                    70:ea:28:63:65:6d:7c:64:ad:06:4d:1d:17:30:ca:
+                    0f:54:76:21:90:16:a0:49:0a:87:ae:b3:ff:dd:e0:
+                    71:17:0d:71:ee:96:8a:2d:86:14:fb:99:5f:ec:9f:
+                    5f:25:79:cf:42:7a:13:0c:66:cc:7a:60:83:43:77:
+                    f4:b6:f1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                C6:1E:B3:D8:34:53:70:7C:82:D3:64:78:9C:4C:33:01:71:8A:67:66
+            X509v3 Authority Key Identifier: 
+                keyid:10:75:D7:29:AC:8C:7D:38:52:34:22:27:55:62:4A:DB:BE:48:B9:BF
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-AK/name=VPN AK/emailAddress=argus@oopen.de
+                serial:B4:69:F7:44:F3:80:0D:34
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         91:4a:bc:3a:35:78:e5:e5:66:b6:36:5a:66:0d:da:e3:01:7c:
+         07:be:0e:0e:2e:61:1a:c0:74:90:83:f7:39:8b:2d:0a:06:92:
+         ca:75:d3:ac:a6:94:66:10:41:30:2c:dd:77:c3:12:e0:5c:97:
+         e6:5d:c3:ef:2f:63:65:d0:f7:c3:9f:72:6f:54:07:e8:80:af:
+         35:53:74:6f:4d:ea:33:0a:86:8c:1d:79:f1:22:76:97:f4:43:
+         34:01:0e:8c:79:8e:23:60:67:89:ad:eb:48:4a:d4:50:a7:09:
+         bf:00:ce:d6:d6:6c:e8:f1:06:b0:f9:1c:de:1d:d9:32:2c:8a:
+         02:dd:0f:31:a7:0f:f7:92:e5:f6:7d:37:7f:a8:5f:bc:87:93:
+         4d:58:1a:6b:e0:84:a0:7b:6d:f7:6e:84:e6:94:87:70:59:3a:
+         9d:07:c4:1a:21:96:8c:04:51:e4:f1:01:49:0d:3f:7d:d4:65:
+         5b:ae:dc:40:4b:63:71:0d:ef:bc:e3:f6:ab:11:2c:b8:2f:df:
+         5a:bd:70:21:03:d0:54:b0:3f:ce:70:d4:4e:f2:ec:1d:54:b6:
+         1a:53:ea:e7:2c:82:83:74:98:52:41:0e:4b:cd:03:02:9e:4f:
+         7c:85:45:13:6c:ec:a2:ba:18:ca:62:39:3c:45:f4:83:86:74:
+         77:0c:b4:fb:f7:50:f6:77:a2:91:db:5a:3c:d9:3b:75:2e:3c:
+         8a:68:dd:f3:fe:9a:4c:1a:d6:a6:46:d6:3f:9d:c2:f7:06:0f:
+         4a:5b:9a:de:27:39:a1:e9:19:8a:82:86:de:5f:86:82:f0:cc:
+         5c:47:64:fd:bf:8b:6a:f9:a2:ce:a8:75:12:1a:97:20:01:fa:
+         a3:22:7d:1f:5d:66:09:f0:51:97:ff:e0:b0:89:e4:2b:33:de:
+         c2:7e:86:24:34:28:6f:6a:5b:e7:f4:f8:4f:29:f5:06:9d:26:
+         a5:f4:e6:69:cb:dc:22:e6:3d:ae:65:da:41:f0:23:aa:58:93:
+         38:1e:14:fd:df:6e:af:9b:56:a4:d3:91:b7:33:a2:2d:5e:38:
+         6c:e3:16:de:91:f1:4e:f3:5a:37:1f:a7:6b:d4:97:7f:1e:a9:
+         34:a9:e3:db:38:7c:59:38:aa:c7:08:0b:89:46:42:c5:57:65:
+         a1:26:f2:57:0d:33:d1:25:24:da:b3:f6:2c:ac:b7:71:18:df:
+         20:06:90:89:78:f1:c4:7f:b6:48:78:f4:29:82:01:09:29:9c:
+         21:34:b3:e8:06:71:61:9c:da:34:38:4c:c3:ad:73:15:da:0a:
+         92:51:71:aa:67:87:44:3e:9b:b8:10:aa:06:d2:f6:a0:85:b0:
+         8b:64:1d:68:35:c6:44:00
+-----BEGIN CERTIFICATE-----
+MIIHPjCCBSagAwIBAgIBATANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1BSzEP
+MA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
+Fw0xODAyMDYxMzMwNDNaFw0zODAyMDYxMzMwNDNaMIGjMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEWMBQGA1UEAxMNVlBOLUFLLXNl
+cnZlcjEPMA0GA1UEKRMGVlBOIEFLMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Bl
+bi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANZU/+0xQJPTLtoK
+4nr2UYPGFQNiqlnpcSCjr02UMD4jMBjyApEDemz+6tKPIscZEFzS6pN+Xoh7m9sj
+jLKF19GxrI08WTDsKmO1VjLnfa+9DAV0MKJ/Qowrs8zi8l9zUtQnRIce+8mkDg0c
++bC53Ulir8gcnntwfCHq8fxFRcbwyDbBtrjEtOZ4RY7L6R4zQfIgMF86urU3Z6G3
+hZAfGT+LQqJAArpnJZJYV93Mr5LF9Jmhevkcy0tNZgyfRbBdhd89zKl3c9mh7rzY
+7ozNkZYscPtP8cs9kKpz1qtLsKXxQaPx6orzIF/BiM9oZsNl6++57ewsjJa363Dl
+w3tSxYlAOVOhyvyEBS9j011njZQmH6j9rptOZIePOHb8BjBJ/yMZ1qMGnT8rHk9C
+RGtmH1WIGSNAmwEyliKH+pyOCkFr4c+jaNuA4V2GcuAzC80wXqrHiiAZCm4syQE2
+V7wtx5WqP5xAR+E0A5DQnxFO89Q8qf5jgdvwvSdMSm2JpJUa8e24uKJxUpH/4Iu2
+njH8t8QOB4QpIHlXmVt+X77rortzne/yHoskxoaRaM1xvTUF1Z/P51+0mi8SnLU/
+in/HsM/XcOooY2VtfGStBk0dFzDKD1R2IZAWoEkKh66z/93gcRcNce6Wii2GFPuZ
+X+yfXyV5z0J6EwxmzHpgg0N39LbxAgMBAAGjggGAMIIBfDAJBgNVHRMEAjAAMBEG
+CWCGSAGG+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJh
+dGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUxh6z2DRTcHyC02R4nEwz
+AXGKZ2YwgdEGA1UdIwSByTCBxoAUEHXXKayMfThSNCInVWJK275Iub+hgaKkgZ8w
+gZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxp
+bjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMQ8w
+DQYDVQQDEwZWUE4tQUsxDzANBgNVBCkTBlZQTiBBSzEdMBsGCSqGSIb3DQEJARYO
+YXJndXNAb29wZW4uZGWCCQC0afdE84ANNDATBgNVHSUEDDAKBggrBgEFBQcDATAL
+BgNVHQ8EBAMCBaAwEQYDVR0RBAowCIIGc2VydmVyMA0GCSqGSIb3DQEBCwUAA4IC
+AQCRSrw6NXjl5Wa2NlpmDdrjAXwHvg4OLmEawHSQg/c5iy0KBpLKddOsppRmEEEw
+LN13wxLgXJfmXcPvL2Nl0PfDn3JvVAfogK81U3RvTeozCoaMHXnxInaX9EM0AQ6M
+eY4jYGeJretIStRQpwm/AM7W1mzo8Qaw+RzeHdkyLIoC3Q8xpw/3kuX2fTd/qF+8
+h5NNWBpr4ISge233boTmlIdwWTqdB8QaIZaMBFHk8QFJDT991GVbrtxAS2NxDe+8
+4/arESy4L99avXAhA9BUsD/OcNRO8uwdVLYaU+rnLIKDdJhSQQ5LzQMCnk98hUUT
+bOyiuhjKYjk8RfSDhnR3DLT791D2d6KR21o82Tt1LjyKaN3z/ppMGtamRtY/ncL3
+Bg9KW5reJzmh6RmKgobeX4aC8MxcR2T9v4tq+aLOqHUSGpcgAfqjIn0fXWYJ8FGX
+/+CwieQrM97CfoYkNChvalvn9PhPKfUGnSal9OZpy9wi5j2uZdpB8COqWJM4HhT9
+326vm1ak05G3M6ItXjhs4xbekfFO81o3H6dr1Jd/Hqk0qePbOHxZOKrHCAuJRkLF
+V2WhJvJXDTPRJSTas/YsrLdxGN8gBpCJePHEf7ZIePQpggEJKZwhNLPoBnFhnNo0
+OEzDrXMV2gqSUXGqZ4dEPpu4EKoG0vaghbCLZB1oNcZEAA==
+-----END CERTIFICATE-----

AK/openvpn/gw-ckubu/keys/server.csr

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE6TCCAtECAQAwgaMxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3Jr
+IFNlcnZpY2VzMRYwFAYDVQQDEw1WUE4tQUstc2VydmVyMQ8wDQYDVQQpEwZWUE4g
+QUsxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEA1lT/7TFAk9Mu2grievZRg8YVA2KqWelxIKOvTZQw
+PiMwGPICkQN6bP7q0o8ixxkQXNLqk35eiHub2yOMsoXX0bGsjTxZMOwqY7VWMud9
+r70MBXQwon9CjCuzzOLyX3NS1CdEhx77yaQODRz5sLndSWKvyByee3B8Ierx/EVF
+xvDINsG2uMS05nhFjsvpHjNB8iAwXzq6tTdnobeFkB8ZP4tCokACumclklhX3cyv
+ksX0maF6+RzLS01mDJ9FsF2F3z3MqXdz2aHuvNjujM2Rlixw+0/xyz2QqnPWq0uw
+pfFBo/HqivMgX8GIz2hmw2Xr77nt7CyMlrfrcOXDe1LFiUA5U6HK/IQFL2PTXWeN
+lCYfqP2um05kh484dvwGMEn/IxnWowadPyseT0JEa2YfVYgZI0CbATKWIof6nI4K
+QWvhz6No24DhXYZy4DMLzTBeqseKIBkKbizJATZXvC3Hlao/nEBH4TQDkNCfEU7z
+1Dyp/mOB2/C9J0xKbYmklRrx7bi4onFSkf/gi7aeMfy3xA4HhCkgeVeZW35fvuui
+u3Od7/IeiyTGhpFozXG9NQXVn8/nX7SaLxKctT+Kf8ewz9dw6ihjZW18ZK0GTR0X
+MMoPVHYhkBagSQqHrrP/3eBxFw1x7paKLYYU+5lf7J9fJXnPQnoTDGbMemCDQ3f0
+tvECAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQAgB9FbRhYOdXMtQn8TfT3rN1Ya
+VghURxqmzxc1HQIvICXiOyP4XQVkefMWrEkFDP1a/jj6/6xkA7riIC2xMLNGrnPE
+j5OCQJAQKk07eaOUkI4ouNveNKyxpMdHJHloydlo/mwtJMOYc57PSCSggDkUgvr+
+NtNx0So8FDxsCl9CsU6cXMO6hehtPUZxvfHdHVAilvcz0JE4bLtX/xAlZrr1mpMZ
+zNRXFqwteyRaomPDLUkXe1I9zrUzEFHRko80YuuWZ61MbthKaS1rCNLuK6Fin44p
+Q98TPewicXfbGucCSqyXsAVwdWpu2/nmLEvO62LZe8nMVKw88tDn7crMg9dfWNtP
+tTvEaRJXlMIce7pUBERP7WEiTSR6X5Zc0RmvqbXUbvG5Agbzc+zrIk8GLmCw6xHn
+hynJLukDZae3UZxPUFuweJgPhCK/ohgpL+IORVoMpISfzHRWGU9C4/UTKo0OKAz3
+DLXBXyzHNDF463Vtt7niDTkNUPgjauNIWxxI59Y+CKnF/Q3CjxX+h46QJq5PFPF+
+sBx6MR7wDHQHoZPBFdL9F+f5AJIOkTYq0cvb3GAzN6+DgMPwQXpEk1UlV9w/Ki3c
+wQBtBKzXFB5X2IncMIGSfc670r2oASpZDo//2fvEG7vNtbPWeE1Uy4WgAaQtannk
+Drqr1RqgYNStmF1sUg==
+-----END CERTIFICATE REQUEST-----

AK/openvpn/gw-ckubu/keys/server.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDWVP/tMUCT0y7a
+CuJ69lGDxhUDYqpZ6XEgo69NlDA+IzAY8gKRA3ps/urSjyLHGRBc0uqTfl6Ie5vb
+I4yyhdfRsayNPFkw7CpjtVYy532vvQwFdDCif0KMK7PM4vJfc1LUJ0SHHvvJpA4N
+HPmwud1JYq/IHJ57cHwh6vH8RUXG8Mg2wba4xLTmeEWOy+keM0HyIDBfOrq1N2eh
+t4WQHxk/i0KiQAK6ZyWSWFfdzK+SxfSZoXr5HMtLTWYMn0WwXYXfPcypd3PZoe68
+2O6MzZGWLHD7T/HLPZCqc9arS7Cl8UGj8eqK8yBfwYjPaGbDZevvue3sLIyWt+tw
+5cN7UsWJQDlTocr8hAUvY9NdZ42UJh+o/a6bTmSHjzh2/AYwSf8jGdajBp0/Kx5P
+QkRrZh9ViBkjQJsBMpYih/qcjgpBa+HPo2jbgOFdhnLgMwvNMF6qx4ogGQpuLMkB
+Nle8LceVqj+cQEfhNAOQ0J8RTvPUPKn+Y4Hb8L0nTEptiaSVGvHtuLiicVKR/+CL
+tp4x/LfEDgeEKSB5V5lbfl++66K7c53v8h6LJMaGkWjNcb01BdWfz+dftJovEpy1
+P4p/x7DP13DqKGNlbXxkrQZNHRcwyg9UdiGQFqBJCoeus//d4HEXDXHuloothhT7
+mV/sn18lec9CehMMZsx6YINDd/S28QIDAQABAoICAQC1UT8Y17u70sIl72Ndhpe7
+FI2eSY+3dIchh5e714tgZcBAuit1pi2hm53n9vMC368596w+jn9Gktts7YwPUq8b
+VGWXLeB+RKwvoa6EbdWkIBfVXU/viB0yG56Fy9Ai85q0o2uTq6ByGvlQGp0Y5oPP
+m079yUhBQQ2iW/HO6oN3IycdO49qi+5FsqWVged6hv5Y6OZDCZn9yBtBcdHp9IUV
+fqgmPmSQcMYWIepjVs+JKTId7b/sknFhCN81+l+oLdYc31kOXGGDUTx4QkS8lQN+
+uaXy1NTGjRSfPlPyoZuVJp3TJcq3NarDlyQ34ihdURHhwbcHP0DIGFtzLMzMvV8h
+ir4O3lY/bhXUrPMpg5D2pPaD2L/uyqluzfePK0r8Y2a0bv+cGPHu83MZCgoHvyF9
+Bd+r1rz3vWYDrAqJi2xjADsUDtwFvtBaBuTu1Q/dvwY7DF+cDKpThSC0+4P8bAqf
+rC95Z8NSIAQra+BKElQCHK1fB0yCf/rVPDt1wcrbDzxnDjG8ZRiKpuOtYz86oOuB
+jLSe9SP2cEx9Oc9mTFaojjfkwGqkmKH45fuHPwpQy1cdAFWzhaLTkFpQjBWpBDQL
+njrhrg8iaKoai6dfn5fK7UMDFPM3F8SiqJ+SfSsSeqfeMKgwlduzsIgqWafopLm+
+RYQYkH8EUkaHS+uUw6rX4QKCAQEA8vkqaLzCaqSdbs4Sxsy28lwShuaZDZwM8659
+zWGRLGVeWtQMJfMNXgE3+yo2Bdc5vhiHR4+GlKGsJxjqY0iPfFFr7AOmLEBgjkUF
+uw7eNrIVxD15SG7MRAcw1Cs1frwaot4I/jIhWqrYwmALq8C+UsSLZipXaBKCUYyE
+Ej7rqXyIoaao+V+7jU45jTNbfbtozZkfVGWDYQbopfZyabTmon2p0uvz3Q8BbvMk
+E58hEAGJFilZKyHscxsRw2lHmOQisyMC1pmM4aN4ZTBA16WhFKtNmCzcwfTJDZQQ
+hYxItYRFX63OqzG7M6+yWxTo8rX3fI9HAeJ2Pahheh14N2Ef7QKCAQEA4dK6w0AW
+TZ9RTzMyKVEHXBi6xQnkfH6qwtAuTnc5cBc7/Pwz+DH0+VR6vci4j7cs+mYvXAxY
+R7FuRRyDyiahWzlNpTPHzRQy1wfcxKl3B1LKgfr8VBxgAJ50AYkkmZsaSi5S1Haw
+PGOle+4dkkpFuC2X6FWr8i/2doz1PC4lqT1dlFQTM8p2xuAPEO7OCUSndPe30RGt
+oAvVgmdu01ba/bEGr6JF2bCfr2HBN/0cN8QS7F+13Tp96i4fm+fwjsgrqIlECuN4
+cvdbBGKM+SgwGFMBX1gmk9QYMQaqEDWU08YhWHrzdmAO5eoK6KNrHuBC1faL04sJ
+1K8juKAjAWlqlQKCAQEAlDcegamzxy4Hw1H97jtu1kUIIDaG4uBwni2xHBoKXtSv
+TCTSDExJuTBxH8vODJ4P4UBBNYv+AqjkxSzTviDDNojMlrpbId9bhy3fow4cy6yy
+znTZiS/ddxoT1TlOdrL0ZKmhPr8BzbcuZtQECo+XChJPHtFxZFD2Ihzfa+nqBAet
+qT5rEUQuurIfNV1A0GAEPHbNv8P08rkuLh86B/WMQ074y2uX5R+ENlQni7ikiIkH
+QPeUJ1WYUVcP7O5J+KAh8rjGwHYGlJYNmVxoEaQ9sMgWm1+ygrZ59sh9k5nRuLip
+QQZbbd72XT8uQ5VrzLLn95nHLQUiL9aJL97OOKoMuQKCAQACHn8gK+7JpbAWpS1Y
+U+lUxOqjxLb/MBUcJOX6WIYSdjVa52b5ckaRPGi2dTa+KoLiiqjxHTCK47BcN6tI
+71neSEhhP34lf4YGnI1GzyxNxkoeNCPAClAgUVxXU1kjk+AISC0Az2hR+MFpy089
+uzKySsM9K+ikKi0O6b23Zdt2nhvNs4hGmSTKMvoRN5x5W8qSf2ybKqZNdS74vU29
+7/e4H7wnU8eCBnVJKQquItLr9wwSaceEHvNlii9DwEZyoJBAUaFw1LehpI6XGPGn
+uOfSopzFr0cVZg0gEKbx5f7Sie5wLR8xwi8Bm1Ok4Tu1G3elGF4xiwF5nHciWWZa
+sgmNAoIBAQDZHa2roknLsDJFH8W7DsnfjSa1glAQGY6lB5rh6f1BseHvERSNog+s
+199Y624za5wVWA43jDy+UFfAetna1CwX+plCk2w4FNncmuBP8nR1EX7fWRh7lXpy
+TKyrOuxFzPZARRLQheBzmGrF2ktDhtlEhH4xRuMUVv0ARluJI0w9Uc9DFIMekHws
+oKMPlj3wd+SJgpCQL90ePUKGM/t7GqqwBd/yvtYhv1ns/4ZqZ9xAzoHcl9yTmNZW
+TsB3gdCQqtRFm6J4EN1Rx3pEa2wp7bcg4Lq9YPWfxoTzH0eWqGQY9xUbX0f8PUt3
+hNt/I4LbfLl15/FCDKH27AG04sr+m6N2
+-----END PRIVATE KEY-----

AK/openvpn/gw-ckubu/keys/ta.key

@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+9b6729c5c91b466a2bf7a494c2773f66
+6f580c49cf669c267b408d4e69b47554
+eb9a77dc00111f2ffb3be09c38a34c29
+441ed188e45a20a0bc31e28f0740ee28
+10a36049da14f04a4efdfbfc15e492c4
+e8c6cc0e07b5ad43f8a7f9685edf07cc
+3764e44b091a1277195ff52cad66574b
+b9396a38e10445255a387a4c510ad5c9
+9376d6cfe2aee6b4970faadbe8b4b581
+cd01a751bd07d53d984cdbd82c357820
+0251066db57e5863fc96e6ccc4ac9ebf
+b06231f21e93d1934a9ed0352ff0d3cc
+e1fc4269821572b858b3461c4eacacd0
+0eb309b692e49ea3cd9683ff4ae85161
+790f3ff5bc0d7dba51015e182d88a09c
+9389557003a462a4c57467320c9913a8
+-----END OpenVPN Static key V1-----

AK/openvpn/server-ak.conf

@@ -0,0 +1,316 @@
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port 1194
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+topology subnet
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap" if you are ethernet bridging.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Enable TUN IPv6 module
+;tun-ipv6
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca /etc/openvpn/ak/keys/ca.crt
+cert /etc/openvpn/ak/keys/server.crt
+key /etc/openvpn/ak/keys/server.key  # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys.
+dh /etc/openvpn/ak/keys/dh4096.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+;server 10.8.0.0 255.255.255.0
+;server-ipv6 2a01:30:1fff:fd00::/64
+server 10.0.0.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist /etc/openvpn/ak/ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 10.8.0.0  255.255.255.0"
+push "route 192.168.0.0 255.255.255.0"
+push "route 192.168.123.0 255.255.255.0"
+push "route 172.16.0.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+client-config-dir /etc/openvpn/ak/ccd/server-ak
+
+# ---
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir /etc/openvpn/ccd
+;route 192.168.40.128 255.255.255.248
+
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+# ---
+
+# ---
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+# ---
+
+# ---
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+# ---
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# the TUN/TAP interface to the internet in
+# order for this to work properly).
+# CAVEAT: May break client's network config if
+# client's local DHCP server packets get routed
+# through the tunnel.  Solution: make sure
+# client's local DHCP server is reachable via
+# a more specific route than the default route
+# of 0.0.0.0/0.0.0.0.
+;push "redirect-gateway"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+;push "dhcp-option WINS 10.8.0.1"
+push "dhcp-option DNS 192.168.0.254"
+push "dhcp-option DOMAIN ak.netz"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth /etc/openvpn/ak/keys/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+;status openvpn-status.log
+status /var/log/openvpn/status-server-ak.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+;log-append  openvpn.log
+;log         openvpn.log
+log         /var/log/openvpn/server-ak.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 1
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+# CRL (certificate revocation list) verification
+crl-verify /etc/openvpn/ak/crl.pem

AK/openvpn/server-gw-ckubu.conf

@@ -0,0 +1,318 @@
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port 1195
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+topology subnet
+route 192.168.63.0 255.255.255.0 10.1.0.1
+route 192.168.64.0 255.255.255.0 10.1.0.1
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap" if you are ethernet bridging.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Enable TUN IPv6 module
+;tun-ipv6
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca /etc/openvpn/gw-ckubu/keys/ca.crt
+cert /etc/openvpn/gw-ckubu/keys/server.crt
+key /etc/openvpn/gw-ckubu/keys/server.key  # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys.
+dh /etc/openvpn/gw-ckubu/keys/dh4096.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+;server 10.8.0.0 255.255.255.0
+;server-ipv6 2a01:30:1fff:fd00::/64
+server 10.1.0.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist /etc/openvpn/gw-ckubu/ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 10.8.0.0  255.255.255.0"
+push "route 192.168.0.0 255.255.255.0"
+push "route 192.168.123.0 255.255.255.0"
+push "route 172.16.0.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+client-config-dir /etc/openvpn/gw-ckubu/ccd/server-gw-ckubu
+
+# ---
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir /etc/openvpn/ccd
+;route 192.168.40.128 255.255.255.248
+
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+# ---
+
+# ---
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+# ---
+
+# ---
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+# ---
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# the TUN/TAP interface to the internet in
+# order for this to work properly).
+# CAVEAT: May break client's network config if
+# client's local DHCP server packets get routed
+# through the tunnel.  Solution: make sure
+# client's local DHCP server is reachable via
+# a more specific route than the default route
+# of 0.0.0.0/0.0.0.0.
+;push "redirect-gateway"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+;push "dhcp-option WINS 10.8.0.1"
+push "dhcp-option DNS 192.168.0.254"
+push "dhcp-option DOMAIN ak.netz"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth /etc/openvpn/gw-ckubu/keys/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+;status openvpn-status.log
+status /var/log/openvpn/status-server-gw-ckubu.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+;log-append  openvpn.log
+;log         openvpn.log
+log         /var/log/openvpn/server-gw-ckubu.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 1
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+# CRL (certificate revocation list) verification
+crl-verify /etc/openvpn/gw-ckubu/crl.pem

AK/openvpn/update-resolv-conf

@@ -0,0 +1,58 @@
+#!/bin/bash
+# 
+# Parses DHCP options from openvpn to update resolv.conf
+# To use set as 'up' and 'down' script in your openvpn *.conf:
+# up /etc/openvpn/update-resolv-conf
+# down /etc/openvpn/update-resolv-conf
+#
+# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
+# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. 
+# 
+# Example envs set from openvpn:
+#
+#     foreign_option_1='dhcp-option DNS 193.43.27.132'
+#     foreign_option_2='dhcp-option DNS 193.43.27.133'
+#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
+#
+
+[ -x /sbin/resolvconf ] || exit 0
+[ "$script_type" ] || exit 0
+[ "$dev" ] || exit 0
+
+split_into_parts()
+{
+	part1="$1"
+	part2="$2"
+	part3="$3"
+}
+
+case "$script_type" in
+  up)
+	NMSRVRS=""
+	SRCHS=""
+	for optionvarname in ${!foreign_option_*} ; do
+		option="${!optionvarname}"
+		echo "$option"
+		split_into_parts $option
+		if [ "$part1" = "dhcp-option" ] ; then
+			if [ "$part2" = "DNS" ] ; then
+				NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
+			elif [ "$part2" = "DOMAIN" ] ; then
+				SRCHS="${SRCHS:+$SRCHS }$part3"
+			fi
+		fi
+	done
+	R=""
+	[ "$SRCHS" ] && R="search $SRCHS
+"
+	for NS in $NMSRVRS ; do
+        	R="${R}nameserver $NS
+"
+	done
+	echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
+	;;
+  down)
+	/sbin/resolvconf -d "${dev}.openvpn"
+	;;
+esac
+