Initial commit

2018-05-08 03:01:03 +02:00
commit 1c4c595cd6
3256 changed files with 417972 additions and 0 deletions


@ -0,0 +1,6 @@
ifconfig-push 10.1.122.2 255.255.255.0
push "route 192.168.122.0 255.255.255.0 10.1.122.1"
push "route 192.168.2.0 255.255.255.0 10.1.122.1"
#push "route 192.168.123.0 255.255.255.0 10.1.122.1"
iroute 192.168.63.0 255.255.255.0
iroute 192.168.64.0 255.255.255.0


@ -0,0 +1,2 @@
ifconfig-push 10.0.122.2 10.0.122.1
#push "route 192.168.122.0 255.255.255.0"


@ -0,0 +1,2 @@
push "route 192.168.122.0 255.255.255.0"
ifconfig-push 10.0.122.5 10.0.122.1


@ -0,0 +1 @@
./2.0 http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/easy-rsa/2.0
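Review bot: The external on this line fetches the easy-rsa 2.0 scripts from an `http://` URL and from a branch path rather than a fixed revision, so the tooling that later generates the CA key arrives without transport integrity and can change underneath the checkout. Assuming this file is an svn:externals definition (its path is not visible on the page), pin it to a specific revision and use an authenticated transport. Since a copy of the scripts appears to be committed in this same change, dropping the external altogether may be the simpler fix.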


@ -0,0 +1,13 @@
DESTDIR=
PREFIX=
all:
echo "All done."
echo "Run make install DESTDIR=/usr/share/somewhere"
install:
install -c --directory "${DESTDIR}/${PREFIX}"
install -c --mode=0755 build-* "${DESTDIR}/${PREFIX}"
install -c --mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"
install -c --mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "${DESTDIR}/${PREFIX}"
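Review bot: `DESTDIR=` and `PREFIX=` are both empty by default, so a bare `make install` expands `"${DESTDIR}/${PREFIX}"` to `/` and copies the scripts and `vars` into the filesystem root. The `install` recipe should refuse to run in that case, for example with `$(if $(strip $(DESTDIR)$(PREFIX)),,$(error set DESTDIR or PREFIX))` as its first line. `all` and `install` are also not declared phony, so a file of either name in the directory silently disables the target; add `.PHONY: all install`.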

Binary file not shown.


@ -0,0 +1,8 @@
#!/bin/bash
#
# Build a root certificate
#
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --initca $*
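Review bot: `$*` on the pkitool line is unquoted, so an argument containing a space (a common name made of two words, say) is split into several words before pkitool sees it, and glob characters are expanded against the current directory. Use `"$EASY_RSA/pkitool" --interact --initca "$@"` instead. The wrappers further down that pass `--inter`, `--pass`, `--pkcs12`, `--server`, `--csr`, `--csr --pass`, `--sign`, and the plain `--interact` one, repeat the same line and need the same change. Separately, `EASY_RSA` falls back to `.`, so the wrapper executes whatever `pkitool` sits in the caller's current directory; a comment stating that `vars` must be sourced first, or resolving the script's own directory, would make that less surprising.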


@ -0,0 +1,11 @@
#!/bin/bash
# Build Diffie-Hellman parameters for the server side
# of an SSL/TLS connection.
if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
$OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi
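Review bot: The guard `[ -d $KEY_DIR ] && [ $KEY_SIZE ]` does not catch an unset `KEY_DIR`: with the variable empty the first test collapses to `[ -d ]`, which is true, and the parameters are then written to `/dh${KEY_SIZE}.pem`. Quote both tests, `if [ -d "$KEY_DIR" ] && [ -n "$KEY_SIZE" ]; then`, and quote the `-out` path as well. The else branch prints the hint but still exits 0, so a calling script cannot tell that nothing was generated; an `exit 1` after the two `echo` lines would make that visible.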


@ -0,0 +1,7 @@
#!/bin/bash
# Make an intermediate CA certificate/private key pair using a locally generated
# root certificate.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --inter $*


@ -0,0 +1,7 @@
#!/bin/bash
# Make a certificate/private key pair using a locally generated
# root certificate.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact $*


@ -0,0 +1,7 @@
#!/bin/bash
# Similar to build-key, but protect the private key
# with a password.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --pass $*


@ -0,0 +1,8 @@
#!/bin/bash
# Make a certificate/private key pair using a locally generated
# root certificate and convert it to a PKCS #12 file including the
# the CA certificate as well.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --pkcs12 $*


@ -0,0 +1,10 @@
#!/bin/bash
# Make a certificate/private key pair using a locally generated
# root certificate.
#
# Explicitly set nsCertType to server using the "server"
# extension in the openssl.cnf file.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --server $*


@ -0,0 +1,7 @@
#!/bin/bash
# Build a certificate signing request and private key. Use this
# when your root certificate and key is not available locally.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --csr $*


@ -0,0 +1,7 @@
#!/bin/bash
# Like build-req, but protect your private key
# with a password.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --csr --pass $*


@ -0,0 +1,16 @@
#!/bin/bash
# Initialize the $KEY_DIR directory.
# Note that this script does a
# rm -rf on $KEY_DIR so be careful!
if [ "$KEY_DIR" ]; then
rm -rf "$KEY_DIR"
mkdir "$KEY_DIR" && \
chmod go-rwx "$KEY_DIR" && \
touch "$KEY_DIR/index.txt" && \
echo 01 >"$KEY_DIR/serial"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi
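Review bot: `mkdir "$KEY_DIR"` creates the key directory with umask-default permissions and only the following `chmod go-rwx` tightens it, which leaves a short window in which the directory is group/world accessible; `mkdir -m 0700 "$KEY_DIR" && \` creates it private in one step. The `rm -rf "$KEY_DIR"` before it is guarded only by a non-empty check, so a mistyped `KEY_DIR` in `vars` that names a parent directory is deleted without question; checking that the target already holds an `index.txt`, or asking for confirmation, would limit the damage. The older clean-all near the end of this page repeats the mkdir/chmod sequence.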


@ -0,0 +1,39 @@
#!/bin/bash
# Build a new PKI which is rooted on an intermediate certificate generated
# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
# have independent vars settings, and must use a different KEY_DIR directory
# from the parent. This tool can be used to generate arbitrary depth
# certificate chains.
#
# To build an intermediate CA, follow the same steps for a regular PKI but
# replace ./build-key or ./pkitool --initca with this script.
# The EXPORT_CA file will contain the CA certificate chain and should be
# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
# will only contain the local intermediate CA -- it's needed by the easy-rsa
# scripts but not by OpenVPN directly.
EXPORT_CA="export-ca.crt"
if [ $# -ne 2 ]; then
echo "usage: $0 <parent-key-dir> <common-name>"
echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
echo "common-name: the common name of the intermediate certificate in the parent PKI"
exit 1;
fi
if [ "$KEY_DIR" ]; then
cp "$1/$2.crt" "$KEY_DIR/ca.crt"
cp "$1/$2.key" "$KEY_DIR/ca.key"
if [ -e "$1/$EXPORT_CA" ]; then
PARENT_CA="$1/$EXPORT_CA"
else
PARENT_CA="$1/ca.crt"
fi
cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi
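Review bot: None of the `cp` calls is checked, so when `$1/$2.crt` or `$1/$2.key` is missing the script still assembles `$EXPORT_CA` and exits 0 with an incomplete CA directory; append `|| exit 1` to each copy. The copied `ca.key` takes its mode from the source file and the umask, so an explicit `chmod 0600 "$KEY_DIR/ca.key"` after the copy would match what pkitool does for the keys it generates. `$2` is placed directly into a path; rejecting a value that contains `/` keeps both copies inside the parent key directory.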


@ -0,0 +1,13 @@
#!/bin/bash
# list revoked certificates
CRL="${1:-crl.pem}"
if [ "$KEY_DIR" ]; then
cd "$KEY_DIR" && \
$OPENSSL crl -text -noout -in "$CRL"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

Binary file not shown.


@ -0,0 +1,285 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
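Review bot: `default_md = md5` in `[ CA_default ]` is the digest `openssl ca` falls back to whenever the caller gives no `-md`; pkitool on this page passes `-md sha1` when signing, but the `ca -gencrl` call in revoke-full does not, so CRLs would be signed with MD5. MD5 is not collision resistant and should not be the default for a CA; set `default_md = sha256`, or at least `sha1` if the deployed OpenSSL predates SHA-2, so the default is safe regardless of which script calls in. `policy = policy_anything` together with `default_days = 3650` means the CA signs any subject for ten years unless overridden, which may be intended for a private VPN CA but deserves a comment saying so.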


@ -0,0 +1,353 @@
#!/bin/sh
# OpenVPN -- An application to securely tunnel IP networks
# over a single TCP/UDP port, with support for SSL/TLS-based
# session authentication and key exchange,
# packet encryption, packet authentication, and
# packet compression.
#
# Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program (see the file COPYING included with this
# distribution); if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# pkitool is a front-end for the openssl tool.
# Calling scripts can set the certificate organizational
# unit with the KEY_OU environmental variable.
PROGNAME=pkitool
VERSION=2.0
DEBUG=0
die()
{
local m="$1"
echo "$m" >&2
exit 1
}
need_vars()
{
echo ' Please edit the vars script to reflect your configuration,'
echo ' then source it with "source ./vars".'
echo ' Next, to start with a fresh PKI configuration and to delete any'
echo ' previous certificates and keys, run "./clean-all".'
echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
}
usage()
{
echo "$PROGNAME $VERSION"
echo "Usage: $PROGNAME [options...] [common-name]"
echo "Options:"
echo " --batch : batch mode (default)"
echo " --keysize : Set keysize"
echo " size : size (default=1024)"
echo " --interact : interactive mode"
echo " --server : build server cert"
echo " --initca : build root CA"
echo " --inter : build intermediate CA"
echo " --pass : encrypt private key with password"
echo " --csr : only generate a CSR, do not sign"
echo " --sign : sign an existing CSR"
echo " --pkcs12 : generate a combined PKCS#12 file"
echo " --pkcs11 : generate certificate on PKCS#11 token"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " id : PKCS#11 object id (hex string)"
echo " label : PKCS#11 object label"
echo "Standalone options:"
echo " --pkcs11-slots : list PKCS#11 slots"
echo " lib : PKCS#11 library"
echo " --pkcs11-objects : list PKCS#11 token objects"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " label : PKCS#11 token label"
echo "Notes:"
need_vars
echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
echo "Generated files and corresponding OpenVPN directives:"
echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
echo " ca.crt -> root certificate (--ca)"
echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
echo " .crt files -> client/server certificates (--cert)"
echo " .key files -> private keys, keep secure (--key)"
echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
echo "Examples:"
echo " $PROGNAME --initca -> Build root certificate"
echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
echo " Also see ./inherit-inter script."
echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
echo " -> Build \"client5\" certificate/key in PKCS#11 token"
echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
echo " [edit vars with your site-specific info]"
echo " source ./vars"
echo " ./clean-all"
echo " ./build-dh -> takes a long time, consider backgrounding"
echo " ./$PROGNAME --initca"
echo " ./$PROGNAME --server myserver"
echo " ./$PROGNAME client1"
echo " ./$PROGNAME --pass client2"
echo "Typical usage for adding client cert to existing PKI:"
echo " source ./vars"
echo " ./$PROGNAME client-new"
}
# Set defaults
DO_REQ="1"
REQ_EXT=""
DO_CA="1"
CA_EXT=""
DO_P12="0"
DO_P11="0"
DO_ROOT="0"
NODES_REQ="-nodes"
NODES_P12=""
BATCH="-batch"
CA="ca"
# must be set or errors of openssl.cnf
PKCS11_MODULE_PATH="dummy"
PKCS11_PIN="dummy"
# Process options
while [ $# -gt 0 ]; do
case "$1" in
--keysize ) KEY_SIZE=$2
shift;;
--server ) REQ_EXT="$REQ_EXT -extensions server"
CA_EXT="$CA_EXT -extensions server" ;;
--batch ) BATCH="-batch" ;;
--interact ) BATCH="" ;;
--inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
--initca ) DO_ROOT="1" ;;
--pass ) NODES_REQ="" ;;
--csr ) DO_CA="0" ;;
--sign ) DO_REQ="0" ;;
--pkcs12 ) DO_P12="1" ;;
--pkcs11 ) DO_P11="1"
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
PKCS11_ID="$4"
PKCS11_LABEL="$5"
shift 4;;
# standalone
--pkcs11-init)
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
PKCS11_LABEL="$4"
if [ -z "$PKCS11_LABEL" ]; then
die "Please specify library name, slot and label"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
--label "$PKCS11_LABEL" &&
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
exit $?;;
--pkcs11-slots)
PKCS11_MODULE_PATH="$2"
if [ -z "$PKCS11_MODULE_PATH" ]; then
die "Please specify library name"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
exit 0;;
--pkcs11-objects)
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
if [ -z "$PKCS11_SLOT" ]; then
die "Please specify library name and slot"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
exit 0;;
# errors
--* ) die "$PROGNAME: unknown option: $1" ;;
* ) break ;;
esac
shift
done
if ! [ -z "$BATCH" ]; then
if $OPENSSL version | grep 0.9.6 > /dev/null; then
die "Batch mode is unsupported in openssl<0.9.7"
fi
fi
if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
die "PKCS#11 and PKCS#12 cannot be specified together"
fi
if [ $DO_P11 -eq 1 ]; then
if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
fi
fi
# If we are generating pkcs12, only encrypt the final step
if [ $DO_P12 -eq 1 ]; then
NODES_P12="$NODES_REQ"
NODES_REQ="-nodes"
fi
if [ $DO_P11 -eq 1 ]; then
if [ -z "$PKCS11_LABEL" ]; then
die "PKCS#11 arguments incomplete"
fi
fi
# If undefined, set default key expiration intervals
if [ -z "$KEY_EXPIRE" ]; then
KEY_EXPIRE=3650
fi
if [ -z "$CA_EXPIRE" ]; then
CA_EXPIRE=3650
fi
# Set organizational unit to empty string if undefined
if [ -z "$KEY_OU" ]; then
KEY_OU=""
fi
# Set KEY_CN
if [ $DO_ROOT -eq 1 ]; then
if [ -z "$KEY_CN" ]; then
if [ "$1" ]; then
KEY_CN="$1"
elif [ "$KEY_ORG" ]; then
KEY_CN="$KEY_ORG CA"
fi
fi
if [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using CA Common Name:" $KEY_CN
fi
elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
echo "Using Common Name:" $KEY_CN
else
if [ $# -ne 1 ]; then
usage
exit 1
else
KEY_CN="$1"
fi
fi
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
echo DO_REQ $DO_REQ
echo REQ_EXT $REQ_EXT
echo DO_CA $DO_CA
echo CA_EXT $CA_EXT
echo NODES_REQ $NODES_REQ
echo NODES_P12 $NODES_P12
echo DO_P12 $DO_P12
echo KEY_CN $KEY_CN
echo BATCH $BATCH
echo DO_ROOT $DO_ROOT
echo KEY_EXPIRE $KEY_EXPIRE
echo CA_EXPIRE $CA_EXPIRE
echo KEY_OU $KEY_OU
echo DO_P11 $DO_P11
echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
echo PKCS11_SLOT $PKCS11_SLOT
echo PKCS11_ID $PKCS11_ID
echo PKCS11_LABEL $PKCS11_LABEL
fi
# Make sure ./vars was sourced beforehand
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
cd "$KEY_DIR"
# Make sure $KEY_CONFIG points to the correct version
# of openssl.cnf
if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
:
else
echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
echo "version of openssl.cnf: $KEY_CONFIG"
echo "The correct version should have a comment that says: easy-rsa version 2.x";
exit 1;
fi
# Build root CA
if [ $DO_ROOT -eq 1 ]; then
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
chmod 0600 "$CA.key"
else
# Make sure CA key/cert is available
if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
echo "Try $PROGNAME --initca to build a root certificate/key."
exit 1
fi
fi
# Generate key for PKCS#11 token
PKCS11_ARGS=
if [ $DO_P11 -eq 1 ]; then
stty -echo
echo -n "User PIN: "
read -r PKCS11_PIN
stty echo
export PKCS11_PIN
echo "Generating key pair on PKCS#11 token..."
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
--login --pin "$PKCS11_PIN" \
--key-type rsa:1024 \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
fi
# Build cert/key
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
-in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
-in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$KEY_CN.key" ) && \
( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
# Load certificate into PKCS#11 token
if [ $DO_P11 -eq 1 ]; then
$OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
--login --pin "$PKCS11_PIN" \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
[ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"
fi
fi
# Need definitions
else
need_vars
fi
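Review bot: Both pkcs11-tool calls in the PKCS#11 branch pass the token PIN as `--pin "$PKCS11_PIN"`, which places it on the command line where other local users can see it in the process list while the tool runs; leaving `--pin` off so pkcs11-tool prompts for it itself avoids that, at the cost of a second prompt. Key generation in the same branch is hard-coded to `--key-type rsa:1024` and ignores `KEY_SIZE`; `--key-type "rsa:$KEY_SIZE"` keeps token keys consistent with the rest of the PKI. `stty -echo` is never restored if the script is interrupted at the PIN prompt, so a `trap 'stty echo' INT TERM EXIT` before it is worth adding. In the build chain, `chmod 0600 "$KEY_CN.key"` is skipped when `--csr` sets `DO_CA` to 0, so a key generated for external signing keeps whatever mode openssl created it with.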


@ -0,0 +1,39 @@
#!/bin/bash
# revoke a certificate, regenerate CRL,
# and verify revocation
CRL="crl.pem"
RT="revoke-test.pem"
if [ $# -ne 1 ]; then
echo "usage: revoke-full <common-name>";
exit 1
fi
if [ "$KEY_DIR" ]; then
cd "$KEY_DIR"
rm -f "$RT"
# set defaults
export KEY_CN=""
export KEY_OU=""
# revoke key and generate a new CRL
$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
# generate a new CRL -- try to be compatible with
# intermediate PKIs
$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
if [ -e export-ca.crt ]; then
cat export-ca.crt "$CRL" >"$RT"
else
cat ca.crt "$CRL" >"$RT"
fi
# verify the revocation
$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi
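Review bot: `cd "$KEY_DIR"` is not checked, so if the directory is missing the following `rm -f "$RT"` and the CRL output land in whatever directory the caller was in; use `cd "$KEY_DIR" || exit 1`. The status of `$OPENSSL ca -revoke` is ignored as well, so when revocation fails the script still regenerates the CRL and runs the verify step, and the operator has to read the openssl output to notice. Adding `|| exit 1` to the revoke line makes that failure explicit. A comment noting that the final `verify` is presumably expected to report the certificate as revoked would also save readers from mistaking that error for a fault.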


@ -0,0 +1,7 @@
#!/bin/bash
# Sign a certificate signing request (a .csr file)
# with a local root certificate and key.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --sign $*


@ -0,0 +1,74 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
#export EASY_RSA="`pwd`"
BASE_DIR=/etc/openvpn
export EASY_RSA="${BASE_DIR}/easy-rsa/2.0"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
#export KEY_DIR="$EASY_RSA/keys"
export KEY_DIR="${BASE_DIR}/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# In how many days should the root CA key expire?
export CA_EXPIRE=10950
# In how many days should certificates expire?
export KEY_EXPIRE=10950
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
#export KEY_COUNTRY="US"
#export KEY_PROVINCE="CA"
#export KEY_CITY="SanFrancisco"
#export KEY_ORG="Fort-Funston"
#export KEY_EMAIL="me@myhost.mydomain"
export KEY_COUNTRY=DE
export KEY_PROVINCE=Berlin
export KEY_CITY=Berlin
export KEY_ORG="o.open"
export KEY_ORG_UN="network services"
export KEY_EMAIL="argus@oopen.de"
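Review bot: `KEY_SIZE=1024` combined with `CA_EXPIRE=10950` and `KEY_EXPIRE=10950` gives 1024-bit RSA keys a thirty-year lifetime, which is far below what a CA should issue today; `export KEY_SIZE=2048` (or larger) with much shorter certificate lifetimes would be safer defaults, and the "if you are paranoid" comment should be reworded to match. `KEY_ORG_UN` is exported here, but openssl.cnf and pkitool on this page read `KEY_OU`, so the organizational unit is apparently never applied; rename it to `KEY_OU` if that was the intent. The backtick assignment to `KEY_CONFIG` leaves `$EASY_RSA` unquoted, which breaks as soon as `BASE_DIR` contains a space.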


@ -0,0 +1,13 @@
#!/bin/sh
if [ "$OPENSSL" ]; then
if $OPENSSL version | grep 0.9.6 > /dev/null; then
echo "$1/openssl-0.9.6.cnf"
else
echo "$1/openssl.cnf"
fi
else
echo "$1/openssl.cnf"
fi
exit 0

Binary file not shown.


@ -0,0 +1,13 @@
#!/bin/sh
#
# Build a root certificate
#
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
chmod 0600 ca.key
else
echo you must define KEY_DIR
fi
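Review bot: `$KEY_DIR` and `$KEY_CONFIG` are expanded unquoted throughout this script (`test $KEY_DIR`, `cd $KEY_DIR`, `-config $KEY_CONFIG`), so a path containing a space or glob character is split or expanded before use; quote them, e.g. `if test -n "$KEY_DIR"; then` and `cd "$KEY_DIR" && \`. The remaining scripts in this older set repeat the pattern and additionally use `$1` unquoted as a file name; it matters most in the clean-all variant, where `rm -rf $d` would delete each word of a split path separately. `-nodes` here writes the root CA private key unencrypted, which deserves at least a comment telling the operator how `ca.key` is meant to be protected. The else branch reports the missing variable but exits 0, so callers cannot detect that no certificate was built.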


@ -0,0 +1,12 @@
#!/bin/sh
#
# Build Diffie-Hellman parameters for the server side
# of an SSL/TLS connection.
#
if test $KEY_DIR; then
openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
else
echo you must define KEY_DIR
fi


@ -0,0 +1,19 @@
#!/bin/sh
#
# Make an intermediate CA certificate/private key pair using a locally generated
# root certificate.
#
if test $# -ne 1; then
echo "usage: build-inter <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,20 @@
#!/bin/sh
#
# Make a certificate/private key pair using a locally generated
# root certificate.
#
if test $# -ne 1; then
echo "usage: build-key <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
chmod 0600 $1.key
else
echo you must define KEY_DIR
fi


@ -0,0 +1,20 @@
#!/bin/sh
#
# Similar to build-key, but protect the private key
# with a password.
#
if test $# -ne 1; then
echo "usage: build-key-pass <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
chmod 0600 $1.key
else
echo you must define KEY_DIR
fi


@ -0,0 +1,21 @@
#!/bin/sh
#
# Make a certificate/private key pair using a locally generated
# root certificate and convert it to a PKCS #12 file including the
# the CA certificate as well.
if test $# -ne 1; then
echo "usage: build-key-pkcs12 <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
chmod 0600 $1.key $1.p12
else
echo you must define KEY_DIR
fi


@ -0,0 +1,22 @@
#!/bin/sh
#
# Make a certificate/private key pair using a locally generated
# root certificate.
#
# Explicitly set nsCertType to server using the "server"
# extension in the openssl.cnf file.
if test $# -ne 1; then
echo "usage: build-key-server <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
chmod 0600 $1.key
else
echo you must define KEY_DIR
fi


@ -0,0 +1,18 @@
#!/bin/sh
#
# Build a certificate signing request and private key. Use this
# when your root certificate and key is not available locally.
#
if test $# -ne 1; then
echo "usage: build-req <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,18 @@
#!/bin/sh
#
# Like build-req, but protect your private key
# with a password.
#
if test $# -ne 1; then
echo "usage: build-req-pass <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,19 @@
#!/bin/sh
#
# Initialize the $KEY_DIR directory.
# Note that this script does a
# rm -rf on $KEY_DIR so be careful!
#
d=$KEY_DIR
if test $d; then
rm -rf $d
mkdir $d && \
chmod go-rwx $d && \
touch $d/index.txt && \
echo 01 >$d/serial
else
echo you must define KEY_DIR
fi


@ -0,0 +1,18 @@
#!/bin/sh
#
# list revoked certificates
#
#
if test $# -ne 1; then
echo "usage: list-crl <crlfile.pem>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl crl -text -noout -in $1
else
echo you must define KEY_DIR
fi


@ -0,0 +1,18 @@
#!/bin/sh
#
# generate a CRL
#
#
if test $# -ne 1; then
echo "usage: make-crl <crlfile.pem>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl ca -gencrl -out $1 -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,255 @@
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::KEY_ORG_UN
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
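Review bot: `default_md = md5` in `[ CA_default ]` makes every certificate and CRL issued through `openssl ca` carry an MD5 signature, and the certificates added later in this commit do show `md5WithRSAEncryption`. MD5 is not collision resistant and current TLS libraries reject such signatures, so the line should be `default_md = sha256` where the installed OpenSSL supports it, with the existing certificates reissued afterwards. The `[ server ]` section marks the role only through `nsCertType = server` and `[ usr_cert ]` sets no usage at all; adding `keyUsage` plus `extendedKeyUsage = serverAuth` to the former and `extendedKeyUsage = clientAuth` to the latter would let peers check the certificate role without relying on the Netscape extension.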


@ -0,0 +1,18 @@
#!/bin/sh
#
# revoke a certificate
#
#
if test $# -ne 1; then
echo "usage: revoke-crt <file.crt>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl ca -revoke $1 -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,29 @@
#!/bin/sh
# revoke a certificate, regenerate CRL,
# and verify revocation
CRL=crl.pem
RT=revoke-test.pem
if test $# -ne 1; then
echo "usage: revoke-full <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR
rm -f $RT
# revoke key and generate a new CRL
openssl ca -revoke $1.crt -config $KEY_CONFIG
# generate a new CRL
openssl ca -gencrl -out $CRL -config $KEY_CONFIG
cat ca.crt $CRL >$RT
# verify the revocation
openssl verify -CAfile $RT -crl_check $1.crt
else
echo you must define KEY_DIR
fi
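Review bot: `cd $KEY_DIR` is not chained to the commands after it, so when the directory is missing or unreadable, `rm -f $RT` and the `openssl ca -revoke` / `-gencrl` calls run in the caller's current directory. `cd "$KEY_DIR" || exit 1` stops that. The results of the revoke and gencrl steps are not checked either, so `cat ca.crt $CRL >$RT` can build the test bundle from a stale CRL and the final verify then reports on the old state; chaining the steps with `&&`, as the other scripts in this commit do, would make a failure visible. The closing `openssl verify -crl_check` is presumably expected to report the certificate as revoked, and a comment saying so would help operators read the output.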


@ -0,0 +1,18 @@
#!/bin/sh
#
# Sign a certificate signing request (a .csr file)
# with a local root certificate and key.
#
if test $# -ne 1; then
echo "usage: sign-req <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,59 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
## export D=`pwd`
BASE_DIR=/etc/openvpn
export D=${BASE_DIR}/easy-rsa
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
## export KEY_DIR=$D/keys
export KEY_DIR=${BASE_DIR}/keys
# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_COUNTRY=DE
export KEY_PROVINCE=Berlin
export KEY_CITY=Berlin
export KEY_ORG="o.open"
export KEY_ORG_UN="network services"
export KEY_EMAIL="argus@oopen.de"
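Review bot: `export KEY_SIZE=1024` sets the RSA modulus and, per the comment above it, the DH parameter size to 1024 bits, which is too small for keys that the scripts in this commit certify for 3650 days. The line should be `export KEY_SIZE=2048` or larger, with the comment reworded so that 2048 reads as the minimum rather than the paranoid option. The sample block from `KEY_COUNTRY=KG` to `KEY_EMAIL="me@myhost.mydomain"` is overridden immediately by the second block, so it could be deleted or commented out to keep someone from editing the wrong lines. `BASE_DIR=/etc/openvpn` makes `KEY_DIR` resolve to `/etc/openvpn/keys`, the directory clean-all removes with `rm -rf`; a comment next to `BASE_DIR` saying so would be worth adding.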


@ -0,0 +1,5 @@
10.0.72.1 openvpn server
10.0.72.2 -- frei --
10.0.72.3 chris
10.0.72.4 -- frei --
10.0.72.5 rene

0
ANW-KM/openvpn/ipp.txt Normal file

@ -0,0 +1,70 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: May 20 00:02:32 2008 GMT
Not After : May 18 00:02:32 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-server/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:e8:50:de:da:67:fb:8b:e8:71:1f:3c:da:c8:63:
33:9f:29:41:b1:a5:8f:27:99:91:16:a8:51:3b:a1:
5b:52:c3:6a:26:a2:e7:f3:07:ea:c0:65:a6:60:30:
d8:fb:39:e6:05:19:73:28:fa:0a:2e:4e:82:a0:72:
c1:1b:ca:27:fb:ad:8d:3c:c8:15:36:4c:f6:22:70:
1f:4d:6c:10:88:84:c6:f1:c3:9f:f2:55:58:3d:f2:
10:cb:d5:a7:18:3d:b9:d6:fd:25:e9:9d:ec:6c:0e:
55:f9:2d:64:54:a0:32:58:34:b0:2c:c9:10:55:33:
6c:75:9e:97:29:61:db:c1:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
41:12:64:24:C4:4E:59:A4:C9:B3:A4:8E:A2:E6:5A:9C:27:CF:C6:21
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
81:b5:d0:b9:ba:8e:87:ad:48:a7:ce:11:e6:30:b5:e2:6a:20:
19:b4:4d:e2:17:8e:7d:4c:ae:1d:45:a8:38:c2:b9:7d:71:08:
db:b4:a9:96:75:bf:ca:26:5a:d1:0d:80:cf:d8:b3:ce:3d:3a:
76:81:43:90:91:b8:de:45:33:63:cd:56:ed:1a:6b:33:36:e3:
8f:97:3a:15:e4:11:64:e5:bf:ee:98:53:cc:51:d9:fa:ac:76:
2e:2b:c3:dc:a9:7f:e1:8d:44:34:8d:f3:fd:32:26:7b:4d:cf:
9b:b4:43:9a:d2:0d:65:56:2f:4d:78:87:9a:ca:5a:22:5d:08:
68:01
-----BEGIN CERTIFICATE-----
MIID0TCCAzqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1LTS1W
cG4tY2ExHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMB4XDTA4MDUyMDAw
MDIzMloXDTE4MDUxODAwMDIzMlowgYUxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNl
czEaMBgGA1UEAxMRQU5XLUtNLVZwbi1zZXJ2ZXIxHTAbBgkqhkiG9w0BCQEWDmFy
Z3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoUN7aZ/uL
6HEfPNrIYzOfKUGxpY8nmZEWqFE7oVtSw2omoufzB+rAZaZgMNj7OeYFGXMo+gou
ToKgcsEbyif7rY08yBU2TPYicB9NbBCIhMbxw5/yVVg98hDL1acYPbnW/SXpnexs
DlX5LWRUoDJYNLAsyRBVM2x1npcpYdvB0wIDAQABo4IBQDCCATwwCQYDVR0TBAIw
ADARBglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2Vu
ZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUQRJkJMROWaTJs6SO
ouZanCfPxiEwgccGA1UdIwSBvzCBvIAUaESHa/D8iXGZzzLIHBA461LYNJihgZik
gZUwgZIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
cmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2Vz
MRYwFAYDVQQDEw1BTlctS00tVnBuLWNhMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bv
b3Blbi5kZYIJAOPMOpcckCT9MA0GCSqGSIb3DQEBBAUAA4GBAIG10Lm6joetSKfO
EeYwteJqIBm0TeIXjn1Mrh1FqDjCuX1xCNu0qZZ1v8omWtENgM/Ys849OnaBQ5CR
uN5FM2PNVu0aazM244+XOhXkEWTlv+6YU8xR2fqsdi4rw9ypf+GNRDSN8/0yJntN
z5u0Q5rSDWVWL014h5rKWiJdCGgB
-----END CERTIFICATE-----


@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: May 20 00:05:06 2008 GMT
Not After : May 18 00:05:06 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-chris/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c0:17:80:be:42:58:ea:c2:1d:e7:54:4a:98:6d:
31:24:95:d3:ea:aa:84:aa:20:0e:df:18:df:07:64:
2b:53:a5:41:df:55:32:91:d3:38:b4:41:cd:ca:3b:
8d:0f:41:60:01:ed:22:2b:9d:2f:57:7e:6b:f0:a9:
f2:a0:25:f1:a7:67:b8:46:15:c5:75:da:f6:4e:54:
c4:f4:70:c2:74:c1:7f:d3:85:77:28:c6:a5:b2:91:
99:32:1e:d9:bb:4c:76:c9:4e:58:63:dd:49:f3:9b:
4b:5d:91:06:2c:30:b1:ae:5d:ec:d7:13:a4:e4:d6:
9d:c9:db:66:a5:0b:0f:5d:91
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
54:9F:21:B1:38:CD:F5:A8:DF:DB:3C:23:96:D9:FF:B1:C1:43:B2:63
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
91:38:89:c3:46:db:82:87:ad:48:ef:dc:63:fe:a4:08:a0:f7:
e6:1c:1d:b0:0b:ca:fc:d0:29:3b:38:a1:a6:66:47:6e:98:26:
45:b9:78:0d:2b:cf:cb:00:f4:5c:4a:51:ab:ca:d7:3a:8f:21:
ef:d7:8b:9e:7f:04:c2:93:71:31:a8:29:bc:d9:70:4b:43:2c:
3e:80:fa:6a:0c:87:d2:08:20:80:06:26:5b:60:07:17:73:5b:
b8:b4:7c:42:1c:18:ce:e1:fc:5a:50:b2:d7:c1:e9:8b:22:b9:
c1:da:34:02:c8:ed:16:cf:99:ed:5c:07:d8:40:46:e7:ca:b4:
f6:f2
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: May 20 01:00:02 2008 GMT
Not After : May 18 01:00:02 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-rp/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d3:7d:de:5d:20:0d:20:9e:db:2a:93:5d:99:6c:
43:da:5d:f1:09:d8:68:d0:b5:8b:41:7d:79:19:77:
c1:9e:53:22:15:78:83:80:d4:03:10:e6:4b:c4:e9:
15:26:10:cd:28:97:a2:48:82:49:46:c0:0b:6d:c0:
21:ea:87:ad:2d:1f:c3:29:ef:80:49:91:7f:3f:ff:
d0:6d:2c:80:f9:94:2f:e4:88:82:88:74:27:51:26:
68:d8:cd:11:cb:b3:46:6b:e8:b6:c8:81:d1:7c:de:
0b:e5:90:40:c4:50:20:e5:59:4c:fc:30:f3:fa:ee:
72:b2:a2:77:e3:6c:30:6a:fd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0D:C2:77:E9:BD:42:92:03:32:41:6D:10:EE:97:78:54:04:65:0F:3D
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
61:cd:a7:35:6b:a7:cb:94:75:2c:5c:d4:7b:cd:be:1a:43:43:
f3:73:ff:22:72:c0:06:c6:ae:40:19:eb:3b:53:56:01:4a:e8:
eb:a6:e2:61:e0:d3:2a:9d:fc:63:ac:38:4f:cd:34:7b:e5:22:
9f:ac:6e:0f:61:f7:b2:7c:f2:50:0c:a6:cc:76:ec:24:60:67:
41:51:54:5f:dc:06:f8:7a:af:ce:80:1f:06:6a:1c:9a:27:13:
05:e7:80:e7:45:34:f5:e9:d0:96:67:7f:2f:15:88:94:63:d5:
fc:e9:cb:ef:93:c2:38:5a:73:28:fa:f3:04:c9:91:01:d9:ab:
a6:96
-----BEGIN CERTIFICATE-----
MIIDszCCAxygAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1LTS1W
cG4tY2ExHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMB4XDTA4MDUyMDAx
MDAwMloXDTE4MDUxODAxMDAwMlowgYExCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNl
czEWMBQGA1UEAxMNQU5XLUtNLVZwbi1ycDEdMBsGCSqGSIb3DQEJARYOYXJndXNA
b29wZW4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANN93l0gDSCe2yqT
XZlsQ9pd8QnYaNC1i0F9eRl3wZ5TIhV4g4DUAxDmS8TpFSYQzSiXokiCSUbAC23A
IeqHrS0fwynvgEmRfz//0G0sgPmUL+SIgoh0J1EmaNjNEcuzRmvotsiB0XzeC+WQ
QMRQIOVZTPww8/rucrKid+NsMGr9AgMBAAGjggEmMIIBIjAJBgNVHRMEAjAAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQUDcJ36b1CkgMyQW0Q7pd4VARlDz0wgccGA1UdIwSBvzCBvIAUaESHa/D8
iXGZzzLIHBA461LYNJihgZikgZUwgZIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
ZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQL
ExBuZXR3b3JrIHNlcnZpY2VzMRYwFAYDVQQDEw1BTlctS00tVnBuLWNhMR0wGwYJ
KoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZYIJAOPMOpcckCT9MA0GCSqGSIb3DQEB
BAUAA4GBAGHNpzVrp8uUdSxc1HvNvhpDQ/Nz/yJywAbGrkAZ6ztTVgFK6Oum4mHg
0yqd/GOsOE/NNHvlIp+sbg9h97J88lAMpsx27CRgZ0FRVF/cBvh6r86AHwZqHJon
EwXngOdFNPXp0JZnfy8ViJRj1fzpy++Twjhacyj68wTJkQHZq6aW
-----END CERTIFICATE-----


@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: Jun 17 13:39:04 2008 GMT
Not After : Jun 15 13:39:04 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-berenice/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d3:0e:32:eb:f3:cd:4e:ad:75:fe:2f:03:b0:f8:
4a:44:cd:85:fa:e0:a5:dc:a2:c0:1d:d2:a9:04:e7:
39:8a:dc:cd:47:b3:26:e4:c8:aa:7b:0b:51:20:a0:
bd:db:90:c2:b8:8c:27:59:81:5e:31:33:b1:d7:bf:
e2:d0:15:7c:11:25:98:67:1f:03:e0:a7:11:37:4a:
a0:85:c6:f5:2c:44:f1:4d:45:59:11:bc:e9:d5:77:
98:ca:60:5e:de:b4:3e:13:ac:9a:23:d5:57:78:ff:
10:a6:94:52:c7:98:3b:27:2e:16:ed:42:9d:4c:4e:
df:60:a1:ab:8c:58:5b:60:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DA:12:07:04:E1:24:43:1B:40:85:A1:A5:47:2E:83:7B:FA:69:FE:EC
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
2a:4a:7e:39:ea:12:a1:36:23:64:92:74:b0:05:a1:98:01:ff:
ea:2d:bf:9a:4d:01:3b:fe:d8:99:dd:77:23:fc:77:f0:8b:f4:
22:a8:eb:e3:de:e4:fd:04:df:17:4c:68:57:aa:79:3a:d3:3a:
02:38:dd:3b:d3:95:f7:f6:3b:87:c9:87:dc:d7:cb:a0:f1:d3:
04:62:48:4c:92:67:5d:70:8b:c5:b1:f8:2e:03:c7:84:a5:57:
e4:c1:14:07:06:0e:12:a6:e5:df:25:f9:e4:81:95:6c:f9:fc:
10:a0:cf:e6:5e:b3:09:83:2a:40:31:e1:e7:83:91:d1:fc:c5:
2c:24
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,73 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: Jan 2 03:39:56 2015 GMT
Not After : Dec 25 03:39:56 2044 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-gw-ckubu/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:9d:32:39:db:a9:6d:78:47:e2:78:2a:0e:2d:60:
b9:ee:27:e9:a3:59:cf:5b:90:6c:3a:5a:c9:e8:9c:
72:a9:6a:e7:c2:b2:99:78:94:e2:34:69:af:33:42:
64:51:34:0c:ff:84:59:b5:1a:d8:f7:3b:4a:94:f9:
75:cf:5d:66:23:a3:38:b6:dd:b8:59:e5:1b:be:d5:
5e:91:c8:28:83:90:bd:26:a3:2d:1d:32:1c:bc:98:
aa:4e:99:fc:34:7a:9a:4e:13:9b:aa:f3:e4:c6:e0:
93:1f:5a:ca:f5:56:51:4d:ff:1c:ce:b1:9b:ae:2a:
4c:3d:fd:8e:5f:68:26:b0:13
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
EC:14:0E:00:D3:F8:F9:BB:B3:E1:63:47:96:45:00:C4:7F:00:FC:2E
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha1WithRSAEncryption
18:00:f8:c3:1d:2a:78:32:56:b8:d8:5d:93:2f:bd:78:8a:71:
c1:ca:48:40:60:f4:e8:cf:52:ef:9f:44:e9:12:20:b6:08:54:
ef:83:9d:00:b3:ab:c3:68:dc:92:ff:71:11:23:40:d1:31:12:
00:8c:65:10:81:96:a8:d3:5a:85:cb:6e:ac:69:4a:86:c7:65:
52:72:f9:50:e6:d8:61:47:27:6e:13:77:59:2f:07:fd:4f:26:
98:7c:bc:b2:b2:14:79:af:78:f8:6e:6b:35:79:59:38:21:87:
b2:30:b9:df:5a:7a:ac:fb:1a:e8:4e:0a:4b:b9:7d:0a:fc:57:
bb:05
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: Jun 17 13:39:04 2008 GMT
Not After : Jun 15 13:39:04 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-berenice/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d3:0e:32:eb:f3:cd:4e:ad:75:fe:2f:03:b0:f8:
4a:44:cd:85:fa:e0:a5:dc:a2:c0:1d:d2:a9:04:e7:
39:8a:dc:cd:47:b3:26:e4:c8:aa:7b:0b:51:20:a0:
bd:db:90:c2:b8:8c:27:59:81:5e:31:33:b1:d7:bf:
e2:d0:15:7c:11:25:98:67:1f:03:e0:a7:11:37:4a:
a0:85:c6:f5:2c:44:f1:4d:45:59:11:bc:e9:d5:77:
98:ca:60:5e:de:b4:3e:13:ac:9a:23:d5:57:78:ff:
10:a6:94:52:c7:98:3b:27:2e:16:ed:42:9d:4c:4e:
df:60:a1:ab:8c:58:5b:60:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DA:12:07:04:E1:24:43:1B:40:85:A1:A5:47:2E:83:7B:FA:69:FE:EC
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
2a:4a:7e:39:ea:12:a1:36:23:64:92:74:b0:05:a1:98:01:ff:
ea:2d:bf:9a:4d:01:3b:fe:d8:99:dd:77:23:fc:77:f0:8b:f4:
22:a8:eb:e3:de:e4:fd:04:df:17:4c:68:57:aa:79:3a:d3:3a:
02:38:dd:3b:d3:95:f7:f6:3b:87:c9:87:dc:d7:cb:a0:f1:d3:
04:62:48:4c:92:67:5d:70:8b:c5:b1:f8:2e:03:c7:84:a5:57:
e4:c1:14:07:06:0e:12:a6:e5:df:25:f9:e4:81:95:6c:f9:fc:
10:a0:cf:e6:5e:b3:09:83:2a:40:31:e1:e7:83:91:d1:fc:c5:
2c:24
-----BEGIN CERTIFICATE-----
MIIDuTCCAyKgAwIBAgIBBDANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1LTS1W
cG4tY2ExHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMB4XDTA4MDYxNzEz
MzkwNFoXDTE4MDYxNTEzMzkwNFowgYcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNl
czEcMBoGA1UEAxMTQU5XLUtNLVZwbi1iZXJlbmljZTEdMBsGCSqGSIb3DQEJARYO
YXJndXNAb29wZW4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANMOMuvz
zU6tdf4vA7D4SkTNhfrgpdyiwB3SqQTnOYrczUezJuTIqnsLUSCgvduQwriMJ1mB
XjEzsde/4tAVfBElmGcfA+CnETdKoIXG9SxE8U1FWRG86dV3mMpgXt60PhOsmiPV
V3j/EKaUUseYOycuFu1CnUxO32Chq4xYW2BhAgMBAAGjggEmMIIBIjAJBgNVHRME
AjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQU2hIHBOEkQxtAhaGlRy6De/pp/uwwgccGA1UdIwSBvzCBvIAU
aESHa/D8iXGZzzLIHBA461LYNJihgZikgZUwgZIxCzAJBgNVBAYTAkRFMQ8wDQYD
VQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkw
FwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRYwFAYDVQQDEw1BTlctS00tVnBuLWNh
MR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZYIJAOPMOpcckCT9MA0GCSqG
SIb3DQEBBAUAA4GBACpKfjnqEqE2I2SSdLAFoZgB/+otv5pNATv+2JnddyP8d/CL
9CKo6+Pe5P0E3xdMaFeqeTrTOgI43TvTlff2O4fJh9zXy6Dx0wRiSEySZ11wi8Wx
+C4Dx4SlV+TBFAcGDhKm5d8l+eSBlWz5/BCgz+ZeswmDKkAx4eeDkdH8xSwk
-----END CERTIFICATE-----


@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,18 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A6843353293493DD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-----END RSA PRIVATE KEY-----
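Review bot: Private key material is committed to version control in this file and in the two `-----BEGIN RSA PRIVATE KEY-----` files further down the commit, where it stays readable in history to everyone with repository access even after a later delete. This key is passphrase-protected (`DEK-Info: DES-EDE3-CBC`), so its safety rests on the passphrase alone; the other two are 15-line files with no `Proc-Type` header visible, which suggests they are stored unencrypted. File paths are not shown in this view, but one of those keys directly follows what appears to be the CA certificate, so it may be the CA key. Keys should be kept out of the repository (an ignore rule for `*.key` plus an encrypted backup or secret store), and the keys already committed should be treated as exposed: reissue them and revoke the old certificates.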


@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDnzCCAwigAwIBAgIJAOPMOpcckCT9MA0GCSqGSIb3DQEBBQUAMIGSMQswCQYD
VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
BAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNlczEWMBQGA1UEAxMN
QU5XLUtNLVZwbi1jYTEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGUwHhcN
MDgwNTIwMDAwMTI4WhcNMTgwNTE4MDAwMTI4WjCBkjELMAkGA1UEBhMCREUxDzAN
BgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9wZW4x
GTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1LTS1WcG4t
Y2ExHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCz6U29hsY9zm7uv7aG2lnlRKyeVCwQYUw5/BPT9DaSqROz
Kuidjnu/mmwqmwiPQi8ikkEb2sgH+EdxMXig9DSgoVNrXCYCDLlhruyf2Gr6XPXY
q0IzhskqilP3QkjTnrJabBZSdXF6JWVXSVZXiP0tpJZZpCIQAUzkN2aBOk2PrwID
AQABo4H6MIH3MB0GA1UdDgQWBBRoRIdr8PyJcZnPMsgcEDjrUtg0mDCBxwYDVR0j
BIG/MIG8gBRoRIdr8PyJcZnPMsgcEDjrUtg0mKGBmKSBlTCBkjELMAkGA1UEBhMC
REUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZv
Lm9wZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1L
TS1WcG4tY2ExHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlggkA48w6lxyQ
JP0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQB/ETqWltrGX7r72NED
4vpdN2ZVYxEMz0A4UI6dCRrqEMmhbN7WbvTN/pYaIEl5C41ANGG8ZZKiSrjFwrXC
wevYMUKtHMFeV9Bn116w3odXdD+/Z6ykGvrX3jk5BNYbekVLxG3XgQt1lurvTWle
La/k2uEdxP0RwOLDm75rVYw8ag==
-----END CERTIFICATE-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: May 20 00:05:06 2008 GMT
Not After : May 18 00:05:06 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-chris/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c0:17:80:be:42:58:ea:c2:1d:e7:54:4a:98:6d:
31:24:95:d3:ea:aa:84:aa:20:0e:df:18:df:07:64:
2b:53:a5:41:df:55:32:91:d3:38:b4:41:cd:ca:3b:
8d:0f:41:60:01:ed:22:2b:9d:2f:57:7e:6b:f0:a9:
f2:a0:25:f1:a7:67:b8:46:15:c5:75:da:f6:4e:54:
c4:f4:70:c2:74:c1:7f:d3:85:77:28:c6:a5:b2:91:
99:32:1e:d9:bb:4c:76:c9:4e:58:63:dd:49:f3:9b:
4b:5d:91:06:2c:30:b1:ae:5d:ec:d7:13:a4:e4:d6:
9d:c9:db:66:a5:0b:0f:5d:91
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
54:9F:21:B1:38:CD:F5:A8:DF:DB:3C:23:96:D9:FF:B1:C1:43:B2:63
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
91:38:89:c3:46:db:82:87:ad:48:ef:dc:63:fe:a4:08:a0:f7:
e6:1c:1d:b0:0b:ca:fc:d0:29:3b:38:a1:a6:66:47:6e:98:26:
45:b9:78:0d:2b:cf:cb:00:f4:5c:4a:51:ab:ca:d7:3a:8f:21:
ef:d7:8b:9e:7f:04:c2:93:71:31:a8:29:bc:d9:70:4b:43:2c:
3e:80:fa:6a:0c:87:d2:08:20:80:06:26:5b:60:07:17:73:5b:
b8:b4:7c:42:1c:18:ce:e1:fc:5a:50:b2:d7:c1:e9:8b:22:b9:
c1:da:34:02:c8:ed:16:cf:99:ed:5c:07:d8:40:46:e7:ca:b4:
f6:f2
-----BEGIN CERTIFICATE-----
MIIDtjCCAx+gAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1LTS1W
cG4tY2ExHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMB4XDTA4MDUyMDAw
MDUwNloXDTE4MDUxODAwMDUwNlowgYQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNl
czEZMBcGA1UEAxMQQU5XLUtNLVZwbi1jaHJpczEdMBsGCSqGSIb3DQEJARYOYXJn
dXNAb29wZW4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMAXgL5CWOrC
HedUSphtMSSV0+qqhKogDt8Y3wdkK1OlQd9VMpHTOLRBzco7jQ9BYAHtIiudL1d+
a/Cp8qAl8adnuEYVxXXa9k5UxPRwwnTBf9OFdyjGpbKRmTIe2btMdslOWGPdSfOb
S12RBiwwsa5d7NcTpOTWncnbZqULD12RAgMBAAGjggEmMIIBIjAJBgNVHRMEAjAA
MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
BgNVHQ4EFgQUVJ8hsTjN9ajf2zwjltn/scFDsmMwgccGA1UdIwSBvzCBvIAUaESH
a/D8iXGZzzLIHBA461LYNJihgZikgZUwgZIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI
EwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYD
VQQLExBuZXR3b3JrIHNlcnZpY2VzMRYwFAYDVQQDEw1BTlctS00tVnBuLWNhMR0w
GwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZYIJAOPMOpcckCT9MA0GCSqGSIb3
DQEBBAUAA4GBAJE4icNG24KHrUjv3GP+pAig9+YcHbALyvzQKTs4oaZmR26YJkW5
eA0rz8sA9FxKUavK1zqPIe/Xi55/BMKTcTGoKbzZcEtDLD6A+moMh9IIIIAGJltg
BxdzW7i0fEIcGM7h/FpQstfB6YsiucHaNALI7RbPme1cB9hARufKtPby
-----END CERTIFICATE-----


@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,5 @@
-----BEGIN DH PARAMETERS-----
MIGHAoGBAIa7uguEoirICBLDIkBbmDAgIL8gBeNeKu5br43dV9L+np7J5uOdJ+/2
lXhmOdeOXRCNCWQv8PsFWzcYkkOIgyo999U7tqg6kmXQdq+zO9nBm/GHW+GmySvq
YFgxGtzCv7VvaIWqfa8WWUBOpmXQBe8lX1iHEmQl2OxWpivUsP57AgEC
-----END DH PARAMETERS-----


@ -0,0 +1,73 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: Jan 2 03:39:56 2015 GMT
Not After : Dec 25 03:39:56 2044 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-gw-ckubu/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:9d:32:39:db:a9:6d:78:47:e2:78:2a:0e:2d:60:
b9:ee:27:e9:a3:59:cf:5b:90:6c:3a:5a:c9:e8:9c:
72:a9:6a:e7:c2:b2:99:78:94:e2:34:69:af:33:42:
64:51:34:0c:ff:84:59:b5:1a:d8:f7:3b:4a:94:f9:
75:cf:5d:66:23:a3:38:b6:dd:b8:59:e5:1b:be:d5:
5e:91:c8:28:83:90:bd:26:a3:2d:1d:32:1c:bc:98:
aa:4e:99:fc:34:7a:9a:4e:13:9b:aa:f3:e4:c6:e0:
93:1f:5a:ca:f5:56:51:4d:ff:1c:ce:b1:9b:ae:2a:
4c:3d:fd:8e:5f:68:26:b0:13
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
EC:14:0E:00:D3:F8:F9:BB:B3:E1:63:47:96:45:00:C4:7F:00:FC:2E
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha1WithRSAEncryption
18:00:f8:c3:1d:2a:78:32:56:b8:d8:5d:93:2f:bd:78:8a:71:
c1:ca:48:40:60:f4:e8:cf:52:ef:9f:44:e9:12:20:b6:08:54:
ef:83:9d:00:b3:ab:c3:68:dc:92:ff:71:11:23:40:d1:31:12:
00:8c:65:10:81:96:a8:d3:5a:85:cb:6e:ac:69:4a:86:c7:65:
52:72:f9:50:e6:d8:61:47:27:6e:13:77:59:2f:07:fd:4f:26:
98:7c:bc:b2:b2:14:79:af:78:f8:6e:6b:35:79:59:38:21:87:
b2:30:b9:df:5a:7a:ac:fb:1a:e8:4e:0a:4b:b9:7d:0a:fc:57:
bb:05
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
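Review bot: The certificate for CN=ANW-KM-Vpn-gw-ckubu pairs a 1024-bit RSA key with a `sha1WithRSAEncryption` signature and is valid from January 2015 until December 2044, far longer than either primitive can be relied on. The serial 1 and serial 3 certificates later on the page are weaker still (`md5WithRSAEncryption`, 1024-bit), though their Not After date of May 2018 has passed. Reissue with at least 2048-bit keys and a SHA-256 digest, for example `export KEY_SIZE=2048` in the easy-rsa `vars` file and `default_md = sha256` in the openssl.cnf used for signing, and choose a shorter lifetime. The CA key size is not visible here and should be checked as well.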


@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,18 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,17FCFC43E5265156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-----END RSA PRIVATE KEY-----


@ -0,0 +1,5 @@
V 180518000232Z 01 unknown /C=DE/ST=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-server/emailAddress=argus@oopen.de
V 180518000506Z 02 unknown /C=DE/ST=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-chris/emailAddress=argus@oopen.de
V 180518010002Z 03 unknown /C=DE/ST=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-rp/emailAddress=argus@oopen.de
V 180615133904Z 04 unknown /C=DE/ST=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-berenice/emailAddress=argus@oopen.de
V 441225033956Z 05 unknown /C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-gw-ckubu/emailAddress=argus@oopen.de


@ -0,0 +1 @@
unique_subject = no


@ -0,0 +1 @@
unique_subject = no


@ -0,0 +1,4 @@
V 180518000232Z 01 unknown /C=DE/ST=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-server/emailAddress=argus@oopen.de
V 180518000506Z 02 unknown /C=DE/ST=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-chris/emailAddress=argus@oopen.de
V 180518010002Z 03 unknown /C=DE/ST=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-rp/emailAddress=argus@oopen.de
V 180615133904Z 04 unknown /C=DE/ST=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-berenice/emailAddress=argus@oopen.de


@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: May 20 01:00:02 2008 GMT
Not After : May 18 01:00:02 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-rp/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d3:7d:de:5d:20:0d:20:9e:db:2a:93:5d:99:6c:
43:da:5d:f1:09:d8:68:d0:b5:8b:41:7d:79:19:77:
c1:9e:53:22:15:78:83:80:d4:03:10:e6:4b:c4:e9:
15:26:10:cd:28:97:a2:48:82:49:46:c0:0b:6d:c0:
21:ea:87:ad:2d:1f:c3:29:ef:80:49:91:7f:3f:ff:
d0:6d:2c:80:f9:94:2f:e4:88:82:88:74:27:51:26:
68:d8:cd:11:cb:b3:46:6b:e8:b6:c8:81:d1:7c:de:
0b:e5:90:40:c4:50:20:e5:59:4c:fc:30:f3:fa:ee:
72:b2:a2:77:e3:6c:30:6a:fd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0D:C2:77:E9:BD:42:92:03:32:41:6D:10:EE:97:78:54:04:65:0F:3D
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
61:cd:a7:35:6b:a7:cb:94:75:2c:5c:d4:7b:cd:be:1a:43:43:
f3:73:ff:22:72:c0:06:c6:ae:40:19:eb:3b:53:56:01:4a:e8:
eb:a6:e2:61:e0:d3:2a:9d:fc:63:ac:38:4f:cd:34:7b:e5:22:
9f:ac:6e:0f:61:f7:b2:7c:f2:50:0c:a6:cc:76:ec:24:60:67:
41:51:54:5f:dc:06:f8:7a:af:ce:80:1f:06:6a:1c:9a:27:13:
05:e7:80:e7:45:34:f5:e9:d0:96:67:7f:2f:15:88:94:63:d5:
fc:e9:cb:ef:93:c2:38:5a:73:28:fa:f3:04:c9:91:01:d9:ab:
a6:96
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,18 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,CB98AB5AB57879EF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-----END RSA PRIVATE KEY-----


@ -0,0 +1 @@
06


@ -0,0 +1 @@
05


@ -0,0 +1,70 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: May 20 00:02:32 2008 GMT
Not After : May 18 00:02:32 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-server/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:e8:50:de:da:67:fb:8b:e8:71:1f:3c:da:c8:63:
33:9f:29:41:b1:a5:8f:27:99:91:16:a8:51:3b:a1:
5b:52:c3:6a:26:a2:e7:f3:07:ea:c0:65:a6:60:30:
d8:fb:39:e6:05:19:73:28:fa:0a:2e:4e:82:a0:72:
c1:1b:ca:27:fb:ad:8d:3c:c8:15:36:4c:f6:22:70:
1f:4d:6c:10:88:84:c6:f1:c3:9f:f2:55:58:3d:f2:
10:cb:d5:a7:18:3d:b9:d6:fd:25:e9:9d:ec:6c:0e:
55:f9:2d:64:54:a0:32:58:34:b0:2c:c9:10:55:33:
6c:75:9e:97:29:61:db:c1:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
41:12:64:24:C4:4E:59:A4:C9:B3:A4:8E:A2:E6:5A:9C:27:CF:C6:21
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
81:b5:d0:b9:ba:8e:87:ad:48:a7:ce:11:e6:30:b5:e2:6a:20:
19:b4:4d:e2:17:8e:7d:4c:ae:1d:45:a8:38:c2:b9:7d:71:08:
db:b4:a9:96:75:bf:ca:26:5a:d1:0d:80:cf:d8:b3:ce:3d:3a:
76:81:43:90:91:b8:de:45:33:63:cd:56:ed:1a:6b:33:36:e3:
8f:97:3a:15:e4:11:64:e5:bf:ee:98:53:cc:51:d9:fa:ac:76:
2e:2b:c3:dc:a9:7f:e1:8d:44:34:8d:f3:fd:32:26:7b:4d:cf:
9b:b4:43:9a:d2:0d:65:56:2f:4d:78:87:9a:ca:5a:22:5d:08:
68:01
-----BEGIN CERTIFICATE-----
MIID0TCCAzqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxFjAUBgNVBAMTDUFOVy1LTS1W
cG4tY2ExHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMB4XDTA4MDUyMDAw
MDIzMloXDTE4MDUxODAwMDIzMlowgYUxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC
ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNl
czEaMBgGA1UEAxMRQU5XLUtNLVZwbi1zZXJ2ZXIxHTAbBgkqhkiG9w0BCQEWDmFy
Z3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoUN7aZ/uL
6HEfPNrIYzOfKUGxpY8nmZEWqFE7oVtSw2omoufzB+rAZaZgMNj7OeYFGXMo+gou
ToKgcsEbyif7rY08yBU2TPYicB9NbBCIhMbxw5/yVVg98hDL1acYPbnW/SXpnexs
DlX5LWRUoDJYNLAsyRBVM2x1npcpYdvB0wIDAQABo4IBQDCCATwwCQYDVR0TBAIw
ADARBglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2Vu
ZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUQRJkJMROWaTJs6SO
ouZanCfPxiEwgccGA1UdIwSBvzCBvIAUaESHa/D8iXGZzzLIHBA461LYNJihgZik
gZUwgZIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
cmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2Vz
MRYwFAYDVQQDEw1BTlctS00tVnBuLWNhMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bv
b3Blbi5kZYIJAOPMOpcckCT9MA0GCSqGSIb3DQEBBAUAA4GBAIG10Lm6joetSKfO
EeYwteJqIBm0TeIXjn1Mrh1FqDjCuX1xCNu0qZZ1v8omWtENgM/Ys849OnaBQ5CR
uN5FM2PNVu0aazM244+XOhXkEWTlv+6YU8xR2fqsdi4rw9ypf+GNRDSN8/0yJntN
z5u0Q5rSDWVWL014h5rKWiJdCGgB
-----END CERTIFICATE-----


@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,21 @@
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
82b1f1533640a6436ed2eb2993ef9e7c
f867d5f61ffe5691be2bc8304714b41a
9f49a741e0c9f22417ee9ee6893434fb
1e5611b7d64d31532a450e41871c4885
c3ac11d33ed5c878500206416cb88c9b
c0487fd5098dc3a5982694feb2d4d3fe
1ba4f32fc7574fa4b09d47aa1986c096
e022fcd44b87ad8c08c979b8ac7ade3d
130f838ffaedf278360eba2f6f9b94db
e1d0e0f6f4a44210f4acb38835797444
fa2b5e067ec14e5f2013a36827c85722
386cf69b2c5e9c3bced20e4aac287edc
da8b1eb743cf527750999e01274f2e47
e79c9cbede772362b103a6ddebff76da
ed23277286cf8da544d86f6e5f6046b7
a0d2f4b8bf57d734ef4ec3763979ced2
-----END OpenVPN Static key V1-----
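Review bot: The OpenVPN static key is committed in clear text, and both server configs on this page load what is presumably this file through `tls-auth keys/ta.key 0`. Once the key is readable from the repository, the HMAC pre-filter no longer separates authorised peers from anyone else with repository access. Generate a replacement with `openvpn --genkey --secret ta.key`, hand it to the server and clients out of band, and keep the file out of the tree.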


@ -0,0 +1,8 @@
OpenVPN CLIENT LIST
Updated,Thu Jan 1 22:16:41 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END


@ -0,0 +1,9 @@
key...............: rp.key
common name.......: ANW-KM-Vpn-rp
password..........: Zuse54My
key...............: berenice.key
common name.......: ANW-KM-Vpn-berenice
password..........: Gi8aHozo
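Review bot: The passphrases for `rp.key` and `berenice.key` are recorded here in clear text, in the same commit that apparently adds the passphrase-encrypted key files, which removes the protection the encryption was meant to give. Both keys should be treated as disclosed: revoke the certificates for CN=ANW-KM-Vpn-rp and CN=ANW-KM-Vpn-berenice, issue new pairs, and hold the new passphrases in a password manager or secrets store rather than in a tracked file. Revocation only takes effect once the server checks a CRL, which the server config in this commit leaves commented out (`#crl-verify /etc/openvpn/keys/crl.pem`).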


@ -0,0 +1,300 @@
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1195
# TCP or UDP server?
;proto tcp
proto udp
topology subnet
route 192.168.63.0 255.255.255.0 10.1.122.1
route 192.168.64.0 255.255.255.0 10.1.122.1
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap" if you are ethernet bridging.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh keys/dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.1.122.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /etc/openvpn/ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.23.0 255.255.255.0"
;push "route 192.168.122.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir /etc/openvpn/ccd/server-gw-ckubu
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;push "dhcp-option DNS 192.168.122.53"
;push "dhcp-option DOMAIN anw-km.netz"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
tls-auth keys/ta.key 0
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
persist-local-ip
persist-remote-ip
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/status-server-gw-ckubu.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log /var/log/openvpn/server-gw-ckubu.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
#crl-verify /etc/openvpn/keys/crl.pem
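Review bot: Revocation checking is switched off on the last line (`#crl-verify /etc/openvpn/keys/crl.pem`), so a client certificate that has been revoked is still accepted. Enable `crl-verify /etc/openvpn/keys/crl.pem` and make sure the file stays readable after the drop to `user nobody`, since OpenVPN re-reads it on new connections. All `cipher` lines are commented out, which leaves the default the comments name (BF-CBC), and `dh keys/dh1024.pem` uses a 1024-bit group; an explicit `cipher AES-256-CBC` (mirrored in every client config) and a 2048-bit DH file would be the minimum, if the deployed OpenVPN version supports them. The second server config (port 1196) has the same cipher and DH settings and no `crl-verify` line at all.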


@ -0,0 +1,298 @@
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1196
# TCP or UDP server?
;proto tcp
proto udp
topology subnet
#route 192.168.63.0 255.255.255.0 10.1.122.1
#route 192.168.64.0 255.255.255.0 10.1.122.1
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap" if you are ethernet bridging.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh keys/dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.0.122.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /etc/openvpn/ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.23.0 255.255.255.0"
;push "route 192.168.122.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir /etc/openvpn/ccd/server-home
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
push "dhcp-option DNS 192.168.122.53"
push "dhcp-option DOMAIN anw-km.netz"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
tls-auth keys/ta.key 0
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
persist-local-ip
persist-remote-ip
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/status-server-home.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log /var/log/openvpn/server-home.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20


@ -0,0 +1,58 @@
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#
[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0
split_into_parts()
{
part1="$1"
part2="$2"
part3="$3"
}
case "$script_type" in
up)
NMSRVRS=""
SRCHS=""
for optionvarname in ${!foreign_option_*} ; do
option="${!optionvarname}"
echo "$option"
split_into_parts $option
if [ "$part1" = "dhcp-option" ] ; then
if [ "$part2" = "DNS" ] ; then
NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
elif [ "$part2" = "DOMAIN" ] ; then
SRCHS="${SRCHS:+$SRCHS }$part3"
fi
fi
done
R=""
[ "$SRCHS" ] && R="search $SRCHS
"
for NS in $NMSRVRS ; do
R="${R}nameserver $NS
"
done
echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
;;
down)
/sbin/resolvconf -d "${dev}.openvpn"
;;
esac