Initial commit

ANW-URB/README.txt

@@ -0,0 +1,25 @@
+
+Notice:
+   You have to change some configuration files becaus the because
+   the configuration of network interfaces must not be equal.
+
+   !! Take care, to use the right device names !!
+   Maybe they are called i.e. 'enp0sXX', but you can rename it.
+   See also : README.rename.netdevices
+
+   For the backup gateway host:
+      eth1 --> LAN
+      eth2 --> WAN or ppp0 (DSL device)
+
+      eth0 --> WLAN or second LAN or what ever
+      or
+      br0  --> WLAN or second LAN or what ever
+
+
+   So you have to change the following files
+      dsl-provider.ANW-URB: ppp0 comes over eth2
+      interfaces.ANW-URB: see above
+      default_isc-dhcp-server.ANW-URB
+      ipt-firewall.ANW-URB: LAN device (mostly ) = eth1
+                                second LAN WLAN or what ever (if present) = eth0
+         

ANW-URB/bin/clean_log_files.sh

@@ -0,0 +1 @@
+admin-stuff/clean_log_files.sh

ANW-URB/bin/os-upgrade.sh

@@ -0,0 +1 @@
+admin-stuff/os-upgrade.sh

ANW-URB/bin/test_email.sh

@@ -0,0 +1 @@
+admin-stuff/test_email.sh

ANW-URB/bin/wakeup_fileserver.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env sh
+
+_NETW=192.168.102.0
+_MAC_FILESERVER="00:30:48:8c:de:c0"
+
+/usr/bin/wakeonlan -i $_NETW $_MAC_FILESERVER
+
+exit 0

ANW-URB/bind/bind.keys

@@ -0,0 +1,49 @@
+/* $Id: bind.keys,v 1.5.42.2 2011-01-04 19:14:48 each Exp $ */
+# The bind.keys file is used to override built-in DNSSEC trust anchors
+# which are included as part of BIND 9.  As of the current release (BIND
+# 9.7), the only trust anchor it sets is the one for the ISC DNSSEC
+# Lookaside Validation zone ("dlv.isc.org").  Trust anchors for any other
+# zones MUST be configured elsewhere; if they are configured here, they
+# will not be recognized or used by named.
+#
+# This file also contains a copy of the trust anchor for the DNS root zone
+# (".").  However, named does not use it; it is provided here for
+# informational purposes only.  To switch on DNSSEC validation at the
+# root, the root key below can be copied into named.conf.
+#
+# The built-in DLV trust anchor in this file is used directly by named.
+# However, it is not activated unless specifically switched on.  To use
+# the DLV key, set "dnssec-lookaside auto;" in the named.conf options.
+# Without this option being set, the key in this file is ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of January 2011.  If any key fails to
+# initialize correctly, it may have expired.  In that event you should
+# replace this file with a current version.  The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
+managed-keys {
+	# ISC DLV: See https://www.isc.org/solutions/dlv for details.
+        # NOTE: This key is activated by setting "dnssec-lookaside auto;"
+        # in named.conf.
+	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+		TDN0YUuWrBNh";
+
+	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
+	# for current trust anchor information.
+        # NOTE: This key is activated by setting "dnssec-validation auto;"
+        # in named.conf.
+	. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+		QxA+Uk1ihz0=";
+};

ANW-URB/bind/db.0

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

ANW-URB/bind/db.127

@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+1.0.0	IN	PTR	localhost.

ANW-URB/bind/db.192.168.132.0

@@ -0,0 +1,47 @@
+;
+; BIND reverse data file for local anwaeltinnen.netz zone
+;
+$TTL  43600
+@  IN SOA   ns.anwaeltinnen.netz. ckubu.oopen.de. (
+      2012082601     ; Serial
+          604800     ; Refresh
+           86400     ; Retry
+         2419200     ; Expire
+          604800 )   ; Negative Cache TTL
+;
+
+            IN NS     ns-urban.anwaeltinnen.netz.
+
+; - Gateway/Firewall
+254         IN PTR    gw-urban.anwaeltinnen.netz.
+
+
+; - (Caching ) Nameserver
+1           IN PTR    ns-urban.anwaeltinnen.netz.
+
+
+; - Fileserver
+10          IN PTR    file-urban.anwaeltinnen.netz.
+
+
+; - Drucker
+6            IN PTR    canon0b7d6f.anwaeltinnen.netz.
+
+
+; - IPMI
+15          IN PTR    ipmi-urban.anwaeltinnen.netz.
+
+
+; file-win7 - Windows7 File Server
+;
+20          IN PTR    ipmi-urban.anwaeltinnen.netz.
+
+
+; - Buero PC's
+211          IN PTR    pcbuero1.anwaeltinnen.netz.
+212          IN PTR    pcbuero.anwaeltinnen.netz.
+213          IN PTR    pcbuero2.anwaeltinnen.netz.
+214          IN PTR    pcreg.anwaeltinnen.netz.
+215          IN PTR    pcson.anwaeltinnen.netz.
+216          IN PTR    pcund.anwaeltinnen.netz.
+

ANW-URB/bind/db.255

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

ANW-URB/bind/db.anwaeltinnen.netz

@@ -0,0 +1,57 @@
+;
+; BIND data file for local anwaeltinnen.netz zone
+;
+$TTL  43600
+@  IN SOA   ns.anwaeltinnen.netz. ckubu.oopen.de. (
+      2012082601     ; Serial
+          604800     ; Refresh
+           86400     ; Retry
+         2419200     ; Expire
+          604800 )   ; Negative Cache TTL
+;
+
+
+                IN NS     ns-urban.anwaeltinnen.netz.
+
+; Gateway/Firewall
+gw-urban        IN A      192.168.132.254
+gate            IN CNAME  gw-urban
+gw              IN CNAME  gw-urban
+
+; (Caching ) Nameserver
+ns-urban        IN A      192.168.132.1
+ns              IN CNAME  ns-urban
+nscache         IN CNAME  ns-urban
+
+
+; - Fileserver
+file-urban      IN A      192.168.132.10
+file            IN CNAME  file-urban
+marvin          IN CNAME  file-urban
+
+
+; - IPMI
+ipmi-urban      IN A      192.168.132.15
+file-ipmi       IN CNAME  ipmi-urban
+ipmi            IN CNAME  ipmi-urban
+
+
+; file-win7 - Windows 7 Server
+;
+file-win7       IN A      192.168.132.20
+
+
+; - Drucker
+canon0b7d6f     IN A      192.168.132.6
+canon           IN CNAME  canon0b7d6f
+
+
+
+; PC's
+pcbuero1        IN A      192.168.132.211
+pcbuero         IN A      192.168.132.212
+pcbuero2        IN A      192.168.132.213
+pcreg           IN A      192.168.132.214
+pcson           IN A      192.168.132.215
+pcund           IN A      192.168.132.216
+

ANW-URB/bind/db.empty

@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL	86400
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			  86400 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

ANW-URB/bind/db.local

@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+@	IN	A	127.0.0.1
+@	IN	AAAA	::1

ANW-URB/bind/db.root

@@ -0,0 +1,87 @@
+;       This file holds the information on root name servers needed to
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers).
+;
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:    Jun 17, 2010
+;       related version of root zone:   2010061700
+;
+; formerly NS.INTERNIC.NET
+;
+.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
+;
+; FORMERLY C.PSI.NET
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+;
+; FORMERLY TERP.UMD.EDU
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
+;
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
+;
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FE::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
+;
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
+;
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
+; End of File

ANW-URB/bind/named.conf

@@ -0,0 +1,11 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
+// structure of BIND configuration files in Debian, *BEFORE* you customize 
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";

ANW-URB/bind/named.conf.default-zones

@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+	type hint;
+	file "/etc/bind/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+	type master;
+	file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.255";
+};
+
+

ANW-URB/bind/named.conf.local

@@ -0,0 +1,24 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+
+zone "anwaeltinnen.netz" {
+   type master;
+   file "/etc/bind/db.anwaeltinnen.netz";
+};
+
+zone "1.168.192.in-addr.arpa" {
+   type master;
+   file "/etc/bind/db.192.168.1.0";
+};
+
+zone "132.168.192.in-addr.arpa" {
+   type master;
+   file "/etc/bind/db.192.168.132.0";
+};
+

ANW-URB/bind/named.conf.local.INSTALL

@@ -0,0 +1,8 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+

ANW-URB/bind/named.conf.options

@@ -0,0 +1,51 @@
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable 
+	// nameservers, you probably want to use them as forwarders.  
+	// Uncomment the following block, and insert the addresses replacing 
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+   /*
+   forwarders {
+      // OpenDNS servers
+      208.67.222.222;
+      208.67.220.220;
+      // DNS-Cache des CCC
+      213.73.91.35;
+      // ISP DNS Servers
+      217.237.150.51;
+      217.237.148.22;
+   };
+   */
+
+
+   // Security options
+   listen-on port 53 {
+      127.0.0.1;
+      192.168.132.1;
+   };
+   allow-query {
+      127.0.0.1;
+      192.168.0.0/16;
+      10.0.0.0/8;
+   };
+   allow-recursion {
+      127.0.0.1;
+      192.168.0.0/16;
+      10.0.0.0/8;
+   };
+   allow-transfer { none; };
+
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on-v6 { any; };
+};
+

ANW-URB/bind/named.conf.options.INSTALL

@@ -0,0 +1,20 @@
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable 
+	// nameservers, you probably want to use them as forwarders.  
+	// Uncomment the following block, and insert the addresses replacing 
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on-v6 { any; };
+};
+

ANW-URB/bind/rndc.key

@@ -0,0 +1,4 @@
+key "rndc-key" {
+	algorithm hmac-md5;
+	secret "p8uEoosC6vrcRj73ribYKg==";
+};

ANW-URB/bind/zones.rfc1918

@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
+ 
+zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

ANW-URB/chap-secrets.ANW-URB

@@ -0,0 +1,6 @@
+# Secrets for authentication using CHAP
+# client	server	secret			IP addresses
+
+
+## - Anwaltskanzlei - Urbanstrasse (anw-urb)
+"0019673090265502751343110001@t-online.de" * "85593499"

ANW-URB/cron_root.ANW-URB

@@ -0,0 +1,66 @@
+# DO NOT EDIT THIS FILE - edit the master and reinstall.
+# (/tmp/crontab.KkdUPg/crontab installed on Wed Oct 11 10:57:34 2017)
+# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
+# Edit this file to introduce tasks to be run by cron.
+# 
+# Each task to run has to be defined through a single line
+# indicating with different fields when the task will be run
+# and what command to run for the task
+# 
+# To define the time you can provide concrete values for
+# minute (m), hour (h), day of month (dom), month (mon),
+# and day of week (dow) or use '*' in these fields (for 'any').# 
+# Notice that tasks will be started based on the cron's system
+# daemon's notion of time and timezones.
+# 
+# Output of the crontab jobs (including errors) is sent through
+# email to the user the crontab file belongs to (unless redirected).
+# 
+# For example, you can run a backup of all your user accounts
+# at 5 a.m every week with:
+# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
+# 
+# For more information see the manual pages of crontab(5) and cron(8)
+# 
+# m h  dom mon dow   command
+
+## - ORIG
+#*/5 * * * * /usr/local/sbin/synctime
+#*/1 * * * * env LANG=C /usr/bin/mrtg --logging /var/log/mrtg/mrtg.log --lock-file /var/run/mrtg.lck --log-only
+
+PATH=/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+
+# - check forwarding ( /proc/sys/net/ipv4/ip_forward contains "1" )
+# - if not set this entry to "1"
+# -
+0-59/2 * * * * /root/bin/monitoring/check_forwarding.sh
+
+# - Check if postfix mailservice is running. Restart service if needed.
+# -
+41 * * * * /root/bin/monitoring/check_postfix.sh
+
+# - check if openvpn is running if not restart the service
+# -
+*/10 * * * * /root/bin/monitoring/check_dns.sh
+
+# - Check if postfix mail service ist running. Restart service if necessary
+# -
+01,31 * * * * /root/bin/monitoring/check_postfix.sh
+
+# - check if openvpn is running if not restart the service
+# -
+*/30 * * * * /root/bin/monitoring/check_vpn.sh
+
+# - check if DynDNS ip is correct, adjust if needed
+# -
+27 * * * * /root/bin/monitoring/check_dyndns.sh anw-urb.homelinux.org
+
+# - reconnect to internet
+# -
+#7 6 * * * /root/bin/reconnect_inet.sh
+
+
+# - copy gateway configuration
+# -
+10 3 * * * /root/bin/manage-gw-config/copy_gateway-config.sh ANW-URB

ANW-URB/ddclient.conf.ANW-URB

@@ -0,0 +1,14 @@
+# Configuration file for ddclient generated by debconf
+#
+# /etc/ddclient.conf
+
+protocol=dyndns2
+use=web, web=checkip.dyndns.com, web-skip='IP Address'
+server=members.dyndns.org
+login=ckubu
+password=7213b4e6178a11e6ab1362f831f6741e
+anw-urb.homelinux.org
+
+ssl=yes
+mail=argus@oopen.de
+mail-failure=root

ANW-URB/default_isc-dhcp-server.ANW-URB

@@ -0,0 +1,11 @@
+# Defaults for dhcp initscript
+# sourced by /etc/init.d/dhcp
+# installed at /etc/default/isc-dhcp-server by the maintainer scripts
+
+#
+# This is a POSIX shell fragment
+#
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACES=""

ANW-URB/dhcpd.conf.ANW-URB

@@ -0,0 +1,221 @@
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+# $Id: dhcpd.conf,v 1.1.1.1 2002/05/21 00:07:44 peloy Exp $
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# option definitions common to all supported networks...
+option domain-name "anwaeltinnen.netz";
+option domain-name-servers 192.168.132.1;
+
+option subnet-mask 255.255.255.0;
+
+option broadcast-address 192.168.132.255;
+
+option routers 192.168.132.254;
+
+
+default-lease-time 3600;
+max-lease-time 14400;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the 
+# DHCP server to understand the network topology.
+
+subnet 192.168.132.0 netmask 255.255.255.0 {
+   range 192.168.132.130 192.168.132.180;
+   option domain-name "anwaeltinnen.netz";
+   option subnet-mask 255.255.255.0;
+   option broadcast-address 192.168.132.255;
+   option domain-name-servers 192.168.132.1;
+   option routers 192.168.132.254;
+   default-lease-time 43200;
+   max-lease-time 86400;
+}
+
+## - wireless LAN
+subnet 192.168.133.0 netmask 255.255.255.0 {
+  range 192.168.133.150 192.168.133.199;
+  #local-address 192.168.103.254 ;
+  option domain-name "anwaeltinnen.netz";
+  option subnet-mask 255.255.255.0;
+  option broadcast-address 192.168.133.255;
+  option domain-name-servers 192.168.132.1;
+  option routers 192.168.133.254;
+  default-lease-time 86400;
+  max-lease-time 259200;
+}
+
+## - No dhcp on WAN-Interface
+## -
+subnet 172.16.132.0 netmask 255.255.255.0 {
+}
+
+host panic {
+   hardware ethernet 00:11:25:31:64:50;
+   fixed-address panic.anwaeltinnen.netz;
+}
+
+host pcreg {
+   ## - alter PC
+   #hardware ethernet 00:30:05:45:27:21;
+   ## - neuer PC
+   hardware ethernet 70:71:BC:72:27:5C;
+   fixed-address pcreg.anwaeltinnen.netz;
+}
+host pcson {
+   #hardware ethernet 00:24:21:0b:3e:a2;
+   hardware ethernet E8:40:F2:EC:C5:42;
+   fixed-address pcson.anwaeltinnen.netz;
+}
+host pcund {
+   #hardware ethernet 00:27:0E:18:B3:14;
+   hardware ethernet 74:d4:35:b6:81:4c;
+   fixed-address pcund.anwaeltinnen.netz;
+}
+host pcund-alt {
+   hardware ethernet 00:30:05:2F:6A:CF;
+   fixed-address pcund-alt.anwaeltinnen.netz;
+}
+
+## buero rechner
+host pcbuero {
+   hardware ethernet 00:27:0E:05:A0:69;
+   fixed-address pcbuero.anwaeltinnen.netz;
+}
+host pcbuero-alt {
+   hardware ethernet 00:05:5D:DD:40:EB;
+   fixed-address pcbuero-alt.anwaeltinnen.netz;
+}
+host pcbuero1 {
+   hardware ethernet 00:22:4d:af:f5:f3;
+   fixed-address pcbuero1.anwaeltinnen.netz;
+}
+host pcbuero2 {
+   #hardware ethernet 00:0D:87:D4:4C:2B;
+   hardware ethernet E8:40:F2:ED:14:56;
+   fixed-address pcbuero2.anwaeltinnen.netz;
+}
+
+## laptop
+host undine-laptop {
+   hardware ethernet 00:16:41:A7:A1:93 ;
+   fixed-address undine-laptop.anwaeltinnen.netz ;
+}
+
+
+## - fileserver
+host marvin {
+   hardware ethernet 0c:c4:7a:0b:75:36;
+   fixed-address marvin.anwaeltinnen.netz;
+}
+host marvin-alt {
+   hardware ethernet 00:25:90:09:1D:F2;
+   fixed-address marvin-alt.anwaeltinnen.netz;
+}
+
+## printer
+host canon {
+   #hardware ethernet 00:00:85:0b:7d:6f;
+   #fixed-address canon0b7d6f.anwaeltinnen.netz;
+   hardware ethernet 00:1e:8f:d3:35:d2;
+   fixed-address canond335d2.anwaeltinnen.netz;
+}
+
+
+## host gw-doberan {
+##    hardware ethernet 00:C0:26:A1:8A:CD;
+##    fixed-address gw-doberan.rav.local ;
+## }
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+#subnet 10.254.239.0 netmask 255.255.255.224 {
+#  range 10.254.239.10 10.254.239.20;
+#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
+#}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+#  range dynamic-bootp 10.254.239.40 10.254.239.60;
+#  option broadcast-address 10.254.239.31;
+#  option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+#  range 10.5.5.26 10.5.5.30;
+#  option domain-name-servers ns1.internal.example.org;
+#  option domain-name "internal.example.org";
+#  option routers 10.5.5.1;
+#  option broadcast-address 10.5.5.31;
+#  default-lease-time 600;
+#  max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements.   If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+#  hardware ethernet 0:0:c0:5d:bd:95;
+#  filename "vmunix.passacaglia";
+#  server-name "toccata.fugue.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts.   These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+#host fantasia {
+#  hardware ethernet 08:00:07:26:c0:a5;
+#  fixed-address fantasia.fugue.com;
+#}
+
+# You can declare a class of clients and then do address allocation
+# based on that.   The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+#  subnet 10.17.224.0 netmask 255.255.255.0 {
+#    option routers rtr-224.example.org;
+#  }
+#  subnet 10.0.29.0 netmask 255.255.255.0 {
+#    option routers rtr-29.example.org;
+#  }
+#  pool {
+#    allow members of "foo";
+#    range 10.17.224.10 10.17.224.250;
+#  }
+#  pool {
+#    deny members of "foo";
+#    range 10.0.29.10 10.0.29.230;
+#  }
+#}

ANW-URB/email_notice.ANW-URB

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+file=/tmp/mail_ip-up$$
+
+admin_email=argus@oopen.de
+from_address=ip-up_anw-urban@oopen.de
+from_name="ip-up - ANW-URBAN"
+
+echo "" > $file
+echo " ********************************************************" >> $file
+echo " *** This is an autogenerated mail from `hostname -f` ***" >> $file
+echo "" >> $file
+echo " I brought up the ppp-daemon with the following" >> $file
+echo -e " parameters:\n" >> $file
+echo -e "\tInterface name...............: $PPP_IFACE" >> $file
+echo -e "\tThe tty......................: $PPP_TTY" >> $file
+echo -e "\tThe link speed...............: $PPP_SPEED" >> $file
+echo -e "\tLocal IP number..............: $PPP_LOCAL" >> $file
+echo -e "\tPeer  IP number..............: $PPP_REMOTE" >> $file
+if [ "$USEPEERDNS" ] && [ "$DNS1" ] ; then
+   echo -e "\tNameserver 1.................: $DNS1" >> $file
+   if [ "$DNS2" ] ; then
+      echo -e "\tNameserver 2.................: $DNS2" >> $file
+   fi
+fi
+
+
+echo -e "\tOptional \"ipparam\" value.....: $PPP_IPPARAM" >> $file
+echo "" >> $file
+echo -e "\tDate.........................: `date +\"%d.%m.%Y\"`" >> $file
+echo -e "\tTime.........................: `date +\"%H:%M:%S\"`" >> $file
+echo "" >> $file
+echo " ********************************************************" >> $file
+
+#/bin/echo -e "From:ip-up@`hostname -f`\nTo:${admin_email}\nSubject: $PPP_LOCAL\n`cat $file`" | /usr/sbin/sendmail $admin_email
+## /bin/echo -e "From:ip-up@inferno.local\nSubject: $PPP_LOCAL\n`cat $file`" | /usr/sbin/sendmail ckubu@so36.net
+
+/bin/echo -e "From:${from_name} <${from_address}>\nTo:${admin_email}\nSubject: $PPP_LOCAL\n`cat $file`" | /usr/sbin/sendmail $admin_email
+
+rm -f $file
+

ANW-URB/generic.ANW-URB

@@ -0,0 +1,3 @@
+root@gw-urban.anwaeltinnen.netz      root_anw-urban@oopen.de
+cron@gw-urban.anwaeltinnen.netz      cron_anw-urban@oopen.de
+@gw-urban.anwaeltinnen.netz          other_anw-urban@oopen.de

ANW-URB/hostapd.conf.ANW-URB

@@ -0,0 +1,30 @@
+interface=wlan0
+bridge=br0
+ssid=Alix-WLAN-OOPEN
+driver=nl80211
+
+## - D-LINK DWA-552
+## - MicroTIK RouterBOARD R52n-M
+## -
+#wme_enabled=1
+#ieee80211n=1
+#ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
+
+## - Linksys WMP600N
+## -
+#wme_enabled=1
+#ieee80211n=1
+#ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC12]
+
+channel=4
+hw_mode=g
+ignore_broadcast_ssid=0
+auth_algs=1
+macaddr_acl=0
+wpa=2
+wpa_key_mgmt=WPA-PSK
+wpa_passphrase=WoAuchImmer
+wpa_pairwise=TKIP
+rsn_pairwise=CCMP
+wpa_group_rekey=600
+ctrl_interface=/var/run/hostapd

ANW-URB/hostname.ANW-URB

@@ -0,0 +1 @@
+gw-urban

ANW-URB/hosts.ANW-URB

@@ -0,0 +1,10 @@
+127.0.0.1	localhost
+127.0.1.1	gw-urban.anwaeltinnen.netz	gw-urban
+
+# The following lines are desirable for IPv6 capable hosts
+::1     localhost ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts

ANW-URB/igmpproxy.conf.ANW-URB

@@ -0,0 +1,75 @@
+########################################################
+#
+#   Example configuration file for the IgmpProxy
+#   --------------------------------------------
+#
+#   The configuration file must define one upstream
+#   interface, and one or more downstream interfaces.
+#
+#   If multicast traffic originates outside the
+#   upstream subnet, the "altnet" option can be
+#   used in order to define legal multicast sources.
+#   (Se example...)
+#
+#   The "quickleave" should be used to avoid saturation
+#   of the upstream link. The option should only
+#   be used if it's absolutely nessecary to
+#   accurately imitate just one Client.
+#
+########################################################
+
+##------------------------------------------------------
+## Enable Quickleave mode (Sends Leave instantly)
+##------------------------------------------------------
+quickleave
+
+
+##------------------------------------------------------
+## Configuration for eth0 (Upstream Interface)
+##------------------------------------------------------
+#phyint eth0 upstream  ratelimit 0  threshold 1
+#        altnet 10.0.0.0/8 
+#        altnet 192.168.0.0/24
+##------------------------------------------------------
+## Configuration for ppp0 (Upstream Interface)
+##------------------------------------------------------
+#phyint ppp0 upstream  ratelimit 0  threshold 1
+phyint eth2.8 upstream  ratelimit 0  threshold 1
+        altnet 217.0.119.194/24
+        altnet 193.158.35.0/24;
+        altnet 239.35.100.6/24;
+        altnet 93.230.64.0/19;
+        altnet 192.168.63.0/24;
+        #
+        #altnet 192.168.63.5/32;
+        #altnet 192.168.63.40/32;
+
+
+##------------------------------------------------------
+## Configuration for eth1 (Downstream Interface)
+##------------------------------------------------------
+#phyint br0 downstream  ratelimit 0  threshold 1
+phyint eth1 downstream  ratelimit 0  threshold 1
+        # IP der TV-Box
+        altnet 192.168.63.0/24;
+        #altnet 192.168.63.5/32;
+        #altnet 192.168.63.40/32;
+
+
+##------------------------------------------------------
+## Configuration for eth2 (Disabled Interface)
+##------------------------------------------------------
+#phyint eth2 disabled
+##------------------------------------------------------
+## Configuration for eth2 (Disabled Interface)
+##------------------------------------------------------
+phyint eth0 disabled
+phyint eth2 disabled
+phyint eth2.7 disabled
+phyint eth1:0 disabled
+phyint eth1:wf disabled
+phyint ppp0 disabled
+phyint tun0 disabled
+phyint lo disabled
+
+

ANW-URB/interfaces.ANW-URB

@@ -0,0 +1,56 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+
+#-----------------------------
+# eth1 - LAN
+#-----------------------------
+
+auto eth1 eth1:0
+iface eth1 inet static
+   address 192.168.132.254
+   network 192.168.132.0
+   netmask 255.255.255.0
+   broadcast 192.168.132.255
+
+iface eth1:0 inet static
+   address 192.168.132.1
+   network 192.168.132.0
+   netmask 255.255.255.0
+   broadcast 192.168.132.255
+
+
+#-----------------------------
+# eth2 - WAN
+#-----------------------------
+
+auto eth2
+iface eth2 inet static
+   address 172.16.132.1
+   network 172.16.132.0
+   netmask 255.255.255.0
+   broadcast 172.16.132.255
+   gateway 172.16.132.254
+
+
+#-----------------------------
+# br0 (bind eth0 + wlan0) - WAN
+#-----------------------------
+
+auto br0
+iface br0 inet static
+   address 192.168.133.254
+   network 192.168.133.0
+   netmask 255.255.255.0
+   broadcast 192.168.133.255
+   bridge_ports eth0 wlan0
+   bridge_stp off
+   bridge_maxwait 1
+
+iface eth0 inet manual
+iface wlan0 inet manual
+

ANW-URB/ipt-firewall/default_ports.conf

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Ports for Services out
+# =============
+
+standard_ident_port=113
+standard_silc_port=706
+standard_irc_port=6667
+standard_jabber_port=5222
+standard_smtp_port=25
+standard_ssh_port=22
+standard_http_port=80
+standard_https_port=443
+standard_ftp_port=21
+standard_tftp_udp_port=69
+standard_ntp_port=123
+standard_snmp_port=161
+standard_snmp_trap_port=162
+standard_timeserver_port=37
+standard_pgp_keyserver_port=11371
+standard_telnet_port=23
+standard_whois_port=43
+standard_cpan_wait_port=1404
+standard_xymon_port=1984
+standard_hbci_port=3000
+standard_mysql_port=3306
+standard_ipp_port=631
+standard_cups_port=$standard_ipp_port
+standard_print_raw_port=515
+standard_print_port=9100
+standard_remote_console_port=5900
+
+# - IPsec - Internet Security Association and
+# -  Key Management Protocol
+standard_isakmp_port=500
+standard_ipsec_nat_t=4500
+
+
+# - Comma separated lists
+# -
+standard_http_ports="80,443"
+standard_mailuser_ports="587,465,110,995,143,993"
+

ANW-URB/ipt-firewall/include_functions.conf

@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Some functions
+# =============
+
+# - Is this script running on terminal ?
+# -
+if [[ -t 1 ]] ; then
+      terminal=true
+else
+   terminal=false
+fi
+
+echononl(){
+   echo X\\c > /tmp/shprompt$$
+   if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+      echo -e -n "$*\\c" 1>&2
+   else
+       echo -e -n "$*" 1>&2
+   fi
+   rm /tmp/shprompt$$
+}
+echo_done() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[32mdone\033[m ]"
+   else
+      echo " [ done ]"
+   fi
+}
+echo_ok() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[32mok\033[m ]"
+   else
+      echo " [ ok ]"
+   fi
+}
+echo_warning() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+   else
+      echo " [ warning ]"
+   fi
+}
+echo_failed(){
+   if $terminal ; then
+      echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+   else
+      echo ' [ failed! ]'
+   fi
+}
+echo_skipped() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[37mskipped\033[m ]"
+   else
+      echo " [ skipped ]"
+   fi
+}
+
+
+fatal (){
+   echo ""
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[31m\033[1mFatal\033[m ]: \033[37m\033[1m$*\033[m"
+      echo ""
+      echo -e "\t\033[31m\033[1m           Firewall Script will be interrupted..\033[m\033[m"
+   else
+      echo "fatal: $*"
+      echo "Firewall Script will be interrupted.."
+   fi
+   echo ""
+   exit 1
+}
+
+error(){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+   else
+      echo "Error: $*"
+   fi
+   echo ""
+}
+
+warn (){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+   else
+      echo "Warning: $*"
+   fi
+   echo ""
+}
+
+info (){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+   else
+      echo "Info: $*"
+   fi
+   echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+   local e
+   for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+   return 1
+}
+

ANW-URB/ipt-firewall/interfaces_ipv4.conf

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Network Interfaces / Ip-Adresses / Ports
+# =============
+
+# - Extern Interfaces DSL Lines
+# -    (blank separated list)
+ext_if_dsl_1=""
+ext_if_dsl_2=""
+ext_if_dsl_3=""
+ext_if_dsl_4=""
+
+ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
+
+# - Extern Interfaces Static Lines
+# -    (blank separated list)
+ext_if_static_1="eth2"
+ext_if_static_2=""
+ext_if_static_3=""
+
+ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
+
+# - VPN Interfaces
+# -    (blank separated list)
+vpn_ifs="tun+"
+
+# - Local Interfaces
+local_if_1="eth1"
+local_if_2="br0"
+local_if_3=""
+local_if_4=""
+local_if_5=""
+local_if_6=""
+local_if_7=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
+# -
+# - Blank separated list
+# -
+nat_devices=""
+
+# - Are local alias interfaces like eth0:0 defined"
+# -
+local_alias_interfaces=true

ANW-URB/ipt-firewall/load_modules_ipv4.conf

@@ -0,0 +1,36 @@
+# =============
+# -  Load Kernel Modules
+# =============
+
+# - Note:! 
+# -    Since Kernel 4.7 the automatic conntrack helper assignment
+# -    is disabled by default (net.netfilter.nf_conntrack_helper = 0).
+# -    Enable it by setting this variable in file /etc/sysctl.conf:
+# -
+# -       net.netfilter.nf_conntrack_helper = 1
+# -
+# -    Reboot or type "sysctl -p"
+
+
+ip_tables
+
+iptable_nat
+iptable_filter
+iptable_mangle
+iptable_raw
+
+# - Load base modules for tracking
+# -
+nf_conntrack
+nf_nat
+
+# - Load module for FTP Connection tracking and NAT
+# -
+nf_conntrack_ftp
+nf_nat_ftp
+
+# - Load modules for SIP VOIP
+# -
+nf_conntrack_sip
+nf_nat_sip
+

ANW-URB/ipt-firewall/load_modules_ipv6.conf

@@ -0,0 +1,9 @@
+# =============
+# -  Load Kernel Modules
+# =============
+
+ip6_tables
+ip6table_filter
+ip6t_REJECT
+
+ip6table_mangle

ANW-URB/ipt-firewall/logging_ipv4.conf

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=false
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice 
+# - unless you specifically need something else. 
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv4:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""

ANW-URB/ipt-firewall/logging_ipv6.conf

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=false
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice 
+# - unless you specifically need something else. 
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv6:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""

ANW-URB/ipt-firewall/post_decalrations.conf

@@ -0,0 +1,505 @@
+#!/usr/bin/env bash
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+# ---
+# - Masquerade TCP Connections
+# ---
+
+declare -a nat_network_arr
+for _net in $nat_networks ; do
+   nat_network_arr+=("$_net")
+done
+
+declare -a masquerade_tcp_con_arr
+for _str in $masquerade_tcp_cons ; do
+   masquerade_tcp_con_arr+=("$_str")
+done
+
+
+# ---
+# - Extern Network interfaces (DSL, Staic Lines, All together)
+# ---
+declare -a nat_device_arr
+declare -a dsl_device_arr
+declare -a ext_if_arr
+for _dev in $ext_ifs_dsl ; do
+   dsl_device_arr+=("$_dev")
+   ext_if_arr+=("$_dev")
+   nat_device_arr+=("$_dev")
+done
+for _dev in $ext_ifs_static ; do
+   ext_if_arr+=("$_dev")
+done
+for _dev in $nat_devices ; do
+   if ! containsElement $_dev "${nat_device_arr[@]}" ; then
+      nat_device_arr+=("$_dev")
+   fi
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+   vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+   local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+   blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+   unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Allow these local networks any access to the internet
+# ---
+declare -a any_access_to_inet_network_arr
+for _net in $any_access_to_inet_networks ; do
+   any_access_to_inet_network_arr+=("$_net")
+done
+
+declare -a any_access_from_inet_network_arr
+for _net in $any_access_from_inet_networks ; do
+   any_access_from_inet_network_arr+=("$_net")
+done
+
+# ---
+# - Allow local services from given extern networks
+# ---
+declare -a allow_ext_net_to_local_service_arr 
+for _val in $allow_ext_net_to_local_service ; do
+   allow_ext_net_to_local_service_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from extern address/network to local address/network
+# ---
+declare -a allow_ext_net_to_local_net_arr
+for _val in $allow_ext_net_to_local_net ; do
+   allow_ext_net_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Block all extern traffic to (given) local network
+# ---
+declare -a block_all_ext_to_local_net_arr
+for _net in $block_all_ext_to_local_net ; do
+   block_all_ext_to_local_net_arr+=("$_net")
+done
+
+# ---
+# - Allow local services from given local networks
+# ---
+declare -a allow_local_net_to_local_service_arr 
+for _val in $allow_local_net_to_local_service ; do
+   allow_local_net_to_local_service_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from local network to local ip-address
+# ---
+declare -a allow_local_net_to_local_ip_arr
+for _val in $allow_local_net_to_local_ip ; do
+   allow_local_net_to_local_ip_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from local ip-address to local network
+# ---
+declare -a allow_local_ip_to_local_net_arr
+for _val in $allow_local_ip_to_local_net ; do
+   allow_local_ip_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from (one) local network to (another) local network
+# ---
+declare -a allow_local_net_to_local_net_arr
+for _val in $allow_local_net_to_local_net ; do
+   allow_local_net_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Allow local ip address from given local interface
+# ---
+declare -a allow_local_if_to_local_ip_arr
+for _val in $allow_local_if_to_local_ip ; do
+   allow_local_if_to_local_ip_arr+=("$_val")
+done
+
+# ---
+# - Separate local Networks
+# ---
+declare -a separate_local_network_arr
+for _net in $separate_local_networks ; do
+   separate_local_network_arr+=("$_net")
+done
+
+# ---
+# - Separate local Interfaces
+# ---
+declare -a separate_local_if_arr
+for _net in $separate_local_ifs ; do
+   separate_local_if_arr+=("$_net")
+done
+
+# ---
+# - Generally block ports on extern interfaces
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+   block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+   block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Not wanted on intern interfaces
+# ---
+declare -a not_wanted_on_gw_tcp_port_arr
+for _port in $not_wanted_on_gw_tcp_ports ; do
+   not_wanted_on_gw_tcp_port_arr+=("$_port")
+done
+
+declare -a not_wanted_on_gw_udp_port_arr
+for _port in $not_wanted_on_gw_udp_ports ; do
+   not_wanted_on_gw_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+   forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses to log
+# ---
+declare -a log_ip_arr
+for _ip in $log_ips ; do
+   log_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Devices local DHCP Client
+# ---
+declare -a dhcp_client_interfaces_arr
+for _dev in $dhcp_client_interfaces ; do
+   dhcp_client_interfaces_arr+=("$_dev")
+done
+
+# ---
+# - IP Addresses DHCP Failover Server
+# ---
+declare -a dhcp_failover_server_ip_arr
+for _ip in $dhcp_failover_server_ips ; do
+   dhcp_failover_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses DNS Server
+# ---
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+   dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses SSH Server only at ocal Networks
+# ---
+declare -a ssh_server_only_local_ip_arr
+for _ip in $ssh_server_only_local_ips ; do
+   ssh_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses HTTP Server only local Networks
+# ---
+declare -a http_server_only_local_ip_arr
+for _ip in $http_server_only_local_ips ; do
+   http_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mail Server only local Networks
+# ---
+declare -a mail_server_only_local_ip_arr
+for _ip in $mail_server_only_local_ips ; do
+   mail_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+declare -a ftp_server_only_local_ip_arr
+for _ip in $ftp_server_only_local_ips ; do
+   ftp_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Samba Server
+# ---
+declare -a samba_server_local_ip_arr
+for _ip in $samba_server_local_ips ; do
+   samba_server_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses LDAP Server
+# ---
+declare -a ldap_server_local_ip_arr
+for _ip in $ldap_server_local_ips ; do
+   ldap_server_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses Telephone Systems
+# ---
+declare -a tele_sys_ip_arr
+for _ip in $tele_sys_ips ; do
+   tele_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses SNMP Server
+# ---
+declare -a snmp_server_ip_arr
+for _ip in $snmp_server_ips ; do
+   snmp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses Munin Service 
+# ---
+declare -a munin_local_server_ip_arr
+for _ip in $munin_local_server_ips ; do
+   munin_local_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+   xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses IPMI interface
+# ---
+declare -a ipmi_server_ip_arr
+for _ip in $ipmi_server_ips ; do
+   ipmi_server_ip_arr+=("$_ip")
+done
+
+# ---
+# -IP Addresses Ubiquiti Unifi Accesspoints
+# ---
+declare -a unifi_ap_local_ip_arr
+for _ip in $unifi_ap_local_ips ; do
+   unifi_ap_local_ip_arr+=("$_ip")
+done
+declare -a unifi_controller_gateway_ip_arr
+for _ip in $unifi_controller_gateway_ips ; do
+   unifi_controller_gateway_ip_arr+=("$_ip")
+done
+declare -a unify_controller_local_net_ip_arr
+for _ip in $unify_controller_local_net_ips ; do
+   unify_controller_local_net_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Printer
+# -
+declare -a printer_ip_arr
+for _ip in $printer_ips ; do
+   printer_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Adresses Brother Scanner (brscan)
+# ---
+declare -a brother_scanner_ip_arr
+for _ip in $brother_scanner_ips ; do
+   brother_scanner_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses PCNS Server
+# ---
+declare -a pcns_server_ip_arr
+for _ip in $pcns_server_ips ; do
+   pcns_server_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Addresses VNC Service
+# ---
+declare -a rm_server_ip_arr
+for _ip in $rm_server_ips ; do
+   rm_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+   rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - Other local Services
+# ---
+declare -a other_service_arr
+for _val in $other_services ; do
+   other_service_arr+=("$_val")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+   ssh_port_arr+=("$_port")
+done
+
+# ---
+# - Cisco kompartible VPN Ports
+# ---
+declare -a cisco_vpn_out_port_arr
+for _port in $cisco_vpn_out_ports ; do
+   cisco_vpn_out_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+declare -a vpn_gw_port_arr
+for _port in $vpn_gw_ports ; do
+   vpn_gw_port_arr+=("$_port")
+done
+declare -a vpn_local_net_port_arr
+for _port in $vpn_local_net_ports ; do
+   vpn_local_net_port_arr+=("$_port")
+done
+declare -a vpn_out_port_arr
+for _port in $vpn_out_ports ; do
+   vpn_out_port_arr+=("$_port")
+done
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+   rsync_port_arr+=("$_port")
+done
+
+# ---
+# - Samba Ports
+# ---
+
+declare -a samba_udp_port_arr
+for _port in $samba_udp_ports ; do
+   samba_udp_port_arr+=("$_port")
+done
+
+declare -a samba_tcp_port_arr
+for _port in $samba_tcp_ports ; do
+   samba_tcp_port_arr+=("$_port")
+done
+
+# ---
+# - LDAP Ports
+# ---
+
+declare -a ldap_udp_port_arr
+for _port in $ldap_udp_ports ; do
+   ldap_udp_port_arr+=("$_port")
+done
+
+declare -a ldap_tcp_port_arr
+for _port in $ldap_tcp_ports ; do
+   ldap_tcp_port_arr+=("$_port")
+done
+
+# ---
+# - IPMI
+# ---
+
+declare -a ipmi_udp_port_arr
+for _port in $ipmi_udp_ports ; do
+   ipmi_udp_port_arr+=("$_port")
+done
+
+declare -a ipmi_tcp_port_arr
+for _port in $ipmi_tcp_ports ; do
+   ipmi_tcp_port_arr+=("$_port")
+done
+
+
+# ---
+# - Portforwrds TCP
+# ---
+declare -a portforward_tcp_arr
+for _str in $portforward_tcp ; do
+   portforward_tcp_arr+=("$_str")
+done
+
+# ---
+# - Portforwrds UDP
+# ---
+declare -a portforward_udp_arr
+for _str in $portforward_udp ; do
+   portforward_udp_arr+=("$_str")
+done
+
+# ---
+# - MAC Address Filtering
+# ---
+declare -a allow_all_mac_src_address_arr
+for _mac in $allow_all_mac_src_addresses ; do
+   allow_all_mac_src_address_arr+=("$_mac")
+done
+
+declare -a allow_local_mac_src_address_arr
+for _mac in $allow_local_mac_src_addresses ; do
+   allow_local_mac_src_address_arr+=("$_mac")
+done
+
+declare -a allow_remote_mac_src_address_arr
+for _mac in $allow_remote_mac_src_addresses ; do
+   allow_remote_mac_src_address_arr+=("$_mac")
+done
+

ANW-URB/mailname.ANW-URB

@@ -0,0 +1 @@
+gw-urban.anwaeltinnen.netz

ANW-URB/main.cf.ANW-URB

@@ -0,0 +1,268 @@
+# ============ Basic settings ============
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = /usr/share/doc/postfix
+html_directory = /usr/share/doc/postfix/html
+
+## - The Internet protocols Postfix will attempt to use when making 
+## - or accepting connections.
+## - DEFAULT: ipv4
+inet_protocols = ipv4
+
+#inet_interfaces = all
+inet_interfaces =
+   127.0.0.1
+   192.168.132.254
+
+myhostname = gw-urban.anwaeltinnen.netz
+
+mydestination = 
+   gw-urban.anwaeltinnen.netz
+   localhost
+
+## - The list of "trusted" SMTP clients that have more 
+## - privileges than "strangers"
+## -
+mynetworks = 
+   127.0.0.0/8
+   192.168.132.254/32
+
+#smtp_bind_address = 172.16.132.1
+#smtp_bind_address6 = 
+
+
+## - The method to generate the default value for the mynetworks parameter.
+## -
+## -   mynetworks_style = host" when Postfix should "trust" only the local machine
+## -   mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP 
+## -                       clients in the same IP subnetworks as the local machine.
+## -   mynetworks_style = class" when Postfix should "trust" SMTP clients in the same 
+## -                      IP class A/B/C networks as the local machine.
+## -
+#mynetworks_style = host
+
+
+## - The maximal size of any local(8) individual mailbox or maildir file, 
+## - or zero (no limit). In fact, this limits the size of any file that is 
+## - written to upon local delivery, including files written by external 
+## - commands that are executed by the local(8) delivery agent. 
+## -
+mailbox_size_limit = 0
+
+## - The maximal size in bytes of a message, including envelope information.
+## -
+## - we user 50MB
+## -
+message_size_limit = 52480000
+
+## - The system-wide recipient address extension delimiter
+## -
+recipient_delimiter = +
+
+## - The alias databases that are used for local(8) delivery.
+## -
+alias_maps =
+   hash:/etc/aliases
+
+## - The alias databases for local(8) delivery that are updated 
+## - with "newaliases" or with "sendmail -bi". 
+## -
+alias_database =
+   hash:/etc/aliases
+
+
+## - The maximal time a message is queued before it is sent back as 
+## - undeliverable. Defaults to 5d (5 days)
+## - Specify 0 when mail delivery should be tried only once.
+## - 
+maximal_queue_lifetime = 3d
+bounce_queue_lifetime = $maximal_queue_lifetime
+
+## - delay_warning_time (default: 0h)
+## -
+## - The time after which the sender receives a copy of the message 
+## - headers of mail that is still queued. To enable this feature, 
+## - specify a non-zero time value (an integral value plus an optional 
+## - one-letter suffix that specifies the time unit). 
+## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). 
+## - The default time unit is h (hours). 
+delay_warning_time = 1d
+
+
+
+# ============ Relay parameters ============
+
+#relayhost =
+
+
+# ============ SASL authentication ============
+
+# Enable SASL authentication
+smtp_sasl_auth_enable = yes
+
+# Forwarding to the ip-adress of host b.mx.oopen.de
+relayhost = [b.mx.oopen.de]
+
+# File including login data
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+
+# Force using a (TLS) security connection
+# obsulete - use smtp_tls_security_level instead
+#smtp_use_tls = yes
+#smtp_tls_enforce_peername = no
+smtp_tls_security_level = encrypt
+
+# Disallow methods that allow anonymous authentication.
+smtp_sasl_security_options = noanonymous
+
+
+
+# ============ TLS parameters ============
+
+## - Aktiviert TLS für den Mailempfang
+## -
+## - may:
+## - Opportunistic TLS. Use TLS if this is supported by the remote 
+## - SMTP server, otherwise use plaintext
+## -
+## - This overrides the obsolete parameters smtpd_use_tls and 
+## - smtpd_enforce_tls. This parameter is ignored with 
+## - "smtpd_tls_wrappermode = yes".
+#smtpd_use_tls=yes
+smtp_tls_security_level=encrypt
+
+## - Aktiviert TLS für den Mailversand
+## -
+## - may:
+## - Opportunistic TLS: announce STARTTLS support to SMTP clients, 
+## - but do not require that clients use TLS encryption.
+# smtp_use_tls=yes
+smtpd_tls_security_level=may
+
+## -    0 Disable logging of TLS activity. 
+## -    1 Log TLS handshake and certificate information. 
+## -    2 Log levels during TLS negotiation. 
+## -    3 Log hexadecimal and ASCII dump of TLS negotiation process. 
+## -    4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. 
+## -
+smtpd_tls_loglevel = 1
+smtp_tls_loglevel = 1
+
+smtpd_tls_cert_file = /etc/postfix/ssl/mailserver.crt
+smtpd_tls_key_file = /etc/postfix/ssl/mailserver.key
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
+## - 
+## - Dont't forget to create it, e.g with openssl:
+## -    openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
+## -
+smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
+## - also possible to use 2048 key with that parameter
+## -
+#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. 
+## - 
+## - Dont't forget to create it, e.g with openssl:
+## -    openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
+## -
+smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
+
+
+## - File containing CA certificates of root CAs trusted to sign either remote SMTP 
+## - server certificates or intermediate CA certificates. These are loaded into 
+## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
+## - 
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+
+## - Directory with PEM format certificate authority certificates that the Postfix SMTP 
+## - client uses to verify a remote SMTP server certificate. Don't forget to create the 
+## - necessary "hash" links with, for example, "
+## - /bin/c_rehash /etc/postfix/certs". 
+## -
+## - !! Note !!
+## - To use this option in chroot mode, this directory (or a copy) must be inside 
+## - the chroot jail. 
+## -
+## - Note that a chrooted daemon resolves all filenames relative to the Postfix 
+## - queue directory (/var/spool/postfix)
+## -
+#smtpd_tls_CApath = /etc/postfix/certs
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP server 
+# 
+# List of TLS protocols that the Postfix SMTP server will exclude or  
+# include with opportunistic TLS encryption.  
+smtpd_tls_protocols = !SSLv2, !SSLv3
+# 
+# The SSL/TLS protocols accepted by the Postfix SMTP server  
+# with mandatory TLS encryption. 
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP client 
+#  
+# List of TLS protocols that the Postfix SMTP client will exclude or  
+# include with opportunistic TLS encryption.  
+smtp_tls_protocols = !SSLv2, !SSLv3
+# 
+# List of SSL/TLS protocols that the Postfix SMTP client will use  
+# with mandatory TLS encryption 
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange 
+## -    openssl > 1.0
+## -
+smtpd_tls_eecdh_grade = strong
+
+# standard list cryptographic algorithm
+tls_preempt_cipherlist = yes
+
+# Disable ciphers which are less than 256-bit:
+#
+#smtpd_tls_mandatory_ciphers = high
+#
+# opportunistic
+smtpd_tls_ciphers = high
+
+
+# Exclude ciphers
+#smtpd_tls_exclude_ciphers =
+#   RC4
+#   aNULL
+#   SEED-SHA
+#   EXP
+#   MD5
+smtpd_tls_exclude_ciphers =
+   aNULL
+   eNULL
+   EXPORT
+   DES
+   RC4
+   MD5
+   PSK
+   aECDH
+   EDH-DSS-DES-CBC3-SHA
+   EDH-RSA-DES-CDC3-SHA
+   KRB5-DE5, CBC3-SHA
+
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+

ANW-URB/openvpn/ccd/server-gw-ckubu/ANW-URB-VPN-gw-ckubu

@@ -0,0 +1,6 @@
+ifconfig-push 10.1.132.2 255.255.255.0
+push "route 192.168.132.0 255.255.255.0 10.1.132.1"
+push "route 192.168.133.0 255.255.255.0 10.1.132.1"
+push "route 172.16.132.0 255.255.255.0 10.1.132.1"
+iroute 192.168.63.0 255.255.255.0
+iroute 192.168.64.0 255.255.255.0

ANW-URB/openvpn/ccd/server-home/ANW-Urban-VPN-chris

@@ -0,0 +1,4 @@
+ifconfig-push 10.0.132.3 255.255.255.0
+push "route 172.16.132.0 255.255.255.0"
+#push "route 192.168.1.0 255.255.255.0"
+

ANW-URB/openvpn/ccd/server-home/ANW-Urban-VPN-undine

@@ -0,0 +1,2 @@
+ifconfig-push 10.0.132.4 255.255.255.0
+#push "route 192.168.1.0 255.255.255.0"

ANW-URB/openvpn/easy-rsa/1.0/build-ca

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
+        chmod 0600 ca.key
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-dh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+#
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+#
+
+if test $KEY_DIR; then
+    openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+    echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-inter

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+#
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+#
+
+if test $# -ne 1; then
+        echo "usage: build-inter <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-key

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+
+if test $# -ne 1; then
+        echo "usage: build-key <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+	chmod 0600 $1.key
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-key-pass

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+#
+# Similar to build-key, but protect the private key
+# with a password.
+#
+
+if test $# -ne 1; then
+        echo "usage: build-key-pass <name>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+	chmod 0600 $1.key
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-key-pkcs12

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+if test $# -ne 1; then
+        echo "usage: build-key-pkcs12 <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
+        openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
+	chmod 0600 $1.key $1.p12
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-key-server

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+#
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+if test $# -ne 1; then
+        echo "usage: build-key-server <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
+        chmod 0600 $1.key
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-req

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Build a certificate signing request and private key.  Use this
+# when your root certificate and key is not available locally.
+#
+
+if test $# -ne 1; then
+    echo "usage: build-req <name>";
+    exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+    cd $KEY_DIR && \
+    openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
+else
+    echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/build-req-pass

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Like build-req, but protect your private key
+# with a password.
+#
+
+if test $# -ne 1; then
+    echo "usage: build-req-pass <name>";
+    exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+    cd $KEY_DIR && \
+    openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
+else
+    echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/clean-all

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+#
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+#
+
+d=$KEY_DIR
+
+if test $d; then
+	rm -rf $d
+	mkdir $d && \
+	chmod go-rwx $d && \
+	touch $d/index.txt && \
+	echo 01 >$d/serial
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/list-crl

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# list revoked certificates
+#
+#
+
+if test $# -ne 1; then
+        echo "usage: list-crl <crlfile.pem>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR && \
+       openssl crl -text -noout -in $1
+else
+       echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/make-crl

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# generate a CRL
+#
+#
+
+if test $# -ne 1; then
+        echo "usage: make-crl <crlfile.pem>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR && \
+       openssl ca -gencrl -out $1 -config $KEY_CONFIG
+else
+       echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/openssl.cnf

@@ -0,0 +1,255 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

ANW-URB/openvpn/easy-rsa/1.0/revoke-crt

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# revoke a certificate
+#
+#
+
+if test $# -ne 1; then
+        echo "usage: revoke-crt <file.crt>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR && \
+       openssl ca -revoke $1 -config $KEY_CONFIG
+else
+       echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/revoke-full

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL=crl.pem
+RT=revoke-test.pem
+
+if test $# -ne 1; then
+        echo "usage: revoke-full <name>";
+        exit 1
+fi
+
+if test $KEY_DIR; then
+       cd $KEY_DIR
+       rm -f $RT
+
+       # revoke key and generate a new CRL
+       openssl ca -revoke $1.crt -config $KEY_CONFIG
+
+       # generate a new CRL
+       openssl ca -gencrl -out $CRL -config $KEY_CONFIG
+       cat ca.crt $CRL >$RT
+    
+       # verify the revocation
+       openssl verify -CAfile $RT -crl_check $1.crt
+else
+       echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/sign-req

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+#
+
+if test $# -ne 1; then
+        echo "usage: sign-req <name>";
+        exit 1
+fi                                                                             
+
+if test $KEY_DIR; then
+	cd $KEY_DIR && \
+	openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
+else
+	echo you must define KEY_DIR
+fi

ANW-URB/openvpn/easy-rsa/1.0/vars

@@ -0,0 +1,49 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export D=`pwd`
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=$D/openssl.cnf
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR=$D/keys
+
+# Issue rm -rf warning
+echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY=KG
+export KEY_PROVINCE=NA
+export KEY_CITY=BISHKEK
+export KEY_ORG="OpenVPN-TEST"
+export KEY_EMAIL="me@myhost.mydomain"

ANW-URB/openvpn/easy-rsa/2.0/Makefile

@@ -0,0 +1,13 @@
+
+DESTDIR=
+PREFIX=
+
+all:
+	echo "All done."
+	echo "Run make install DESTDIR=/usr/share/somewhere"
+
+install:
+	install -d "${DESTDIR}/${PREFIX}"
+	install -m 0755 build-* "${DESTDIR}/${PREFIX}"
+	install -m 0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"
+	install -m 0644 openssl-0.9.6.cnf openssl-0.9.8.cnf openssl-1.0.0.cnf README vars "${DESTDIR}/${PREFIX}"

ANW-URB/openvpn/easy-rsa/2.0/build-ca

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --initca $*

ANW-URB/openvpn/easy-rsa/2.0/build-dh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+
+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
+    $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/build-inter

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --inter $*

ANW-URB/openvpn/easy-rsa/2.0/build-key

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact $*

ANW-URB/openvpn/easy-rsa/2.0/build-key-pass

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Similar to build-key, but protect the private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pass $*

ANW-URB/openvpn/easy-rsa/2.0/build-key-pkcs12

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pkcs12 $*

ANW-URB/openvpn/easy-rsa/2.0/build-key-server

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --server $*

ANW-URB/openvpn/easy-rsa/2.0/build-req

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Build a certificate signing request and private key.  Use this
+# when your root certificate and key is not available locally.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr $*

ANW-URB/openvpn/easy-rsa/2.0/build-req-pass

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Like build-req, but protect your private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr --pass $*

ANW-URB/openvpn/easy-rsa/2.0/clean-all

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+
+if [ "$KEY_DIR" ]; then
+    rm -rf "$KEY_DIR"
+    mkdir "$KEY_DIR" && \
+	chmod go-rwx "$KEY_DIR" && \
+	touch "$KEY_DIR/index.txt" && \
+	echo 01 >"$KEY_DIR/serial"
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/inherit-inter

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Build a new PKI which is rooted on an intermediate certificate generated
+# by ./build-inter or ./pkitool --inter from a parent PKI.  The new PKI should
+# have independent vars settings, and must use a different KEY_DIR directory
+# from the parent.  This tool can be used to generate arbitrary depth
+# certificate chains.
+#
+# To build an intermediate CA, follow the same steps for a regular PKI but
+# replace ./build-key or ./pkitool --initca with this script.
+
+# The EXPORT_CA file will contain the CA certificate chain and should be
+# referenced by the OpenVPN "ca" directive in config files.  The ca.crt file
+# will only contain the local intermediate CA -- it's needed by the easy-rsa
+# scripts but not by OpenVPN directly.
+EXPORT_CA="export-ca.crt"
+
+if [ $# -ne 2 ]; then
+    echo "usage: $0 <parent-key-dir> <common-name>"
+    echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
+    echo "common-name: the common name of the intermediate certificate in the parent PKI"
+    exit 1;
+fi
+
+if [ "$KEY_DIR" ]; then
+    cp "$1/$2.crt" "$KEY_DIR/ca.crt"
+    cp "$1/$2.key" "$KEY_DIR/ca.key"
+
+    if [ -e "$1/$EXPORT_CA" ]; then
+	PARENT_CA="$1/$EXPORT_CA"
+    else
+	PARENT_CA="$1/ca.crt"
+    fi
+    cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
+    cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
+else
+    echo 'Please source the vars script first (i.e. "source ./vars")'
+    echo 'Make sure you have edited it to reflect your configuration.'
+fi

ANW-URB/openvpn/easy-rsa/2.0/keys/01.pem

@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
+        Validity
+            Not Before: May 12 03:02:28 2012 GMT
+            Not After : May 10 03:02:28 2022 GMT
+        Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix, CN=crl-test.site/emailAddress=no-mail@site
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:c5:ea:a1:09:d0:00:af:07:54:12:6c:96:83:dc:
+                    2a:6e:10:db:57:0c:a9:70:8e:cd:3a:d4:c7:cf:bc:
+                    f8:8e:88:85:9c:59:26:fe:94:93:78:a6:7e:48:41:
+                    ce:78:12:55:1c:18:60:93:66:ab:35:9b:10:60:67:
+                    48:6e:e5:ef:01:d6:2b:33:24:73:66:ba:50:5f:90:
+                    bc:05:95:1c:fd:9a:82:e4:41:81:bb:a8:45:c3:9a:
+                    09:a3:8b:7a:00:fe:00:9f:bd:cf:15:42:5b:53:38:
+                    0d:8d:b4:90:c9:26:f3:2b:aa:de:a4:e9:eb:1c:e4:
+                    ab:e7:a9:0a:85:e4:72:53:8d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                2E:44:CD:9A:53:C1:1D:BC:4C:4D:58:7F:52:62:AF:7B:AC:C9:FF:3A
+            X509v3 Authority Key Identifier: 
+                keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
+                DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
+                serial:8E:68:E2:9B:06:CB:D1:65
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha1WithRSAEncryption
+        27:8b:a6:82:17:72:9d:e5:31:b5:14:58:a1:40:93:15:50:47:
+        d6:73:ff:55:79:cb:bc:d6:e3:e5:d7:1b:5d:77:c8:ad:a4:1f:
+        f0:2a:a3:de:81:4f:58:87:b9:38:49:42:69:53:51:87:79:ba:
+        23:48:51:5d:b1:19:88:a0:6c:a2:1c:79:c3:7f:02:62:61:56:
+        3e:1f:73:ec:e6:d1:33:22:ed:3d:60:3a:35:a4:8c:07:88:cc:
+        25:b2:d8:2c:ac:db:47:a4:a6:72:30:e3:09:0c:0f:6d:bd:e7:
+        bf:b7:77:af:89:8e:89:cb:7e:23:6b:9d:42:7e:b3:22:d9:aa:
+        e0:67
+-----BEGIN CERTIFICATE-----
+MIIEITCCA4qgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
+CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
+biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
+amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
+ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDIyOFoXDTIyMDUxMDAzMDIyOFow
+fTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8x
+GDAWBgNVBAoTD0RlYmlhbiBGb3IgQWxpeDEWMBQGA1UEAxMNY3JsLXRlc3Quc2l0
+ZTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs061MfPvPiOiIWcWSb+
+lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBfkLwFlRz9moLkQYG7
+qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5KvnqQqF5HJTjQIDAQAB
+o4IBfjCCAXowCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4
+QgENBCcWJUVhc3ktUlNBIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFC5EzZpTwR28TE1Yf1Jir3usyf86MIHiBgNVHSMEgdowgdeAFIyl21Mh
+vV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQswCQYDVQQGEwJCUjELMAkGA1UECBMC
+U1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UEChMhRGViaWFuIEZvciBBbGl4
+IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5MaW51eCBQcm9qZWN0czEbMBkG
+A1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJKoZIhvcNAQkBFgxuby1tYWls
+QHNpdGWCCQCOaOKbBsvRZTATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMC
+BaAwDQYJKoZIhvcNAQEFBQADgYEAJ4umghdyneUxtRRYoUCTFVBH1nP/VXnLvNbj
+5dcbXXfIraQf8Cqj3oFPWIe5OElCaVNRh3m6I0hRXbEZiKBsohx5w38CYmFWPh9z
+7ObRMyLtPWA6NaSMB4jMJbLYLKzbR6SmcjDjCQwPbb3nv7d3r4mOict+I2udQn6z
+Itmq4Gc=
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/02.pem

@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
+        Validity
+            Not Before: May 12 03:03:25 2012 GMT
+            Not After : May 10 03:03:25 2022 GMT
+        Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=alix.site/emailAddress=no-mail@site
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:cb:96:17:e9:b2:ad:89:cb:26:60:63:28:d2:77:
+                    6c:95:31:bd:79:96:b9:08:63:ec:44:07:c9:e5:b3:
+                    ba:31:8c:1e:4d:a1:ff:81:8d:fd:7e:e2:68:63:18:
+                    93:be:99:15:70:b1:5b:20:fe:0f:ab:19:21:2e:57:
+                    16:55:21:3e:f5:2c:98:3d:ac:d6:0b:3f:34:ee:8f:
+                    59:a2:f2:4a:94:ed:96:c2:41:93:e3:9d:ed:d0:fa:
+                    64:f4:d7:24:3c:03:98:bc:95:be:2c:3f:42:89:3f:
+                    b9:e5:1a:95:3c:2d:67:0a:84:60:17:7d:21:5f:a8:
+                    43:99:65:3f:b3:d8:06:1d:43
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                E0:51:7A:02:09:11:E6:2F:5F:47:D9:2E:36:9D:9D:AF:7F:16:5F:74
+            X509v3 Authority Key Identifier: 
+                keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
+                DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
+                serial:8E:68:E2:9B:06:CB:D1:65
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha1WithRSAEncryption
+        6b:b8:50:42:30:27:87:e9:1e:0c:8d:c5:c0:fc:71:f4:70:41:
+        ee:45:09:ac:d2:2c:54:c7:d6:10:66:09:43:cd:8f:8e:75:9a:
+        61:b7:7b:45:10:fa:f4:15:73:6a:ca:01:0b:33:fc:a1:06:30:
+        c0:ff:10:5b:9d:5d:c1:2c:8d:a5:5f:f0:c2:ef:1c:49:e2:1f:
+        02:f3:fa:3b:cd:19:c3:a6:37:0b:0c:cb:af:b0:f8:24:8e:f9:
+        4d:36:82:89:2c:b8:84:a8:5d:5c:fb:f0:64:bd:04:f2:67:a2:
+        3c:d9:59:a0:81:f4:ad:f5:9d:ad:d5:14:48:e2:48:99:ed:41:
+        5e:31
+-----BEGIN CERTIFICATE-----
+MIIESTCCA7KgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
+CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
+biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
+amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
+ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDMyNVoXDTIyMDUxMDAzMDMyNVow
+gaQxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UEBxMJU2FvIFBhdWxv
+MSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBDSEFOR0UgSVQxFzAV
+BgNVBAsTDkxpbnV4IFByb2plY3RzMRIwEAYDVQQDEwlhbGl4LnNpdGUxGzAZBgkq
+hkiG9w0BCQEWDG5vLW1haWxAc2l0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAy5YX6bKticsmYGMo0ndslTG9eZa5CGPsRAfJ5bO6MYweTaH/gY39fuJoYxiT
+vpkVcLFbIP4PqxkhLlcWVSE+9SyYPazWCz807o9ZovJKlO2WwkGT453t0Ppk9Nck
+PAOYvJW+LD9CiT+55RqVPC1nCoRgF30hX6hDmWU/s9gGHUMCAwEAAaOCAX4wggF6
+MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVF
+YXN5LVJTQSBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBTg
+UXoCCRHmL19H2S42nZ2vfxZfdDCB4gYDVR0jBIHaMIHXgBSMpdtTIb1fYeFW7Xqb
+pQK9LiOqpqGBs6SBsDCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYD
+VQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxpeCAtIERVTU1Z
+IENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZBgNVBAMTEkRl
+YmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlggkA
+jmjimwbL0WUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMA0GCSqG
+SIb3DQEBBQUAA4GBAGu4UEIwJ4fpHgyNxcD8cfRwQe5FCazSLFTH1hBmCUPNj451
+mmG3e0UQ+vQVc2rKAQsz/KEGMMD/EFudXcEsjaVf8MLvHEniHwLz+jvNGcOmNwsM
+y6+w+CSO+U02goksuISoXVz78GS9BPJnojzZWaCB9K31na3VFEjiSJntQV4x
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/03.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
+        Validity
+            Not Before: May 12 03:06:31 2012 GMT
+            Not After : May 10 03:06:31 2022 GMT
+        Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=vpn01.site/emailAddress=no-mail@site
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a0:47:e1:23:fa:32:a3:cc:ee:e4:03:96:4c:84:
+                    c2:1e:05:2a:a8:b1:02:0c:b4:26:c5:54:ec:a0:85:
+                    3b:a2:a2:51:b8:85:9a:af:8e:50:fc:99:0a:5a:87:
+                    bf:02:f6:89:bd:04:44:fc:39:db:97:94:62:e8:e1:
+                    2f:c5:f9:dc:ce:2a:c0:63:b7:be:6c:41:7d:87:01:
+                    dd:f2:8b:b2:99:f6:a8:af:4e:11:0d:7b:e2:6e:82:
+                    ec:10:78:21:3c:09:85:c3:ab:b1:6d:14:74:c8:0a:
+                    8f:ec:80:80:b8:f6:a1:ef:dc:ba:7a:08:2b:c2:f5:
+                    77:af:93:d5:8d:1d:98:f2:85
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                91:38:28:A9:09:46:53:9E:E7:BC:29:77:F7:3B:25:92:08:6A:49:56
+            X509v3 Authority Key Identifier: 
+                keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
+                DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
+                serial:8E:68:E2:9B:06:CB:D1:65
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+        72:65:d4:0d:49:25:77:e2:c1:6d:10:eb:21:6a:d8:33:e7:01:
+        b6:e5:25:dd:46:73:3f:65:91:16:46:dd:db:88:ed:97:2b:02:
+        6f:0e:f3:be:23:e0:38:80:93:5b:6c:85:e8:32:cc:2a:fc:d3:
+        23:c6:c1:66:52:d9:cf:d1:ab:7d:85:19:7a:a9:02:3a:f8:af:
+        74:97:bf:8d:73:92:b8:d4:18:48:b8:2a:a6:c1:5e:e2:6e:cc:
+        ea:91:ba:91:7c:39:21:4e:46:76:c8:4e:3f:98:a7:fc:f2:31:
+        e4:27:fa:c2:34:d5:7c:8a:94:63:c1:bb:b4:eb:7c:ce:21:00:
+        d5:72
+-----BEGIN CERTIFICATE-----
+MIIEMDCCA5mgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
+CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
+biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
+amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
+ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDYzMVoXDTIyMDUxMDAzMDYzMVow
+gaUxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UEBxMJU2FvIFBhdWxv
+MSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBDSEFOR0UgSVQxFzAV
+BgNVBAsTDkxpbnV4IFByb2plY3RzMRMwEQYDVQQDEwp2cG4wMS5zaXRlMRswGQYJ
+KoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKBH4SP6MqPM7uQDlkyEwh4FKqixAgy0JsVU7KCFO6KiUbiFmq+OUPyZClqH
+vwL2ib0ERPw525eUYujhL8X53M4qwGO3vmxBfYcB3fKLspn2qK9OEQ174m6C7BB4
+ITwJhcOrsW0UdMgKj+yAgLj2oe/cunoIK8L1d6+T1Y0dmPKFAgMBAAGjggFkMIIB
+YDAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFJE4KKkJRlOe57wpd/c7JZIIaklWMIHiBgNV
+HSMEgdowgdeAFIyl21MhvV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQswCQYDVQQG
+EwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UEChMh
+RGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5MaW51
+eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJKoZI
+hvcNAQkBFgxuby1tYWlsQHNpdGWCCQCOaOKbBsvRZTATBgNVHSUEDDAKBggrBgEF
+BQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQEFBQADgYEAcmXUDUkld+LBbRDr
+IWrYM+cBtuUl3UZzP2WRFkbd24jtlysCbw7zviPgOICTW2yF6DLMKvzTI8bBZlLZ
+z9GrfYUZeqkCOvivdJe/jXOSuNQYSLgqpsFe4m7M6pG6kXw5IU5GdshOP5in/PIx
+5Cf6wjTVfIqUY8G7tOt8ziEA1XI=
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/alix.site.crt

@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
+        Validity
+            Not Before: May 12 03:03:25 2012 GMT
+            Not After : May 10 03:03:25 2022 GMT
+        Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=alix.site/emailAddress=no-mail@site
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:cb:96:17:e9:b2:ad:89:cb:26:60:63:28:d2:77:
+                    6c:95:31:bd:79:96:b9:08:63:ec:44:07:c9:e5:b3:
+                    ba:31:8c:1e:4d:a1:ff:81:8d:fd:7e:e2:68:63:18:
+                    93:be:99:15:70:b1:5b:20:fe:0f:ab:19:21:2e:57:
+                    16:55:21:3e:f5:2c:98:3d:ac:d6:0b:3f:34:ee:8f:
+                    59:a2:f2:4a:94:ed:96:c2:41:93:e3:9d:ed:d0:fa:
+                    64:f4:d7:24:3c:03:98:bc:95:be:2c:3f:42:89:3f:
+                    b9:e5:1a:95:3c:2d:67:0a:84:60:17:7d:21:5f:a8:
+                    43:99:65:3f:b3:d8:06:1d:43
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                E0:51:7A:02:09:11:E6:2F:5F:47:D9:2E:36:9D:9D:AF:7F:16:5F:74
+            X509v3 Authority Key Identifier: 
+                keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
+                DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
+                serial:8E:68:E2:9B:06:CB:D1:65
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha1WithRSAEncryption
+        6b:b8:50:42:30:27:87:e9:1e:0c:8d:c5:c0:fc:71:f4:70:41:
+        ee:45:09:ac:d2:2c:54:c7:d6:10:66:09:43:cd:8f:8e:75:9a:
+        61:b7:7b:45:10:fa:f4:15:73:6a:ca:01:0b:33:fc:a1:06:30:
+        c0:ff:10:5b:9d:5d:c1:2c:8d:a5:5f:f0:c2:ef:1c:49:e2:1f:
+        02:f3:fa:3b:cd:19:c3:a6:37:0b:0c:cb:af:b0:f8:24:8e:f9:
+        4d:36:82:89:2c:b8:84:a8:5d:5c:fb:f0:64:bd:04:f2:67:a2:
+        3c:d9:59:a0:81:f4:ad:f5:9d:ad:d5:14:48:e2:48:99:ed:41:
+        5e:31
+-----BEGIN CERTIFICATE-----
+MIIESTCCA7KgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
+CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
+biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
+amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
+ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDMyNVoXDTIyMDUxMDAzMDMyNVow
+gaQxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UEBxMJU2FvIFBhdWxv
+MSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBDSEFOR0UgSVQxFzAV
+BgNVBAsTDkxpbnV4IFByb2plY3RzMRIwEAYDVQQDEwlhbGl4LnNpdGUxGzAZBgkq
+hkiG9w0BCQEWDG5vLW1haWxAc2l0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAy5YX6bKticsmYGMo0ndslTG9eZa5CGPsRAfJ5bO6MYweTaH/gY39fuJoYxiT
+vpkVcLFbIP4PqxkhLlcWVSE+9SyYPazWCz807o9ZovJKlO2WwkGT453t0Ppk9Nck
+PAOYvJW+LD9CiT+55RqVPC1nCoRgF30hX6hDmWU/s9gGHUMCAwEAAaOCAX4wggF6
+MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVF
+YXN5LVJTQSBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBTg
+UXoCCRHmL19H2S42nZ2vfxZfdDCB4gYDVR0jBIHaMIHXgBSMpdtTIb1fYeFW7Xqb
+pQK9LiOqpqGBs6SBsDCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYD
+VQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxpeCAtIERVTU1Z
+IENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZBgNVBAMTEkRl
+YmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlggkA
+jmjimwbL0WUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMA0GCSqG
+SIb3DQEBBQUAA4GBAGu4UEIwJ4fpHgyNxcD8cfRwQe5FCazSLFTH1hBmCUPNj451
+mmG3e0UQ+vQVc2rKAQsz/KEGMMD/EFudXcEsjaVf8MLvHEniHwLz+jvNGcOmNwsM
+y6+w+CSO+U02goksuISoXVz78GS9BPJnojzZWaCB9K31na3VFEjiSJntQV4x
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/alix.site.csr

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB5TCCAU4CAQAwgaQxCzAJBgNVBAYTAkJSMQswCQYDVQQIEwJTUDESMBAGA1UE
+BxMJU2FvIFBhdWxvMSowKAYDVQQKEyFEZWJpYW4gRm9yIEFsaXggLSBEVU1NWSBD
+SEFOR0UgSVQxFzAVBgNVBAsTDkxpbnV4IFByb2plY3RzMRIwEAYDVQQDEwlhbGl4
+LnNpdGUxGzAZBgkqhkiG9w0BCQEWDG5vLW1haWxAc2l0ZTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAy5YX6bKticsmYGMo0ndslTG9eZa5CGPsRAfJ5bO6MYwe
+TaH/gY39fuJoYxiTvpkVcLFbIP4PqxkhLlcWVSE+9SyYPazWCz807o9ZovJKlO2W
+wkGT453t0Ppk9NckPAOYvJW+LD9CiT+55RqVPC1nCoRgF30hX6hDmWU/s9gGHUMC
+AwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBACEP5T3w6bdqyF0aHZD3Tye0b02bL1S/
+x6phHacFHYA0SwDPU/Wd6jXmqWvgG0Iz6mtoKTcfYdPaWvqagykRB0PHIkKlf1he
+Y+hHJfnOzvUroUglF6a3tc6LDLU9GwBZ8u/H1Ox9U+vhstTkVB72735Q8L0FWAVa
+iE3D7xZX5Rjf
+-----END CERTIFICATE REQUEST-----

ANW-URB/openvpn/easy-rsa/2.0/keys/alix.site.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDLlhfpsq2JyyZgYyjSd2yVMb15lrkIY+xEB8nls7oxjB5Nof+B
+jf1+4mhjGJO+mRVwsVsg/g+rGSEuVxZVIT71LJg9rNYLPzTuj1mi8kqU7ZbCQZPj
+ne3Q+mT01yQ8A5i8lb4sP0KJP7nlGpU8LWcKhGAXfSFfqEOZZT+z2AYdQwIDAQAB
+AoGAFZ4fdepKMRqIPa3p1MdnmUQJ2ZJenXx2xxaIosJ93+sAAMBV8DzSkRmbegJP
+FesNcsTyZ0NzCHkHo/MNZQa9t3xSb3I5ZTg6CMe/QiXu09U56dIACNT9GhrfPpIZ
+ovllZtTPQwR4rcQnwTXxWTn6NCjiDFs/VvwaGAkU0rO3VlkCQQD5pGsMwKj9HPI7
+SM4tN6saNvLyPzE1rooF03zIpD4SwtwAsuHWT8LNiI4Th4f61q0uhn2G3bpjiriX
+f4wB4TxNAkEA0MVn/h3dghfy2GxvMbTbn7wbPcCGhQRXU5NwbdgOmqFDfpBa7+TS
+/xqqb0APFgBgKi0iuYpN/mH7gSpeCmFHzwJAXufd9qwr0oY1pMop79DREJdBR000
+1Ra0zEA5mUGvg4xm/TEEYGhUQ7UdZllJHdiNYDmq8SHMYVl0kcvgmzpYpQJAQqxo
+080x6tQ/KEMpF9TMtyzZ/lS4IU8LnJNfupTfxR5vccIkaKzJfdNETxdEOiCQlaeo
+iVzUH8OnEM85DVOYHQJBAOBvhg5bY9IjhZWEcdq/uY1XDTbaxNydeDLUO7imoQVd
+/rbaY+krV26ewmE6LUS2n6tIrGQG4FRlQtEp7I36htQ=
+-----END RSA PRIVATE KEY-----

ANW-URB/openvpn/easy-rsa/2.0/keys/ca.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID8jCCA1ugAwIBAgIJAI5o4psGy9FlMA0GCSqGSIb3DQEBBQUAMIGtMQswCQYD
+VQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UE
+ChMhRGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5M
+aW51eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJ
+KoZIhvcNAQkBFgxuby1tYWlsQHNpdGUwHhcNMTIwNTEyMDMwMTUzWhcNMjIwNTEw
+MDMwMTUzWjCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlT
+YW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxpeCAtIERVTU1ZIENIQU5H
+RSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZBgNVBAMTEkRlYmlhbiBG
+b3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQCvPgsgF+v7xSfdH/EJVoRdvGHfj+xwHarRNHfy
+rCmhOwZYqNTFrGV+PgZqLu1KVFUxEiV4/qjDosmQnKMfSOo07QY07JpQkyPmezyA
+4kjZcSlQZ7YrdNI/jtSWZwehm1pkGftWQUx1SOFUhYVOm6DM76SoaSJRXkbqlfAt
+YRmN0wIDAQABo4IBFjCCARIwHQYDVR0OBBYEFIyl21MhvV9h4VbtepulAr0uI6qm
+MIHiBgNVHSMEgdowgdeAFIyl21MhvV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQsw
+CQYDVQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgG
+A1UEChMhRGViaWFuIEZvciBBbGl4IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQL
+Ew5MaW51eCBQcm9qZWN0czEbMBkGA1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRsw
+GQYJKoZIhvcNAQkBFgxuby1tYWlsQHNpdGWCCQCOaOKbBsvRZTAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBABVmoMWdupXUB2J5p3LI18icmItRPyPH5uBc
+8C2/7AuvOvsRjjjAOtiThBLshCa2YQ2kxlT/uQKVAHrJojzDjozF/NB4rjr74aqj
+GGrWIL8ATWUjNKQFJv32h16t+eUrmWJJUlS4L0oq+v/C96l2QMG8M5Z3nxuctWwO
+ObQ1wsVu
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/ca.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQCvPgsgF+v7xSfdH/EJVoRdvGHfj+xwHarRNHfyrCmhOwZYqNTF
+rGV+PgZqLu1KVFUxEiV4/qjDosmQnKMfSOo07QY07JpQkyPmezyA4kjZcSlQZ7Yr
+dNI/jtSWZwehm1pkGftWQUx1SOFUhYVOm6DM76SoaSJRXkbqlfAtYRmN0wIDAQAB
+AoGBAIUrpfK2mxtSAPA2VMqe16oP/WSSD8BHm0auE7TzhhNDMphvfHnXf61G30MT
+9Dk3CyJmQtnG1GMPMxPVJNUiaO+aUVfOV1o38S9y9eSd34IX86MvzCsdwAkK120M
+/Mndf6G2TSLLTh351SBAKx1F3bAB5gohIIKMRUiWNd7edJxBAkEA5sfMVSt3isyK
+X3pToki/H+d0Ht3HZAQzjpCzy4lFymfMiywMlU/ujsTR0KpXXEtJAvC1S22hBGmX
+s/YPMGmLswJBAMJkic85d/Eld2xIsGZMvn/2hjQiJMd+akdvSO6p6Fq4IX8zFdXS
+yob1zyaaI8r9YZcBIBJjipeEgY29yVAKZWECQGhNnPhRcPH2iAOnEe2i217cCQt6
+SQfXLkYc+GXhYP2d9EBiZD2HptY39mxM0LcR/6moiQfSQJfx8XKQn0TOLykCQQCF
+3xEc2bnlI2U7+E8rFFz46QCBNKZZkJCGg3gZjH9MwpOm8rpt183L5cp0DiDqMVcc
+1BSPNWgDcqh5waK68X3hAkEAnnYmuNkKLTs25Zc2gRR/7OXgGc3sRdBnHiTT/dPr
+nGQ7npSSA01XZKJFSRFSgEFoBBiP3k5GcuS9Srr9gfHSJQ==
+-----END RSA PRIVATE KEY-----

ANW-URB/openvpn/easy-rsa/2.0/keys/crl-test.site.crt

@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix - DUMMY CHANGE IT, OU=Linux Projects, CN=Debian For Alix CA/emailAddress=no-mail@site
+        Validity
+            Not Before: May 12 03:02:28 2012 GMT
+            Not After : May 10 03:02:28 2022 GMT
+        Subject: C=BR, ST=SP, L=Sao Paulo, O=Debian For Alix, CN=crl-test.site/emailAddress=no-mail@site
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:c5:ea:a1:09:d0:00:af:07:54:12:6c:96:83:dc:
+                    2a:6e:10:db:57:0c:a9:70:8e:cd:3a:d4:c7:cf:bc:
+                    f8:8e:88:85:9c:59:26:fe:94:93:78:a6:7e:48:41:
+                    ce:78:12:55:1c:18:60:93:66:ab:35:9b:10:60:67:
+                    48:6e:e5:ef:01:d6:2b:33:24:73:66:ba:50:5f:90:
+                    bc:05:95:1c:fd:9a:82:e4:41:81:bb:a8:45:c3:9a:
+                    09:a3:8b:7a:00:fe:00:9f:bd:cf:15:42:5b:53:38:
+                    0d:8d:b4:90:c9:26:f3:2b:aa:de:a4:e9:eb:1c:e4:
+                    ab:e7:a9:0a:85:e4:72:53:8d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                2E:44:CD:9A:53:C1:1D:BC:4C:4D:58:7F:52:62:AF:7B:AC:C9:FF:3A
+            X509v3 Authority Key Identifier: 
+                keyid:8C:A5:DB:53:21:BD:5F:61:E1:56:ED:7A:9B:A5:02:BD:2E:23:AA:A6
+                DirName:/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=Debian For Alix CA/emailAddress=no-mail@site
+                serial:8E:68:E2:9B:06:CB:D1:65
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha1WithRSAEncryption
+        27:8b:a6:82:17:72:9d:e5:31:b5:14:58:a1:40:93:15:50:47:
+        d6:73:ff:55:79:cb:bc:d6:e3:e5:d7:1b:5d:77:c8:ad:a4:1f:
+        f0:2a:a3:de:81:4f:58:87:b9:38:49:42:69:53:51:87:79:ba:
+        23:48:51:5d:b1:19:88:a0:6c:a2:1c:79:c3:7f:02:62:61:56:
+        3e:1f:73:ec:e6:d1:33:22:ed:3d:60:3a:35:a4:8c:07:88:cc:
+        25:b2:d8:2c:ac:db:47:a4:a6:72:30:e3:09:0c:0f:6d:bd:e7:
+        bf:b7:77:af:89:8e:89:cb:7e:23:6b:9d:42:7e:b3:22:d9:aa:
+        e0:67
+-----BEGIN CERTIFICATE-----
+MIIEITCCA4qgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMCQlIx
+CzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlh
+biBGb3IgQWxpeCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJv
+amVjdHMxGzAZBgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJ
+ARYMbm8tbWFpbEBzaXRlMB4XDTEyMDUxMjAzMDIyOFoXDTIyMDUxMDAzMDIyOFow
+fTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8x
+GDAWBgNVBAoTD0RlYmlhbiBGb3IgQWxpeDEWMBQGA1UEAxMNY3JsLXRlc3Quc2l0
+ZTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs061MfPvPiOiIWcWSb+
+lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBfkLwFlRz9moLkQYG7
+qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5KvnqQqF5HJTjQIDAQAB
+o4IBfjCCAXowCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4
+QgENBCcWJUVhc3ktUlNBIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFC5EzZpTwR28TE1Yf1Jir3usyf86MIHiBgNVHSMEgdowgdeAFIyl21Mh
+vV9h4VbtepulAr0uI6qmoYGzpIGwMIGtMQswCQYDVQQGEwJCUjELMAkGA1UECBMC
+U1AxEjAQBgNVBAcTCVNhbyBQYXVsbzEqMCgGA1UEChMhRGViaWFuIEZvciBBbGl4
+IC0gRFVNTVkgQ0hBTkdFIElUMRcwFQYDVQQLEw5MaW51eCBQcm9qZWN0czEbMBkG
+A1UEAxMSRGViaWFuIEZvciBBbGl4IENBMRswGQYJKoZIhvcNAQkBFgxuby1tYWls
+QHNpdGWCCQCOaOKbBsvRZTATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMC
+BaAwDQYJKoZIhvcNAQEFBQADgYEAJ4umghdyneUxtRRYoUCTFVBH1nP/VXnLvNbj
+5dcbXXfIraQf8Cqj3oFPWIe5OElCaVNRh3m6I0hRXbEZiKBsohx5w38CYmFWPh9z
+7ObRMyLtPWA6NaSMB4jMJbLYLKzbR6SmcjDjCQwPbb3nv7d3r4mOict+I2udQn6z
+Itmq4Gc=
+-----END CERTIFICATE-----

ANW-URB/openvpn/easy-rsa/2.0/keys/crl-test.site.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBvTCCASYCAQAwfTELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQH
+EwlTYW8gUGF1bG8xGDAWBgNVBAoTD0RlYmlhbiBGb3IgQWxpeDEWMBQGA1UEAxMN
+Y3JsLXRlc3Quc2l0ZTEbMBkGCSqGSIb3DQEJARYMbm8tbWFpbEBzaXRlMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs06
+1MfPvPiOiIWcWSb+lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBf
+kLwFlRz9moLkQYG7qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5Kvn
+qQqF5HJTjQIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAsuPOQdbzTcvMTrZPpn9r
+Aqpi+vcLt1g1B5NF4qlw1MhJ2bavIimsQYhT/PM+i8722QJL+K7VJr0Y9VgRI2Rg
+qPUquHVsXkZQN3d0+q/YRK6W0WFJEJaF85gDzIlyNBNKuBJq9ADafRugDrz2xcM7
+cy0OZCunFhH3MdCqXdRqLrw=
+-----END CERTIFICATE REQUEST-----

ANW-URB/openvpn/easy-rsa/2.0/keys/crl-test.site.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDF6qEJ0ACvB1QSbJaD3CpuENtXDKlwjs061MfPvPiOiIWcWSb+
+lJN4pn5IQc54ElUcGGCTZqs1mxBgZ0hu5e8B1iszJHNmulBfkLwFlRz9moLkQYG7
+qEXDmgmji3oA/gCfvc8VQltTOA2NtJDJJvMrqt6k6esc5KvnqQqF5HJTjQIDAQAB
+AoGAZo88XiJciFbK2TVOFgx8LEct8oEMONi3PxpOZLcvMmVKn4ePbnM9rFLSs8zu
+GkidtA5p1VhptkChjuNWpKkgXbDBTRYbrUOnXrUgToW10C4E5ftztbcRQ847OE1G
+eMjznSd9SiLElV3REyY6BzTYciRo987MoBrtqi02EPDYbv0CQQDraopLMDQml1Kl
+1cluGuTJ8ZNxDKWkDfr5BvEMpn5v1W82k1dWLkJDMYIuKu76OfevxAibLpNL3Q06
+wLb8c4nTAkEA1zi2PaBAiPgDXPUl3LnDNrr4kjXc8KJZpmCf/kgKVc+pYppDsUiG
+wC4mWcVuerrankeLFbkOPW0GBjsrDVfxHwJAJDkMdm1AWP/Hs8Slbc+tjHUjXq23
+fvq3t0GeLXgg1ExfBGK/eX88quIfScNJai8pMV5UhKwx9eZZdsTYYxfUCQJAMvog
+2Fnzzz2HdmYukKiDX5xLsj4F1g1uVKVAYDdqE0c7pLpLXFuEZ1LHDK5h67oEfEcP
+35ZUlCIVsjYjjWaOGwJBAJC0swnzK5wdMDzzF+oqOnGs2EzptfuUQ9JlabffbL4Y
+9mbuCu12IDMLDmY73Dnk1BWzi8TyfTD2fEDU8seNl28=
+-----END RSA PRIVATE KEY-----

ANW-URB/openvpn/easy-rsa/2.0/keys/crl.pem

@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBiTCB8zANBgkqhkiG9w0BAQQFADCBrTELMAkGA1UEBhMCQlIxCzAJBgNVBAgT
+AlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xKjAoBgNVBAoTIURlYmlhbiBGb3IgQWxp
+eCAtIERVTU1ZIENIQU5HRSBJVDEXMBUGA1UECxMOTGludXggUHJvamVjdHMxGzAZ
+BgNVBAMTEkRlYmlhbiBGb3IgQWxpeCBDQTEbMBkGCSqGSIb3DQEJARYMbm8tbWFp
+bEBzaXRlFw0xMjA1MTIwMzAyMzhaFw0xMjA2MTEwMzAyMzhaMBQwEgIBARcNMTIw
+NTEyMDMwMjM4WjANBgkqhkiG9w0BAQQFAAOBgQAJRVAq3T2gjUsKSjg5dLuy3pGl
+jVguEybZuOJn80LX1a9Jha367CZVuuww6GX2EUBiFKxXS4BHsV56q2XJaUlWaCXb
+4pjHWNm5i/JW7VwtG1fConY2BRaJrVCXu8wazx6vzbxYNuyMwtaoUvvPaGlQxen5
+TMe+Qpp6nw8ppaHAPg==
+-----END X509 CRL-----

ANW-URB/openvpn/easy-rsa/2.0/keys/dh1024.pem

@@ -0,0 +1,5 @@
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAKPTQ3STxQjGe+kIuQrOhyIXruP3ttLox+Zlieb9wRoblR8PNGyyUv7t
+4X/7Bk+vzrwkqUYwUX91Hm5GMBDqhuchk0iY9r+y7XucD69yct3ivF6oKqqNjQyN
+I2mpbMWKZTbSrfKKcd5NTOVDQUxpIIVRJhp2nfNW24jvHI4hIgjjAgEC
+-----END DH PARAMETERS-----

ANW-URB/openvpn/easy-rsa/2.0/keys/index.txt

@@ -0,0 +1,3 @@
+R	220510030228Z	120512030238Z	01	unknown	/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix/CN=crl-test.site/emailAddress=no-mail@site
+V	220510030325Z		02	unknown	/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=alix.site/emailAddress=no-mail@site
+V	220510030631Z		03	unknown	/C=BR/ST=SP/L=Sao Paulo/O=Debian For Alix - DUMMY CHANGE IT/OU=Linux Projects/CN=vpn01.site/emailAddress=no-mail@site

ANW-URB/openvpn/easy-rsa/2.0/keys/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes