Initial commit

B3-Bornim/README.txt

@@ -0,0 +1,25 @@
+
+Notice:
+   You have to change some configuration files becaus the because
+   the configuration of network interfaces must not be equal.
+
+   !! Take care, to use the right device names !!
+   Maybe they are called i.e. 'enp0sXX', but you can rename it.
+   See also : README.rename.netdevices
+
+   For the backup gateway host:
+      eth1 --> LAN
+      eth2 --> WAN or ppp0 (DSL device)
+
+      eth0 --> WLAN or second LAN or what ever
+      or
+      br0  --> WLAN or second LAN or what ever
+
+
+   So you have to change the following files
+      dsl-provider.B3-Bornim: ppp0 comes over eth2
+      interfaces.B3-Bornim: see above
+      default_isc-dhcp-server.B3-Bornim
+      ipt-firewall.B3-Bornim: LAN device (mostly ) = eth1
+                                second LAN WLAN or what ever (if present) = eth0
+         

B3-Bornim/bin/clean_log_files.sh

@@ -0,0 +1 @@
+admin-stuff/clean_log_files.sh

B3-Bornim/bind/bind.keys

@@ -0,0 +1,69 @@
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9.  As of the current release, the only
+# trust anchors it contains are those for the DNS root zone ("."), and for
+# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
+# for any other zones MUST be configured elsewhere; if they are configured
+# here, they will not be recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in root key, set "dnssec-validation auto;" in
+# named.conf options.  To use the built-in DLV key, set
+# "dnssec-lookaside auto;".  Without these options being set,
+# the keys in this file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of Feburary 2017.  If any key fails to
+# initialize correctly, it may have expired.  In that event you should
+# replace this file with a current version.  The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
+managed-keys {
+        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
+        #
+        # NOTE: The ISC DLV zone is being phased out as of February 2017;
+        # the key will remain in place but the zone will be otherwise empty.
+        # Configuring "dnssec-lookaside auto;" to activate this key is
+        # harmless, but is no longer useful and is not recommended.
+        dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+                TDN0YUuWrBNh";
+
+        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+        # for current trust anchor information.
+        #
+        # These keys are activated by setting "dnssec-validation auto;"
+        # in named.conf.
+        #
+        # This key (19036) is to be phased out starting in 2017. It will
+        # remain in the root zone for some time after its successor key
+        # has been added. It will remain this file until it is removed from
+        # the root zone.
+        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+                QxA+Uk1ihz0=";
+
+        # This key (20326) is to be published in the root zone in 2017.
+        # Servers which were already using the old key (19036) should
+        # roll seamlessly to this new one via RFC 5011 rollover. Servers
+        # being set up for the first time can use the contents of this
+        # file as initializing keys; thereafter, the keys in the
+        # managed key database will be trusted and maintained
+        # automatically.
+        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+                R1AkUTV74bU=";
+};

B3-Bornim/bind/db.0

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

B3-Bornim/bind/db.127

@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+1.0.0	IN	PTR	localhost.

B3-Bornim/bind/db.192.168.42.0

@@ -0,0 +1,55 @@
+;
+; BIND reverse data file for local local.netz zone
+;
+$TTL  43600
+@  IN SOA   ns.b3-bornim.netz. ckubu.oopen.de. (
+      2017032501     ; Serial
+          604800     ; Refresh
+           86400     ; Retry
+         2419200     ; Expire
+          604800 )   ; Negative Cache TTL
+;
+
+@            IN NS     ns.b3-bornim.netz.
+
+
+; - Gateway/Firewall
+254         IN PTR    gw-b3.b3-bornim.netz.
+
+
+; - (Caching ) Nameserver
+1           IN PTR    ns.b3-bornim.netz.
+
+
+; - Fileserver
+10          IN PTR    bbb-server.b3-bornim.netz.
+
+; - Alter Fileserver
+20          IN PTR   bbb-server-alt.b3-bornim.netz.
+
+
+; - Accesspoint  - FRITZ!Box
+60          IN PTR    fritzbox.b3-bornim.netz.
+
+
+; - Drucker
+56          IN PTR    hp-8610.b3-bornim.netz.
+58          IN PTR    hp-8610-wlan.b3-bornim.netz.
+
+
+; - PC's
+
+; - gerd Zimmer A ( dose 2 )
+110         IN PTR    rme.b3-bornim.netz.
+
+
+; - susi Zwischenraum ( linux + dose 3? )
+112        IN PTR     prakti-desktop.b3-bornim.netz.
+113        IN PTR     susi-desktop.b3-bornim.netz.
+114        IN PTR     ingo-laptop.b3-bornim.netz.
+119        IN PTR     mp-laptop.b3-bornim.netz.
+
+43         IN PTR     ingo-laptop-wlan.b3-bornim.netz.
+49         IN PTR     mp-laptop-wlan.b3-bornim.netz.
+
+

B3-Bornim/bind/db.255

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

B3-Bornim/bind/db.b3-bornim.netz

@@ -0,0 +1,78 @@
+;
+; BIND data file for local b3-bornim.netz zone
+;
+$TTL  43600
+@  IN SOA   ns.b3-bornim.netz. ckubu.oopen.de. (
+      2017032501     ; Serial
+          604800     ; Refresh
+           86400     ; Retry
+         2419200     ; Expire
+          604800 )   ; Negative Cache TTL
+;
+
+
+@                 IN NS    ns.b3-bornim.netz.
+
+; - Gateway/Firewall
+gw-b3             IN A     192.168.42.254
+gate              IN CNAME gw-b3
+gw                IN CNAME gw-b3
+b3gate            IN CNAME gw-b3
+
+; - IPMI Gateway
+gw-ipmi           IN A     172.16.42.15
+
+
+; - (Caching ) Nameserver
+ns                IN A     192.168.42.1
+nscache           IN CNAME ns
+
+; - Fileserver
+bbb-server        IN A     192.168.42.10
+file              IN CNAME bbb-server
+file-b3           IN CNAME bbb-server
+samba             IN CNAME bbb-server
+ntp               IN CNAME bbb-server
+
+; - Alter Fileserver
+bbb-server-alt    IN A     192.168.42.20
+fnrprojekt        IN CNAME bbb-server-alt
+mysql             IN CNAME bbb-server-alt
+phprojekt         IN CNAME bbb-server-alt
+webmail           IN CNAME bbb-server-alt
+www               IN CNAME bbb-server-alt
+
+phprojekt-test    IN CNAME bbb-server-alt
+imap              IN CNAME bbb-server-alt
+
+
+; - IPMI Fileserver
+file-ipmi         IN A     192.168.42.15
+
+
+; - Drucker
+
+hp-8610           IN A     192.168.42.56
+hp-8610-wlan      IN A     192.168.42.58
+
+
+; - Accesspoint - FRITZ!BOX
+fritzbox          IN A     192.168.42.60
+accesspoint       IN CNAME fritzbox
+
+
+; - PC's
+
+; - sb-desktop (Ubuntu 12.04)
+prakti-desktop    IN A     192.168.42.112
+sb-desktop        IN CNAME prakti-desktop
+
+; - susi-desktop (Ubuntu 12.04)
+susi-desktop      IN A     192.168.42.113
+
+ingo-laptop       IN A     192.168.42.114
+mp-laptop         IN A     192.168.42.119
+
+ingo-laptop-wlan  IN A     192.168.42.43
+mp-laptop-wlan    IN A     192.168.42.49
+

B3-Bornim/bind/db.empty

@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL	86400
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			  86400 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

B3-Bornim/bind/db.local

@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+@	IN	A	127.0.0.1
+@	IN	AAAA	::1

B3-Bornim/bind/db.root

@@ -0,0 +1,90 @@
+;       This file holds the information on root name servers needed to
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers).
+;
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:    February 17, 2016
+;       related version of root zone:   2016021701
+;
+; formerly NS.INTERNIC.NET
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
+B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:84::b
+;
+; FORMERLY C.PSI.NET
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
+;
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+; End of file

B3-Bornim/bind/named.conf

@@ -0,0 +1,11 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
+// structure of BIND configuration files in Debian, *BEFORE* you customize 
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";

B3-Bornim/bind/named.conf.default-zones

@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+	type hint;
+	file "/etc/bind/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+	type master;
+	file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.255";
+};
+
+

B3-Bornim/bind/named.conf.local

@@ -0,0 +1,18 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+zone "b3-bornim.netz" {
+   type master;
+   file "/etc/bind/db.b3-bornim.netz";
+};
+
+zone "42.168.192.in-addr.arpa" {
+   type master;
+   file "/etc/bind/db.192.168.42.0";
+};
+

B3-Bornim/bind/named.conf.local.ORIG

@@ -0,0 +1,8 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+

B3-Bornim/bind/named.conf.options

@@ -0,0 +1,94 @@
+options {
+   directory "/var/cache/bind";
+
+   // If there is a firewall between you and nameservers you want
+   // to talk to, you may need to fix the firewall to allow multiple
+   // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+   // If your ISP provided one or more IP addresses for stable
+   // nameservers, you probably want to use them as forwarders.
+   // Uncomment the following block, and insert the addresses replacing
+   // the all-0's placeholder.
+
+   // forwarders {
+   //    0.0.0.0;
+   // };
+
+   //========================================================================
+   // If BIND logs error messages about the root key being expired,
+   // you will need to update your keys.  See https://www.isc.org/bind-keys
+   //========================================================================
+   dnssec-validation auto;
+
+   // Security options
+   listen-on port 53 {
+      127.0.0.1;
+      172.16.42.1;
+      192.168.42.1;
+   };
+
+   allow-query {
+      127.0.0.1;
+      172.16.0.0/16;
+      192.168.0.0/16;
+      10.0.0.0/8;
+   };
+
+   // caching name services
+   recursion yes;
+   allow-recursion {
+      127.0.0.1;
+      172.16.0.0/16;
+      192.168.0.0/16;
+      10.0.0.0/16;
+   };
+
+   allow-transfer { none; };
+
+   auth-nxdomain no;    # conform to RFC1035
+   listen-on-v6 { any; };
+};
+
+logging {
+   channel simple_log {
+      file "/var/log/named/bind.log" versions 3 size 5m;
+      //severity warning;
+      severity info;
+      print-time yes;
+      print-severity yes;
+      print-category  yes;
+   };
+   channel queries_log {
+      file "/var/log/named/query.log" versions 10 size 5m;
+      severity debug;
+      //severity notice;
+      print-time yes;
+      print-severity yes;
+      print-category no;
+   };
+   channel log_zone_transfers {
+      file "/var/log/named/axfr.log" versions 5 size 2m;
+      severity info;
+      print-time yes;
+      print-severity yes;
+      print-category yes;
+   };
+   category resolver {
+      queries_log;
+   };
+   category queries {
+      queries_log;
+   };
+   category xfer-in {
+      log_zone_transfers;
+   };
+   category xfer-out {
+      log_zone_transfers;
+   };
+   category notify {
+      log_zone_transfers;
+   };
+   category default{
+      simple_log;
+   };
+};

B3-Bornim/bind/named.conf.options.ORIG

@@ -0,0 +1,26 @@
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable 
+	// nameservers, you probably want to use them as forwarders.  
+	// Uncomment the following block, and insert the addresses replacing 
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+	//========================================================================
+	// If BIND logs error messages about the root key being expired,
+	// you will need to update your keys.  See https://www.isc.org/bind-keys
+	//========================================================================
+	dnssec-validation auto;
+
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on-v6 { any; };
+};
+

B3-Bornim/bind/rndc.key

@@ -0,0 +1,4 @@
+key "rndc-key" {
+	algorithm hmac-md5;
+	secret "e7SPwyNbq97vSf4q075JNg==";
+};

B3-Bornim/bind/zones.rfc1918

@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
+ 
+zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

B3-Bornim/chap-secrets.B3-Bornim

@@ -0,0 +1,4 @@
+# Secrets for authentication using CHAP
+# client	server	secret			IP addresses
+
+"t-online-com/8TB0LIXKXV82@t-online-com.de" * "38460707"

B3-Bornim/check_net-logrotate.B3-Bornim

@@ -0,0 +1,10 @@
+/var/log/check_net.log
+{
+   rotate 7
+   daily
+   missingok
+   notifempty
+   copytruncate
+   delaycompress
+   compress
+}

B3-Bornim/check_net.service.B3-Bornim

@@ -0,0 +1,16 @@
+[Unit]
+Description=Configure Routing for Internet Connections;
+After=network.target
+After=rc-local.service
+
+[Service]
+ExecStart=/usr/local/sbin/check_net.sh
+ExecStartPre=rm -rf /tmp/check_net.sh.LOCK
+ExecStopPost=rm -rf /tmp/check_net.sh.LOCK
+KillMode=control-group
+SendSIGKILL=yes
+TimeoutStopSec=2
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

B3-Bornim/check_net/check_net.conf

@@ -0,0 +1,133 @@
+# - Configuration file for scrupts check_net.sh and netconfig.sh
+# -
+
+LOGGING_CONSOLE=false
+DEBUG=false
+
+# - Where are your scripts located?
+# -
+check_script=/usr/local/sbin/check_net.sh
+netconfig_script=/usr/local/sbin/netconfig.sh
+
+log_file=/var/log/check_net.log
+
+
+# - Put in your DSL devices (refers to your network configuration)
+# - youe wish be congigured by that script
+# -
+# - Notice:
+# -    If not using multiple default gatways, declare the list in the order of your 
+# -    preferred default gatway devices
+# -
+# -    Example:
+# -       _INITIAL_DEVICE_LIST="eth0:192.168.63.254 ppp-light"
+# -
+_INITIAL_DEVICE_LIST="ppp-b3"
+
+# - Set to "false" uses "0.0.0.0" as remote gateway instead of the real address
+# -
+USE_REMOTE_GATEWAY_ADDRESS=true
+#USE_REMOTE_GATEWAY_ADDRESS=false
+
+# - Set default gw (roundrobin)
+# -
+# - !! SET_MULTIPLE_DEFAULT_GW=true does not work for now..
+# -
+SET_MULTIPLE_DEFAULT_GW=false
+#SET_MULTIPLE_DEFAULT_GW=true
+
+
+# - Set to false uses "0.0.0.0" as default gateway adress instaed of real remote address
+# -
+USE_DEFAULT_GW_ADDRESS=true
+#USE_DEFAULT_GW_ADDRESS=false
+
+
+# - Hostnames for ping test
+# -
+# - Note: The first two reachable hosts will be used for ping test. 
+# -
+# - Space separated list
+# -
+PING_TEST_HOSTS="oopen.de google.com heise.de debian.org ubuntu.com"
+
+
+admin_email=root
+from_address="check-inet-devices@`hostname -f`"
+company="B3 Bornim"
+content_type='Content-Type: text/plain;\n charset="utf-8"'
+
+
+# - rule_local_ips
+# -
+# - Add rule(s) for routing local ip-address(es) through a given extern interface
+# -
+# - Space separated list of entries '<ext-interface>:<local-ip>'
+# -    rule_local_ips="<ext-interface>:<local-ip> [<ext-interface>:<local-ip>] [.."
+# -
+# - Example:
+# - ========
+# - local ip 192.168.10.1 through extern interface ppp-st and 
+# - local ip 192.168.10.13 through extern interface ppp-surf1
+# -     rule_local_ips="ppp-st:192.168.10.1 ppp-surf1:192.168.10.13"
+# -
+rule_local_ips=""
+
+# - rule_remote_ips
+# -
+# - Add rule(s) for routing remote ip-address(es) through a given extern interface
+# -
+# - Space separated list of entries '<ext-interface>:<remote-ip>'
+# -    rule_remote_ips="<ext-interface>:<remote-ip> [<ext-interface>:<remote-ip>] [.."
+# -
+# - Example:
+# - ========
+# - route remote ip-address  141.1.1.1 through extern interface ppp-ckubu and 
+# - also route ip-address 8.8.8.8 through through extern interface ppp-ckubu
+# -     rule_remote_ips="ppp-ckubu:141.1.1.1 ppp-ckubu:8.8.8.8"
+# - 
+rule_remote_ips=""
+
+# - rule_local_nets
+# -
+# - Add rule(s) for routing local networks through a given extern interface out
+# -
+# - Space separated list of entries '<extern-interface>:<local-net>'
+# -    rule_local_nets="<extern-interface>:<local-net> [<extern-interface>:<local-net>] [.."
+# -
+# -
+# - Example:
+# - ========
+# -     rule_local_nets="ppp-st:192.168.11.0/25 ppp-surf1:192.168.11.128/25"
+# -
+rule_local_nets=""
+
+
+
+## ====================================
+## - Don't make changes after this Line
+## ====================================
+
+# ---
+# - Add rule(s) for routing local ip-address(es)
+# ---
+declare -a rule_local_ip_arr
+for _str in $rule_local_ips ; do
+   rule_local_ip_arr+=("$_str")
+done
+
+# ---
+# - Add rule(s) for routing remote ip-address(es)
+# ---
+declare -a rule_remote_ip_arr
+for _str in $rule_remote_ips ; do
+   rule_remote_ip_arr+=("$_str")
+done
+
+# ---
+# - Add rule(s) for routing local networks
+# ---
+declare -a rule_local_net_arr
+for _str in $rule_local_nets ; do
+   rule_local_net_arr+=("$_str")
+done

B3-Bornim/cron_root.B3-Bornim

@@ -0,0 +1,47 @@
+# DO NOT EDIT THIS FILE - edit the master and reinstall.
+# (/tmp/crontab.b4E9C4/crontab installed on Tue Oct 24 12:45:33 2017)
+# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
+# Edit this file to introduce tasks to be run by cron.
+# 
+# Each task to run has to be defined through a single line
+# indicating with different fields when the task will be run
+# and what command to run for the task
+# 
+# To define the time you can provide concrete values for
+# minute (m), hour (h), day of month (dom), month (mon),
+# and day of week (dow) or use '*' in these fields (for 'any').# 
+# Notice that tasks will be started based on the cron's system
+# daemon's notion of time and timezones.
+# 
+# Output of the crontab jobs (including errors) is sent through
+# email to the user the crontab file belongs to (unless redirected).
+# 
+# For example, you can run a backup of all your user accounts
+# at 5 a.m every week with:
+# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
+# 
+# For more information see the manual pages of crontab(5) and cron(8)
+# 
+# m h  dom mon dow   command
+PATH=/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+
+# check forwarding ( /proc/sys/net/ipv4/ip_forward contains "1" )
+# if not set this entry to "1"
+#
+0-59/2 * * * * /root/bin/monitoring/check_forwarding.sh
+
+
+# check if openvpn is running if not restart the service
+#
+0-59/30 * * * * /root/bin/monitoring/check_vpn.sh
+
+
+# check if DynDNS ip is correct, adjust if needed
+# -
+27 * * * * /root/bin/monitoring/check_dyndns.sh b3.homelinux.org
+
+
+# - copy gatewy configuration
+# -
+11 3 * * * /root/bin/manage-gw-config/copy_gateway-config.sh B3-Bornim

B3-Bornim/ddclient.conf.B3-Bornim

@@ -0,0 +1,10 @@
+# Configuration file for ddclient generated by debconf
+#
+# /etc/ddclient.conf
+
+protocol=dyndns2
+use=web, web=checkip.dyndns.com, web-skip='IP Address'
+server=members.dyndns.org
+login=ckubu
+password='7213b4e6178a11e6ab1362f831f6741e'
+b3.homelinux.org

B3-Bornim/default_isc-dhcp-server.B3-Bornim

@@ -0,0 +1,21 @@
+# Defaults for isc-dhcp-server initscript
+# sourced by /etc/init.d/isc-dhcp-server
+# installed at /etc/default/isc-dhcp-server by the maintainer scripts
+
+#
+# This is a POSIX shell fragment
+#
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+#DHCPD_CONF=/etc/dhcp/dhcpd.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+#DHCPD_PID=/var/run/dhcpd.pid
+
+# Additional options to start dhcpd with.
+#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACES=""

B3-Bornim/dhcpd.conf.B3-Bornim

@@ -0,0 +1,195 @@
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+# $Id: dhcpd.conf,v 1.1.1.1 2002/05/21 00:07:44 peloy Exp $
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# option definitions common to all supported networks...
+option subnet-mask 255.255.255.0;
+option broadcast-address 192.168.42.255;
+
+
+option domain-name "b3-bornim.netz";
+option domain-name-servers 192.168.42.1;
+
+option routers 192.168.42.254;
+
+default-lease-time 43200;
+max-lease-time 86400;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the 
+# DHCP server to understand the network topology.
+subnet 192.168.42.0 netmask 255.255.255.0 {
+   range 192.168.42.30 192.168.42.250;
+   option domain-name "b3-bornim.netz";
+   option domain-name-servers 192.168.42.1;
+   option subnet-mask 255.255.255.0;
+   option broadcast-address 192.168.42.255;
+   option routers 192.168.42.254;
+
+}
+
+# - Alter server
+# -
+host ex-server  {
+   hardware ethernet 00:30:48:be:cc:8c ;
+   fixed-address bbb-server-alt.b3-bornim.netz ;
+}
+
+# - Susi Desktop - LAN
+# -
+host susi-desktop {
+   hardware ethernet 50:af:73:1f:d6:66;
+   fixed-address susi-desktop.b3-bornim.netz ;
+}
+
+# - Ingo Laptop - LAN
+# -
+host ingo-laptop {
+   hardware ethernet 3c:97:0e:7e:69:ad;
+   fixed-address ingo-laptop.b3-bornim.netz ;
+}
+
+# - Ingo Laptop - WLAN
+# -
+host ingo-laptop-wlan {
+   hardware ethernet 00:90:a2:ce:6a:f9;
+   fixed-address ingo-laptop-wlan.b3-bornim.netz ;
+}
+
+# - Matthias Laptop - LAN
+# -
+host mp-laptop {
+   hardware ethernet 00:22:64:54:7b:be;
+   fixed-address mp-laptop.b3-bornim.netz ;
+}
+
+# - Matthias Laptop - WLAN
+# -
+host mp-laptop-wlan {
+   hardware ethernet 00:21:5d:18:23:2e;
+   fixed-address mp-laptop-wlan.b3-bornim.netz ;
+}
+
+# - sb-desktop ( Ubuntu 12.04 )
+# -
+# - Praktikanten Rechner
+# -
+host prakti-desktop {
+   hardware ethernet 00:e0:4c:46:c0:ec ;
+   fixed-address prakti-desktop.b3-bornim.netz ;
+}
+
+
+
+# - Drucker - HP Officejet Pro 8610
+# - 
+host hp-8610 {
+   hardware ethernet 94:57:A5:9E:11:B3 ;
+   fixed-address hp-8610.b3-bornim.netz ;
+}
+host hp-8610-wlan {
+   hardware ethernet 94:57:A5:9E:11:B4 ;
+   fixed-address hp-8610-wlan.b3-bornim.netz ;
+}
+
+
+
+## - wlan router
+#host wlan {
+#   hardware ethernet 00:0f:b5:99:33:ee;
+#   fixed-address wlan.b3-bornim.netz;
+#}
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+#subnet 10.254.239.0 netmask 255.255.255.224 {
+#  range 10.254.239.10 10.254.239.20;
+#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
+#}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+#  range dynamic-bootp 10.254.239.40 10.254.239.60;
+#  option broadcast-address 10.254.239.31;
+#  option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+#  range 10.5.5.26 10.5.5.30;
+#  option domain-name-servers ns1.internal.example.org;
+#  option domain-name "internal.example.org";
+#  option routers 10.5.5.1;
+#  option broadcast-address 10.5.5.31;
+#  default-lease-time 600;
+#  max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements.   If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+#  hardware ethernet 0:0:c0:5d:bd:95;
+#  filename "vmunix.passacaglia";
+#  server-name "toccata.fugue.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts.   These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+#host fantasia {
+#  hardware ethernet 08:00:07:26:c0:a5;
+#  fixed-address fantasia.fugue.com;
+#}
+
+# You can declare a class of clients and then do address allocation
+# based on that.   The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+#  subnet 10.17.224.0 netmask 255.255.255.0 {
+#    option routers rtr-224.example.org;
+#  }
+#  subnet 10.0.29.0 netmask 255.255.255.0 {
+#    option routers rtr-29.example.org;
+#  }
+#  pool {
+#    allow members of "foo";
+#    range 10.17.224.10 10.17.224.250;
+#  }
+#  pool {
+#    deny members of "foo";
+#    range 10.0.29.10 10.0.29.230;
+#  }
+#}

B3-Bornim/dhcpd6.conf.B3-Bornim

@@ -0,0 +1,102 @@
+# Server configuration file example for DHCPv6
+# From the file used for TAHI tests - addresses chosen
+# to match TAHI rather than example block.
+
+# IPv6 address valid lifetime
+#  (at the end the address is no longer usable by the client)
+#  (set to 30 days, the usual IPv6 default)
+default-lease-time 2592000;
+
+# IPv6 address preferred lifetime
+#  (at the end the address is deprecated, i.e., the client should use
+#   other addresses for new connections)
+#  (set to 7 days, the	usual IPv6 default)
+preferred-lifetime 604800;
+
+# T1, the delay before Renew
+#  (default is 1/2 preferred lifetime)
+#  (set to 1 hour)
+option dhcp-renewal-time 3600;
+
+# T2, the delay before Rebind (if Renews failed)
+#  (default is 3/4 preferred lifetime)
+#  (set to 2 hours)
+option dhcp-rebinding-time 7200;
+
+# Enable RFC 5007 support (same than for DHCPv4)
+allow leasequery;
+
+# Global definitions for name server address(es) and domain search list
+option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:3f3e;
+option dhcp6.domain-search "test.example.com","example.com";
+
+# Set preference to 255 (maximum) in order to avoid waiting for
+# additional servers when there is only one
+##option dhcp6.preference 255;
+
+# Server side command to enable rapid-commit (2 packet exchange)
+##option dhcp6.rapid-commit;
+
+# The delay before information-request refresh
+#  (minimum is 10 minutes, maximum one day, default is to not refresh)
+#  (set to 6 hours)
+option dhcp6.info-refresh-time 21600;
+
+# Static definition (must be global)
+#host myclient {
+#	# The entry is looked up by this
+#	host-identifier option
+#		dhcp6.client-id 00:01:00:01:00:04:93:e0:00:00:00:00:a2:a2;
+#
+#	# A fixed address
+#	fixed-address6 3ffe:501:ffff:100::1234;
+#
+#	# A fixed prefix
+#	fixed-prefix6 3ffe:501:ffff:101::/64;
+#
+#	# Override of the global definitions,
+#	# works only when a resource (address or prefix) is assigned
+#	option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:4f4e;
+#
+#	# For debug (to see when the entry statements are executed)
+#	#  (log "sol" when a matching Solicitation is received)
+#	##if packet(0,1) = 1 { log(debug,"sol"); }
+#}
+#
+#host otherclient {
+#        # This host entry is hopefully matched if the client supplies a DUID-LL
+#        # or DUID-LLT containing this MAC address.
+#        hardware ethernet 01:00:80:a2:55:67;
+#
+#        fixed-address6 3ffe:501:ffff:100::4321;
+#}
+
+# The subnet where the server is attached
+#  (i.e., the server has an address in this subnet)
+#subnet6 3ffe:501:ffff:100::/64 {
+#	# Two addresses available to clients
+#	#  (the third client should get NoAddrsAvail)
+#	range6 3ffe:501:ffff:100::10 3ffe:501:ffff:100::11;
+#
+#	# Use the whole /64 prefix for temporary addresses
+#	#  (i.e., direct application of RFC 4941)
+#	range6 3ffe:501:ffff:100:: temporary;
+#
+#	# Some /64 prefixes available for Prefix Delegation (RFC 3633)
+#	prefix6 3ffe:501:ffff:100:: 3ffe:501:ffff:111:: /64;
+#}
+
+# A second subnet behind a relay agent
+#subnet6 3ffe:501:ffff:101::/64 {
+#	range6 3ffe:501:ffff:101::10 3ffe:501:ffff:101::11;
+#
+#	# Override of the global definitions,
+#	# works only when a resource (address or prefix) is assigned
+#	option dhcp6.name-servers 3ffe:501:ffff:101:200:ff:fe00:3f3e;
+#
+#}
+
+# A third subnet behind a relay agent chain
+#subnet6 3ffe:501:ffff:102::/64 {
+#	range6 3ffe:501:ffff:102::10 3ffe:501:ffff:102::11;
+#}

B3-Bornim/hostname.B3-Bornim

@@ -0,0 +1 @@
+gw-b3

B3-Bornim/hosts.B3-Bornim

@@ -0,0 +1,8 @@
+127.0.0.1	localhost
+
+192.168.42.254	gw-b3.b3-bornim.netz	gw-b3
+
+# The following lines are desirable for IPv6 capable hosts
+::1     localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters

B3-Bornim/interfaces.B3-Bornim

@@ -0,0 +1,97 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+
+
+#-----------------------------
+# eth0 - WLAN
+#-----------------------------
+
+auto eth0
+iface eth0 inet static
+   address 192.168.43.254
+   network 192.168.43.0
+   netmask 255.255.255.0
+   broadcast 192.168.43.255
+
+
+#-----------------------------
+# eth1 - LAN
+#-----------------------------
+
+auto eth1 eth1:ns
+iface eth1 inet static
+   address 192.168.42.254
+   network 192.168.42.0
+   netmask 255.255.255.0
+   broadcast 192.168.42.255
+
+iface eth1:ns inet static
+   address 192.168.42.1
+   network 192.168.42.1
+   netmask 255.255.255.255
+   broadcast 192.168.42.1
+
+
+#-----------------------------
+# eth2 - WAN
+#-----------------------------
+
+# The primary network interface
+auto eth2
+iface eth2 inet static
+	address 172.16.42.1
+	netmask 255.255.255.0
+	network 172.16.42.0
+	broadcast 172.16.42.255
+	gateway 172.16.42.254
+   #post-up vconfig add eth2 7
+   #post-down vconfig rem eth2.7
+	## dns-* options are implemented by the resolvconf package, if installed
+	#dns-nameservers 172.16.42.1
+	#dns-search b3-bornim.netz
+
+#iface eth2 inet static
+#	address 172.17.42.1
+#	netmask 255.255.255.0
+#	network 172.17.42.0
+#	broadcast 172.17.42.255
+#	gateway 172.17.42.254
+#   post-up vconfig add eth2 7
+#   post-down vconfig rem eth2.7
+#	# dns-* options are implemented by the resolvconf package, if installed
+#	dns-nameservers 172.16.42.1
+#	dns-search b3-bornim.netz
+
+#auto eth2:atb
+#iface eth2:atb inet static
+#   address 10.2.1.50
+#   netmask 255.255.255.0
+#   network 10.2.1.0
+
+
+#auto dsl-b3
+#iface dsl-b3 inet ppp
+#   pre-up /sbin/ifconfig eth2 up # line maintained by pppoeconf
+#   pre-up /sbin/ifconfig eth2.7 up # line maintained by pppoeconf
+#   provider dsl-b3
+
+
+
+
+#-----------------------------
+# eth3 - ATB
+#-----------------------------
+
+#auto eth3
+#iface eth3 inet static
+#   address 10.2.1.50
+#   netmask 255.255.255.0
+#   network 10.2.1.0
+#   #gateway 10.2.1.1

B3-Bornim/ipt-firewall.service.B3-Bornim

@@ -0,0 +1,14 @@
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+SyslogIdentifier="ipt-gateway"
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-gateway start
+ExecStop=/usr/local/sbin/ipt-firewall-gateway stop
+User=root
+
+[Install]
+WantedBy=multi-user.target

B3-Bornim/ipt-firewall/default_ports.conf

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Ports for Services out
+# =============
+
+standard_ident_port=113
+standard_silc_port=706
+standard_irc_port=6667
+standard_jabber_port=5222
+standard_smtp_port=25
+standard_ssh_port=22
+standard_http_port=80
+standard_https_port=443
+standard_ftp_port=21
+standard_tftp_udp_port=69
+standard_ntp_port=123
+standard_snmp_port=161
+standard_snmp_trap_port=162
+standard_timeserver_port=37
+standard_pgp_keyserver_port=11371
+standard_telnet_port=23
+standard_whois_port=43
+standard_cpan_wait_port=1404
+standard_xymon_port=1984
+standard_hbci_port=3000
+standard_mysql_port=3306
+standard_ipp_port=631
+standard_cups_port=$standard_ipp_port
+standard_print_raw_port=515
+standard_print_port=9100
+standard_remote_console_port=5900
+
+# - IPsec - Internet Security Association and
+# -  Key Management Protocol
+standard_isakmp_port=500
+standard_ipsec_nat_t=4500
+
+
+# - Comma separated lists
+# -
+standard_http_ports="80,443"
+standard_mailuser_ports="587,465,110,995,143,993"
+

B3-Bornim/ipt-firewall/include_functions.conf

@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Some functions
+# =============
+
+# - Is this script running on terminal ?
+# -
+if [[ -t 1 ]] ; then
+      terminal=true
+else
+   terminal=false
+fi
+
+echononl(){
+   echo X\\c > /tmp/shprompt$$
+   if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+      echo -e -n "$*\\c" 1>&2
+   else
+       echo -e -n "$*" 1>&2
+   fi
+   rm /tmp/shprompt$$
+}
+echo_done() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[32mdone\033[m ]"
+   else
+      echo " [ done ]"
+   fi
+}
+echo_ok() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[32mok\033[m ]"
+   else
+      echo " [ ok ]"
+   fi
+}
+echo_warning() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+   else
+      echo " [ warning ]"
+   fi
+}
+echo_failed(){
+   if $terminal ; then
+      echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+   else
+      echo ' [ failed! ]'
+   fi
+}
+echo_skipped() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[37mskipped\033[m ]"
+   else
+      echo " [ skipped ]"
+   fi
+}
+
+
+fatal (){
+   echo ""
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[31m\033[1mFatal\033[m ]: \033[37m\033[1m$*\033[m"
+      echo ""
+      echo -e "\t\033[31m\033[1m           Firewall Script will be interrupted..\033[m\033[m"
+   else
+      echo "fatal: $*"
+      echo "Firewall Script will be interrupted.."
+   fi
+   echo ""
+   exit 1
+}
+
+error(){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+   else
+      echo "Error: $*"
+   fi
+   echo ""
+}
+
+warn (){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+   else
+      echo "Warning: $*"
+   fi
+   echo ""
+}
+
+info (){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+   else
+      echo "Info: $*"
+   fi
+   echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+   local e
+   for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+   return 1
+}
+

B3-Bornim/ipt-firewall/interfaces_ipv4.conf

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Network Interfaces / Ip-Adresses / Ports
+# =============
+
+# - Extern Interfaces DSL Lines
+# -    (blank separated list)
+ext_if_dsl_1="ppp-b3"
+ext_if_dsl_2=""
+ext_if_dsl_3=""
+ext_if_dsl_4=""
+
+ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
+
+# - Extern Interfaces Static Lines
+# -    (blank separated list)
+ext_if_static_1="eth2"
+ext_if_static_2=""
+ext_if_static_3=""
+
+ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
+
+# - VPN Interfaces
+# -    (blank separated list)
+vpn_ifs="tun+"
+
+# - Local Interfaces
+local_if_1="eth0"
+local_if_2="eth1"
+local_if_3=""
+local_if_4=""
+local_if_5=""
+local_if_6=""
+local_if_7=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
+# -
+# - Blank separated list
+# -
+nat_devices=""
+
+# - Are local alias interfaces like eth0:0 defined"
+# -
+local_alias_interfaces=true

B3-Bornim/ipt-firewall/interfaces_ipv4.conf.sample

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Network Interfaces / Ip-Adresses / Ports
+# =============
+
+# - Extern Interfaces DSL Lines
+# -    (blank separated list)
+ext_if_dsl_1=""
+ext_if_dsl_2=""
+ext_if_dsl_3=""
+ext_if_dsl_4=""
+
+ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
+
+# - Extern Interfaces Static Lines
+# -    (blank separated list)
+ext_if_static_1=""
+ext_if_static_2=""
+ext_if_static_3=""
+
+ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
+
+# - VPN Interfaces
+# -    (blank separated list)
+vpn_ifs="tun+"
+
+# - Local Interfaces
+local_if_1=""
+local_if_2=""
+local_if_3=""
+local_if_4=""
+local_if_5=""
+local_if_6=""
+local_if_7=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
+# -
+# - Blank separated list
+# -
+nat_devices=""
+
+# - Are local alias interfaces like eth0:0 defined"
+# -
+local_alias_interfaces=true

B3-Bornim/ipt-firewall/interfaces_ipv6.conf.sample

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Network Interfaces / Ip-Adresses / Ports
+# =============
+
+# - Extern Interfaces DSL Lines
+# -    (blank separated list)
+ext_if_dsl_1=""
+ext_if_dsl_2=""
+ext_if_dsl_3=""
+ext_if_dsl_4=""
+
+ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
+
+# - Extern Interfaces Static Lines
+# -    (blank separated list)
+# -
+# - Example:
+# -    ext_if_static_1="sixxs"
+# -
+ext_if_static_1=""
+ext_if_static_2=""
+ext_if_static_3=""
+
+ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
+
+# - VPN Interfaces
+# -    (blank separated list)
+vpn_ifs="tun+"
+
+# - Local Interfaces
+local_if_1=""
+local_if_2=""
+local_if_3=""
+local_if_4=""
+local_if_5=""
+local_if_6=""
+local_if_7=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+# - Are local alias interfaces like eth0:0 defined"
+# -
+local_alias_interfaces=true

B3-Bornim/ipt-firewall/load_modules_ipv4.conf

@@ -0,0 +1,36 @@
+# =============
+# -  Load Kernel Modules
+# =============
+
+# - Note:! 
+# -    Since Kernel 4.7 the automatic conntrack helper assignment
+# -    is disabled by default (net.netfilter.nf_conntrack_helper = 0).
+# -    Enable it by setting this variable in file /etc/sysctl.conf:
+# -
+# -       net.netfilter.nf_conntrack_helper = 1
+# -
+# -    Reboot or type "sysctl -p"
+
+
+ip_tables
+
+iptable_nat
+iptable_filter
+iptable_mangle
+iptable_raw
+
+# - Load base modules for tracking
+# -
+nf_conntrack
+nf_nat
+
+# - Load module for FTP Connection tracking and NAT
+# -
+nf_conntrack_ftp
+nf_nat_ftp
+
+# - Load modules for SIP VOIP
+# -
+nf_conntrack_sip
+nf_nat_sip
+

B3-Bornim/ipt-firewall/load_modules_ipv6.conf

@@ -0,0 +1,9 @@
+# =============
+# -  Load Kernel Modules
+# =============
+
+ip6_tables
+ip6table_filter
+ip6t_REJECT
+
+ip6table_mangle

B3-Bornim/ipt-firewall/logging_ipv4.conf

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=false
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice 
+# - unless you specifically need something else. 
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv4:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""

B3-Bornim/ipt-firewall/logging_ipv6.conf

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=false
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice 
+# - unless you specifically need something else. 
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv6:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""

B3-Bornim/ipt-firewall/post_decalrations.conf

@@ -0,0 +1,505 @@
+#!/usr/bin/env bash
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+# ---
+# - Masquerade TCP Connections
+# ---
+
+declare -a nat_network_arr
+for _net in $nat_networks ; do
+   nat_network_arr+=("$_net")
+done
+
+declare -a masquerade_tcp_con_arr
+for _str in $masquerade_tcp_cons ; do
+   masquerade_tcp_con_arr+=("$_str")
+done
+
+
+# ---
+# - Extern Network interfaces (DSL, Staic Lines, All together)
+# ---
+declare -a nat_device_arr
+declare -a dsl_device_arr
+declare -a ext_if_arr
+for _dev in $ext_ifs_dsl ; do
+   dsl_device_arr+=("$_dev")
+   ext_if_arr+=("$_dev")
+   nat_device_arr+=("$_dev")
+done
+for _dev in $ext_ifs_static ; do
+   ext_if_arr+=("$_dev")
+done
+for _dev in $nat_devices ; do
+   if ! containsElement $_dev "${nat_device_arr[@]}" ; then
+      nat_device_arr+=("$_dev")
+   fi
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+   vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+   local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+   blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+   unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Allow these local networks any access to the internet
+# ---
+declare -a any_access_to_inet_network_arr
+for _net in $any_access_to_inet_networks ; do
+   any_access_to_inet_network_arr+=("$_net")
+done
+
+declare -a any_access_from_inet_network_arr
+for _net in $any_access_from_inet_networks ; do
+   any_access_from_inet_network_arr+=("$_net")
+done
+
+# ---
+# - Allow local services from given extern networks
+# ---
+declare -a allow_ext_net_to_local_service_arr 
+for _val in $allow_ext_net_to_local_service ; do
+   allow_ext_net_to_local_service_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from extern address/network to local address/network
+# ---
+declare -a allow_ext_net_to_local_net_arr
+for _val in $allow_ext_net_to_local_net ; do
+   allow_ext_net_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Block all extern traffic to (given) local network
+# ---
+declare -a block_all_ext_to_local_net_arr
+for _net in $block_all_ext_to_local_net ; do
+   block_all_ext_to_local_net_arr+=("$_net")
+done
+
+# ---
+# - Allow local services from given local networks
+# ---
+declare -a allow_local_net_to_local_service_arr 
+for _val in $allow_local_net_to_local_service ; do
+   allow_local_net_to_local_service_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from local network to local ip-address
+# ---
+declare -a allow_local_net_to_local_ip_arr
+for _val in $allow_local_net_to_local_ip ; do
+   allow_local_net_to_local_ip_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from local ip-address to local network
+# ---
+declare -a allow_local_ip_to_local_net_arr
+for _val in $allow_local_ip_to_local_net ; do
+   allow_local_ip_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from (one) local network to (another) local network
+# ---
+declare -a allow_local_net_to_local_net_arr
+for _val in $allow_local_net_to_local_net ; do
+   allow_local_net_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Allow local ip address from given local interface
+# ---
+declare -a allow_local_if_to_local_ip_arr
+for _val in $allow_local_if_to_local_ip ; do
+   allow_local_if_to_local_ip_arr+=("$_val")
+done
+
+# ---
+# - Separate local Networks
+# ---
+declare -a separate_local_network_arr
+for _net in $separate_local_networks ; do
+   separate_local_network_arr+=("$_net")
+done
+
+# ---
+# - Separate local Interfaces
+# ---
+declare -a separate_local_if_arr
+for _net in $separate_local_ifs ; do
+   separate_local_if_arr+=("$_net")
+done
+
+# ---
+# - Generally block ports on extern interfaces
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+   block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+   block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Not wanted on intern interfaces
+# ---
+declare -a not_wanted_on_gw_tcp_port_arr
+for _port in $not_wanted_on_gw_tcp_ports ; do
+   not_wanted_on_gw_tcp_port_arr+=("$_port")
+done
+
+declare -a not_wanted_on_gw_udp_port_arr
+for _port in $not_wanted_on_gw_udp_ports ; do
+   not_wanted_on_gw_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+   forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses to log
+# ---
+declare -a log_ip_arr
+for _ip in $log_ips ; do
+   log_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Devices local DHCP Client
+# ---
+declare -a dhcp_client_interfaces_arr
+for _dev in $dhcp_client_interfaces ; do
+   dhcp_client_interfaces_arr+=("$_dev")
+done
+
+# ---
+# - IP Addresses DHCP Failover Server
+# ---
+declare -a dhcp_failover_server_ip_arr
+for _ip in $dhcp_failover_server_ips ; do
+   dhcp_failover_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses DNS Server
+# ---
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+   dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses SSH Server only at ocal Networks
+# ---
+declare -a ssh_server_only_local_ip_arr
+for _ip in $ssh_server_only_local_ips ; do
+   ssh_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses HTTP Server only local Networks
+# ---
+declare -a http_server_only_local_ip_arr
+for _ip in $http_server_only_local_ips ; do
+   http_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mail Server only local Networks
+# ---
+declare -a mail_server_only_local_ip_arr
+for _ip in $mail_server_only_local_ips ; do
+   mail_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+declare -a ftp_server_only_local_ip_arr
+for _ip in $ftp_server_only_local_ips ; do
+   ftp_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Samba Server
+# ---
+declare -a samba_server_local_ip_arr
+for _ip in $samba_server_local_ips ; do
+   samba_server_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses LDAP Server
+# ---
+declare -a ldap_server_local_ip_arr
+for _ip in $ldap_server_local_ips ; do
+   ldap_server_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses Telephone Systems
+# ---
+declare -a tele_sys_ip_arr
+for _ip in $tele_sys_ips ; do
+   tele_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses SNMP Server
+# ---
+declare -a snmp_server_ip_arr
+for _ip in $snmp_server_ips ; do
+   snmp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses Munin Service 
+# ---
+declare -a munin_local_server_ip_arr
+for _ip in $munin_local_server_ips ; do
+   munin_local_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+   xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses IPMI interface
+# ---
+declare -a ipmi_server_ip_arr
+for _ip in $ipmi_server_ips ; do
+   ipmi_server_ip_arr+=("$_ip")
+done
+
+# ---
+# -IP Addresses Ubiquiti Unifi Accesspoints
+# ---
+declare -a unifi_ap_local_ip_arr
+for _ip in $unifi_ap_local_ips ; do
+   unifi_ap_local_ip_arr+=("$_ip")
+done
+declare -a unifi_controller_gateway_ip_arr
+for _ip in $unifi_controller_gateway_ips ; do
+   unifi_controller_gateway_ip_arr+=("$_ip")
+done
+declare -a unify_controller_local_net_ip_arr
+for _ip in $unify_controller_local_net_ips ; do
+   unify_controller_local_net_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Printer
+# -
+declare -a printer_ip_arr
+for _ip in $printer_ips ; do
+   printer_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Adresses Brother Scanner (brscan)
+# ---
+declare -a brother_scanner_ip_arr
+for _ip in $brother_scanner_ips ; do
+   brother_scanner_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses PCNS Server
+# ---
+declare -a pcns_server_ip_arr
+for _ip in $pcns_server_ips ; do
+   pcns_server_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Addresses VNC Service
+# ---
+declare -a rm_server_ip_arr
+for _ip in $rm_server_ips ; do
+   rm_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+   rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - Other local Services
+# ---
+declare -a other_service_arr
+for _val in $other_services ; do
+   other_service_arr+=("$_val")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+   ssh_port_arr+=("$_port")
+done
+
+# ---
+# - Cisco kompartible VPN Ports
+# ---
+declare -a cisco_vpn_out_port_arr
+for _port in $cisco_vpn_out_ports ; do
+   cisco_vpn_out_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+declare -a vpn_gw_port_arr
+for _port in $vpn_gw_ports ; do
+   vpn_gw_port_arr+=("$_port")
+done
+declare -a vpn_local_net_port_arr
+for _port in $vpn_local_net_ports ; do
+   vpn_local_net_port_arr+=("$_port")
+done
+declare -a vpn_out_port_arr
+for _port in $vpn_out_ports ; do
+   vpn_out_port_arr+=("$_port")
+done
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+   rsync_port_arr+=("$_port")
+done
+
+# ---
+# - Samba Ports
+# ---
+
+declare -a samba_udp_port_arr
+for _port in $samba_udp_ports ; do
+   samba_udp_port_arr+=("$_port")
+done
+
+declare -a samba_tcp_port_arr
+for _port in $samba_tcp_ports ; do
+   samba_tcp_port_arr+=("$_port")
+done
+
+# ---
+# - LDAP Ports
+# ---
+
+declare -a ldap_udp_port_arr
+for _port in $ldap_udp_ports ; do
+   ldap_udp_port_arr+=("$_port")
+done
+
+declare -a ldap_tcp_port_arr
+for _port in $ldap_tcp_ports ; do
+   ldap_tcp_port_arr+=("$_port")
+done
+
+# ---
+# - IPMI
+# ---
+
+declare -a ipmi_udp_port_arr
+for _port in $ipmi_udp_ports ; do
+   ipmi_udp_port_arr+=("$_port")
+done
+
+declare -a ipmi_tcp_port_arr
+for _port in $ipmi_tcp_ports ; do
+   ipmi_tcp_port_arr+=("$_port")
+done
+
+
+# ---
+# - Portforwrds TCP
+# ---
+declare -a portforward_tcp_arr
+for _str in $portforward_tcp ; do
+   portforward_tcp_arr+=("$_str")
+done
+
+# ---
+# - Portforwrds UDP
+# ---
+declare -a portforward_udp_arr
+for _str in $portforward_udp ; do
+   portforward_udp_arr+=("$_str")
+done
+
+# ---
+# - MAC Address Filtering
+# ---
+declare -a allow_all_mac_src_address_arr
+for _mac in $allow_all_mac_src_addresses ; do
+   allow_all_mac_src_address_arr+=("$_mac")
+done
+
+declare -a allow_local_mac_src_address_arr
+for _mac in $allow_local_mac_src_addresses ; do
+   allow_local_mac_src_address_arr+=("$_mac")
+done
+
+declare -a allow_remote_mac_src_address_arr
+for _mac in $allow_remote_mac_src_addresses ; do
+   allow_remote_mac_src_address_arr+=("$_mac")
+done
+

B3-Bornim/mailname.B3-Bornim

@@ -0,0 +1 @@
+gw-b3.b3-bornim.netz

B3-Bornim/main.cf.B3-Bornim

@@ -0,0 +1,270 @@
+# ============ Basic settings ============
+
+compatibility_level = 2
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = /usr/share/doc/postfix
+html_directory = /usr/share/doc/postfix/html
+
+## - The Internet protocols Postfix will attempt to use when making 
+## - or accepting connections.
+## - DEFAULT: ipv4
+inet_protocols = ipv4
+
+#inet_interfaces = all
+inet_interfaces =
+   127.0.0.1
+   #192.168.42.254
+
+myhostname = gw-b3.b3-bornim.netz
+
+mydestination = 
+   gw-b3.b3-bornim.netz
+   localhost
+
+## - The list of "trusted" SMTP clients that have more 
+## - privileges than "strangers"
+## -
+mynetworks = 
+   127.0.0.0/8
+   192.168.42.254/32
+
+#smtp_bind_address = 192.168.42.254
+#smtp_bind_address6 = 
+
+
+## - The method to generate the default value for the mynetworks parameter.
+## -
+## -   mynetworks_style = host" when Postfix should "trust" only the local machine
+## -   mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP 
+## -                       clients in the same IP subnetworks as the local machine.
+## -   mynetworks_style = class" when Postfix should "trust" SMTP clients in the same 
+## -                      IP class A/B/C networks as the local machine.
+## -
+#mynetworks_style = host
+
+
+## - The maximal size of any local(8) individual mailbox or maildir file, 
+## - or zero (no limit). In fact, this limits the size of any file that is 
+## - written to upon local delivery, including files written by external 
+## - commands that are executed by the local(8) delivery agent. 
+## -
+mailbox_size_limit = 0
+
+## - The maximal size in bytes of a message, including envelope information.
+## -
+## - we user 50MB
+## -
+message_size_limit = 52480000
+
+## - The system-wide recipient address extension delimiter
+## -
+recipient_delimiter = +
+
+## - The alias databases that are used for local(8) delivery.
+## -
+alias_maps =
+   hash:/etc/aliases
+
+## - The alias databases for local(8) delivery that are updated 
+## - with "newaliases" or with "sendmail -bi". 
+## -
+alias_database =
+   hash:/etc/aliases
+
+
+## - The maximal time a message is queued before it is sent back as 
+## - undeliverable. Defaults to 5d (5 days)
+## - Specify 0 when mail delivery should be tried only once.
+## - 
+maximal_queue_lifetime = 3d
+bounce_queue_lifetime = $maximal_queue_lifetime
+
+## - delay_warning_time (default: 0h)
+## -
+## - The time after which the sender receives a copy of the message 
+## - headers of mail that is still queued. To enable this feature, 
+## - specify a non-zero time value (an integral value plus an optional 
+## - one-letter suffix that specifies the time unit). 
+## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). 
+## - The default time unit is h (hours). 
+delay_warning_time = 1d
+
+
+
+# ============ Relay parameters ============
+
+#relayhost =
+
+
+# ============ SASL authentication ============
+
+# Enable SASL authentication
+smtp_sasl_auth_enable = yes
+
+# Forwarding to the ip-adress of host b.mx.oopen.de
+relayhost = [b.mx.oopen.de]
+
+# File including login data
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+
+# Force using a (TLS) security connection
+# obsulete - use smtp_tls_security_level instead
+#smtp_use_tls = yes
+#smtp_tls_enforce_peername = no
+smtp_tls_security_level = encrypt
+
+# Disallow methods that allow anonymous authentication.
+smtp_sasl_security_options = noanonymous
+
+
+
+# ============ TLS parameters ============
+
+## - Aktiviert TLS für den Mailempfang
+## -
+## - may:
+## - Opportunistic TLS. Use TLS if this is supported by the remote 
+## - SMTP server, otherwise use plaintext
+## -
+## - This overrides the obsolete parameters smtpd_use_tls and 
+## - smtpd_enforce_tls. This parameter is ignored with 
+## - "smtpd_tls_wrappermode = yes".
+#smtpd_use_tls=yes
+smtp_tls_security_level=encrypt
+
+## - Aktiviert TLS für den Mailversand
+## -
+## - may:
+## - Opportunistic TLS: announce STARTTLS support to SMTP clients, 
+## - but do not require that clients use TLS encryption.
+# smtp_use_tls=yes
+smtpd_tls_security_level=may
+
+## -    0 Disable logging of TLS activity. 
+## -    1 Log TLS handshake and certificate information. 
+## -    2 Log levels during TLS negotiation. 
+## -    3 Log hexadecimal and ASCII dump of TLS negotiation process. 
+## -    4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. 
+## -
+smtpd_tls_loglevel = 1
+smtp_tls_loglevel = 1
+
+smtpd_tls_cert_file = /etc/postfix/ssl/mailserver.crt
+smtpd_tls_key_file = /etc/postfix/ssl/mailserver.key
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
+## - 
+## - Dont't forget to create it, e.g with openssl:
+## -    openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
+## -
+#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
+## - also possible to use 2048 key with that parameter
+## -
+smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. 
+## - 
+## - Dont't forget to create it, e.g with openssl:
+## -    openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
+## -
+smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
+
+
+## - File containing CA certificates of root CAs trusted to sign either remote SMTP 
+## - server certificates or intermediate CA certificates. These are loaded into 
+## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
+## - 
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+
+## - Directory with PEM format certificate authority certificates that the Postfix SMTP 
+## - client uses to verify a remote SMTP server certificate. Don't forget to create the 
+## - necessary "hash" links with, for example, "
+## - /bin/c_rehash /etc/postfix/certs". 
+## -
+## - !! Note !!
+## - To use this option in chroot mode, this directory (or a copy) must be inside 
+## - the chroot jail. 
+## -
+## - Note that a chrooted daemon resolves all filenames relative to the Postfix 
+## - queue directory (/var/spool/postfix)
+## -
+#smtpd_tls_CApath = /etc/postfix/certs
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP server 
+# 
+# List of TLS protocols that the Postfix SMTP server will exclude or  
+# include with opportunistic TLS encryption.  
+smtpd_tls_protocols = !SSLv2, !SSLv3
+# 
+# The SSL/TLS protocols accepted by the Postfix SMTP server  
+# with mandatory TLS encryption. 
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP client 
+#  
+# List of TLS protocols that the Postfix SMTP client will exclude or  
+# include with opportunistic TLS encryption.  
+smtp_tls_protocols = !SSLv2, !SSLv3
+# 
+# List of SSL/TLS protocols that the Postfix SMTP client will use  
+# with mandatory TLS encryption 
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange 
+## -    openssl > 1.0
+## -
+smtpd_tls_eecdh_grade = strong
+
+# standard list cryptographic algorithm
+tls_preempt_cipherlist = yes
+
+# Disable ciphers which are less than 256-bit:
+#
+#smtpd_tls_mandatory_ciphers = high
+#
+# opportunistic
+smtpd_tls_ciphers = high
+
+
+# Exclude ciphers
+#smtpd_tls_exclude_ciphers =
+#   RC4
+#   aNULL
+#   SEED-SHA
+#   EXP
+#   MD5
+smtpd_tls_exclude_ciphers =
+   aNULL
+   eNULL
+   EXPORT
+   DES
+   RC4
+   MD5
+   PSK
+   aECDH
+   EDH-DSS-DES-CBC3-SHA
+   EDH-RSA-DES-CDC3-SHA
+   KRB5-DE5, CBC3-SHA
+
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+

B3-Bornim/openvpn/ccd/server-gw-ckubu/B3-VPN-gw-ckubu

@@ -0,0 +1,5 @@
+ifconfig-push 10.1.42.2 255.255.255.0
+push "route 192.168.42.0 255.255.255.0 10.1.42.1"
+push "route 172.16.42.0 255.255.255.0 10.1.42.1"
+iroute 192.168.63.0 255.255.255.0
+iroute 192.168.64.0 255.255.255.0

B3-Bornim/openvpn/ccd/server-home/B3-VPN-chris

@@ -0,0 +1,2 @@
+ifconfig-push 10.0.42.3 255.255.255.0
+#push "route 192.168.42.0 255.255.255.0"

B3-Bornim/openvpn/ccd/server-home/B3-VPN-matthias

@@ -0,0 +1,2 @@
+ifconfig-push 10.0.42.2 255.255.255.0
+#push "route 192.168.42.0 255.255.255.0"

B3-Bornim/openvpn/crl.pem

@@ -0,0 +1 @@
+keys/crl.pem

B3-Bornim/openvpn/easy-rsa/build-ca

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-ca

B3-Bornim/openvpn/easy-rsa/build-dh

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-dh

B3-Bornim/openvpn/easy-rsa/build-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-inter

B3-Bornim/openvpn/easy-rsa/build-key

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key

B3-Bornim/openvpn/easy-rsa/build-key-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pass

B3-Bornim/openvpn/easy-rsa/build-key-pkcs12

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pkcs12

B3-Bornim/openvpn/easy-rsa/build-key-server

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-server

B3-Bornim/openvpn/easy-rsa/build-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req

B3-Bornim/openvpn/easy-rsa/build-req-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req-pass

B3-Bornim/openvpn/easy-rsa/clean-all

@@ -0,0 +1 @@
+/usr/share/easy-rsa/clean-all

B3-Bornim/openvpn/easy-rsa/inherit-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/inherit-inter

B3-Bornim/openvpn/easy-rsa/list-crl

@@ -0,0 +1 @@
+/usr/share/easy-rsa/list-crl

B3-Bornim/openvpn/easy-rsa/openssl-0.9.6.cnf

@@ -0,0 +1,268 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

B3-Bornim/openvpn/easy-rsa/openssl-0.9.8.cnf

@@ -0,0 +1,293 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines                 = engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

B3-Bornim/openvpn/easy-rsa/openssl-1.0.0.cnf

@@ -0,0 +1,288 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 3650			# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

B3-Bornim/openvpn/easy-rsa/openssl-1.1.0.cnf

@@ -0,0 +1,288 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 3650			# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

B3-Bornim/openvpn/easy-rsa/openssl.cnf

@@ -0,0 +1 @@
+openssl-1.0.0.cnf

B3-Bornim/openvpn/easy-rsa/pkitool

@@ -0,0 +1 @@
+/usr/share/easy-rsa/pkitool

B3-Bornim/openvpn/easy-rsa/revoke-full

@@ -0,0 +1 @@
+/usr/share/easy-rsa/revoke-full

B3-Bornim/openvpn/easy-rsa/sign-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/sign-req

B3-Bornim/openvpn/easy-rsa/vars

@@ -0,0 +1,95 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+##export EASY_RSA="`pwd`"
+export BASE_DIR="/etc/openvpn"
+export EASY_RSA="$BASE_DIR/easy-rsa"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+##export KEY_DIR="$EASY_RSA/keys"
+export KEY_DIR="$BASE_DIR/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+##export CA_EXPIRE=3650
+export CA_EXPIRE=11688
+
+# In how many days should certificates expire?
+##export KEY_EXPIRE=3650
+export KEY_EXPIRE=7305
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+##export KEY_COUNTRY="US"
+export KEY_COUNTRY="DE"
+##export KEY_PROVINCE="CA"
+export KEY_PROVINCE="Berlin"
+##export KEY_CITY="SanFrancisco"
+export KEY_CITY="Berlin"
+##export KEY_ORG="Fort-Funston"
+export KEY_ORG="O.OPEN"
+##export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL="ckubu-adm@oopen.de"
+##export KEY_OU="MyOrganizationalUnit"
+export KEY_OU="Network Services"
+
+# X509 Subject Field
+##export KEY_NAME="EasyRSA"
+export KEY_NAME="VPN B3"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+## export KEY_CN="CommonName"
+export KEY_CN="VPN-B3"
+
+export KEY_ALTNAMES="VPN B3"

B3-Bornim/openvpn/easy-rsa/vars.ORIG

@@ -0,0 +1,80 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
+export KEY_OU="MyOrganizationalUnit"
+
+# X509 Subject Field
+export KEY_NAME="EasyRSA"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# export KEY_CN="CommonName"

B3-Bornim/openvpn/easy-rsa/whichopensslcnf

@@ -0,0 +1 @@
+/usr/share/easy-rsa/whichopensslcnf

B3-Bornim/openvpn/keys/01.pem

@@ -0,0 +1,100 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Validity
+            Not Before: Mar 22 02:22:16 2017 GMT
+            Not After : Mar 22 02:22:16 2037 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=B3-VPN-server/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:cc:97:ca:e4:d5:10:43:3b:8d:1e:a3:37:01:01:
+                    1d:09:b1:98:cc:f2:86:f8:c5:e9:a6:11:34:93:22:
+                    0a:7e:ec:9a:08:34:1d:b2:d3:db:49:8b:85:f7:a7:
+                    44:63:06:32:76:dc:93:ff:80:34:7a:8c:a1:a6:b4:
+                    0b:d3:2f:32:6f:52:bf:37:19:4d:03:6f:30:f3:6f:
+                    c2:cd:28:2c:d7:4a:bf:ec:90:35:7e:d6:93:26:ed:
+                    b6:24:ac:0f:c7:e7:04:60:c4:ed:01:cf:54:14:a1:
+                    9b:66:6b:17:82:be:ff:1e:30:2e:05:3a:a0:75:60:
+                    d6:8e:af:38:70:db:5f:72:79:3f:60:40:82:2b:97:
+                    26:82:8a:8a:f5:bb:17:9d:75:01:e0:7d:6d:4c:9c:
+                    15:7e:cd:fb:5e:01:f5:73:71:29:73:43:ab:6d:b6:
+                    08:1c:97:27:d0:5c:57:8e:7f:f8:b4:62:95:e0:a8:
+                    79:bc:e8:66:71:b7:8e:56:7c:65:49:b1:ca:9c:1d:
+                    0d:12:8c:ae:fb:95:c2:46:7b:5e:8c:db:63:7b:fe:
+                    48:fa:7b:7a:c6:d3:80:84:89:dd:ff:81:59:f6:c6:
+                    51:96:7a:21:58:c8:5d:57:06:ca:9b:e2:d0:3c:4e:
+                    4f:fa:1e:7b:e9:0a:cc:d6:85:b1:67:18:32:85:e0:
+                    45:53
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                FB:4E:20:BC:76:45:51:1F:F4:B4:28:8C:9F:B2:6C:45:01:88:12:E7
+            X509v3 Authority Key Identifier: 
+                keyid:1F:2E:5E:B0:40:0D:92:A7:09:83:DA:25:6C:19:20:9E:C9:60:CD:21
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+                serial:E5:9B:8C:3A:EB:E7:6E:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         ab:2c:b0:a8:a6:df:75:a7:9b:c4:f5:00:c4:a5:06:4a:16:d0:
+         17:7d:61:35:f5:97:3e:6b:14:a7:32:31:6b:f8:68:3f:45:13:
+         cb:72:20:fb:6b:ff:cb:b9:b2:60:3e:eb:b5:6d:5f:10:4a:39:
+         cd:1e:bc:ec:8d:cb:0d:b7:40:e7:d7:2d:ba:c3:e3:f4:ec:24:
+         34:9d:e0:0d:d3:d7:30:6a:e1:ed:50:1a:f2:47:51:57:5d:6f:
+         5c:cb:11:d3:c4:f1:ea:f4:09:ee:c2:5a:3c:92:41:54:01:5f:
+         1a:33:fb:f1:8e:f9:0a:8f:8f:74:f8:9b:39:8d:ef:10:06:3f:
+         b1:3d:e2:80:0c:4f:76:fe:d8:c2:04:d7:58:d7:4d:2c:a5:cb:
+         74:91:13:71:e8:33:93:db:e9:81:9c:bc:0b:88:6f:57:15:3b:
+         9b:3d:6e:3e:54:ee:1a:46:45:25:20:a1:dc:3a:a2:6e:c8:b2:
+         a2:4a:00:3a:67:89:61:c8:4a:32:ec:6c:39:a3:9b:65:3a:65:
+         f4:93:23:ba:59:0c:59:10:7f:e3:3f:61:b1:8d:31:8e:44:3c:
+         36:38:46:df:f9:4c:c4:69:5a:b6:3e:65:94:27:d1:38:90:d3:
+         7b:a1:e3:0d:f7:1f:6d:41:85:77:f1:15:bb:92:46:44:50:58:
+         21:97:40:65
+-----BEGIN CERTIFICATE-----
+MIIFUDCCBDigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
+RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1j
+YTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29w
+ZW4uZGUwHhcNMTcwMzIyMDIyMjE2WhcNMzcwMzIyMDIyMjE2WjCBpzELMAkGA1UE
+BhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQK
+EwZPLk9QRU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxFjAUBgNVBAMTDUIz
+LVZQTi1zZXJ2ZXIxDzANBgNVBCkTBlZQTiBCMzEhMB8GCSqGSIb3DQEJARYSY2t1
+YnUtYWRtQG9vcGVuLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+zJfK5NUQQzuNHqM3AQEdCbGYzPKG+MXpphE0kyIKfuyaCDQdstPbSYuF96dEYwYy
+dtyT/4A0eoyhprQL0y8yb1K/NxlNA28w82/CzSgs10q/7JA1ftaTJu22JKwPx+cE
+YMTtAc9UFKGbZmsXgr7/HjAuBTqgdWDWjq84cNtfcnk/YECCK5cmgoqK9bsXnXUB
+4H1tTJwVfs37XgH1c3Epc0OrbbYIHJcn0FxXjn/4tGKV4Kh5vOhmcbeOVnxlSbHK
+nB0NEoyu+5XCRntejNtje/5I+nt6xtOAhInd/4FZ9sZRlnohWMhdVwbKm+LQPE5P
++h576QrM1oWxZxgyheBFUwIDAQABo4IBhzCCAYMwCQYDVR0TBAIwADARBglghkgB
+hvhCAQEEBAMCBkAwNAYJYIZIAYb4QgENBCcWJUVhc3ktUlNBIEdlbmVyYXRlZCBT
+ZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFPtOILx2RVEf9LQojJ+ybEUBiBLn
+MIHYBgNVHSMEgdAwgc2AFB8uXrBADZKnCYPaJWwZIJ7JYM0hoYGppIGmMIGjMQsw
+CQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzAN
+BgNVBAoTBk8uT1BFTjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAGA1UE
+AxMJVlBOLUIzLWNhMQ8wDQYDVQQpEwZWUE4gQjMxITAfBgkqhkiG9w0BCQEWEmNr
+dWJ1LWFkbUBvb3Blbi5kZYIJAOWbjDrr526ZMBMGA1UdJQQMMAoGCCsGAQUFBwMB
+MAsGA1UdDwQEAwIFoDARBgNVHREECjAIggZzZXJ2ZXIwDQYJKoZIhvcNAQELBQAD
+ggEBAKsssKim33Wnm8T1AMSlBkoW0Bd9YTX1lz5rFKcyMWv4aD9FE8tyIPtr/8u5
+smA+67VtXxBKOc0evOyNyw23QOfXLbrD4/TsJDSd4A3T1zBq4e1QGvJHUVddb1zL
+EdPE8er0Ce7CWjySQVQBXxoz+/GO+QqPj3T4mzmN7xAGP7E94oAMT3b+2MIE11jX
+TSyly3SRE3HoM5Pb6YGcvAuIb1cVO5s9bj5U7hpGRSUgodw6om7IsqJKADpniWHI
+SjLsbDmjm2U6ZfSTI7pZDFkQf+M/YbGNMY5EPDY4Rt/5TMRpWrY+ZZQn0TiQ03uh
+4w33H21BhXfxFbuSRkRQWCGXQGU=
+-----END CERTIFICATE-----

B3-Bornim/openvpn/keys/02.pem

@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Validity
+            Not Before: Mar 22 02:24:54 2017 GMT
+            Not After : Mar 22 02:24:54 2037 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=B3-VPN-chris/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e3:b0:23:45:0e:07:84:b2:29:3d:0b:66:32:ca:
+                    ac:7f:ac:8a:2d:6b:11:eb:87:20:25:d0:3b:94:6a:
+                    05:b9:da:82:32:28:4e:cf:a8:9b:dc:6a:6b:1b:95:
+                    13:75:6e:ed:fb:fc:1d:8d:fe:23:cd:a1:0b:74:41:
+                    b1:4b:c8:59:9e:2d:5e:ff:46:21:83:32:19:fb:2a:
+                    ba:5b:9d:3c:f1:64:95:be:c3:cd:79:c4:ca:ef:71:
+                    6a:65:6f:81:0d:45:75:11:79:47:51:5e:db:85:c1:
+                    1b:c2:a2:c7:10:d3:39:09:ae:3a:e7:d1:15:91:08:
+                    fd:c8:25:cb:35:08:cf:fd:41:96:e3:59:6b:63:8a:
+                    e8:4a:12:bd:ee:b0:c2:97:fa:4f:3c:fe:98:02:58:
+                    2c:f4:d0:29:48:e9:5c:3d:f0:3a:f6:9c:b3:70:f9:
+                    a0:fb:f7:99:0a:5f:27:09:5e:de:0b:b1:02:26:c7:
+                    91:e0:3f:47:61:c6:52:13:2f:11:a5:77:45:2e:b9:
+                    40:3c:a3:40:10:5a:6c:5b:16:c7:2d:9e:aa:7f:45:
+                    c0:35:cb:11:45:89:00:38:08:9b:43:c3:01:bc:3a:
+                    3c:96:5e:56:03:67:69:b6:18:7a:ad:7f:22:44:8a:
+                    5c:6d:41:96:b6:08:87:fa:d5:99:6a:02:38:91:43:
+                    2d:ed
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                9E:9D:71:FC:38:46:22:BC:2B:8C:79:FE:09:44:0A:48:9D:AD:3E:5B
+            X509v3 Authority Key Identifier: 
+                keyid:1F:2E:5E:B0:40:0D:92:A7:09:83:DA:25:6C:19:20:9E:C9:60:CD:21
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+                serial:E5:9B:8C:3A:EB:E7:6E:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:chris
+    Signature Algorithm: sha256WithRSAEncryption
+         03:72:39:b6:b0:4d:c8:9a:8d:39:b0:9f:43:8a:9d:93:17:06:
+         c7:45:40:00:21:d1:49:9c:69:55:e3:cb:19:fa:fe:94:c2:8c:
+         5e:18:74:a3:9b:95:b1:91:9a:4b:3c:cd:ec:47:d4:49:2d:8b:
+         e9:87:0c:cc:02:ea:e9:c7:51:14:f9:9c:c7:08:2a:c2:7d:c6:
+         49:d4:38:13:29:b6:f9:6f:60:c5:59:0b:96:a8:24:0c:c1:bd:
+         94:6a:48:66:aa:4d:b0:06:9c:2c:59:da:d1:43:35:f4:12:2a:
+         b3:3d:e1:43:e2:1d:46:dd:19:02:93:50:92:48:27:4b:77:9e:
+         29:7c:4d:db:05:fd:1d:4a:4a:09:70:f4:48:0c:4b:12:b8:fe:
+         94:3f:af:38:8e:c8:77:5a:c3:c3:2c:d1:cf:0e:4a:5d:40:62:
+         cd:be:52:6f:c7:55:b4:ac:59:5b:13:0f:ed:51:56:bf:4f:67:
+         d0:7d:4e:08:7c:84:b7:76:9d:a0:91:26:dc:12:38:ac:e2:b4:
+         57:b7:0c:5e:00:37:6f:f3:b0:3d:d5:28:d8:a5:9f:31:4c:32:
+         66:c6:56:a6:8c:57:2e:f8:a5:11:7b:69:c1:be:59:3e:f7:a5:
+         81:3b:d6:64:28:4e:72:be:cd:43:37:38:ca:16:1d:3a:5a:20:
+         19:46:f8:d3
+-----BEGIN CERTIFICATE-----
+MIIFNDCCBBygAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
+RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1j
+YTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29w
+ZW4uZGUwHhcNMTcwMzIyMDIyNDU0WhcNMzcwMzIyMDIyNDU0WjCBpjELMAkGA1UE
+BhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQK
+EwZPLk9QRU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxFTATBgNVBAMTDEIz
+LVZQTi1jaHJpczEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3Vi
+dS1hZG1Ab29wZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDj
+sCNFDgeEsik9C2Yyyqx/rIotaxHrhyAl0DuUagW52oIyKE7PqJvcamsblRN1bu37
+/B2N/iPNoQt0QbFLyFmeLV7/RiGDMhn7KrpbnTzxZJW+w815xMrvcWplb4ENRXUR
+eUdRXtuFwRvCoscQ0zkJrjrn0RWRCP3IJcs1CM/9QZbjWWtjiuhKEr3usMKX+k88
+/pgCWCz00ClI6Vw98Dr2nLNw+aD795kKXycJXt4LsQImx5HgP0dhxlITLxGld0Uu
+uUA8o0AQWmxbFsctnqp/RcA1yxFFiQA4CJtDwwG8OjyWXlYDZ2m2GHqtfyJEilxt
+QZa2CIf61ZlqAjiRQy3tAgMBAAGjggFsMIIBaDAJBgNVHRMEAjAAMC0GCWCGSAGG
++EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+FJ6dcfw4RiK8K4x5/glECkidrT5bMIHYBgNVHSMEgdAwgc2AFB8uXrBADZKnCYPa
+JWwZIJ7JYM0hoYGppIGmMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGlu
+MQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBk8uT1BFTjEZMBcGA1UECxMQTmV0
+d29yayBTZXJ2aWNlczESMBAGA1UEAxMJVlBOLUIzLWNhMQ8wDQYDVQQpEwZWUE4g
+QjMxITAfBgkqhkiG9w0BCQEWEmNrdWJ1LWFkbUBvb3Blbi5kZYIJAOWbjDrr526Z
+MBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDAQBgNVHREECTAHggVj
+aHJpczANBgkqhkiG9w0BAQsFAAOCAQEAA3I5trBNyJqNObCfQ4qdkxcGx0VAACHR
+SZxpVePLGfr+lMKMXhh0o5uVsZGaSzzN7EfUSS2L6YcMzALq6cdRFPmcxwgqwn3G
+SdQ4Eym2+W9gxVkLlqgkDMG9lGpIZqpNsAacLFna0UM19BIqsz3hQ+IdRt0ZApNQ
+kkgnS3eeKXxN2wX9HUpKCXD0SAxLErj+lD+vOI7Id1rDwyzRzw5KXUBizb5Sb8dV
+tKxZWxMP7VFWv09n0H1OCHyEt3adoJEm3BI4rOK0V7cMXgA3b/OwPdUo2KWfMUwy
+ZsZWpoxXLvilEXtpwb5ZPvelgTvWZChOcr7NQzc4yhYdOlogGUb40w==
+-----END CERTIFICATE-----

B3-Bornim/openvpn/keys/03.pem

@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Validity
+            Not Before: Mar 22 02:25:44 2017 GMT
+            Not After : Mar 22 02:25:44 2037 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=B3-VPN-gw-ckubu/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a0:12:ec:ae:52:b3:19:53:4d:f4:ca:96:dc:4f:
+                    b8:94:e3:ff:77:97:93:2c:63:1f:af:b2:d5:e9:d4:
+                    32:16:ea:b5:62:93:c6:49:e4:48:1d:38:8b:a3:ac:
+                    11:82:50:05:24:6c:d4:5e:9b:d6:06:e5:a3:a2:77:
+                    eb:3c:14:23:2c:d0:3c:2d:15:32:8e:79:74:47:2d:
+                    1b:1b:e6:bc:bb:cd:f1:d7:e4:25:67:27:d9:e7:14:
+                    96:78:2f:f2:2e:a8:76:df:0f:20:18:ab:d6:54:31:
+                    72:88:81:be:17:2c:0d:e1:65:9f:17:b9:88:e2:b8:
+                    d4:ec:3e:a4:61:46:db:03:da:69:2d:be:2e:24:b9:
+                    53:59:9d:3d:ef:2b:75:ef:1b:40:ea:f7:a6:b2:7f:
+                    3c:b7:46:e4:f7:6c:db:8b:cc:4a:cc:3c:df:0e:a7:
+                    8c:39:2b:30:53:4a:19:10:84:34:f7:17:19:94:eb:
+                    fa:63:84:ce:4b:8f:09:04:19:38:98:24:19:24:96:
+                    6a:cf:f1:3e:42:8a:9e:cd:16:c5:39:de:bd:1e:fc:
+                    e6:57:12:3f:b5:59:d0:50:b7:38:d7:75:99:b0:4d:
+                    62:d7:95:64:fb:b5:8c:68:20:61:78:7a:04:45:c4:
+                    15:8c:92:60:b9:9e:24:3f:b5:54:fe:92:4a:1f:4b:
+                    09:37
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                01:0E:AD:99:D6:AD:30:D2:45:B3:FF:56:26:D4:E7:8F:BA:BD:41:86
+            X509v3 Authority Key Identifier: 
+                keyid:1F:2E:5E:B0:40:0D:92:A7:09:83:DA:25:6C:19:20:9E:C9:60:CD:21
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+                serial:E5:9B:8C:3A:EB:E7:6E:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:gw-ckubu
+    Signature Algorithm: sha256WithRSAEncryption
+         16:30:40:fa:eb:4f:06:12:81:ee:94:67:b7:22:67:53:af:f5:
+         23:29:43:7f:fe:9d:50:94:cf:ab:a5:a9:f4:85:36:4c:2a:38:
+         f4:46:b4:01:5c:0f:59:3b:d7:39:2c:a7:d5:64:b5:63:83:ff:
+         e7:98:c8:94:69:cc:a5:8a:03:ac:61:c5:0a:20:46:7b:f8:86:
+         71:39:ad:a4:bc:fd:cb:dc:ed:27:95:2e:d7:f9:2f:0a:26:1e:
+         e0:1e:4e:77:94:c1:08:11:b7:5f:6c:e7:5f:a1:98:4e:a2:8f:
+         46:d2:e3:c4:b8:fb:c0:51:8d:5f:d3:3e:a0:81:e8:c6:46:ef:
+         89:57:7a:8f:d8:af:e8:48:c2:c6:64:ef:d3:1e:77:72:17:c4:
+         57:87:19:97:e2:04:e5:27:11:40:28:52:a1:fc:79:85:56:69:
+         69:0d:04:a5:8d:b8:fe:4b:ca:6e:4b:6e:bb:7e:a8:10:54:6a:
+         45:ae:49:2f:10:8c:8e:cf:d8:b1:00:97:62:ed:14:84:1c:1b:
+         5b:b6:3c:44:e3:8e:8c:ac:25:33:39:6f:9d:7b:db:7c:0a:4c:
+         ec:70:d6:17:32:e2:93:8e:33:fe:aa:e1:12:f1:99:1e:f5:f8:
+         5f:b7:94:77:83:4f:6a:de:48:1a:db:9a:62:dc:7e:87:00:87:
+         c1:73:fc:ae
+-----BEGIN CERTIFICATE-----
+MIIFOjCCBCKgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
+RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1j
+YTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29w
+ZW4uZGUwHhcNMTcwMzIyMDIyNTQ0WhcNMzcwMzIyMDIyNTQ0WjCBqTELMAkGA1UE
+BhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQK
+EwZPLk9QRU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxGDAWBgNVBAMTD0Iz
+LVZQTi1ndy1ja3VidTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJj
+a3VidS1hZG1Ab29wZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCgEuyuUrMZU030ypbcT7iU4/93l5MsYx+vstXp1DIW6rVik8ZJ5EgdOIujrBGC
+UAUkbNRem9YG5aOid+s8FCMs0DwtFTKOeXRHLRsb5ry7zfHX5CVnJ9nnFJZ4L/Iu
+qHbfDyAYq9ZUMXKIgb4XLA3hZZ8XuYjiuNTsPqRhRtsD2mktvi4kuVNZnT3vK3Xv
+G0Dq96ayfzy3RuT3bNuLzErMPN8Op4w5KzBTShkQhDT3FxmU6/pjhM5LjwkEGTiY
+JBkklmrP8T5Cip7NFsU53r0e/OZXEj+1WdBQtzjXdZmwTWLXlWT7tYxoIGF4egRF
+xBWMkmC5niQ/tVT+kkofSwk3AgMBAAGjggFvMIIBazAJBgNVHRMEAjAAMC0GCWCG
+SAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
+BBYEFAEOrZnWrTDSRbP/VibU54+6vUGGMIHYBgNVHSMEgdAwgc2AFB8uXrBADZKn
+CYPaJWwZIJ7JYM0hoYGppIGmMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVy
+bGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBk8uT1BFTjEZMBcGA1UECxMQ
+TmV0d29yayBTZXJ2aWNlczESMBAGA1UEAxMJVlBOLUIzLWNhMQ8wDQYDVQQpEwZW
+UE4gQjMxITAfBgkqhkiG9w0BCQEWEmNrdWJ1LWFkbUBvb3Blbi5kZYIJAOWbjDrr
+526ZMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDATBgNVHREEDDAK
+gghndy1ja3VidTANBgkqhkiG9w0BAQsFAAOCAQEAFjBA+utPBhKB7pRntyJnU6/1
+IylDf/6dUJTPq6Wp9IU2TCo49Ea0AVwPWTvXOSyn1WS1Y4P/55jIlGnMpYoDrGHF
+CiBGe/iGcTmtpLz9y9ztJ5Uu1/kvCiYe4B5Od5TBCBG3X2znX6GYTqKPRtLjxLj7
+wFGNX9M+oIHoxkbviVd6j9iv6EjCxmTv0x53chfEV4cZl+IE5ScRQChSofx5hVZp
+aQ0EpY24/kvKbktuu36oEFRqRa5JLxCMjs/YsQCXYu0UhBwbW7Y8ROOOjKwlMzlv
+nXvbfApM7HDWFzLik44z/qrhEvGZHvX4X7eUd4NPat5IGtuaYtx+hwCHwXP8rg==
+-----END CERTIFICATE-----

B3-Bornim/openvpn/keys/04.pem

@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Validity
+            Not Before: Mar 22 02:26:25 2017 GMT
+            Not After : Mar 22 02:26:25 2037 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=B3-VPN-ingo/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c1:ab:6d:d9:5b:fe:ce:60:c5:fd:f3:66:77:57:
+                    2a:05:af:c6:f9:ac:97:6d:29:43:d4:4a:9c:1c:8f:
+                    c1:00:38:47:6a:cc:55:5f:00:a9:98:fc:62:7e:ae:
+                    41:52:b9:44:a0:47:69:d1:e3:7a:db:0b:d0:0d:cf:
+                    71:d2:bc:43:92:9a:e9:80:ee:f0:d8:9d:67:3d:b1:
+                    da:39:f3:83:f5:d7:87:17:e9:b3:bb:0f:74:c3:7e:
+                    9f:c4:3c:0f:6d:43:94:63:e6:b6:55:c6:ec:d6:f1:
+                    08:b6:eb:cf:ae:a5:a8:61:f4:79:b0:a4:3f:e0:55:
+                    86:3b:22:a2:79:a9:04:ce:ba:78:1a:96:3b:e4:2e:
+                    1a:89:ba:1a:81:6c:9d:ea:54:6a:30:71:db:31:7b:
+                    c5:17:d1:40:8c:66:c8:8a:a5:c4:50:5d:97:0c:9a:
+                    42:2e:a6:41:67:8b:ef:93:af:28:42:b8:3f:65:0e:
+                    1d:1c:15:69:6f:4b:09:e1:54:d3:f9:fe:2a:a6:e8:
+                    cd:01:0f:ec:97:5a:62:28:7a:14:ab:f9:30:ed:5b:
+                    e0:e2:e6:02:9b:50:65:ac:1e:35:0f:76:b4:4e:ad:
+                    44:7a:66:5a:33:28:7c:b2:46:c2:ea:67:5f:cf:be:
+                    74:aa:0d:a8:f8:8e:4c:e9:95:d2:ca:11:ad:cc:f6:
+                    67:9b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                51:5B:AE:97:12:72:A4:2A:44:72:38:38:53:BF:14:F6:8F:88:0E:18
+            X509v3 Authority Key Identifier: 
+                keyid:1F:2E:5E:B0:40:0D:92:A7:09:83:DA:25:6C:19:20:9E:C9:60:CD:21
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+                serial:E5:9B:8C:3A:EB:E7:6E:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:ingo
+    Signature Algorithm: sha256WithRSAEncryption
+         63:66:7e:a1:53:e4:7c:55:5c:4a:cb:51:9e:10:b2:c4:21:b5:
+         9c:7d:3f:c0:b6:ea:cb:a9:07:32:76:eb:ad:0d:cf:cc:2a:85:
+         ca:d7:86:e3:6e:00:f0:70:29:f0:5f:73:1d:13:e2:bf:2d:99:
+         e6:33:65:af:6a:5b:d5:c1:4b:74:df:07:ab:a0:6f:49:7b:e3:
+         92:09:89:88:ce:3a:67:6e:d6:8f:fb:b8:9b:93:87:ad:1a:25:
+         b8:db:8e:92:d1:18:a5:f0:e1:c9:ab:0b:f6:9d:46:79:5d:d0:
+         24:44:eb:4b:5f:59:1b:f4:e3:92:ad:55:5e:af:af:2d:44:e3:
+         95:c5:de:1c:eb:c6:07:f6:5c:94:84:4d:41:33:c9:94:86:53:
+         63:95:e6:41:14:42:32:e2:88:b8:e8:23:44:fb:d4:19:0d:e6:
+         69:db:ff:97:e1:87:7f:72:4b:4e:3f:6a:49:50:60:eb:66:b4:
+         b5:4f:c6:db:93:fd:e8:b6:d1:b6:e4:b8:90:9d:65:e4:77:10:
+         d2:a5:0c:c3:0e:5f:7d:1d:0d:fb:ff:ca:1b:4f:d3:1c:c4:ba:
+         b8:c3:69:f1:04:ef:6d:21:93:11:4b:59:29:09:2c:e9:37:91:
+         c1:9c:17:3a:d2:55:e5:2f:0a:1a:4a:82:ae:d9:37:58:12:15:
+         8e:2d:19:f2
+-----BEGIN CERTIFICATE-----
+MIIFMjCCBBqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
+RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1j
+YTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29w
+ZW4uZGUwHhcNMTcwMzIyMDIyNjI1WhcNMzcwMzIyMDIyNjI1WjCBpTELMAkGA1UE
+BhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQK
+EwZPLk9QRU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxFDASBgNVBAMTC0Iz
+LVZQTi1pbmdvMQ8wDQYDVQQpEwZWUE4gQjMxITAfBgkqhkiG9w0BCQEWEmNrdWJ1
+LWFkbUBvb3Blbi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGr
+bdlb/s5gxf3zZndXKgWvxvmsl20pQ9RKnByPwQA4R2rMVV8AqZj8Yn6uQVK5RKBH
+adHjetsL0A3PcdK8Q5Ka6YDu8NidZz2x2jnzg/XXhxfps7sPdMN+n8Q8D21DlGPm
+tlXG7NbxCLbrz66lqGH0ebCkP+BVhjsionmpBM66eBqWO+QuGom6GoFsnepUajBx
+2zF7xRfRQIxmyIqlxFBdlwyaQi6mQWeL75OvKEK4P2UOHRwVaW9LCeFU0/n+Kqbo
+zQEP7JdaYih6FKv5MO1b4OLmAptQZaweNQ92tE6tRHpmWjMofLJGwupnX8++dKoN
+qPiOTOmV0soRrcz2Z5sCAwEAAaOCAWswggFnMAkGA1UdEwQCMAAwLQYJYIZIAYb4
+QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
+UVuulxJypCpEcjg4U78U9o+IDhgwgdgGA1UdIwSB0DCBzYAUHy5esEANkqcJg9ol
+bBkgnslgzSGhgamkgaYwgaMxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4x
+DzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGTy5PUEVOMRkwFwYDVQQLExBOZXR3
+b3JrIFNlcnZpY2VzMRIwEAYDVQQDEwlWUE4tQjMtY2ExDzANBgNVBCkTBlZQTiBC
+MzEhMB8GCSqGSIb3DQEJARYSY2t1YnUtYWRtQG9vcGVuLmRlggkA5ZuMOuvnbpkw
+EwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaCBGlu
+Z28wDQYJKoZIhvcNAQELBQADggEBAGNmfqFT5HxVXErLUZ4QssQhtZx9P8C26sup
+BzJ2660Nz8wqhcrXhuNuAPBwKfBfcx0T4r8tmeYzZa9qW9XBS3TfB6ugb0l745IJ
+iYjOOmdu1o/7uJuTh60aJbjbjpLRGKXw4cmrC/adRnld0CRE60tfWRv045KtVV6v
+ry1E45XF3hzrxgf2XJSETUEzyZSGU2OV5kEUQjLiiLjoI0T71BkN5mnb/5fhh39y
+S04/aklQYOtmtLVPxtuT/ei20bbkuJCdZeR3ENKlDMMOX30dDfv/yhtP0xzEurjD
+afEE720hkxFLWSkJLOk3kcGcFzrSVeUvChpKgq7ZN1gSFY4tGfI=
+-----END CERTIFICATE-----

B3-Bornim/openvpn/keys/05.pem

@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 5 (0x5)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Validity
+            Not Before: Mar 22 02:27:04 2017 GMT
+            Not After : Mar 22 02:27:04 2037 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=B3-VPN-matthias/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d2:22:e5:ab:8d:2b:28:95:69:10:c3:ba:f2:9e:
+                    f4:f8:47:f2:81:fc:b1:35:70:fc:70:f4:e1:d1:4c:
+                    4e:b4:2b:7c:65:76:b0:88:15:07:11:c8:47:16:4b:
+                    91:98:80:c1:f2:51:1b:8c:77:87:e5:ca:06:14:7c:
+                    5b:2c:c4:ee:6c:de:2c:af:11:1c:2e:0b:74:73:6a:
+                    9f:8f:7f:1c:6a:5b:24:28:01:19:86:3a:ff:6d:48:
+                    56:7e:20:7c:94:d5:db:2e:a9:9f:f1:08:7d:9f:ec:
+                    b2:6e:8d:6b:6f:20:df:47:28:a8:e5:b8:29:92:b5:
+                    a0:93:29:b7:42:d0:0d:06:12:ec:39:fb:39:73:b8:
+                    ce:5d:9d:7c:a6:01:c3:e9:6d:39:83:07:16:8e:89:
+                    d0:69:c1:17:27:a5:5b:0c:41:41:36:86:10:62:73:
+                    ae:3e:88:48:bb:96:bb:aa:be:b8:5f:98:a6:4f:22:
+                    b8:01:c2:37:b2:36:9c:de:f0:a4:86:75:af:9a:ed:
+                    1c:71:29:78:5d:0d:65:18:85:91:7a:4f:ea:4a:93:
+                    1c:9c:be:7d:cd:95:eb:d0:28:f4:a7:c5:8a:2d:9e:
+                    c8:30:93:51:15:4c:8a:f0:ed:a2:ae:72:77:60:26:
+                    66:c2:df:7e:4b:aa:dc:dc:5c:cb:27:7d:7b:37:2e:
+                    d1:c1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                D7:D3:A3:1A:84:6C:91:0A:6D:57:6E:BC:19:6B:25:50:5F:FC:27:9D
+            X509v3 Authority Key Identifier: 
+                keyid:1F:2E:5E:B0:40:0D:92:A7:09:83:DA:25:6C:19:20:9E:C9:60:CD:21
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+                serial:E5:9B:8C:3A:EB:E7:6E:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:matthias
+    Signature Algorithm: sha256WithRSAEncryption
+         b5:74:5e:d8:6c:a7:82:02:02:17:b2:db:f8:8b:a2:40:af:e4:
+         50:b1:bf:04:42:91:21:80:b5:b1:29:ef:d6:d8:03:9d:bf:a9:
+         73:13:02:8b:74:02:0c:07:6c:4a:79:e8:49:ae:e5:63:a6:61:
+         01:bf:18:a2:2f:00:5f:ef:ac:79:bd:62:93:5c:1a:1f:7e:50:
+         29:ca:51:e6:f8:aa:c3:96:5b:6c:cd:71:19:20:24:3f:c6:95:
+         22:62:1b:51:cb:80:6c:0d:5c:1c:ca:5c:a1:95:1a:fd:27:61:
+         6c:ce:cf:81:19:78:2e:08:9e:14:35:05:0e:0f:a3:b9:d5:44:
+         97:f1:35:9a:94:fb:3a:ee:c2:16:21:07:59:d8:ae:21:47:73:
+         24:da:7d:ba:d4:ab:63:80:2d:79:44:04:fc:51:0f:3b:fb:b3:
+         1e:3b:d8:f8:27:34:22:63:4f:ad:aa:43:99:a1:ac:39:1e:99:
+         ca:df:46:bd:4d:c6:69:3d:63:e6:f4:c1:8a:71:3a:9a:e6:05:
+         a7:04:38:f1:d8:31:f4:31:3d:f9:a7:28:94:73:bc:1a:27:c6:
+         35:9b:5a:ad:c1:58:de:eb:9a:cc:0a:93:a7:be:4e:3f:90:c3:
+         d7:23:6d:4d:eb:48:dc:da:d4:0f:cd:9e:51:7c:d8:39:eb:1d:
+         f9:d0:73:2d
+-----BEGIN CERTIFICATE-----
+MIIFOjCCBCKgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
+RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1j
+YTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29w
+ZW4uZGUwHhcNMTcwMzIyMDIyNzA0WhcNMzcwMzIyMDIyNzA0WjCBqTELMAkGA1UE
+BhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQK
+EwZPLk9QRU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxGDAWBgNVBAMTD0Iz
+LVZQTi1tYXR0aGlhczEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJj
+a3VidS1hZG1Ab29wZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDSIuWrjSsolWkQw7rynvT4R/KB/LE1cPxw9OHRTE60K3xldrCIFQcRyEcWS5GY
+gMHyURuMd4flygYUfFssxO5s3iyvERwuC3Rzap+PfxxqWyQoARmGOv9tSFZ+IHyU
+1dsuqZ/xCH2f7LJujWtvIN9HKKjluCmStaCTKbdC0A0GEuw5+zlzuM5dnXymAcPp
+bTmDBxaOidBpwRcnpVsMQUE2hhBic64+iEi7lruqvrhfmKZPIrgBwjeyNpze8KSG
+da+a7RxxKXhdDWUYhZF6T+pKkxycvn3NlevQKPSnxYotnsgwk1EVTIrw7aKucndg
+JmbC335LqtzcXMsnfXs3LtHBAgMBAAGjggFvMIIBazAJBgNVHRMEAjAAMC0GCWCG
+SAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
+BBYEFNfToxqEbJEKbVduvBlrJVBf/CedMIHYBgNVHSMEgdAwgc2AFB8uXrBADZKn
+CYPaJWwZIJ7JYM0hoYGppIGmMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVy
+bGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBk8uT1BFTjEZMBcGA1UECxMQ
+TmV0d29yayBTZXJ2aWNlczESMBAGA1UEAxMJVlBOLUIzLWNhMQ8wDQYDVQQpEwZW
+UE4gQjMxITAfBgkqhkiG9w0BCQEWEmNrdWJ1LWFkbUBvb3Blbi5kZYIJAOWbjDrr
+526ZMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDATBgNVHREEDDAK
+gghtYXR0aGlhczANBgkqhkiG9w0BAQsFAAOCAQEAtXRe2GynggICF7Lb+IuiQK/k
+ULG/BEKRIYC1sSnv1tgDnb+pcxMCi3QCDAdsSnnoSa7lY6ZhAb8Yoi8AX++seb1i
+k1waH35QKcpR5viqw5ZbbM1xGSAkP8aVImIbUcuAbA1cHMpcoZUa/SdhbM7PgRl4
+LgieFDUFDg+judVEl/E1mpT7Ou7CFiEHWdiuIUdzJNp9utSrY4AteUQE/FEPO/uz
+HjvY+Cc0ImNPrapDmaGsOR6Zyt9GvU3GaT1j5vTBinE6muYFpwQ48dgx9DE9+aco
+lHO8GifGNZtarcFY3uuazAqTp75OP5DD1yNtTetI3NrUD82eUXzYOesd+dBzLQ==
+-----END CERTIFICATE-----

B3-Bornim/openvpn/keys/06.pem

@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 6 (0x6)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Validity
+            Not Before: Mar 22 02:27:47 2017 GMT
+            Not After : Mar 22 02:27:47 2037 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=B3-VPN-susi/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b5:8e:d4:bd:3e:87:19:e5:f6:39:0a:48:5d:91:
+                    75:a4:cd:b7:ad:0e:cd:20:2f:c9:6c:b0:ba:49:28:
+                    e0:21:de:be:89:76:94:b9:5c:94:00:28:8d:74:15:
+                    8e:55:78:84:2f:95:46:59:f4:1d:52:12:2b:f6:b6:
+                    28:6a:c2:31:e1:3f:9c:25:e9:89:9c:80:eb:1e:50:
+                    42:7d:0d:01:bd:7f:d3:f1:33:21:20:1a:8f:1a:35:
+                    e1:bd:a7:d2:2d:c0:82:38:12:ae:6d:05:a1:64:f2:
+                    ce:29:9c:3e:f2:06:57:bd:7d:e7:f7:a1:a9:4e:6c:
+                    ae:4d:ec:20:78:88:4c:9a:ae:4d:26:9c:79:08:dc:
+                    27:79:86:ec:ca:fa:9f:ec:9c:c3:16:10:27:63:5a:
+                    c6:8b:e2:f3:21:e1:d1:00:16:db:a2:06:8a:c3:33:
+                    1b:08:52:df:46:1d:94:4d:04:7f:e0:d6:d4:71:72:
+                    7a:71:eb:5a:5e:e5:a1:cd:85:08:b7:9a:42:a9:0f:
+                    b3:3f:ae:b2:bf:a5:e3:87:18:9c:85:e3:c8:f8:41:
+                    c6:61:94:19:6c:6b:23:61:ca:9d:6b:84:c9:68:00:
+                    09:5e:a1:10:8c:db:37:75:17:f0:9d:78:09:8a:ad:
+                    89:3f:77:8f:74:41:72:83:31:14:c6:60:ea:cd:65:
+                    f5:b3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                73:B2:AC:2A:36:FA:71:6E:E3:A6:61:37:63:BF:41:8B:6F:6F:FF:6C
+            X509v3 Authority Key Identifier: 
+                keyid:1F:2E:5E:B0:40:0D:92:A7:09:83:DA:25:6C:19:20:9E:C9:60:CD:21
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+                serial:E5:9B:8C:3A:EB:E7:6E:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:susi
+    Signature Algorithm: sha256WithRSAEncryption
+         7d:b8:7d:f0:07:06:3c:f3:66:eb:e4:8b:dc:f4:23:24:9a:ee:
+         19:6d:20:bc:e3:50:80:2e:56:6d:21:ee:d5:8a:6c:d1:17:56:
+         29:79:c5:c0:97:ff:cb:c1:2e:85:c1:c8:28:ff:77:8d:eb:62:
+         08:2a:37:ed:89:f1:7f:04:81:90:db:4a:5b:69:c6:22:75:36:
+         07:78:1a:af:94:db:d6:3c:3a:74:c1:53:47:80:8e:f7:90:3f:
+         e8:55:79:8d:b4:e8:ab:24:08:a4:37:1d:b2:7a:a6:56:21:d3:
+         63:3c:fc:58:cd:d3:f4:4d:7a:fc:7a:3f:6f:77:d9:2a:01:50:
+         a0:6a:6d:b8:68:bc:d7:60:ee:8c:57:ae:72:26:b6:c8:66:f2:
+         b7:19:d4:29:bf:df:ea:47:1c:53:b1:22:98:e1:eb:26:85:fe:
+         52:47:a8:2c:f7:5f:d1:4d:01:34:8d:8c:94:78:76:9c:98:94:
+         51:4f:1e:bf:ac:87:74:ce:76:de:76:97:a4:67:28:32:16:eb:
+         c9:cc:e8:cf:d1:f2:dc:57:b6:af:c8:7a:df:c5:82:8d:20:af:
+         e2:83:fe:7e:17:4a:36:7f:e3:7a:bb:76:4e:81:ca:f7:43:c7:
+         5a:6c:28:50:5d:57:5b:e0:c3:ba:f4:3b:5c:1a:4b:ae:35:3a:
+         8e:1d:09:c7
+-----BEGIN CERTIFICATE-----
+MIIFMjCCBBqgAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
+RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1j
+YTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29w
+ZW4uZGUwHhcNMTcwMzIyMDIyNzQ3WhcNMzcwMzIyMDIyNzQ3WjCBpTELMAkGA1UE
+BhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQK
+EwZPLk9QRU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxFDASBgNVBAMTC0Iz
+LVZQTi1zdXNpMQ8wDQYDVQQpEwZWUE4gQjMxITAfBgkqhkiG9w0BCQEWEmNrdWJ1
+LWFkbUBvb3Blbi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALWO
+1L0+hxnl9jkKSF2RdaTNt60OzSAvyWywukko4CHevol2lLlclAAojXQVjlV4hC+V
+Rln0HVISK/a2KGrCMeE/nCXpiZyA6x5QQn0NAb1/0/EzISAajxo14b2n0i3AgjgS
+rm0FoWTyzimcPvIGV7195/ehqU5srk3sIHiITJquTSaceQjcJ3mG7Mr6n+ycwxYQ
+J2Naxovi8yHh0QAW26IGisMzGwhS30YdlE0Ef+DW1HFyenHrWl7loc2FCLeaQqkP
+sz+usr+l44cYnIXjyPhBxmGUGWxrI2HKnWuEyWgACV6hEIzbN3UX8J14CYqtiT93
+j3RBcoMxFMZg6s1l9bMCAwEAAaOCAWswggFnMAkGA1UdEwQCMAAwLQYJYIZIAYb4
+QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
+c7KsKjb6cW7jpmE3Y79Bi29v/2wwgdgGA1UdIwSB0DCBzYAUHy5esEANkqcJg9ol
+bBkgnslgzSGhgamkgaYwgaMxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4x
+DzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGTy5PUEVOMRkwFwYDVQQLExBOZXR3
+b3JrIFNlcnZpY2VzMRIwEAYDVQQDEwlWUE4tQjMtY2ExDzANBgNVBCkTBlZQTiBC
+MzEhMB8GCSqGSIb3DQEJARYSY2t1YnUtYWRtQG9vcGVuLmRlggkA5ZuMOuvnbpkw
+EwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaCBHN1
+c2kwDQYJKoZIhvcNAQELBQADggEBAH24ffAHBjzzZuvki9z0IySa7hltILzjUIAu
+Vm0h7tWKbNEXVil5xcCX/8vBLoXByCj/d43rYggqN+2J8X8EgZDbSltpxiJ1Ngd4
+Gq+U29Y8OnTBU0eAjveQP+hVeY206KskCKQ3HbJ6plYh02M8/FjN0/RNevx6P293
+2SoBUKBqbbhovNdg7oxXrnImtshm8rcZ1Cm/3+pHHFOxIpjh6yaF/lJHqCz3X9FN
+ATSNjJR4dpyYlFFPHr+sh3TOdt52l6RnKDIW68nM6M/R8txXtq/Iet/Fgo0gr+KD
+/n4XSjZ/43q7dk6ByvdDx1psKFBdV1vgw7r0O1waS641Oo4dCcc=
+-----END CERTIFICATE-----

B3-Bornim/openvpn/keys/ca.crt

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE2TCCA8GgAwIBAgIJAOWbjDrr526ZMA0GCSqGSIb3DQEBCwUAMIGjMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBk8uT1BFTjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAGA1UEAxMJ
+VlBOLUIzLWNhMQ8wDQYDVQQpEwZWUE4gQjMxITAfBgkqhkiG9w0BCQEWEmNrdWJ1
+LWFkbUBvb3Blbi5kZTAeFw0xNzAzMjIwMjE5MjVaFw00OTAzMjIwMjE5MjVaMIGj
+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4x
+DzANBgNVBAoTBk8uT1BFTjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUIzLWNhMQ8wDQYDVQQpEwZWUE4gQjMxITAfBgkqhkiG9w0BCQEW
+EmNrdWJ1LWFkbUBvb3Blbi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMzzVaCu/oIRHn9CaLJdwurZvlnnZ1xI+HtWlVnVY60QBzw38Rc36VUOH+bf
+NRM+aV95Pe6h0icFmiDfnSHQwogO56tkZFq6OW9RfnC/wSVXEfVrdvV8H9JgPiLM
+WdyRIgjdeM74EdZ0tFN8sO34Bf/dv3OYGUz7qJgFnKdy7ByTgv2maRmITds9Dk58
+H8h5wl0TnGRS+A8zOz1TAIjVjdPWEFOwkKLGRCSbiWIm2qqXzbhlwYYpxifxRkXW
+tcSLOB3lKtAM53l22Qvux6J5+s0UH3+WoPo+6Gc65Jtg6SUGxTpvJZgRyMpRKLNI
+JEFzo8JMYSb50TmC/9j6ZOX82VsCAwEAAaOCAQwwggEIMB0GA1UdDgQWBBQfLl6w
+QA2SpwmD2iVsGSCeyWDNITCB2AYDVR0jBIHQMIHNgBQfLl6wQA2SpwmD2iVsGSCe
+yWDNIaGBqaSBpjCBozELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0G
+A1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9QRU4xGTAXBgNVBAsTEE5ldHdvcmsg
+U2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1jYTEPMA0GA1UEKRMGVlBOIEIzMSEw
+HwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29wZW4uZGWCCQDlm4w66+dumTAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAmLrMjjb3MV6gjBZCIDJag6X9+
+WOLY6UJfNGXyg9qt4SxKFqvBSCC+ZB+39rvl/+ReAULKCjggM3usRuPZfcK63Ncm
+FRqkxA+3xk+c60KZd3DP+4yRdY3j1GeHip8FJloT91eVkGdCGDAFwz3njBex40BA
+qpIPOoYDKJDZElrunB/8z0KW/12HqxowEnPQaSkTiFeb9hRJMB71/LvS0OZoWPj9
+4kvNGJq8H3VdWjzLDAXfX+VYI1gTWYax47klQM6QnKBOuQGPpHvVWBr0ifFsa6Wh
+eoBxJ50RuMwLoXNZqqJD6TH8vCv7IqARnhiNKhNiDQQr5CZyr4Nwn7gT4yw1
+-----END CERTIFICATE-----

B3-Bornim/openvpn/keys/ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDM81Wgrv6CER5/
+QmiyXcLq2b5Z52dcSPh7VpVZ1WOtEAc8N/EXN+lVDh/m3zUTPmlfeT3uodInBZog
+350h0MKIDuerZGRaujlvUX5wv8ElVxH1a3b1fB/SYD4izFnckSII3XjO+BHWdLRT
+fLDt+AX/3b9zmBlM+6iYBZyncuwck4L9pmkZiE3bPQ5OfB/IecJdE5xkUvgPMzs9
+UwCI1Y3T1hBTsJCixkQkm4liJtqql824ZcGGKcYn8UZF1rXEizgd5SrQDOd5dtkL
+7seiefrNFB9/lqD6PuhnOuSbYOklBsU6byWYEcjKUSizSCRBc6PCTGEm+dE5gv/Y
++mTl/NlbAgMBAAECggEBAIar/sAvPR3Kkfedc56A7evUWLhKzihd6qlhI5J8HZtC
+xP5U5B8VpkU1mtDiKsYSZLtPt9puiuEJVVX0mhP2UV2GLcT5mtfjNopnSmZcGlam
++C4EB48XmPFsPGgxT3sYAv1ASnn1mAMLfNK/RKOaLpcK5xrV/woO86GxTlbZtTyw
+oz0mEOGmR98vOtImIJ9ABTb5RWHqpAyeKcxjI+qb1MC+VZcSUvLbhr6mfq/vAWKk
+Rido3YAlVfzo8kRx6HeXSDZekfQcNPfnAfv3sKNujw9LdEneAbTPB7l5YTTIOxEn
+/vZi1BE+LMA8O1WFf6vlOlRWQqY0/kfRko60cODzzkECgYEA+xxKZVIzSWGw9WqH
+yU+EKU9IGRZ5HszSBOEGVqHjCSvNtFxkvKgpjZFhukLYruqTEOGTNDUnm+3grX08
+9eIaFHQrqrqAkMKertwlU5joSNN95UOJFJJCStQcKS8BToHR4sA5nHlKmvu/CKVM
+es1NUg9+5Er+o0TMax2AIhVEeh8CgYEA0PDzTkE52nMJin8IV8WqSdRnC96FBNN2
+n1n8xBJqgjQqRwI8H0dUs8GcRKUxP5JUfHjzVlWayW9Jn2jX4KR5/HE75mlCeeHP
++Ue+6m+hqNtTV0KmVAjF5dvH4Hsz5mNFh2pET7HPtB4gxn5/jfUYcWjlOYoXBXTJ
+EQuFrVvYMUUCgYEAqGP0T7Wrxs3ICQsDO7AjBECyLICxgEIBpFvyEC5HPWMucoBy
+3UA3fUO8sVcaT1HmhS9/s0bh5OLEBBMzyf9xVb4Bel/Oz0RzfPcL4N9tBUkt54w+
+ZJkf82YB7GwlCCxuPwyAlbmQmhWvqXCPtNnvu9PAV/8iewIrwrjpr/FrFikCgYEA
+gKD1iGWLUjqj0wllf3OG5DDIx3vT9CaiznM9sw+LVmD67gAoNzFYqdk1dOUlrndN
+X9uuIqZMxlmmv2ZyEC/xkUG8mJqQfCxSNqq+k+DpauSrJ/s2HmHQQzPMlxwB1YGj
+2jvHljBnKAGsN8bEjAYpaBgllgi3J3rAFag8QX9bVukCgYA9mbo9CbOvv+n6oYlZ
+vZLBQ4wDZGGOQpUCpYxY18wjxYc4k9AoXh3iruuzQBxmlDIMKUlAPByCVHfCOpDb
+eKQj8Azda37up0QMYsKMuLOFPREJDGZEbastPBH39Thl965As6iKOsd3R4jZ+2Ld
+GHmoTvHKwwKy9rmRgMFMpUkMIw==
+-----END PRIVATE KEY-----

B3-Bornim/openvpn/keys/chris.crt

@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Validity
+            Not Before: Mar 22 02:24:54 2017 GMT
+            Not After : Mar 22 02:24:54 2037 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=B3-VPN-chris/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e3:b0:23:45:0e:07:84:b2:29:3d:0b:66:32:ca:
+                    ac:7f:ac:8a:2d:6b:11:eb:87:20:25:d0:3b:94:6a:
+                    05:b9:da:82:32:28:4e:cf:a8:9b:dc:6a:6b:1b:95:
+                    13:75:6e:ed:fb:fc:1d:8d:fe:23:cd:a1:0b:74:41:
+                    b1:4b:c8:59:9e:2d:5e:ff:46:21:83:32:19:fb:2a:
+                    ba:5b:9d:3c:f1:64:95:be:c3:cd:79:c4:ca:ef:71:
+                    6a:65:6f:81:0d:45:75:11:79:47:51:5e:db:85:c1:
+                    1b:c2:a2:c7:10:d3:39:09:ae:3a:e7:d1:15:91:08:
+                    fd:c8:25:cb:35:08:cf:fd:41:96:e3:59:6b:63:8a:
+                    e8:4a:12:bd:ee:b0:c2:97:fa:4f:3c:fe:98:02:58:
+                    2c:f4:d0:29:48:e9:5c:3d:f0:3a:f6:9c:b3:70:f9:
+                    a0:fb:f7:99:0a:5f:27:09:5e:de:0b:b1:02:26:c7:
+                    91:e0:3f:47:61:c6:52:13:2f:11:a5:77:45:2e:b9:
+                    40:3c:a3:40:10:5a:6c:5b:16:c7:2d:9e:aa:7f:45:
+                    c0:35:cb:11:45:89:00:38:08:9b:43:c3:01:bc:3a:
+                    3c:96:5e:56:03:67:69:b6:18:7a:ad:7f:22:44:8a:
+                    5c:6d:41:96:b6:08:87:fa:d5:99:6a:02:38:91:43:
+                    2d:ed
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                9E:9D:71:FC:38:46:22:BC:2B:8C:79:FE:09:44:0A:48:9D:AD:3E:5B
+            X509v3 Authority Key Identifier: 
+                keyid:1F:2E:5E:B0:40:0D:92:A7:09:83:DA:25:6C:19:20:9E:C9:60:CD:21
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+                serial:E5:9B:8C:3A:EB:E7:6E:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:chris
+    Signature Algorithm: sha256WithRSAEncryption
+         03:72:39:b6:b0:4d:c8:9a:8d:39:b0:9f:43:8a:9d:93:17:06:
+         c7:45:40:00:21:d1:49:9c:69:55:e3:cb:19:fa:fe:94:c2:8c:
+         5e:18:74:a3:9b:95:b1:91:9a:4b:3c:cd:ec:47:d4:49:2d:8b:
+         e9:87:0c:cc:02:ea:e9:c7:51:14:f9:9c:c7:08:2a:c2:7d:c6:
+         49:d4:38:13:29:b6:f9:6f:60:c5:59:0b:96:a8:24:0c:c1:bd:
+         94:6a:48:66:aa:4d:b0:06:9c:2c:59:da:d1:43:35:f4:12:2a:
+         b3:3d:e1:43:e2:1d:46:dd:19:02:93:50:92:48:27:4b:77:9e:
+         29:7c:4d:db:05:fd:1d:4a:4a:09:70:f4:48:0c:4b:12:b8:fe:
+         94:3f:af:38:8e:c8:77:5a:c3:c3:2c:d1:cf:0e:4a:5d:40:62:
+         cd:be:52:6f:c7:55:b4:ac:59:5b:13:0f:ed:51:56:bf:4f:67:
+         d0:7d:4e:08:7c:84:b7:76:9d:a0:91:26:dc:12:38:ac:e2:b4:
+         57:b7:0c:5e:00:37:6f:f3:b0:3d:d5:28:d8:a5:9f:31:4c:32:
+         66:c6:56:a6:8c:57:2e:f8:a5:11:7b:69:c1:be:59:3e:f7:a5:
+         81:3b:d6:64:28:4e:72:be:cd:43:37:38:ca:16:1d:3a:5a:20:
+         19:46:f8:d3
+-----BEGIN CERTIFICATE-----
+MIIFNDCCBBygAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
+RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1j
+YTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29w
+ZW4uZGUwHhcNMTcwMzIyMDIyNDU0WhcNMzcwMzIyMDIyNDU0WjCBpjELMAkGA1UE
+BhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQK
+EwZPLk9QRU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxFTATBgNVBAMTDEIz
+LVZQTi1jaHJpczEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3Vi
+dS1hZG1Ab29wZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDj
+sCNFDgeEsik9C2Yyyqx/rIotaxHrhyAl0DuUagW52oIyKE7PqJvcamsblRN1bu37
+/B2N/iPNoQt0QbFLyFmeLV7/RiGDMhn7KrpbnTzxZJW+w815xMrvcWplb4ENRXUR
+eUdRXtuFwRvCoscQ0zkJrjrn0RWRCP3IJcs1CM/9QZbjWWtjiuhKEr3usMKX+k88
+/pgCWCz00ClI6Vw98Dr2nLNw+aD795kKXycJXt4LsQImx5HgP0dhxlITLxGld0Uu
+uUA8o0AQWmxbFsctnqp/RcA1yxFFiQA4CJtDwwG8OjyWXlYDZ2m2GHqtfyJEilxt
+QZa2CIf61ZlqAjiRQy3tAgMBAAGjggFsMIIBaDAJBgNVHRMEAjAAMC0GCWCGSAGG
++EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+FJ6dcfw4RiK8K4x5/glECkidrT5bMIHYBgNVHSMEgdAwgc2AFB8uXrBADZKnCYPa
+JWwZIJ7JYM0hoYGppIGmMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGlu
+MQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBk8uT1BFTjEZMBcGA1UECxMQTmV0
+d29yayBTZXJ2aWNlczESMBAGA1UEAxMJVlBOLUIzLWNhMQ8wDQYDVQQpEwZWUE4g
+QjMxITAfBgkqhkiG9w0BCQEWEmNrdWJ1LWFkbUBvb3Blbi5kZYIJAOWbjDrr526Z
+MBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDAQBgNVHREECTAHggVj
+aHJpczANBgkqhkiG9w0BAQsFAAOCAQEAA3I5trBNyJqNObCfQ4qdkxcGx0VAACHR
+SZxpVePLGfr+lMKMXhh0o5uVsZGaSzzN7EfUSS2L6YcMzALq6cdRFPmcxwgqwn3G
+SdQ4Eym2+W9gxVkLlqgkDMG9lGpIZqpNsAacLFna0UM19BIqsz3hQ+IdRt0ZApNQ
+kkgnS3eeKXxN2wX9HUpKCXD0SAxLErj+lD+vOI7Id1rDwyzRzw5KXUBizb5Sb8dV
+tKxZWxMP7VFWv09n0H1OCHyEt3adoJEm3BI4rOK0V7cMXgA3b/OwPdUo2KWfMUwy
+ZsZWpoxXLvilEXtpwb5ZPvelgTvWZChOcr7NQzc4yhYdOlogGUb40w==
+-----END CERTIFICATE-----

B3-Bornim/openvpn/keys/chris.csr

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC7DCCAdQCAQAwgaYxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGTy5PUEVOMRkwFwYDVQQLExBOZXR3b3Jr
+IFNlcnZpY2VzMRUwEwYDVQQDEwxCMy1WUE4tY2hyaXMxDzANBgNVBCkTBlZQTiBC
+MzEhMB8GCSqGSIb3DQEJARYSY2t1YnUtYWRtQG9vcGVuLmRlMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA47AjRQ4HhLIpPQtmMsqsf6yKLWsR64cgJdA7
+lGoFudqCMihOz6ib3GprG5UTdW7t+/wdjf4jzaELdEGxS8hZni1e/0YhgzIZ+yq6
+W5088WSVvsPNecTK73FqZW+BDUV1EXlHUV7bhcEbwqLHENM5Ca4659EVkQj9yCXL
+NQjP/UGW41lrY4roShK97rDCl/pPPP6YAlgs9NApSOlcPfA69pyzcPmg+/eZCl8n
+CV7eC7ECJseR4D9HYcZSEy8RpXdFLrlAPKNAEFpsWxbHLZ6qf0XANcsRRYkAOAib
+Q8MBvDo8ll5WA2dpthh6rX8iRIpcbUGWtgiH+tWZagI4kUMt7QIDAQABoAAwDQYJ
+KoZIhvcNAQELBQADggEBAMx4Vsu3nIBZoE/Y4L6aE89+tA1Y44pgrHGIwqBfpqvp
+0YWMtG50wbgUZvetbQ0ttnqQeVeqzOr+x63UVURkubO3lDOEME5XXjxV90sDvq2m
+VJswYoeneCtZ0T6fUdh0x5nNQtegV8lycqmrRZoupefeswaCwCNkBjRLIe1e0bsW
+y0wmbTj3HTC2X6sw6QaHfSt9uST5bOvMy5d/5nwZ0DDu15Vy4fESZEqFLRRtClIo
+frge1K1KPuVQLQC9q54z0R8cD2Y4JiKy95QWfr/7I+YsxB/SAvIoJ9eCJjTcxZOu
+azhQRGHXEYKUbqOlc6q0yYi47hXZbbBTTt0ujCOe6P0=
+-----END CERTIFICATE REQUEST-----

B3-Bornim/openvpn/keys/chris.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIkeGWXvvuPJ0CAggA
+MBQGCCqGSIb3DQMHBAg4m/SzcARAfwSCBMiYFmYOVQU7NW4SiZhjv2s/Ciy1Lli4
+D0RdT6kcrHuPmm53FQB4aJY6wT7bPGn1bVn+Kbhv8gloe83v8wJrp3AJ2rnb5hUW
+dwJvuppTj4+gzFHsB0rOYeIhFq0DZDkg2tXFXlwdyQUW3/dkaWMqMDIEbWGrIBhB
+JRJc83W6DZClSGlyBQD6Ef0Ij0uoytVbnYPWSrG1mS/6PQ7JkvFDBqJKoORwWEzZ
+kfQVkwhDU1rv/iCsr4ADAaxgUVapa8ESdkgzGbDmBjcefAWjDOMnFgNwJHqiqdng
+jIbp/8s4ZotT3r79IpxpvXrubXl6qUlUtWURQ7WJRy4w7fuBwy2gJ8UEzL1zYECq
+gR0goGOUQxX6iECydc8/ppDo4000IxTxO/TUE59Im+Xxc3twIGgiWITu4iQY5DQz
+CB4fd/okj46hfOpJi4ND4g1BYQd7wCo/Rhn96FQAdhMHfD7sC9Wsrgx5uAUsTIym
+ZYc+60Iu9hdfP4zNz/ZnYNui9qEbQCr1W3nVk5Q4wR2XS4TjtOkKPJYRYcX1ngLm
+p/B1Wy79T3tFvN5n6/5Z5uiplqcij16Tfw7u9i6EqOeTy/33EkF1PkRP8EqP7jXw
+d4sbSYS0TjrY3TUrERCxG2DT1NU/ruZwTka+mnYIzQXJ+LsnG21zTrRB4dLuM4zz
+pOGGL+sYBGwg5/67w1W7xzar8XDlAj8OJDlrUw7syEsXDyoLf2o8tYXAOOd5jXuX
+76XZ90s2YrXCHFVnUdTK9xzdrbnoErDHa6wZ0d1mS7DVDnymQRHnSIidAOQ+f3za
+NajEsEBBN1rsPE3qajbflRINIzs5hRwPBfUxkRG2IR6GuDxmJYQAS5uwLhFd1vJl
+7/SnSB6spqWTR8xPz/Lb+Vu/0aUN01Gd4m3toGFiIgdjyIZbZSEtAK/sGmAAxOoz
+GuSOF4AwSrmCp5/sSvFuhlwMe/pqRbidgbW0TZiOzrupzkTgPyaixdHPfycTT0Y5
+wB3N76LdmO8Bkc0wQoBUEWWUFbXzywo/EjTslBv1mTK0RGkMnDDZkrJbPYTTckzU
+yU+b98diD4B6VSf460a4YEdeZpc52Wmbv+cTkeWSEaQ79hWSRXLPBXwdXwOfzr94
+S10yBDKWBU/w3ynCBPM8WlMjkFX/BlNoPPRzgw6ozeH9KMmuJlAHOw352N/8QtZE
+n3baGa1mdxplc4JV9SgDkH4OyEyan/ytpr6R2oCCNnHo+OOerft2rZolKIsLGOEP
+ds7QJjj7hc1FtcePNXsC0piKjTq1eHTVtIT851q0+TNfpPesUnhNzRU8fgDswJoM
+ssjdt9BsOuwO1jPt/Wuh4gwIHyLKY6DWkmjXVSoLrRWZaRK+m2AARCH0/oCDk/9v
+Dr0zRA0z1KNRUmHRp2CR6pY+bcDus0RLon3SjHq1EvPgOCnGT9F7H/hZwtzcegF8
+qcOj+rXs3l439t4HLDwZ8hqVsSOnQZ8Ztxc5T+TQ3bscTg2JrkF36Nl+E1x53U7+
+akClupFKOE6H63TSy582zPmaecBUU0xqZmms9jkXGdwBVyJXXqKLlMkZIK6kBeu2
+cHuWFrOuSzZFhQGaLxkJYTrxnyGInD8Wha6IVo/AuBXKauT/bi+VCCfvxLfPEhOX
+hVs=
+-----END ENCRYPTED PRIVATE KEY-----

B3-Bornim/openvpn/keys/crl.pem

@@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----
+MIIB6jCB0zANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCREUxDzANBgNVBAgT
+BkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9QRU4xGTAXBgNV
+BAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1jYTEPMA0GA1UE
+KRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29wZW4uZGUXDTE4
+MDExMjA0MDc0NVoXDTI4MDExMDA0MDc0NVowDQYJKoZIhvcNAQELBQADggEBAGI8
+7CEDAWKfmJr6JJgkqAk8XVGKNU4yGZBmC4OFpEFHNdnyVRz4V8UMEUjVp+pKXhIe
+hldECPYxYnCxwWh3HORz1tZl0m+fwYyxZCXsEpr7lwwdrn+vACh1rsaWr84540oI
+cceKx4QegU8u8hMSjfux9YGarl1qBGVg/Gl7v6NKuhAiMwJ+9/03i3sKEuzZ3dL0
+wwpl/tBoaPhCsh6aMbeN1t6ZTCWxjzDSTJYCIMIf2C/7EhsfcVGzWAqyV2yG3iLd
+vnwcw6OUVZS2Dh8759MdvJUowtiIozHzYwCN69XB6EBN40RvR/aXXkbfDOKDIGwb
+HmeHzYuk+k/DPckTOcI=
+-----END X509 CRL-----

B3-Bornim/openvpn/keys/dh2048.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAnXqnqyXh6ONT/Xa2OupiIMCOeEPoidhdLpFV+voegHYuKRhIHUMd
+K7NgTQIsGid6bqFg6UplUOlh0ut6ASv8MG/u/Avy1HEq148Xrkxxe8eHhCrRd4n7
+g7huGLNkgnzGbRQaTuiUj5QFpobUI0QEN9SqHenmJoqCG0goQTqthQ0nBdmiV25T
+vL5eRm6Y+62Ye4G9J19h6Yyu8PElPdepYxDDhY0kI9zJHorWy+7ymudmwCA9+B3q
+/5WmvMsFvd5c99UFKWKn3zhjbwWSjdWYU8v4jl4DMALbPhc9dZnPDvkq4Jr59QTI
+vHoN9MabWkRMqUHAjukSTmwe7qWN0gjnEwIBAg==
+-----END DH PARAMETERS-----

B3-Bornim/openvpn/keys/gw-ckubu.crt

@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Validity
+            Not Before: Mar 22 02:25:44 2017 GMT
+            Not After : Mar 22 02:25:44 2037 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=B3-VPN-gw-ckubu/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a0:12:ec:ae:52:b3:19:53:4d:f4:ca:96:dc:4f:
+                    b8:94:e3:ff:77:97:93:2c:63:1f:af:b2:d5:e9:d4:
+                    32:16:ea:b5:62:93:c6:49:e4:48:1d:38:8b:a3:ac:
+                    11:82:50:05:24:6c:d4:5e:9b:d6:06:e5:a3:a2:77:
+                    eb:3c:14:23:2c:d0:3c:2d:15:32:8e:79:74:47:2d:
+                    1b:1b:e6:bc:bb:cd:f1:d7:e4:25:67:27:d9:e7:14:
+                    96:78:2f:f2:2e:a8:76:df:0f:20:18:ab:d6:54:31:
+                    72:88:81:be:17:2c:0d:e1:65:9f:17:b9:88:e2:b8:
+                    d4:ec:3e:a4:61:46:db:03:da:69:2d:be:2e:24:b9:
+                    53:59:9d:3d:ef:2b:75:ef:1b:40:ea:f7:a6:b2:7f:
+                    3c:b7:46:e4:f7:6c:db:8b:cc:4a:cc:3c:df:0e:a7:
+                    8c:39:2b:30:53:4a:19:10:84:34:f7:17:19:94:eb:
+                    fa:63:84:ce:4b:8f:09:04:19:38:98:24:19:24:96:
+                    6a:cf:f1:3e:42:8a:9e:cd:16:c5:39:de:bd:1e:fc:
+                    e6:57:12:3f:b5:59:d0:50:b7:38:d7:75:99:b0:4d:
+                    62:d7:95:64:fb:b5:8c:68:20:61:78:7a:04:45:c4:
+                    15:8c:92:60:b9:9e:24:3f:b5:54:fe:92:4a:1f:4b:
+                    09:37
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                01:0E:AD:99:D6:AD:30:D2:45:B3:FF:56:26:D4:E7:8F:BA:BD:41:86
+            X509v3 Authority Key Identifier: 
+                keyid:1F:2E:5E:B0:40:0D:92:A7:09:83:DA:25:6C:19:20:9E:C9:60:CD:21
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+                serial:E5:9B:8C:3A:EB:E7:6E:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:gw-ckubu
+    Signature Algorithm: sha256WithRSAEncryption
+         16:30:40:fa:eb:4f:06:12:81:ee:94:67:b7:22:67:53:af:f5:
+         23:29:43:7f:fe:9d:50:94:cf:ab:a5:a9:f4:85:36:4c:2a:38:
+         f4:46:b4:01:5c:0f:59:3b:d7:39:2c:a7:d5:64:b5:63:83:ff:
+         e7:98:c8:94:69:cc:a5:8a:03:ac:61:c5:0a:20:46:7b:f8:86:
+         71:39:ad:a4:bc:fd:cb:dc:ed:27:95:2e:d7:f9:2f:0a:26:1e:
+         e0:1e:4e:77:94:c1:08:11:b7:5f:6c:e7:5f:a1:98:4e:a2:8f:
+         46:d2:e3:c4:b8:fb:c0:51:8d:5f:d3:3e:a0:81:e8:c6:46:ef:
+         89:57:7a:8f:d8:af:e8:48:c2:c6:64:ef:d3:1e:77:72:17:c4:
+         57:87:19:97:e2:04:e5:27:11:40:28:52:a1:fc:79:85:56:69:
+         69:0d:04:a5:8d:b8:fe:4b:ca:6e:4b:6e:bb:7e:a8:10:54:6a:
+         45:ae:49:2f:10:8c:8e:cf:d8:b1:00:97:62:ed:14:84:1c:1b:
+         5b:b6:3c:44:e3:8e:8c:ac:25:33:39:6f:9d:7b:db:7c:0a:4c:
+         ec:70:d6:17:32:e2:93:8e:33:fe:aa:e1:12:f1:99:1e:f5:f8:
+         5f:b7:94:77:83:4f:6a:de:48:1a:db:9a:62:dc:7e:87:00:87:
+         c1:73:fc:ae
+-----BEGIN CERTIFICATE-----
+MIIFOjCCBCKgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
+RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1j
+YTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29w
+ZW4uZGUwHhcNMTcwMzIyMDIyNTQ0WhcNMzcwMzIyMDIyNTQ0WjCBqTELMAkGA1UE
+BhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQK
+EwZPLk9QRU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxGDAWBgNVBAMTD0Iz
+LVZQTi1ndy1ja3VidTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJj
+a3VidS1hZG1Ab29wZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCgEuyuUrMZU030ypbcT7iU4/93l5MsYx+vstXp1DIW6rVik8ZJ5EgdOIujrBGC
+UAUkbNRem9YG5aOid+s8FCMs0DwtFTKOeXRHLRsb5ry7zfHX5CVnJ9nnFJZ4L/Iu
+qHbfDyAYq9ZUMXKIgb4XLA3hZZ8XuYjiuNTsPqRhRtsD2mktvi4kuVNZnT3vK3Xv
+G0Dq96ayfzy3RuT3bNuLzErMPN8Op4w5KzBTShkQhDT3FxmU6/pjhM5LjwkEGTiY
+JBkklmrP8T5Cip7NFsU53r0e/OZXEj+1WdBQtzjXdZmwTWLXlWT7tYxoIGF4egRF
+xBWMkmC5niQ/tVT+kkofSwk3AgMBAAGjggFvMIIBazAJBgNVHRMEAjAAMC0GCWCG
+SAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
+BBYEFAEOrZnWrTDSRbP/VibU54+6vUGGMIHYBgNVHSMEgdAwgc2AFB8uXrBADZKn
+CYPaJWwZIJ7JYM0hoYGppIGmMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVy
+bGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBk8uT1BFTjEZMBcGA1UECxMQ
+TmV0d29yayBTZXJ2aWNlczESMBAGA1UEAxMJVlBOLUIzLWNhMQ8wDQYDVQQpEwZW
+UE4gQjMxITAfBgkqhkiG9w0BCQEWEmNrdWJ1LWFkbUBvb3Blbi5kZYIJAOWbjDrr
+526ZMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDATBgNVHREEDDAK
+gghndy1ja3VidTANBgkqhkiG9w0BAQsFAAOCAQEAFjBA+utPBhKB7pRntyJnU6/1
+IylDf/6dUJTPq6Wp9IU2TCo49Ea0AVwPWTvXOSyn1WS1Y4P/55jIlGnMpYoDrGHF
+CiBGe/iGcTmtpLz9y9ztJ5Uu1/kvCiYe4B5Od5TBCBG3X2znX6GYTqKPRtLjxLj7
+wFGNX9M+oIHoxkbviVd6j9iv6EjCxmTv0x53chfEV4cZl+IE5ScRQChSofx5hVZp
+aQ0EpY24/kvKbktuu36oEFRqRa5JLxCMjs/YsQCXYu0UhBwbW7Y8ROOOjKwlMzlv
+nXvbfApM7HDWFzLik44z/qrhEvGZHvX4X7eUd4NPat5IGtuaYtx+hwCHwXP8rg==
+-----END CERTIFICATE-----

B3-Bornim/openvpn/keys/gw-ckubu.csr

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC7zCCAdcCAQAwgakxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGTy5PUEVOMRkwFwYDVQQLExBOZXR3b3Jr
+IFNlcnZpY2VzMRgwFgYDVQQDEw9CMy1WUE4tZ3ctY2t1YnUxDzANBgNVBCkTBlZQ
+TiBCMzEhMB8GCSqGSIb3DQEJARYSY2t1YnUtYWRtQG9vcGVuLmRlMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBLsrlKzGVNN9MqW3E+4lOP/d5eTLGMf
+r7LV6dQyFuq1YpPGSeRIHTiLo6wRglAFJGzUXpvWBuWjonfrPBQjLNA8LRUyjnl0
+Ry0bG+a8u83x1+QlZyfZ5xSWeC/yLqh23w8gGKvWVDFyiIG+FywN4WWfF7mI4rjU
+7D6kYUbbA9ppLb4uJLlTWZ097yt17xtA6vemsn88t0bk92zbi8xKzDzfDqeMOSsw
+U0oZEIQ09xcZlOv6Y4TOS48JBBk4mCQZJJZqz/E+QoqezRbFOd69HvzmVxI/tVnQ
+ULc413WZsE1i15Vk+7WMaCBheHoERcQVjJJguZ4kP7VU/pJKH0sJNwIDAQABoAAw
+DQYJKoZIhvcNAQELBQADggEBADVuBSLICq4H4uHH5Kelj4xkfahSVfwgX69uumJI
+qqmX4ByVxmbdrJ+6ySGJUeI4kIQxLnR/ah2SNRVChUMe1/yx9UEdX8VzL0kAeyT2
+8fve2gJzL8W9Kmmi9BXpwmfoK3yvlP2W/PI8i3yDinXigSjRNMe8tPqYF+7hP3f5
+le7TkTC5a9ztVFm6il+VO3JY9y9bzV14DMOU6YFrtaTQoHwyk0X8BDqJTVt3/5lU
+Q8x6w/GJ2AKQvWlbynubF69fti3j/PtpmFgX5zVLAs5W7INGwDs0o6FHakJJFShO
+alfv8G9WIZkloe4TE9aXaKZCL3/w1AekCLEFWTY6tCt3ezE=
+-----END CERTIFICATE REQUEST-----

B3-Bornim/openvpn/keys/gw-ckubu.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIFoCf5M5Q7nwCAggA
+MBQGCCqGSIb3DQMHBAg/IMWDanMqPwSCBMgU7zQul5AkX/TrxXfYu6f1PRJEpfb/
+v6F9NXOH42JaWp7VDTI/aQgToi0q+qZRE3GCj9eCGsv7XcltWVtt0c0Qd3jHB+N3
+IRXAqNH5dUhpuBJstMBFrYL01TbPkg7fhGhtYYJIJz11BTiwllZULGEJXTXyiusI
+zWnkt37KdnhOaWVhAHaf+gWQayB/rMiI5HM4dkdgHm/VQKBrOQGJYn8LMqLqmHKd
+kLYeYultYkPtcqDRpnxERbtLXItC2PneKU2WKPwsmCsCy6CTIJoSF6FAxluv8jhO
+etLKAzLiDRg9Q/xB+50o8ouRHtNLFSo4FoF7BSeS7ZfdVfRKMMpzUzzRys4KVQry
+vXng3IQVxLzHEEZAP9HXcGNuvXeFq5LC72oCSob0ynpPdaTnI00O8vLBib93RfIh
+Wn4Tsc7w8Ls3AWhFStkz+8sJ6iewgcp0BlhWLBbTn38sIhW9vG20zAR/CvOpT5vT
+8lxLrphsbOuf1HsH7vsYbzsXAwB5Jpu6NCpuiDS4NaBKZAAVmBi37tAc3KbTlUzx
+BUhxlrwwDSdQ8j2KXk+/LAXpXM3oj9fKyDOIzuQtFXP7dV9ohX6YHocwMoQCgCl/
+ab7mw0ouIb5uUwR5s8dFfFl8scWPsvs9/BALC+ZAfvWBaWvq9dCrngdciM90Sg1c
+CQjsBSGMbUTSSgxQE/DdI/mMRa+gqVLe6IniRB/RoKyyBdufkkqhNf2D/d0Ll5uF
+yPKvuOJxYHwGPnwknGQrBCe2KMRotzCRliMZ2ua5SPe2fhnVJ0E3jTgABz+ArZhN
+XNBAjY/lM80App2NFP6A2p1ryxf5M9j/qbiGFyPaXsnFHT/8Iku+FErWzRQ0fASQ
+SC/8kuGWWafwKig6wjHDv6yrIYrtzWiLd5OTpi6QqD1JY19s4pP04v50XL9F9scK
+ypESdCcZz9+Q18N4yxREKbCviThpTy3FBoWa1v4SZeerAroUdhGJjXzWfypzmHo4
+21J004Dhb7XXKfqsE6MU1TVDQ64Qg/NalULs3LAdHCfur/JR2Htme7/k3jAuJNDF
+SPu8PNVH9lnUcxaMVOIMfYtcwMCCn6lW25WqbKPG/VIir4WG2HmGxqbEqugNgt1H
+VTxV2uYU1CGEGTlR/EgiI0QDGjVfVLHgugvnTY0T3w7r1kfYKhyyggQ5k3mqvPFX
+4B5lm2cCUYBlg4hkWsCTOs+dBG4zB54fl1kfkZ34u9BoTSOFoBi5v0Jhg1CQEgxH
+Gesw0YH/gqR2UiWzzwQf/K3WFHaawSmK94ChEMLX6FIUbLwBC4Y9I4J0oT2wfXgi
+pzyXR2BL8ccCXlSIzvxDLie3jCgBtuwxAUkK3QifE2+ksM2+3cZk9FMXVlVnGYyz
+bTqTxZ/RJCNFIZr2Z2gl2uBhU3Q1k8aWyF6Yu+q1FxtMzIyltYgTUia72vkyGCLG
+O0mqRbsxW5RaPpIC7P1fj3IQ5IjvamDPhpG0nXX9RXNlGjRn8QbPX7NEk6WCVgc7
+dpNAaZOY68LoQpw344GVWXl5O8sQvrQuLMzoIeeMNlGxK9fjFsf/vUDz3JNy0Q8Q
+dni2K4UplAMnfeG+A2DcGQRQ11MRLLJ9cIT2z4lLvv1Vd+Lbv31O1ucdh6kuQbMG
+WXY=
+-----END ENCRYPTED PRIVATE KEY-----

B3-Bornim/openvpn/keys/index.txt

@@ -0,0 +1,6 @@
+V	370322022216Z		01	unknown	/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=B3-VPN-server/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+V	370322022454Z		02	unknown	/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=B3-VPN-chris/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+V	370322022544Z		03	unknown	/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=B3-VPN-gw-ckubu/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+V	370322022625Z		04	unknown	/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=B3-VPN-ingo/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+V	370322022704Z		05	unknown	/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=B3-VPN-matthias/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+V	370322022747Z		06	unknown	/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=B3-VPN-susi/name=VPN B3/emailAddress=ckubu-adm@oopen.de

B3-Bornim/openvpn/keys/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

B3-Bornim/openvpn/keys/index.txt.attr.old

@@ -0,0 +1 @@
+unique_subject = yes

B3-Bornim/openvpn/keys/index.txt.old

@@ -0,0 +1,5 @@
+V	370322022216Z		01	unknown	/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=B3-VPN-server/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+V	370322022454Z		02	unknown	/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=B3-VPN-chris/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+V	370322022544Z		03	unknown	/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=B3-VPN-gw-ckubu/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+V	370322022625Z		04	unknown	/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=B3-VPN-ingo/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+V	370322022704Z		05	unknown	/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=B3-VPN-matthias/name=VPN B3/emailAddress=ckubu-adm@oopen.de

B3-Bornim/openvpn/keys/ingo.crt

@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Validity
+            Not Before: Mar 22 02:26:25 2017 GMT
+            Not After : Mar 22 02:26:25 2037 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=B3-VPN-ingo/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c1:ab:6d:d9:5b:fe:ce:60:c5:fd:f3:66:77:57:
+                    2a:05:af:c6:f9:ac:97:6d:29:43:d4:4a:9c:1c:8f:
+                    c1:00:38:47:6a:cc:55:5f:00:a9:98:fc:62:7e:ae:
+                    41:52:b9:44:a0:47:69:d1:e3:7a:db:0b:d0:0d:cf:
+                    71:d2:bc:43:92:9a:e9:80:ee:f0:d8:9d:67:3d:b1:
+                    da:39:f3:83:f5:d7:87:17:e9:b3:bb:0f:74:c3:7e:
+                    9f:c4:3c:0f:6d:43:94:63:e6:b6:55:c6:ec:d6:f1:
+                    08:b6:eb:cf:ae:a5:a8:61:f4:79:b0:a4:3f:e0:55:
+                    86:3b:22:a2:79:a9:04:ce:ba:78:1a:96:3b:e4:2e:
+                    1a:89:ba:1a:81:6c:9d:ea:54:6a:30:71:db:31:7b:
+                    c5:17:d1:40:8c:66:c8:8a:a5:c4:50:5d:97:0c:9a:
+                    42:2e:a6:41:67:8b:ef:93:af:28:42:b8:3f:65:0e:
+                    1d:1c:15:69:6f:4b:09:e1:54:d3:f9:fe:2a:a6:e8:
+                    cd:01:0f:ec:97:5a:62:28:7a:14:ab:f9:30:ed:5b:
+                    e0:e2:e6:02:9b:50:65:ac:1e:35:0f:76:b4:4e:ad:
+                    44:7a:66:5a:33:28:7c:b2:46:c2:ea:67:5f:cf:be:
+                    74:aa:0d:a8:f8:8e:4c:e9:95:d2:ca:11:ad:cc:f6:
+                    67:9b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                51:5B:AE:97:12:72:A4:2A:44:72:38:38:53:BF:14:F6:8F:88:0E:18
+            X509v3 Authority Key Identifier: 
+                keyid:1F:2E:5E:B0:40:0D:92:A7:09:83:DA:25:6C:19:20:9E:C9:60:CD:21
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+                serial:E5:9B:8C:3A:EB:E7:6E:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:ingo
+    Signature Algorithm: sha256WithRSAEncryption
+         63:66:7e:a1:53:e4:7c:55:5c:4a:cb:51:9e:10:b2:c4:21:b5:
+         9c:7d:3f:c0:b6:ea:cb:a9:07:32:76:eb:ad:0d:cf:cc:2a:85:
+         ca:d7:86:e3:6e:00:f0:70:29:f0:5f:73:1d:13:e2:bf:2d:99:
+         e6:33:65:af:6a:5b:d5:c1:4b:74:df:07:ab:a0:6f:49:7b:e3:
+         92:09:89:88:ce:3a:67:6e:d6:8f:fb:b8:9b:93:87:ad:1a:25:
+         b8:db:8e:92:d1:18:a5:f0:e1:c9:ab:0b:f6:9d:46:79:5d:d0:
+         24:44:eb:4b:5f:59:1b:f4:e3:92:ad:55:5e:af:af:2d:44:e3:
+         95:c5:de:1c:eb:c6:07:f6:5c:94:84:4d:41:33:c9:94:86:53:
+         63:95:e6:41:14:42:32:e2:88:b8:e8:23:44:fb:d4:19:0d:e6:
+         69:db:ff:97:e1:87:7f:72:4b:4e:3f:6a:49:50:60:eb:66:b4:
+         b5:4f:c6:db:93:fd:e8:b6:d1:b6:e4:b8:90:9d:65:e4:77:10:
+         d2:a5:0c:c3:0e:5f:7d:1d:0d:fb:ff:ca:1b:4f:d3:1c:c4:ba:
+         b8:c3:69:f1:04:ef:6d:21:93:11:4b:59:29:09:2c:e9:37:91:
+         c1:9c:17:3a:d2:55:e5:2f:0a:1a:4a:82:ae:d9:37:58:12:15:
+         8e:2d:19:f2
+-----BEGIN CERTIFICATE-----
+MIIFMjCCBBqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
+RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1j
+YTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29w
+ZW4uZGUwHhcNMTcwMzIyMDIyNjI1WhcNMzcwMzIyMDIyNjI1WjCBpTELMAkGA1UE
+BhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQK
+EwZPLk9QRU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxFDASBgNVBAMTC0Iz
+LVZQTi1pbmdvMQ8wDQYDVQQpEwZWUE4gQjMxITAfBgkqhkiG9w0BCQEWEmNrdWJ1
+LWFkbUBvb3Blbi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGr
+bdlb/s5gxf3zZndXKgWvxvmsl20pQ9RKnByPwQA4R2rMVV8AqZj8Yn6uQVK5RKBH
+adHjetsL0A3PcdK8Q5Ka6YDu8NidZz2x2jnzg/XXhxfps7sPdMN+n8Q8D21DlGPm
+tlXG7NbxCLbrz66lqGH0ebCkP+BVhjsionmpBM66eBqWO+QuGom6GoFsnepUajBx
+2zF7xRfRQIxmyIqlxFBdlwyaQi6mQWeL75OvKEK4P2UOHRwVaW9LCeFU0/n+Kqbo
+zQEP7JdaYih6FKv5MO1b4OLmAptQZaweNQ92tE6tRHpmWjMofLJGwupnX8++dKoN
+qPiOTOmV0soRrcz2Z5sCAwEAAaOCAWswggFnMAkGA1UdEwQCMAAwLQYJYIZIAYb4
+QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
+UVuulxJypCpEcjg4U78U9o+IDhgwgdgGA1UdIwSB0DCBzYAUHy5esEANkqcJg9ol
+bBkgnslgzSGhgamkgaYwgaMxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4x
+DzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGTy5PUEVOMRkwFwYDVQQLExBOZXR3
+b3JrIFNlcnZpY2VzMRIwEAYDVQQDEwlWUE4tQjMtY2ExDzANBgNVBCkTBlZQTiBC
+MzEhMB8GCSqGSIb3DQEJARYSY2t1YnUtYWRtQG9vcGVuLmRlggkA5ZuMOuvnbpkw
+EwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaCBGlu
+Z28wDQYJKoZIhvcNAQELBQADggEBAGNmfqFT5HxVXErLUZ4QssQhtZx9P8C26sup
+BzJ2660Nz8wqhcrXhuNuAPBwKfBfcx0T4r8tmeYzZa9qW9XBS3TfB6ugb0l745IJ
+iYjOOmdu1o/7uJuTh60aJbjbjpLRGKXw4cmrC/adRnld0CRE60tfWRv045KtVV6v
+ry1E45XF3hzrxgf2XJSETUEzyZSGU2OV5kEUQjLiiLjoI0T71BkN5mnb/5fhh39y
+S04/aklQYOtmtLVPxtuT/ei20bbkuJCdZeR3ENKlDMMOX30dDfv/yhtP0xzEurjD
+afEE720hkxFLWSkJLOk3kcGcFzrSVeUvChpKgq7ZN1gSFY4tGfI=
+-----END CERTIFICATE-----

B3-Bornim/openvpn/keys/ingo.csr

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC6zCCAdMCAQAwgaUxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGTy5PUEVOMRkwFwYDVQQLExBOZXR3b3Jr
+IFNlcnZpY2VzMRQwEgYDVQQDEwtCMy1WUE4taW5nbzEPMA0GA1UEKRMGVlBOIEIz
+MSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29wZW4uZGUwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDBq23ZW/7OYMX982Z3VyoFr8b5rJdtKUPUSpwc
+j8EAOEdqzFVfAKmY/GJ+rkFSuUSgR2nR43rbC9ANz3HSvEOSmumA7vDYnWc9sdo5
+84P114cX6bO7D3TDfp/EPA9tQ5Rj5rZVxuzW8Qi268+upahh9HmwpD/gVYY7IqJ5
+qQTOungaljvkLhqJuhqBbJ3qVGowcdsxe8UX0UCMZsiKpcRQXZcMmkIupkFni++T
+ryhCuD9lDh0cFWlvSwnhVNP5/iqm6M0BD+yXWmIoehSr+TDtW+Di5gKbUGWsHjUP
+drROrUR6ZlozKHyyRsLqZ1/PvnSqDaj4jkzpldLKEa3M9mebAgMBAAGgADANBgkq
+hkiG9w0BAQsFAAOCAQEAcfANYU+IUWT3uOG53DqENmx0gbVB7UirvBEHqh7EFDLK
+JJ+VTpR0K7bPXHLWZoKFhTXt8jPD2bpx25+Kwboh+9uR17loNgis6Ifr0SgXDI1t
+Qn+IfB6Y6P1IJNTL5hMeuIs1x5wuU6EA1P3wM/42ZzJyBOrPgUkRMkf5hmrVimwB
+hR3LsnnBr7AGqzFBZuN2I3tNsHqIOcbIHmEZJfIEwITDHVEJ+wEEZVA9pjXsj3Cd
+3hbsUf8eXGniRdSbeDZPI4Ekab4dR+SiR1Z+M/UC45PNjS0rfK3M7I/1rCipT506
+CwUSXCeuN23Ld7KGUCIg78ZqvQySKOubTN8hPfH4rA==
+-----END CERTIFICATE REQUEST-----

B3-Bornim/openvpn/keys/ingo.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIrr3UfJ98RGcCAggA
+MBQGCCqGSIb3DQMHBAiiGKJtZCU09wSCBMg27Hq3ED23Yh7iKrmDLyLvSMyFmlJm
+n6Pn6URs29Urh6PryZSnbVxjwtCJPU4A3BwXmvyHLZOIJZbji09QCPkQvCfxUnVP
+ti6D/SowdEgdv0GFGH1X4ZiFOSFciDlt7bQBKIY4LppVqd9TxwXOe07RFQZVlJdo
+3FHo+6ct5qiXwa+vLvAu+zuRGpQdFKXRNx5l7e28hlusIOD4aAysddKaYGL3w0MO
+XWsv7T0ezv5a7gHBBOz9mMTHQz3x0xiE1Xy4bKTJVyeglDrSvnkZhb/L9GH5ycw2
+/0IEEaWE/GCNWWDzT2/v6HYIrH+83QR7j241R7Q3HtJmfiGqaBI9oElUf8tcR6re
+qoHzomzGSUc+fbtDhSPLlYdt8av7SbTmD/YL41eaeATqk0d7gWzXsl54jHEo//UC
+wWbxA8cR+hVs0wiByXQoT7DtczPOl2u6cwWwR+7btFO5oNEcciOwmyVBltW9ksKK
+nHGasx8c5e2pqzEA3yKr13HwewrhJ90i5gPzHDkzyXWt2IGWC2HDeWDXuxbHDUPM
+1lwacx90RDSM9a+Nfiy9Pk3WLfpScaeN0M6ir+QKvDKaZfFfRvOyB2PfnNorm9ce
+i+1M+6MZhi0p8n1VriFYjdjvzRGrdzWgDjrnDNR5/0LL71u/ltLCZE1pt9KuLWYk
+Qpi1gcBG4bb0xb4Kbte0YdJ7dlrTSbfQFNt5LKw+M8kRvLkRRirb9JpTE2w8IC7W
+jrFN+xjbFOjkxdef0CluGL9rhAZ8fk/WpOm2WpsBoXy0/JDURMQYLXGdgRoaVArJ
+fc7J3Hh8/v0EvbbP7L43I9vIOsqwq6GsdndIRjak5XElT7wsACTaFD6qO5xIGgkk
+MK8YLIpt5Pe4hvwbHNMKBcYgpWof3f/yOT0ZxzTkSR6c7bFJP58N88zf0OWtUL1P
+Lc3t38DRkPFrk4W36tQyLWStxfKGyY77VbtwGj6+3H4qIeYuG+aORDcjPWnbcksH
+dSDmLYprcpXeiYRLpnjRLqkMzeq2e5auNygVIB1lOamztjgOJcn3TsX7yxEgvaYX
+ll76FIcaZ3T3vspRRe7Q6tk7LH7mArxAjAVBVpxrIhqWlou5Vl2G5lkpWXZ5kXdt
+AQ2S8UK6BwFkXzggekR2IxOceE7iIdJvXFTsKVWb9yau3wbS5+gzTxmKWkz1Xk7I
+KGjs9Y/ar9XjtTh2kKkYgqqFt77pZ1rm0HVVnhJn7aRDG4Fj5z4vAG3mmVZt/v6n
+kTANOIe4RnLLuD+A1HMIVjiKCuhEYuvemSsGJdT9qPQPzgXS1mjToOwXYa1fFC90
+xfEgSGuvIalrS1jL5+6sRb/8JNRfBwUbGyPXRNBlzQngVeR7Dc68Q7hWCliZ5DxJ
+EWKx8/1NiMvHWV9NEUbYvwkxgw1HkXgu1m3Dl/27goHzmTG9QIrXnXpugS5RqaRg
+0r4t45WMUq4CqrNzV9YGG4kJw6Go+YpY8jgkpesxA9qQvWuKOu+3JdM8i/5BVglb
+0NcNqYOIHVxdV/u+4eR62cL0KQ7WUugvaFoDBiuunAXIXatr6zLXX0JZzhuTKCNp
+XRXHTWgamSOVoXm88g3/CZW/XRWmvUGXWiC2ZEzJEuNKnu7RdQDdIULY/u3jKNKX
+FfQ=
+-----END ENCRYPTED PRIVATE KEY-----

B3-Bornim/openvpn/keys/matthias.crt

@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 5 (0x5)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Validity
+            Not Before: Mar 22 02:27:04 2017 GMT
+            Not After : Mar 22 02:27:04 2037 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=B3-VPN-matthias/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d2:22:e5:ab:8d:2b:28:95:69:10:c3:ba:f2:9e:
+                    f4:f8:47:f2:81:fc:b1:35:70:fc:70:f4:e1:d1:4c:
+                    4e:b4:2b:7c:65:76:b0:88:15:07:11:c8:47:16:4b:
+                    91:98:80:c1:f2:51:1b:8c:77:87:e5:ca:06:14:7c:
+                    5b:2c:c4:ee:6c:de:2c:af:11:1c:2e:0b:74:73:6a:
+                    9f:8f:7f:1c:6a:5b:24:28:01:19:86:3a:ff:6d:48:
+                    56:7e:20:7c:94:d5:db:2e:a9:9f:f1:08:7d:9f:ec:
+                    b2:6e:8d:6b:6f:20:df:47:28:a8:e5:b8:29:92:b5:
+                    a0:93:29:b7:42:d0:0d:06:12:ec:39:fb:39:73:b8:
+                    ce:5d:9d:7c:a6:01:c3:e9:6d:39:83:07:16:8e:89:
+                    d0:69:c1:17:27:a5:5b:0c:41:41:36:86:10:62:73:
+                    ae:3e:88:48:bb:96:bb:aa:be:b8:5f:98:a6:4f:22:
+                    b8:01:c2:37:b2:36:9c:de:f0:a4:86:75:af:9a:ed:
+                    1c:71:29:78:5d:0d:65:18:85:91:7a:4f:ea:4a:93:
+                    1c:9c:be:7d:cd:95:eb:d0:28:f4:a7:c5:8a:2d:9e:
+                    c8:30:93:51:15:4c:8a:f0:ed:a2:ae:72:77:60:26:
+                    66:c2:df:7e:4b:aa:dc:dc:5c:cb:27:7d:7b:37:2e:
+                    d1:c1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                D7:D3:A3:1A:84:6C:91:0A:6D:57:6E:BC:19:6B:25:50:5F:FC:27:9D
+            X509v3 Authority Key Identifier: 
+                keyid:1F:2E:5E:B0:40:0D:92:A7:09:83:DA:25:6C:19:20:9E:C9:60:CD:21
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-B3-ca/name=VPN B3/emailAddress=ckubu-adm@oopen.de
+                serial:E5:9B:8C:3A:EB:E7:6E:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:matthias
+    Signature Algorithm: sha256WithRSAEncryption
+         b5:74:5e:d8:6c:a7:82:02:02:17:b2:db:f8:8b:a2:40:af:e4:
+         50:b1:bf:04:42:91:21:80:b5:b1:29:ef:d6:d8:03:9d:bf:a9:
+         73:13:02:8b:74:02:0c:07:6c:4a:79:e8:49:ae:e5:63:a6:61:
+         01:bf:18:a2:2f:00:5f:ef:ac:79:bd:62:93:5c:1a:1f:7e:50:
+         29:ca:51:e6:f8:aa:c3:96:5b:6c:cd:71:19:20:24:3f:c6:95:
+         22:62:1b:51:cb:80:6c:0d:5c:1c:ca:5c:a1:95:1a:fd:27:61:
+         6c:ce:cf:81:19:78:2e:08:9e:14:35:05:0e:0f:a3:b9:d5:44:
+         97:f1:35:9a:94:fb:3a:ee:c2:16:21:07:59:d8:ae:21:47:73:
+         24:da:7d:ba:d4:ab:63:80:2d:79:44:04:fc:51:0f:3b:fb:b3:
+         1e:3b:d8:f8:27:34:22:63:4f:ad:aa:43:99:a1:ac:39:1e:99:
+         ca:df:46:bd:4d:c6:69:3d:63:e6:f4:c1:8a:71:3a:9a:e6:05:
+         a7:04:38:f1:d8:31:f4:31:3d:f9:a7:28:94:73:bc:1a:27:c6:
+         35:9b:5a:ad:c1:58:de:eb:9a:cc:0a:93:a7:be:4e:3f:90:c3:
+         d7:23:6d:4d:eb:48:dc:da:d4:0f:cd:9e:51:7c:d8:39:eb:1d:
+         f9:d0:73:2d
+-----BEGIN CERTIFICATE-----
+MIIFOjCCBCKgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
+RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1CMy1j
+YTEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29w
+ZW4uZGUwHhcNMTcwMzIyMDIyNzA0WhcNMzcwMzIyMDIyNzA0WjCBqTELMAkGA1UE
+BhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQK
+EwZPLk9QRU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxGDAWBgNVBAMTD0Iz
+LVZQTi1tYXR0aGlhczEPMA0GA1UEKRMGVlBOIEIzMSEwHwYJKoZIhvcNAQkBFhJj
+a3VidS1hZG1Ab29wZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDSIuWrjSsolWkQw7rynvT4R/KB/LE1cPxw9OHRTE60K3xldrCIFQcRyEcWS5GY
+gMHyURuMd4flygYUfFssxO5s3iyvERwuC3Rzap+PfxxqWyQoARmGOv9tSFZ+IHyU
+1dsuqZ/xCH2f7LJujWtvIN9HKKjluCmStaCTKbdC0A0GEuw5+zlzuM5dnXymAcPp
+bTmDBxaOidBpwRcnpVsMQUE2hhBic64+iEi7lruqvrhfmKZPIrgBwjeyNpze8KSG
+da+a7RxxKXhdDWUYhZF6T+pKkxycvn3NlevQKPSnxYotnsgwk1EVTIrw7aKucndg
+JmbC335LqtzcXMsnfXs3LtHBAgMBAAGjggFvMIIBazAJBgNVHRMEAjAAMC0GCWCG
+SAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
+BBYEFNfToxqEbJEKbVduvBlrJVBf/CedMIHYBgNVHSMEgdAwgc2AFB8uXrBADZKn
+CYPaJWwZIJ7JYM0hoYGppIGmMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVy
+bGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBk8uT1BFTjEZMBcGA1UECxMQ
+TmV0d29yayBTZXJ2aWNlczESMBAGA1UEAxMJVlBOLUIzLWNhMQ8wDQYDVQQpEwZW
+UE4gQjMxITAfBgkqhkiG9w0BCQEWEmNrdWJ1LWFkbUBvb3Blbi5kZYIJAOWbjDrr
+526ZMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDATBgNVHREEDDAK
+gghtYXR0aGlhczANBgkqhkiG9w0BAQsFAAOCAQEAtXRe2GynggICF7Lb+IuiQK/k
+ULG/BEKRIYC1sSnv1tgDnb+pcxMCi3QCDAdsSnnoSa7lY6ZhAb8Yoi8AX++seb1i
+k1waH35QKcpR5viqw5ZbbM1xGSAkP8aVImIbUcuAbA1cHMpcoZUa/SdhbM7PgRl4
+LgieFDUFDg+judVEl/E1mpT7Ou7CFiEHWdiuIUdzJNp9utSrY4AteUQE/FEPO/uz
+HjvY+Cc0ImNPrapDmaGsOR6Zyt9GvU3GaT1j5vTBinE6muYFpwQ48dgx9DE9+aco
+lHO8GifGNZtarcFY3uuazAqTp75OP5DD1yNtTetI3NrUD82eUXzYOesd+dBzLQ==
+-----END CERTIFICATE-----