Initial commit

FLR-BRB/README.txt

@@ -0,0 +1,25 @@
+
+Notice:
+   You have to change some configuration files becaus the because
+   the configuration of network interfaces must not be equal.
+
+   !! Take care, to use the right device names !!
+   Maybe they are called i.e. 'enp0sXX', but you can rename it.
+   See also : README.rename.netdevices
+
+   For the backup gateway host:
+      eth1 --> LAN
+      eth2 --> WAN or ppp0 (DSL device)
+
+      eth0 --> WLAN or second LAN or what ever
+      or
+      br0  --> WLAN or second LAN or what ever
+
+
+   So you have to change the following files
+      dsl-provider.FLR-BRB: ppp0 comes over eth2
+      interfaces.FLR-BRB: see above
+      default_isc-dhcp-server.FLR-BRB
+      ipt-firewall.FLR-BRB: LAN device (mostly ) = eth1
+                                second LAN WLAN or what ever (if present) = eth0
+         

FLR-BRB/bin/get_revoked_keys.sh

@@ -0,0 +1 @@
+/usr/local/src/openvpn/get_revoked_keys.sh

FLR-BRB/bin/wakeup_fileserver.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env sh
+
+_NETW=192.168.102.0
+_MAC_FILESERVER="00:30:48:8c:de:c0"
+
+/usr/bin/wakeonlan -i $_NETW $_MAC_FILESERVER
+
+exit 0

FLR-BRB/bind/bind.keys

@@ -0,0 +1,69 @@
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9.  As of the current release, the only
+# trust anchors it contains are those for the DNS root zone ("."), and for
+# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
+# for any other zones MUST be configured elsewhere; if they are configured
+# here, they will not be recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in root key, set "dnssec-validation auto;" in
+# named.conf options.  To use the built-in DLV key, set
+# "dnssec-lookaside auto;".  Without these options being set,
+# the keys in this file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of Feburary 2017.  If any key fails to
+# initialize correctly, it may have expired.  In that event you should
+# replace this file with a current version.  The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
+managed-keys {
+        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
+        #
+        # NOTE: The ISC DLV zone is being phased out as of February 2017;
+        # the key will remain in place but the zone will be otherwise empty.
+        # Configuring "dnssec-lookaside auto;" to activate this key is
+        # harmless, but is no longer useful and is not recommended.
+        dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+                TDN0YUuWrBNh";
+
+        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+        # for current trust anchor information.
+        #
+        # These keys are activated by setting "dnssec-validation auto;"
+        # in named.conf.
+        #
+        # This key (19036) is to be phased out starting in 2017. It will
+        # remain in the root zone for some time after its successor key
+        # has been added. It will remain this file until it is removed from
+        # the root zone.
+        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+                QxA+Uk1ihz0=";
+
+        # This key (20326) is to be published in the root zone in 2017.
+        # Servers which were already using the old key (19036) should
+        # roll seamlessly to this new one via RFC 5011 rollover. Servers
+        # being set up for the first time can use the contents of this
+        # file as initializing keys; thereafter, the keys in the
+        # managed key database will be trusted and maintained
+        # automatically.
+        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+                R1AkUTV74bU=";
+};

FLR-BRB/bind/db.0

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

FLR-BRB/bind/db.127

@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+1.0.0	IN	PTR	localhost.

FLR-BRB/bind/db.192.168.102.0

@@ -0,0 +1,43 @@
+;
+; BIND reverse data file for local 102.168.192.in-addr.arpa zone
+;
+$TTL  43600
+@  IN SOA   ns.flr.netz. ckubu.oopen.de. (
+      2017042001     ; Serial
+          604800     ; Refresh
+           86400     ; Retry
+         2419200     ; Expire
+          604800 )   ; Negative Cache TTL
+;
+
+@              IN NS    ns-flr.flr.netz.
+
+; - Gateway/Firewall
+254            IN PTR   gw-flr.flr.netz.
+
+
+; - (Caching ) Nameserver
+1              IN PTR   ns-flr.flr.netz.
+
+
+; - Fileserver
+10             IN PTR   file-flr.flr.netz.
+
+; - IPMI (Fileserver)
+11             IN PTR   file-ipmi.flr.netz.
+
+; - Drucker Brother MFC-9450CDN
+5              IN PTR   mfc-9450cdn.flr.netz.
+
+; - Drucker Brother MFC-9142CDN
+6              IN PTR   mfc-9142cdn.flr.netz.
+
+; - Office PCs
+101            IN PTR   pcbuero1.flr.netz.
+102            IN PTR   pcbuero2.flr.netz.
+103            IN PTR   pcbuero3.flr.netz.
+
+141            IN PTR   ivana-lan.flr.netz.
+142            IN PTR   lis-lan.flr.netz.
+143            IN PTR   sabrina-lan.flr.netz.
+143            IN PTR   flr-1-lan.flr.netz.

FLR-BRB/bind/db.192.168.103.0

@@ -0,0 +1,27 @@
+;
+; BIND reverse data file for local 103.168.192.in-addr.arpa zone
+;
+$TTL  43600
+@  IN SOA   ns.flr.netz. ckubu.oopen.de. (
+      2017042001     ; Serial
+          604800     ; Refresh
+           86400     ; Retry
+         2419200     ; Expire
+          604800 )   ; Negative Cache TTL
+;
+
+@              IN NS    ns-flr.flr.netz.
+
+; - Gateway/Firewall
+254            IN PTR   gw-flr-wlan.flr.netz.
+
+; Accesspoint - TP-Link WR841N
+253            IN PTR   tl-wr841n.flr.netz.
+
+
+; - Laptops
+
+141            IN PTR   ivana-laptop.flr.netz.
+142            IN PTR   lisa-laptop.flr.netz.
+143            IN PTR   sabrina-laptop.flr.netz.
+144            IN PTR   flr-1-laptop.flr.netz.

FLR-BRB/bind/db.255

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

FLR-BRB/bind/db.empty

@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL	86400
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			  86400 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

FLR-BRB/bind/db.flr.netz

@@ -0,0 +1,70 @@
+;
+; BIND data file for local flr.netz zone
+;
+$TTL  43600
+@  IN SOA   ns.flr.netz. ckubu.oopen.de. (
+      2017042001     ; Serial
+          604800     ; Refresh
+           86400     ; Retry
+         2419200     ; Expire
+          604800 )   ; Negative Cache TTL
+;
+
+
+@                 IN NS    ns-flr.flr.netz.
+
+; Gateway/Firewall
+gw-flr            IN A     192.168.102.254
+gate              IN CNAME gw-flr
+gw                IN CNAME gw-flr
+
+gw-flr-wlan       IN A     192.168.103.254
+
+
+; Accesspoint - TP-Link WR841N
+tl-wr841n         IN A     192.168.103.253  
+ap                IN CNAME tl-wr841n
+
+; (Caching ) Nameserver
+ns-flr            IN A      192.168.102.1
+ns                IN CNAME  ns-flr
+nscache           IN CNAME  ns-flr
+resolver          IN CNAME  ns-flr
+
+
+; - Fileserver
+file-flr          IN A      192.168.102.10
+file              IN CNAME  file-flr
+
+; - IPMI (Fileserver)
+file-ipmi         IN A      192.168.102.11
+ipmi              IN CNAME  file-ipmi
+
+; - Drucker Brother MFC-9450CDN
+mfc-9450cdn       IN A      192.168.102.5
+BRNF33586         IN CNAME  mfc-9450cdn
+
+; - Drucker Brother MFC-9142CDN
+mfc-9142cdn       IN A      192.168.102.6
+BRN30055C746BC0   IN CNAME  mfc-9142cdn
+drucker           IN CNAME  mfc-9142cdn
+
+
+; - Office PCs
+pcbuero1          IN A      192.168.102.101
+pcbuero2          IN A      192.168.102.102
+pcbuero3          IN A      192.168.102.103
+
+
+; Laptops LAN
+ivana-lan         IN A      192.168.102.141
+lisa-lan          IN A      192.168.102.142
+sabrina-lan       IN A      192.168.102.143
+flr-1-lan         IN A      192.168.102.144
+
+
+; - Laptops WLAN
+ivana-laptop      IN A      192.168.103.141
+lisa-laptop       IN A      192.168.103.142
+sabrina-laptop    IN A      192.168.103.143
+flr-1-laptop      IN A      192.168.103.144

FLR-BRB/bind/db.local

@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+@	IN	A	127.0.0.1
+@	IN	AAAA	::1

FLR-BRB/bind/db.root

@@ -0,0 +1,90 @@
+;       This file holds the information on root name servers needed to
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers).
+;
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:    February 17, 2016
+;       related version of root zone:   2016021701
+;
+; formerly NS.INTERNIC.NET
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
+B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:84::b
+;
+; FORMERLY C.PSI.NET
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
+;
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+; End of file

FLR-BRB/bind/named.conf

@@ -0,0 +1,11 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
+// structure of BIND configuration files in Debian, *BEFORE* you customize 
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";

FLR-BRB/bind/named.conf.default-zones

@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+	type hint;
+	file "/etc/bind/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+	type master;
+	file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.255";
+};
+
+

FLR-BRB/bind/named.conf.local

@@ -0,0 +1,19 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+
+zone "flr.netz" {
+   type master;
+   file "/etc/bind/db.flr.netz";
+};
+
+zone "102.168.192.in-addr.arpa" {
+   type master;
+   file "/etc/bind/db.192.168.102.0";
+};
+

FLR-BRB/bind/named.conf.local.ORIG

@@ -0,0 +1,8 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+

FLR-BRB/bind/named.conf.options

@@ -0,0 +1,91 @@
+options {
+   directory "/var/cache/bind";
+
+   // If there is a firewall between you and nameservers you want
+   // to talk to, you may need to fix the firewall to allow multiple
+   // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+   // If your ISP provided one or more IP addresses for stable
+   // nameservers, you probably want to use them as forwarders.
+   // Uncomment the following block, and insert the addresses replacing
+   // the all-0's placeholder.
+
+   // forwarders {
+   //    0.0.0.0;
+   // };
+
+   //========================================================================
+   // If BIND logs error messages about the root key being expired,
+   // you will need to update your keys.  See https://www.isc.org/bind-keys
+   //========================================================================
+   dnssec-validation auto;
+
+   // Security options
+   listen-on port 53 {
+      127.0.0.1;
+      192.168.102.1;
+   };
+
+   allow-query {
+      127.0.0.1;
+      192.168.0.0/16;
+      10.0.0.0/8;
+   };
+
+   // caching name services
+   recursion yes;
+   allow-recursion {
+      127.0.0.1;
+      192.168.0.0/16;
+      10.0.0.0/16;
+   };
+
+   allow-transfer { none; };
+
+   auth-nxdomain no;    # conform to RFC1035
+   listen-on-v6 { any; };
+};
+
+logging {
+   channel simple_log {
+      file "/var/log/named/bind.log" versions 3 size 5m;
+      //severity warning;
+      severity info;
+      print-time yes;
+      print-severity yes;
+      print-category  yes;
+   };
+   channel queries_log {
+      file "/var/log/named/query.log" versions 10 size 5m;
+      severity debug;
+      //severity notice;
+      print-time yes;
+      print-severity yes;
+      print-category no;
+   };
+   channel log_zone_transfers {
+      file "/var/log/named/axfr.log" versions 5 size 2m;
+      severity info;
+      print-time yes;
+      print-severity yes;
+      print-category yes;
+   };
+   category resolver {
+      queries_log;
+   };
+   category queries {
+      queries_log;
+   };
+   category xfer-in {
+      log_zone_transfers;
+   };
+   category xfer-out {
+      log_zone_transfers;
+   };
+   category notify {
+      log_zone_transfers;
+   };
+   category default{
+      simple_log;
+   };
+};

FLR-BRB/bind/named.conf.options.ORIG

@@ -0,0 +1,26 @@
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable 
+	// nameservers, you probably want to use them as forwarders.  
+	// Uncomment the following block, and insert the addresses replacing 
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+	//========================================================================
+	// If BIND logs error messages about the root key being expired,
+	// you will need to update your keys.  See https://www.isc.org/bind-keys
+	//========================================================================
+	dnssec-validation auto;
+
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on-v6 { any; };
+};
+

FLR-BRB/bind/rndc.key

@@ -0,0 +1,4 @@
+key "rndc-key" {
+	algorithm hmac-md5;
+	secret "hlqmXw2FiKndTvcEUP86Qw==";
+};

FLR-BRB/bind/zones.rfc1918

@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
+ 
+zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

FLR-BRB/chap-secrets.FLR-BRB

@@ -0,0 +1,5 @@
+# Secrets for authentication using CHAP
+# client	server	secret			IP addresses
+
+## - Fluechlingsrat BRB
+"0022044435885511150351780001@t-online.de" * "27475004"

FLR-BRB/cron_root.FLR-BRB

@@ -0,0 +1,51 @@
+# DO NOT EDIT THIS FILE - edit the master and reinstall.
+# (/tmp/crontab.9PMQig/crontab installed on Fri Jan 26 01:07:45 2018)
+# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
+# Edit this file to introduce tasks to be run by cron.
+# 
+# Each task to run has to be defined through a single line
+# indicating with different fields when the task will be run
+# and what command to run for the task
+# 
+# To define the time you can provide concrete values for
+# minute (m), hour (h), day of month (dom), month (mon),
+# and day of week (dow) or use '*' in these fields (for 'any').# 
+# Notice that tasks will be started based on the cron's system
+# daemon's notion of time and timezones.
+# 
+# Output of the crontab jobs (including errors) is sent through
+# email to the user the crontab file belongs to (unless redirected).
+# 
+# For example, you can run a backup of all your user accounts
+# at 5 a.m every week with:
+# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
+# 
+# For more information see the manual pages of crontab(5) and cron(8)
+# 
+# m h  dom mon dow   command
+PATH=/root/bin:/root/bin/admin-stuff:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# - Check if postfix mailservice is running. Restart service if needed.
+# -
+*/15 * * * * /root/bin/monitoring/check_postfix.sh
+
+# - check forwarding ( /proc/sys/net/ipv4/ip_forward contains "1" )
+# - if not set this entry to "1"
+#
+0-59/2 * * * * /root/bin/monitoring/check_forwarding.sh
+
+# - check if openvpn is running if not restart the service
+# -
+0-59/30 * * * * /root/bin/monitoring/check_vpn.sh
+
+# - check if nameservice (bind) is running if not restart the service
+# -
+*/10 * * * * /root/bin/monitoring/check_dns.sh
+
+# - check if DynDNS ip is correct, adjust if needed
+# -
+07,27,47 * * * * /root/bin/monitoring/check_dyndns.sh flr-brb.homelinux.org
+
+# - copy gateway configuration
+# -
+13 4 * * * /root/bin/manage-gw-config/copy_gateway-config.sh FLR-BRB

FLR-BRB/ddclient.conf.FLR-BRB

@@ -0,0 +1,15 @@
+# Configuration file for ddclient generated by debconf
+#
+# /etc/ddclient.conf
+
+protocol=dyndns2
+use=web, web=checkip.dyndns.com, web-skip='IP Address'
+server=members.dyndns.org
+login=ckubu
+password='7213b4e6178a11e6ab1362f831f6741e'
+flr-brb.homelinux.org
+mail=argus@oopen.de
+
+ssl=yes
+mail=argus@oopen.de
+mail-failure=root

FLR-BRB/default_isc-dhcp-server.FLR-BRB

@@ -0,0 +1,21 @@
+# Defaults for isc-dhcp-server initscript
+# sourced by /etc/init.d/isc-dhcp-server
+# installed at /etc/default/isc-dhcp-server by the maintainer scripts
+
+#
+# This is a POSIX shell fragment
+#
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+#DHCPD_CONF=/etc/dhcp/dhcpd.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+#DHCPD_PID=/var/run/dhcpd.pid
+
+# Additional options to start dhcpd with.
+#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACES=""

FLR-BRB/dhcpd.conf.FLR-BRB

@@ -0,0 +1,227 @@
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# option definitions common to all supported networks...
+
+option subnet-mask 255.255.255.0;
+option broadcast-address 192.168.102.255;
+
+
+option domain-name "flr.netz";
+option domain-name-servers nscache.flr.netz;
+#option domain-name "example.org";
+#option domain-name-servers ns1.example.org, ns2.example.org;
+option routers gw-flr.flr.netz;
+
+
+default-lease-time 86400;
+max-lease-time 259200;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the 
+# DHCP server to understand the network topology.
+subnet 192.168.102.0 netmask 255.255.255.0 {
+
+   # --- 192.168.102.160/27 ---
+   # network address....: 192.168.102.160
+   # Broadcast address..: 192.168.102.191
+   # netmask............: 255.255.255.224
+   # network range......: 192.168.102.160 - 192.168.102.191
+   # Usable range.......: 192.168.102.161 - 192.168.102.190
+
+   range 192.168.102.161 192.168.102.190;
+   option domain-name "flr.netz";
+   option domain-name-servers nscache.flr.netz;
+   option subnet-mask 255.255.255.0;
+   option broadcast-address 192.168.102.255;
+   option routers gw-flr.flr.netz;
+
+}
+
+host file-flr {
+   hardware ethernet 00:25:90:0b:77:90;
+   fixed-address file-flr.flr.netz ;
+}
+
+host file-ipmi {
+   hardware ethernet 00:25:90:0b:7f:3d;
+   fixed-address file-ipmi.flr.netz ;
+}
+
+host mfc-9142cdn.flr.netz {
+   hardware ethernet 30:05:5c:74:6b:c0;
+   fixed-address mfc-9142cdn.flr.netz ;
+}
+
+host pcbuero1 {
+   # - on chipset LAN
+   #hardware ethernet 00:1D:7D:E5:42:69;
+   # - Intel PRO/1000 GT
+   hardware ethernet 90:e2:ba:0c:bb:fb;
+   fixed-address pcbuero1.flr.netz ;
+}
+
+host pcbuero2 {
+   # - on chipset LAN
+   #hardware ethernet 00:1d:7d:e5:3f:9f;
+   # - Intel PRO/1000 GT
+   hardware ethernet 90:e2:ba:0c:bc:0e;
+   fixed-address pcbuero2.flr.netz ;
+}
+
+host pcbuero3 {
+   hardware ethernet 80:ee:73:b9:8a:d6;
+   fixed-address pcbuero3.flr.netz ;
+}
+
+host ivana-Laptop {
+   # - on chipset WLAN
+   hardware ethernet 5c:51:4f:ff:dc:cd;
+   fixed-address ivana-laptop.flr.netz ;
+}
+
+#host lisa-Laptop {
+#   # - on chipset WLAN
+#   hardware ethernet ;
+#   fixed-address lisa-laptop.flr.netz ;
+#}
+
+host lisa-lan {
+   # - on chipset LAN
+   hardware ethernet 3c:97:0e:d5:f0:f7;
+   fixed-address lisa-lan.flr.netz ;
+}
+
+host sabrina-Laptop {
+   # - on chipset LAN
+   hardware ethernet b4:6d:83:4a:ab:c3;
+   fixed-address sabrina-laptop.flr.netz ;
+}
+
+host sabrina-lan {
+   # - on chipset LAN
+   hardware ethernet 50:7b:9d:29:50:2f;
+   fixed-address sabrina-lan.flr.netz ;
+}
+
+host flr-1-lan {
+   # - on chipset LAN
+   hardware ethernet 1c:39:47:d8:75:ae;
+   fixed-address flr-1-lan.flr.netz ;
+}
+
+
+## - wireless LAN
+subnet 192.168.103.0 netmask 255.255.255.0 {
+
+   # --- 192.168.103.160/27 ---
+   # network address....: 192.168.103.160
+   # Broadcast address..: 192.168.103.191
+   # netmask............: 255.255.255.224
+   # network range......: 192.168.103.160 - 192.168.103.191
+   # Usable range.......: 192.168.103.161 - 192.168.103.190
+
+   range 192.168.103.161 192.168.103.190;
+   option domain-name "flr.netz";
+   option domain-name-servers nscache.flr.netz;
+   option subnet-mask 255.255.255.0;
+   option broadcast-address 192.168.103.255;
+   option routers gw-flr-wlan.flr.netz;
+
+   default-lease-time 86400;
+   max-lease-time 259200;
+}
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+#subnet 10.254.239.0 netmask 255.255.255.224 {
+#  range 10.254.239.10 10.254.239.20;
+#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
+#}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+#  range dynamic-bootp 10.254.239.40 10.254.239.60;
+#  option broadcast-address 10.254.239.31;
+#  option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+#  range 10.5.5.26 10.5.5.30;
+#  option domain-name-servers ns1.internal.example.org;
+#  option domain-name "internal.example.org";
+#  option routers 10.5.5.1;
+#  option broadcast-address 10.5.5.31;
+#  default-lease-time 600;
+#  max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements.   If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+#  hardware ethernet 0:0:c0:5d:bd:95;
+#  filename "vmunix.passacaglia";
+#  server-name "toccata.fugue.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts.   These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+#host fantasia {
+#  hardware ethernet 08:00:07:26:c0:a5;
+#  fixed-address fantasia.fugue.com;
+#}
+
+# You can declare a class of clients and then do address allocation
+# based on that.   The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+#  subnet 10.17.224.0 netmask 255.255.255.0 {
+#    option routers rtr-224.example.org;
+#  }
+#  subnet 10.0.29.0 netmask 255.255.255.0 {
+#    option routers rtr-29.example.org;
+#  }
+#  pool {
+#    allow members of "foo";
+#    range 10.17.224.10 10.17.224.250;
+#  }
+#  pool {
+#    deny members of "foo";
+#    range 10.0.29.10 10.0.29.230;
+#  }
+#}

FLR-BRB/dhcpd6.conf.FLR-BRB

@@ -0,0 +1,102 @@
+# Server configuration file example for DHCPv6
+# From the file used for TAHI tests - addresses chosen
+# to match TAHI rather than example block.
+
+# IPv6 address valid lifetime
+#  (at the end the address is no longer usable by the client)
+#  (set to 30 days, the usual IPv6 default)
+default-lease-time 2592000;
+
+# IPv6 address preferred lifetime
+#  (at the end the address is deprecated, i.e., the client should use
+#   other addresses for new connections)
+#  (set to 7 days, the	usual IPv6 default)
+preferred-lifetime 604800;
+
+# T1, the delay before Renew
+#  (default is 1/2 preferred lifetime)
+#  (set to 1 hour)
+option dhcp-renewal-time 3600;
+
+# T2, the delay before Rebind (if Renews failed)
+#  (default is 3/4 preferred lifetime)
+#  (set to 2 hours)
+option dhcp-rebinding-time 7200;
+
+# Enable RFC 5007 support (same than for DHCPv4)
+allow leasequery;
+
+# Global definitions for name server address(es) and domain search list
+option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:3f3e;
+option dhcp6.domain-search "test.example.com","example.com";
+
+# Set preference to 255 (maximum) in order to avoid waiting for
+# additional servers when there is only one
+##option dhcp6.preference 255;
+
+# Server side command to enable rapid-commit (2 packet exchange)
+##option dhcp6.rapid-commit;
+
+# The delay before information-request refresh
+#  (minimum is 10 minutes, maximum one day, default is to not refresh)
+#  (set to 6 hours)
+option dhcp6.info-refresh-time 21600;
+
+# Static definition (must be global)
+#host myclient {
+#	# The entry is looked up by this
+#	host-identifier option
+#		dhcp6.client-id 00:01:00:01:00:04:93:e0:00:00:00:00:a2:a2;
+#
+#	# A fixed address
+#	fixed-address6 3ffe:501:ffff:100::1234;
+#
+#	# A fixed prefix
+#	fixed-prefix6 3ffe:501:ffff:101::/64;
+#
+#	# Override of the global definitions,
+#	# works only when a resource (address or prefix) is assigned
+#	option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:4f4e;
+#
+#	# For debug (to see when the entry statements are executed)
+#	#  (log "sol" when a matching Solicitation is received)
+#	##if packet(0,1) = 1 { log(debug,"sol"); }
+#}
+#
+#host otherclient {
+#        # This host entry is hopefully matched if the client supplies a DUID-LL
+#        # or DUID-LLT containing this MAC address.
+#        hardware ethernet 01:00:80:a2:55:67;
+#
+#        fixed-address6 3ffe:501:ffff:100::4321;
+#}
+
+# The subnet where the server is attached
+#  (i.e., the server has an address in this subnet)
+#subnet6 3ffe:501:ffff:100::/64 {
+#	# Two addresses available to clients
+#	#  (the third client should get NoAddrsAvail)
+#	range6 3ffe:501:ffff:100::10 3ffe:501:ffff:100::11;
+#
+#	# Use the whole /64 prefix for temporary addresses
+#	#  (i.e., direct application of RFC 4941)
+#	range6 3ffe:501:ffff:100:: temporary;
+#
+#	# Some /64 prefixes available for Prefix Delegation (RFC 3633)
+#	prefix6 3ffe:501:ffff:100:: 3ffe:501:ffff:111:: /64;
+#}
+
+# A second subnet behind a relay agent
+#subnet6 3ffe:501:ffff:101::/64 {
+#	range6 3ffe:501:ffff:101::10 3ffe:501:ffff:101::11;
+#
+#	# Override of the global definitions,
+#	# works only when a resource (address or prefix) is assigned
+#	option dhcp6.name-servers 3ffe:501:ffff:101:200:ff:fe00:3f3e;
+#
+#}
+
+# A third subnet behind a relay agent chain
+#subnet6 3ffe:501:ffff:102::/64 {
+#	range6 3ffe:501:ffff:102::10 3ffe:501:ffff:102::11;
+#}

FLR-BRB/hostname.FLR-BRB

@@ -0,0 +1 @@
+gw-flr

FLR-BRB/hosts.FLR-BRB

@@ -0,0 +1,7 @@
+127.0.0.1	localhost
+#172.16.102.1	gw-flr.flr.netz	gw-flr
+
+# The following lines are desirable for IPv6 capable hosts
+::1     localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters

FLR-BRB/igmpproxy.conf.FLR-BRB

@@ -0,0 +1,46 @@
+########################################################
+#
+#   Example configuration file for the IgmpProxy
+#   --------------------------------------------
+#
+#   The configuration file must define one upstream
+#   interface, and one or more downstream interfaces.
+#
+#   If multicast traffic originates outside the
+#   upstream subnet, the "altnet" option can be
+#   used in order to define legal multicast sources.
+#   (Se example...)
+#
+#   The "quickleave" should be used to avoid saturation
+#   of the upstream link. The option should only
+#   be used if it's absolutely nessecary to
+#   accurately imitate just one Client.
+#
+########################################################
+
+##------------------------------------------------------
+## Enable Quickleave mode (Sends Leave instantly)
+##------------------------------------------------------
+quickleave
+
+
+##------------------------------------------------------
+## Configuration for eth0 (Upstream Interface)
+##------------------------------------------------------
+phyint eth0 upstream  ratelimit 0  threshold 1
+        altnet 10.0.0.0/8 
+        altnet 192.168.0.0/24
+
+
+##------------------------------------------------------
+## Configuration for eth1 (Downstream Interface)
+##------------------------------------------------------
+phyint eth1 downstream  ratelimit 0  threshold 1
+
+
+##------------------------------------------------------
+## Configuration for eth2 (Disabled Interface)
+##------------------------------------------------------
+phyint eth2 disabled
+
+

FLR-BRB/interfaces.FLR-BRB

@@ -0,0 +1,59 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+#-----------------------------
+# lo - loopback interface
+#-----------------------------
+
+auto lo
+iface lo inet loopback
+
+
+
+#-----------------------------
+# eth0 - (W)LAN
+#-----------------------------
+
+auto eth0
+iface eth0 inet static
+   address 192.168.103.254
+   network 192.168.103.0
+   netmask 255.255.255.0
+
+
+
+#-----------------------------
+# eth1 - LAN
+#-----------------------------
+
+auto eth1
+iface eth1 inet static
+   address 192.168.102.254
+   network 192.168.102.0
+   netmask 255.255.255.0
+   broadcast 192.168.102.255
+
+auto eth1:ns
+iface eth1:ns inet static
+   address 192.168.102.1
+   network 192.168.102.0
+   netmask 255.255.255.0
+   broadcast 192.168.102.255
+
+
+#-----------------------------
+# eth2 - WAN
+#-----------------------------
+
+allow-hotplug eth2
+iface eth2 inet static
+   address 172.16.102.1
+   netmask 255.255.255.0
+   network 172.16.102.0
+   broadcast 172.16.102.255
+   gateway 172.16.102.254
+   # dns-* options are implemented by the resolvconf package, if installed
+   dns-nameservers 127.0.0.1
+   dns-search flr.netz

FLR-BRB/ipt-firewall.service.FLR-BRB

@@ -0,0 +1,14 @@
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+SyslogIdentifier="ipt-gateway"
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-gateway start
+ExecStop=/usr/local/sbin/ipt-firewall-gateway stop
+User=root
+
+[Install]
+WantedBy=multi-user.target

FLR-BRB/ipt-firewall/default_ports.conf

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Ports for Services out
+# =============
+
+standard_ident_port=113
+standard_silc_port=706
+standard_irc_port=6667
+standard_jabber_port=5222
+standard_smtp_port=25
+standard_ssh_port=22
+standard_http_port=80
+standard_https_port=443
+standard_ftp_port=21
+standard_tftp_udp_port=69
+standard_ntp_port=123
+standard_snmp_port=161
+standard_snmp_trap_port=162
+standard_timeserver_port=37
+standard_pgp_keyserver_port=11371
+standard_telnet_port=23
+standard_whois_port=43
+standard_cpan_wait_port=1404
+standard_xymon_port=1984
+standard_hbci_port=3000
+standard_mysql_port=3306
+standard_ipp_port=631
+standard_cups_port=$standard_ipp_port
+standard_print_raw_port=515
+standard_print_port=9100
+standard_remote_console_port=5900
+
+# - IPsec - Internet Security Association and
+# -  Key Management Protocol
+standard_isakmp_port=500
+standard_ipsec_nat_t=4500
+
+
+# - Comma separated lists
+# -
+standard_http_ports="80,443"
+standard_mailuser_ports="587,465,110,995,143,993"
+

FLR-BRB/ipt-firewall/include_functions.conf

@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Some functions
+# =============
+
+# - Is this script running on terminal ?
+# -
+if [[ -t 1 ]] ; then
+      terminal=true
+else
+   terminal=false
+fi
+
+echononl(){
+   echo X\\c > /tmp/shprompt$$
+   if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+      echo -e -n "$*\\c" 1>&2
+   else
+       echo -e -n "$*" 1>&2
+   fi
+   rm /tmp/shprompt$$
+}
+echo_done() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[32mdone\033[m ]"
+   else
+      echo " [ done ]"
+   fi
+}
+echo_ok() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[32mok\033[m ]"
+   else
+      echo " [ ok ]"
+   fi
+}
+echo_warning() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+   else
+      echo " [ warning ]"
+   fi
+}
+echo_failed(){
+   if $terminal ; then
+      echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+   else
+      echo ' [ failed! ]'
+   fi
+}
+echo_skipped() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[37mskipped\033[m ]"
+   else
+      echo " [ skipped ]"
+   fi
+}
+
+
+fatal (){
+   echo ""
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[31m\033[1mFatal\033[m ]: \033[37m\033[1m$*\033[m"
+      echo ""
+      echo -e "\t\033[31m\033[1m           Firewall Script will be interrupted..\033[m\033[m"
+   else
+      echo "fatal: $*"
+      echo "Firewall Script will be interrupted.."
+   fi
+   echo ""
+   exit 1
+}
+
+error(){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+   else
+      echo "Error: $*"
+   fi
+   echo ""
+}
+
+warn (){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+   else
+      echo "Warning: $*"
+   fi
+   echo ""
+}
+
+info (){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+   else
+      echo "Info: $*"
+   fi
+   echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+   local e
+   for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+   return 1
+}
+

FLR-BRB/ipt-firewall/interfaces_ipv4.conf

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Network Interfaces / Ip-Adresses / Ports
+# =============
+
+# - Extern Interfaces DSL Lines
+# -    (blank separated list)
+ext_if_dsl_1=""
+ext_if_dsl_2=""
+ext_if_dsl_3=""
+ext_if_dsl_4=""
+
+ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
+
+# - Extern Interfaces Static Lines
+# -    (blank separated list)
+ext_if_static_1="eth2"
+ext_if_static_2=""
+ext_if_static_3=""
+
+ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
+
+# - VPN Interfaces
+# -    (blank separated list)
+vpn_ifs="tun+"
+
+# - Local Interfaces
+local_if_1="eth1"
+local_if_2="eth0"
+local_if_3=""
+local_if_4=""
+local_if_5=""
+local_if_6=""
+local_if_7=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
+# -
+# - Blank separated list
+# -
+nat_devices=""
+
+# - Are local alias interfaces like eth0:0 defined"
+# -
+local_alias_interfaces=true

FLR-BRB/ipt-firewall/load_modules_ipv4.conf

@@ -0,0 +1,36 @@
+# =============
+# -  Load Kernel Modules
+# =============
+
+# - Note:! 
+# -    Since Kernel 4.7 the automatic conntrack helper assignment
+# -    is disabled by default (net.netfilter.nf_conntrack_helper = 0).
+# -    Enable it by setting this variable in file /etc/sysctl.conf:
+# -
+# -       net.netfilter.nf_conntrack_helper = 1
+# -
+# -    Reboot or type "sysctl -p"
+
+
+ip_tables
+
+iptable_nat
+iptable_filter
+iptable_mangle
+iptable_raw
+
+# - Load base modules for tracking
+# -
+nf_conntrack
+nf_nat
+
+# - Load module for FTP Connection tracking and NAT
+# -
+nf_conntrack_ftp
+nf_nat_ftp
+
+# - Load modules for SIP VOIP
+# -
+nf_conntrack_sip
+nf_nat_sip
+

FLR-BRB/ipt-firewall/load_modules_ipv6.conf

@@ -0,0 +1,9 @@
+# =============
+# -  Load Kernel Modules
+# =============
+
+ip6_tables
+ip6table_filter
+ip6t_REJECT
+
+ip6table_mangle

FLR-BRB/ipt-firewall/logging_ipv4.conf

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=false
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice 
+# - unless you specifically need something else. 
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv4:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""

FLR-BRB/ipt-firewall/logging_ipv6.conf

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=false
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice 
+# - unless you specifically need something else. 
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv6:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""

FLR-BRB/ipt-firewall/post_decalrations.conf

@@ -0,0 +1,505 @@
+#!/usr/bin/env bash
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+# ---
+# - Masquerade TCP Connections
+# ---
+
+declare -a nat_network_arr
+for _net in $nat_networks ; do
+   nat_network_arr+=("$_net")
+done
+
+declare -a masquerade_tcp_con_arr
+for _str in $masquerade_tcp_cons ; do
+   masquerade_tcp_con_arr+=("$_str")
+done
+
+
+# ---
+# - Extern Network interfaces (DSL, Staic Lines, All together)
+# ---
+declare -a nat_device_arr
+declare -a dsl_device_arr
+declare -a ext_if_arr
+for _dev in $ext_ifs_dsl ; do
+   dsl_device_arr+=("$_dev")
+   ext_if_arr+=("$_dev")
+   nat_device_arr+=("$_dev")
+done
+for _dev in $ext_ifs_static ; do
+   ext_if_arr+=("$_dev")
+done
+for _dev in $nat_devices ; do
+   if ! containsElement $_dev "${nat_device_arr[@]}" ; then
+      nat_device_arr+=("$_dev")
+   fi
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+   vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+   local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+   blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+   unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Allow these local networks any access to the internet
+# ---
+declare -a any_access_to_inet_network_arr
+for _net in $any_access_to_inet_networks ; do
+   any_access_to_inet_network_arr+=("$_net")
+done
+
+declare -a any_access_from_inet_network_arr
+for _net in $any_access_from_inet_networks ; do
+   any_access_from_inet_network_arr+=("$_net")
+done
+
+# ---
+# - Allow local services from given extern networks
+# ---
+declare -a allow_ext_net_to_local_service_arr 
+for _val in $allow_ext_net_to_local_service ; do
+   allow_ext_net_to_local_service_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from extern address/network to local address/network
+# ---
+declare -a allow_ext_net_to_local_net_arr
+for _val in $allow_ext_net_to_local_net ; do
+   allow_ext_net_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Block all extern traffic to (given) local network
+# ---
+declare -a block_all_ext_to_local_net_arr
+for _net in $block_all_ext_to_local_net ; do
+   block_all_ext_to_local_net_arr+=("$_net")
+done
+
+# ---
+# - Allow local services from given local networks
+# ---
+declare -a allow_local_net_to_local_service_arr 
+for _val in $allow_local_net_to_local_service ; do
+   allow_local_net_to_local_service_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from local network to local ip-address
+# ---
+declare -a allow_local_net_to_local_ip_arr
+for _val in $allow_local_net_to_local_ip ; do
+   allow_local_net_to_local_ip_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from local ip-address to local network
+# ---
+declare -a allow_local_ip_to_local_net_arr
+for _val in $allow_local_ip_to_local_net ; do
+   allow_local_ip_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from (one) local network to (another) local network
+# ---
+declare -a allow_local_net_to_local_net_arr
+for _val in $allow_local_net_to_local_net ; do
+   allow_local_net_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Allow local ip address from given local interface
+# ---
+declare -a allow_local_if_to_local_ip_arr
+for _val in $allow_local_if_to_local_ip ; do
+   allow_local_if_to_local_ip_arr+=("$_val")
+done
+
+# ---
+# - Separate local Networks
+# ---
+declare -a separate_local_network_arr
+for _net in $separate_local_networks ; do
+   separate_local_network_arr+=("$_net")
+done
+
+# ---
+# - Separate local Interfaces
+# ---
+declare -a separate_local_if_arr
+for _net in $separate_local_ifs ; do
+   separate_local_if_arr+=("$_net")
+done
+
+# ---
+# - Generally block ports on extern interfaces
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+   block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+   block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Not wanted on intern interfaces
+# ---
+declare -a not_wanted_on_gw_tcp_port_arr
+for _port in $not_wanted_on_gw_tcp_ports ; do
+   not_wanted_on_gw_tcp_port_arr+=("$_port")
+done
+
+declare -a not_wanted_on_gw_udp_port_arr
+for _port in $not_wanted_on_gw_udp_ports ; do
+   not_wanted_on_gw_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+   forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses to log
+# ---
+declare -a log_ip_arr
+for _ip in $log_ips ; do
+   log_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Devices local DHCP Client
+# ---
+declare -a dhcp_client_interfaces_arr
+for _dev in $dhcp_client_interfaces ; do
+   dhcp_client_interfaces_arr+=("$_dev")
+done
+
+# ---
+# - IP Addresses DHCP Failover Server
+# ---
+declare -a dhcp_failover_server_ip_arr
+for _ip in $dhcp_failover_server_ips ; do
+   dhcp_failover_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses DNS Server
+# ---
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+   dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses SSH Server only at ocal Networks
+# ---
+declare -a ssh_server_only_local_ip_arr
+for _ip in $ssh_server_only_local_ips ; do
+   ssh_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses HTTP Server only local Networks
+# ---
+declare -a http_server_only_local_ip_arr
+for _ip in $http_server_only_local_ips ; do
+   http_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mail Server only local Networks
+# ---
+declare -a mail_server_only_local_ip_arr
+for _ip in $mail_server_only_local_ips ; do
+   mail_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+declare -a ftp_server_only_local_ip_arr
+for _ip in $ftp_server_only_local_ips ; do
+   ftp_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Samba Server
+# ---
+declare -a samba_server_local_ip_arr
+for _ip in $samba_server_local_ips ; do
+   samba_server_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses LDAP Server
+# ---
+declare -a ldap_server_local_ip_arr
+for _ip in $ldap_server_local_ips ; do
+   ldap_server_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses Telephone Systems
+# ---
+declare -a tele_sys_ip_arr
+for _ip in $tele_sys_ips ; do
+   tele_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses SNMP Server
+# ---
+declare -a snmp_server_ip_arr
+for _ip in $snmp_server_ips ; do
+   snmp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses Munin Service 
+# ---
+declare -a munin_local_server_ip_arr
+for _ip in $munin_local_server_ips ; do
+   munin_local_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+   xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses IPMI interface
+# ---
+declare -a ipmi_server_ip_arr
+for _ip in $ipmi_server_ips ; do
+   ipmi_server_ip_arr+=("$_ip")
+done
+
+# ---
+# -IP Addresses Ubiquiti Unifi Accesspoints
+# ---
+declare -a unifi_ap_local_ip_arr
+for _ip in $unifi_ap_local_ips ; do
+   unifi_ap_local_ip_arr+=("$_ip")
+done
+declare -a unifi_controller_gateway_ip_arr
+for _ip in $unifi_controller_gateway_ips ; do
+   unifi_controller_gateway_ip_arr+=("$_ip")
+done
+declare -a unify_controller_local_net_ip_arr
+for _ip in $unify_controller_local_net_ips ; do
+   unify_controller_local_net_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Printer
+# -
+declare -a printer_ip_arr
+for _ip in $printer_ips ; do
+   printer_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Adresses Brother Scanner (brscan)
+# ---
+declare -a brother_scanner_ip_arr
+for _ip in $brother_scanner_ips ; do
+   brother_scanner_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses PCNS Server
+# ---
+declare -a pcns_server_ip_arr
+for _ip in $pcns_server_ips ; do
+   pcns_server_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Addresses VNC Service
+# ---
+declare -a rm_server_ip_arr
+for _ip in $rm_server_ips ; do
+   rm_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+   rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - Other local Services
+# ---
+declare -a other_service_arr
+for _val in $other_services ; do
+   other_service_arr+=("$_val")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+   ssh_port_arr+=("$_port")
+done
+
+# ---
+# - Cisco kompartible VPN Ports
+# ---
+declare -a cisco_vpn_out_port_arr
+for _port in $cisco_vpn_out_ports ; do
+   cisco_vpn_out_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+declare -a vpn_gw_port_arr
+for _port in $vpn_gw_ports ; do
+   vpn_gw_port_arr+=("$_port")
+done
+declare -a vpn_local_net_port_arr
+for _port in $vpn_local_net_ports ; do
+   vpn_local_net_port_arr+=("$_port")
+done
+declare -a vpn_out_port_arr
+for _port in $vpn_out_ports ; do
+   vpn_out_port_arr+=("$_port")
+done
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+   rsync_port_arr+=("$_port")
+done
+
+# ---
+# - Samba Ports
+# ---
+
+declare -a samba_udp_port_arr
+for _port in $samba_udp_ports ; do
+   samba_udp_port_arr+=("$_port")
+done
+
+declare -a samba_tcp_port_arr
+for _port in $samba_tcp_ports ; do
+   samba_tcp_port_arr+=("$_port")
+done
+
+# ---
+# - LDAP Ports
+# ---
+
+declare -a ldap_udp_port_arr
+for _port in $ldap_udp_ports ; do
+   ldap_udp_port_arr+=("$_port")
+done
+
+declare -a ldap_tcp_port_arr
+for _port in $ldap_tcp_ports ; do
+   ldap_tcp_port_arr+=("$_port")
+done
+
+# ---
+# - IPMI
+# ---
+
+declare -a ipmi_udp_port_arr
+for _port in $ipmi_udp_ports ; do
+   ipmi_udp_port_arr+=("$_port")
+done
+
+declare -a ipmi_tcp_port_arr
+for _port in $ipmi_tcp_ports ; do
+   ipmi_tcp_port_arr+=("$_port")
+done
+
+
+# ---
+# - Portforwrds TCP
+# ---
+declare -a portforward_tcp_arr
+for _str in $portforward_tcp ; do
+   portforward_tcp_arr+=("$_str")
+done
+
+# ---
+# - Portforwrds UDP
+# ---
+declare -a portforward_udp_arr
+for _str in $portforward_udp ; do
+   portforward_udp_arr+=("$_str")
+done
+
+# ---
+# - MAC Address Filtering
+# ---
+declare -a allow_all_mac_src_address_arr
+for _mac in $allow_all_mac_src_addresses ; do
+   allow_all_mac_src_address_arr+=("$_mac")
+done
+
+declare -a allow_local_mac_src_address_arr
+for _mac in $allow_local_mac_src_addresses ; do
+   allow_local_mac_src_address_arr+=("$_mac")
+done
+
+declare -a allow_remote_mac_src_address_arr
+for _mac in $allow_remote_mac_src_addresses ; do
+   allow_remote_mac_src_address_arr+=("$_mac")
+done
+

FLR-BRB/mailname.FLR-BRB

@@ -0,0 +1 @@
+gw-flr.flr.netz

FLR-BRB/main.cf.FLR-BRB

@@ -0,0 +1,268 @@
+# ============ Basic settings ============
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = /usr/share/doc/postfix
+html_directory = /usr/share/doc/postfix/html
+
+## - The Internet protocols Postfix will attempt to use when making 
+## - or accepting connections.
+## - DEFAULT: ipv4
+inet_protocols = ipv4
+
+#inet_interfaces = all
+inet_interfaces =
+   127.0.0.1
+   #192.168.102.254
+
+myhostname = gw-flr.flr.netz
+
+mydestination = 
+   gw-flr.flr.netz
+   localhost
+
+## - The list of "trusted" SMTP clients that have more 
+## - privileges than "strangers"
+## -
+mynetworks = 
+   127.0.0.0/8
+   192.168.102.254/32
+
+smtp_bind_address = 192.168.102.254
+smtp_bind_address6 = 
+
+
+## - The method to generate the default value for the mynetworks parameter.
+## -
+## -   mynetworks_style = host" when Postfix should "trust" only the local machine
+## -   mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP 
+## -                       clients in the same IP subnetworks as the local machine.
+## -   mynetworks_style = class" when Postfix should "trust" SMTP clients in the same 
+## -                      IP class A/B/C networks as the local machine.
+## -
+#mynetworks_style = host
+
+
+## - The maximal size of any local(8) individual mailbox or maildir file, 
+## - or zero (no limit). In fact, this limits the size of any file that is 
+## - written to upon local delivery, including files written by external 
+## - commands that are executed by the local(8) delivery agent. 
+## -
+mailbox_size_limit = 0
+
+## - The maximal size in bytes of a message, including envelope information.
+## -
+## - we user 50MB
+## -
+message_size_limit = 52480000
+
+## - The system-wide recipient address extension delimiter
+## -
+recipient_delimiter = +
+
+## - The alias databases that are used for local(8) delivery.
+## -
+alias_maps =
+   hash:/etc/aliases
+
+## - The alias databases for local(8) delivery that are updated 
+## - with "newaliases" or with "sendmail -bi". 
+## -
+alias_database =
+   hash:/etc/aliases
+
+
+## - The maximal time a message is queued before it is sent back as 
+## - undeliverable. Defaults to 5d (5 days)
+## - Specify 0 when mail delivery should be tried only once.
+## - 
+maximal_queue_lifetime = 3d
+bounce_queue_lifetime = $maximal_queue_lifetime
+
+## - delay_warning_time (default: 0h)
+## -
+## - The time after which the sender receives a copy of the message 
+## - headers of mail that is still queued. To enable this feature, 
+## - specify a non-zero time value (an integral value plus an optional 
+## - one-letter suffix that specifies the time unit). 
+## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). 
+## - The default time unit is h (hours). 
+delay_warning_time = 1d
+
+
+
+# ============ Relay parameters ============
+
+#relayhost =
+
+
+# ============ SASL authentication ============
+
+# Enable SASL authentication
+smtp_sasl_auth_enable = yes
+
+# Forwarding to the ip-adress of host b.mx.oopen.de
+relayhost = [b.mx.oopen.de]
+
+# File including login data
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+
+# Force using a (TLS) security connection
+# obsulete - use smtp_tls_security_level instead
+#smtp_use_tls = yes
+#smtp_tls_enforce_peername = no
+smtp_tls_security_level = encrypt
+
+# Disallow methods that allow anonymous authentication.
+smtp_sasl_security_options = noanonymous
+
+
+
+# ============ TLS parameters ============
+
+## - Aktiviert TLS für den Mailempfang
+## -
+## - may:
+## - Opportunistic TLS. Use TLS if this is supported by the remote 
+## - SMTP server, otherwise use plaintext
+## -
+## - This overrides the obsolete parameters smtpd_use_tls and 
+## - smtpd_enforce_tls. This parameter is ignored with 
+## - "smtpd_tls_wrappermode = yes".
+#smtpd_use_tls=yes
+smtp_tls_security_level=encrypt
+
+## - Aktiviert TLS für den Mailversand
+## -
+## - may:
+## - Opportunistic TLS: announce STARTTLS support to SMTP clients, 
+## - but do not require that clients use TLS encryption.
+# smtp_use_tls=yes
+smtpd_tls_security_level=may
+
+## -    0 Disable logging of TLS activity. 
+## -    1 Log TLS handshake and certificate information. 
+## -    2 Log levels during TLS negotiation. 
+## -    3 Log hexadecimal and ASCII dump of TLS negotiation process. 
+## -    4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. 
+## -
+smtpd_tls_loglevel = 1
+smtp_tls_loglevel = 1
+
+smtpd_tls_cert_file = /etc/postfix/ssl/mailserver.crt
+smtpd_tls_key_file = /etc/postfix/ssl/mailserver.key
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
+## - 
+## - Dont't forget to create it, e.g with openssl:
+## -    openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024
+## -
+#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
+## - also possible to use 2048 key with that parameter
+## -
+smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. 
+## - 
+## - Dont't forget to create it, e.g with openssl:
+## -    openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512
+## -
+smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
+
+
+## - File containing CA certificates of root CAs trusted to sign either remote SMTP 
+## - server certificates or intermediate CA certificates. These are loaded into 
+## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
+## - 
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+
+## - Directory with PEM format certificate authority certificates that the Postfix SMTP 
+## - client uses to verify a remote SMTP server certificate. Don't forget to create the 
+## - necessary "hash" links with, for example, "
+## - /bin/c_rehash /etc/postfix/certs". 
+## -
+## - !! Note !!
+## - To use this option in chroot mode, this directory (or a copy) must be inside 
+## - the chroot jail. 
+## -
+## - Note that a chrooted daemon resolves all filenames relative to the Postfix 
+## - queue directory (/var/spool/postfix)
+## -
+#smtpd_tls_CApath = /etc/postfix/certs
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP server 
+# 
+# List of TLS protocols that the Postfix SMTP server will exclude or  
+# include with opportunistic TLS encryption.  
+smtpd_tls_protocols = !SSLv2, !SSLv3
+# 
+# The SSL/TLS protocols accepted by the Postfix SMTP server  
+# with mandatory TLS encryption. 
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP client 
+#  
+# List of TLS protocols that the Postfix SMTP client will exclude or  
+# include with opportunistic TLS encryption.  
+smtp_tls_protocols = !SSLv2, !SSLv3
+# 
+# List of SSL/TLS protocols that the Postfix SMTP client will use  
+# with mandatory TLS encryption 
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange 
+## -    openssl > 1.0
+## -
+smtpd_tls_eecdh_grade = strong
+
+# standard list cryptographic algorithm
+tls_preempt_cipherlist = yes
+
+# Disable ciphers which are less than 256-bit:
+#
+#smtpd_tls_mandatory_ciphers = high
+#
+# opportunistic
+smtpd_tls_ciphers = high
+
+
+# Exclude ciphers
+#smtpd_tls_exclude_ciphers =
+#   RC4
+#   aNULL
+#   SEED-SHA
+#   EXP
+#   MD5
+smtpd_tls_exclude_ciphers =
+   aNULL
+   eNULL
+   EXPORT
+   DES
+   RC4
+   MD5
+   PSK
+   aECDH
+   EDH-DSS-DES-CBC3-SHA
+   EDH-RSA-DES-CDC3-SHA
+   KRB5-DE5, CBC3-SHA
+
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+

FLR-BRB/openvpn/home-flr/ccd/server-gw-ckubu/VPN-FLR-BRB-gw-ckubu

@@ -0,0 +1,6 @@
+ifconfig-push 10.1.102.2 255.255.255.0
+push "route 192.168.102.0 255.255.255.0 10.1.102.1"
+push "route 192.168.103.0 255.255.255.0 10.1.102.1"
+push "route 172.16.102.0 255.255.255.0 10.1.102.1"
+iroute 192.168.63.0 255.255.255.0
+iroute 192.168.64.0 255.255.255.0

FLR-BRB/openvpn/home-flr/ccd/server-home/VPN-FLR-BRB-chris

@@ -0,0 +1,2 @@
+ifconfig-push 10.0.102.3 255.255.255.0
+#push "route 192.168.102.0 255.255.255.0 10.0.102.1"

FLR-BRB/openvpn/home-flr/ccd/server-home/VPN-FLR-BRB-flr-pierre

@@ -0,0 +1,2 @@
+ifconfig-push 10.0.102.5 255.255.255.0
+

FLR-BRB/openvpn/home-flr/ccd/server-home/VPN-FLR-BRB-ivana

@@ -0,0 +1,2 @@
+ifconfig-push 10.0.102.4 255.255.255.0
+

FLR-BRB/openvpn/home-flr/ccd/server-home/VPN-FLR-BRB-sabrina

@@ -0,0 +1,2 @@
+ifconfig-push 10.0.102.6 255.255.255.0
+

FLR-BRB/openvpn/home-flr/ccd/server-home/VPN-FLR-BRB-yilmaz

@@ -0,0 +1,2 @@
+ifconfig-push 10.0.102.7 255.255.255.0
+

FLR-BRB/openvpn/home-flr/crl.pem

@@ -0,0 +1,14 @@
+-----BEGIN X509 CRL-----
+MIICHzCCAYgwDQYJKoZIhvcNAQELBQAwgaExCzAJBgNVBAYTAkRFMQ8wDQYDVQQI
+EwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYD
+VQQLExBuZXR3b3JrIHNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQ0ExFDASBgNVBCkT
+C1ZQTi1GTFItQlJCMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZRcNMTcw
+OTI4MDEzNjEzWhcNMjcwOTI2MDEzNjEzWjCBtDASAgEFFw0xNzA5MjcxNDUwMjla
+MBICAQYXDTE3MDkyNzE0NTAzNVowEgIBBxcNMTcwOTI3MTQ1MDAzWjASAgEIFw0x
+NzA5MjcxNDQ4NTFaMBICAQkXDTE3MDkyNzE0NTAyMVowEgIBChcNMTcwOTI3MTQ1
+MDQ0WjASAgEMFw0xNjExMTgwMTQ0NDdaMBICAQ4XDTE2MTExODAxNTcyMVowEgIB
+EBcNMTcwOTI4MDEzNjEzWjANBgkqhkiG9w0BAQsFAAOBgQCIMVV2OOJx1+9IGDZ5
+CDctK7rmuKAs1S7/633UeY260hMdkcoB+4y/6eZb95kVvGg79JkVUoNOm24oywZg
+o/ehuXFdTCHXbjXdFCD2NHAYaO3HzV/mTGnJDy1yBAdqkYnKZGYxH8LRL7sa7kBy
+CL3D/j5RQpp/NW5Fr//CNzV7Pg==
+-----END X509 CRL-----

FLR-BRB/openvpn/home-flr/easy-rsa/build-ca

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-ca

FLR-BRB/openvpn/home-flr/easy-rsa/build-dh

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-dh

FLR-BRB/openvpn/home-flr/easy-rsa/build-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-inter

FLR-BRB/openvpn/home-flr/easy-rsa/build-key

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key

FLR-BRB/openvpn/home-flr/easy-rsa/build-key-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pass

FLR-BRB/openvpn/home-flr/easy-rsa/build-key-pkcs12

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pkcs12

FLR-BRB/openvpn/home-flr/easy-rsa/build-key-server

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-server

FLR-BRB/openvpn/home-flr/easy-rsa/build-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req

FLR-BRB/openvpn/home-flr/easy-rsa/build-req-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req-pass

FLR-BRB/openvpn/home-flr/easy-rsa/clean-all

@@ -0,0 +1 @@
+/usr/share/easy-rsa/clean-all

FLR-BRB/openvpn/home-flr/easy-rsa/inherit-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/inherit-inter

FLR-BRB/openvpn/home-flr/easy-rsa/list-crl

@@ -0,0 +1 @@
+/usr/share/easy-rsa/list-crl

FLR-BRB/openvpn/home-flr/easy-rsa/openssl-0.9.6.cnf

@@ -0,0 +1,268 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

FLR-BRB/openvpn/home-flr/easy-rsa/openssl-0.9.8.cnf

@@ -0,0 +1,293 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines                 = engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

FLR-BRB/openvpn/home-flr/easy-rsa/openssl-1.0.0.cnf

@@ -0,0 +1,289 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+#default_crl_days= 30			# how long before next CRL
+default_crl_days= 3650			# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

FLR-BRB/openvpn/home-flr/easy-rsa/pkitool

@@ -0,0 +1 @@
+/usr/share/easy-rsa/pkitool

FLR-BRB/openvpn/home-flr/easy-rsa/revoke-full

@@ -0,0 +1 @@
+/usr/share/easy-rsa/revoke-full

FLR-BRB/openvpn/home-flr/easy-rsa/sign-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/sign-req

FLR-BRB/openvpn/home-flr/easy-rsa/vars

@@ -0,0 +1,94 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+##export EASY_RSA="`pwd`"
+BASE_DIR="/etc/openvpn/home-flr"
+export EASY_RSA="${BASE_DIR}/easy-rsa"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+##export KEY_DIR="$EASY_RSA/keys"
+export KEY_DIR="${BASE_DIR}/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+##export KEY_SIZE=2048
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+##export KEY_COUNTRY="US"
+export KEY_COUNTRY="DE"
+##export KEY_PROVINCE="CA"
+export KEY_PROVINCE="Berlin"
+##export KEY_CITY="SanFrancisco"
+export KEY_CITY="Berlin"
+##export KEY_ORG="Fort-Funston"
+export KEY_ORG="o.open"
+##export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL="argus@oopen.de"
+##export KEY_OU="MyOrganizationalUnit"
+export KEY_OU="network services"
+
+# X509 Subject Field
+##export KEY_NAME="EasyRSA"
+export KEY_NAME="VPN FLR-BRB"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+## export KEY_CN="CommonName"
+export KEY_CN="VPN-FLR-BRB"
+
+export KEY_ALTNAMES="VPN FLR-BRB"

FLR-BRB/openvpn/home-flr/easy-rsa/whichopensslcnf

@@ -0,0 +1 @@
+/usr/share/easy-rsa/whichopensslcnf

FLR-BRB/openvpn/home-flr/juergen.conf

@@ -0,0 +1,205 @@
+##############################################
+# Sample client-side OpenVPN 2.0 config file #
+# for connecting to multi-client server.     #
+#                                            #
+# This configuration can be used by multiple #
+# clients, however each client should have   #
+# its own cert and key files.                #
+#                                            #
+# On Windows, you might want to rename this  #
+# file so it has a .ovpn extension           #
+##############################################
+
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Are we connecting to a TCP or
+# UDP server?  Use the same setting as
+# on the server
+proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+remote gw-flr.oopen.de 1194
+
+topology subnet
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# Server CA
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIDzjCCAzegAwIBAgIJAPf/MOnEeNJTMA0GCSqGSIb3DQEBBQUAMIGhMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMG
+VlBOLUNBMRQwEgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJn
+dXNAb29wZW4uZGUwHhcNMTIxMTExMTgyMzU5WhcNMzIxMTA2MTgyMzU5WjCBoTEL
+MAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8w
+DQYDVQQKEwZvLm9wZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNV
+BAMTBlZQTi1DQTEUMBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEW
+DmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIdp+t
+lUB/nx3JqiZiBEkyTK2m+uH/hes4wYTpmbRY2x1YJtwQegX/sfxuu0n1xA42gON0
+eOBc2v/MmKzrGP+VP2VxWBhR/VnJsPeFTJJvD6ioM+jc9xNeZFNgHibRw4vzipyK
+ALQJK6gJ3COvhb3YWOul3njUGgZZkaikPMuTQQIDAQABo4IBCjCCAQYwHQYDVR0O
+BBYEFFb+8DvjraReG34P1h/k6dWObxLWMIHWBgNVHSMEgc4wgcuAFFb+8DvjraRe
+G34P1h/k6dWObxLWoYGnpIGkMIGhMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVy
+bGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQ
+bmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMGVlBOLUNBMRQwEgYDVQQpEwtWUE4t
+RkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQD3/zDpxHjS
+UzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBADPFDfqCtYtsS/NxGVYc
+hgxKsA9S/kBifNbde0e6nmPBgufW+O3uPrkvg7Wx2EayxMhX/dVrAYm8NSNCdWXV
+5ra0lu6cTI8rwWt404e0F/o0v6u+5eWHFxSF0lDJIVhwvvVoiAUJQw8h+BlI5PYO
+JcHZCQoQE1/RE6Xp+0xgTXvW
+-----END CERTIFICATE-----
+</ca>
+
+# Client Certificate
+<cert>
+-----BEGIN CERTIFICATE-----
+MIIEuTCCBCKgAwIBAgIBEjANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE3MTAyNDAxMzQzM1oXDTI3MTAyMjAxMzQzM1owga4xCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRwwGgYDVQQDExNWUE4t
+RkxSLUJSQi1qdWVyZ2VuMRQwEgYDVQQpEwtWUE4gRkxSLUJSQjEdMBsGCSqGSIb3
+DQEJARYOYXJndXNAb29wZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCbcT8YKpUSZXTqr+4DmcrBRImukIl/TuDzNiLCtXmQmXPQ7BxpfQAqpki2
+/xKdqMD9zz9UKemwej3J6GZu2GpeXmDFiOGWxNDyjzB2n32hg9jLztl7K5yImyS/
+WJyhDhkfVkvSlSDFY2aONywpbyOSkKTwoQMba7+lHzGcK1ogGeqLFtKPPymhp7Hw
+hrSlxDT81Sgdoyrck4Q3ERrWdV9MlFYjJ+mSVc0LF44YRP+HuZD/BjyMZM245dWS
+Me5AM7XsXNURgmBXMvvZYhlqOmodPJ300RAf3Bm+LHwKuJsx5CHyIP9+Q8mLJKny
+Ryww6VlKiB0HasdI2466pDl5cmjxAgMBAAGjggFsMIIBaDAJBgNVHRMEAjAAMC0G
+CWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFBD13+ToD3+TqfZlR+sVdmtWguBBMIHWBgNVHSMEgc4wgcuAFFb+8Dvj
+raReG34P1h/k6dWObxLWoYGnpIGkMIGhMQswCQYDVQQGEwJERTEPMA0GA1UECBMG
+QmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UE
+CxMQbmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMGVlBOLUNBMRQwEgYDVQQpEwtW
+UE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQD3/zDp
+xHjSUzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEgYDVR0RBAsw
+CYIHanVlcmdlbjANBgkqhkiG9w0BAQsFAAOBgQAyqNVmA6YQXmkLSqYklZ0ZHu5S
+07URoL3ouY0NGoOzG7zTsnaPYcqp7gYNfW6Bs6J0hc9kmh95aWEfj+EcL15OQ6wP
+8W4ei0pbNNPoKem851DYiDbFA5FTbh5khd1ba891HrHuBll4XmJTblwU48AL89j2
+KMUGFiL+tYBc2XRHnQ==
+-----END CERTIFICATE-----
+</cert>
+
+# Client Key
+<key>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5cJs+DRA7GwCAggA
+MBQGCCqGSIb3DQMHBAhKECB4U6HVGgSCBMiITLbqpSHVKSBnOcUgt8xKlUWYbYaJ
+tXzPgTRzWnMOT466ryIik9wrDKtMupE6oVWigc58zY6sA96M+wOy5jSXfa9ON5gQ
+uuFfQYrAAjMcVvC4sO0meAlyEPKraphvvq+MdJnae3DwzR/v1xRk87gBMaXA/vYL
+mIn/w2jPaeQmBjEmKEfggwgCx6x5Eb4GL+K8cEw/EAU3oJBo71KwRsQZ5T4bXxUJ
+8bmEZoUGS+Dugv7mRE2xXVv277wqKgpubadZUjw1K29lvhSeYT1EDGCXYz7thl3K
+98F1mw3DpGdctQ3uaA1uLWrgMys67ZDRciazHWD6YCQOhX6YpjIwU7dCGJe8vpDz
++My3VTIMQxUwLdaxB1ZHQAKBCrToNZKMxhfPVWDUgureq+05xcifBQ8aqr1v5HJN
+s2ciqtVKWd0uaJbwOhPMQJc6QTcvzHtKmjW2yeqHF/WmluIcUH3ddJ18d9SK8p28
+Uo7H5LAvfD45TWXzjQVnRrZNKCTGSGfosdW2Cd5xLfXLVxH6xRZZJLhg/umU+TLD
+lnQYLMh6kBJeatrk6+z9wTAVk4ctagqR6N4nTOv68ncfQ5XSpeHH8ZKi5/ZhvW8K
+eyjHQzxCAZyaMe2g5gymAtgSVlaJbILGVjJ3Pey++W4akvN30DpRmaXIwdSyrH3W
+w3zW93WzfDqN71a3vpaSojiwUGj0Fj6c1ptGUHIIGd3A59YhJQqAyEZc8dHwaXwp
+ojbiYtzX8yto7OMeenLNlLqJxSBLw2ztqibqtmI7C1/00O6ECUdyZEJqbwwFxbPb
+VmXv/luXvzmGkqBdoMvPe4hF4ii0srciezxsVlUMpde1gAG1mQTZBYvTRwALOInW
+GmjOHLwBShm9y2XRgiAzXnBvEP/dto6JbUDQMwmn3PwhSpiotqJY2CnR5GI7BDcu
+nCEf45tbYyNjPJVcki5vyHaTkfT2vpWG+4ixYEmrgimcJFN1yxFWTbZ0661qvW2z
+epXgiJCkliqniaXxqV7pcwNUYl4SIto9yqY0Iw9fEp7KE76rZrwzBYV5RXXohgWN
+0mHcyscJE3P8M9n0AMFFxN+YUKEk5xxkYD7vwIyvYVR+QbXrVecJtT4f5JPkaFSR
+s5+mUjUJ8EhTKLa1CS7i0vOX8lmnu9NgZdn+lzXPFbpIFHSKtaTtKvKVpQgoXhJB
+6nm+qQVMScDMR/6XDXr9IC1ujV4rlYmpJCBKZzTeRAoykkw6LPfLyyQwMJJ/9Z7T
+53xrJ+wNy2ZioBwZxjd6z2ZGbkmLMRMZXdA48W4OSN7rm7CozhJNq12G7svmjwDs
+zS8y7UIFc+qbAiZd/CiBsR1B4j9uIeCCj9tc9iNYc2j3d+AZRr94hxOuqmHQEYyF
+5vzsXZb6xd4YmMG/5PfQnd4wr3xCJHFAACpMioPSGmlr0Y+HnqCPdKshn9C0IBQ5
+ZEDUszNbdAKjPgHi+u2AaDzAZmKQ0DvA8CBijJmI7R8JCDzDcTYjLwhAJeJLtwxB
+BT/HwSiAy/tbazXyZBMEPk5MOsCok7tTe1fmI/igYUj2h+oyJYr9ymBU97IyyBes
+b+sm7SgLb+7dh58VhE8tlhihqrWVvHak5qkyvQI02ffAuOg809Pftsdki2LKMBsy
+svM=
+-----END ENCRYPTED PRIVATE KEY-----
+</key>
+
+# Verify server certificate by checking
+# that the certicate has the nsCertType
+# field set to "server".  This is an
+# important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the nsCertType
+# field set to "server".  The build-key-serve
+ns-cert-type server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+#
+# Don't forget to set the 'key-direction' Parameter if using
+# Inline Key. Usualy , sever has key direction '0', while client
+# has ke direction '1'.
+#
+key-direction 1
+<tls-auth>
+-----BEGIN OpenVPN Static key V1-----
+670c1735182a2aa7373f3913f4bb9922
+1011f52b6004f688f702ee2eebf789de
+8e9a7cbbe597de15dcd0944cc77c63bb
+247ef4ec6beb0ab1ad0e68fd3224d9c3
+50f3536eb45f0582ab3deb4a84144e08
+4ab82c010550262a803f617826443ed5
+34ace631dd1115372b4b6d91523ebf9d
+5212960ff14b16776359a2c4a8a78672
+c6dd16d8e3bead764da1f39a267a5d2c
+e798d3f52e0d8ceb7cafde530cbff390
+7a099224465c3bde210bdc7e713dae1c
+05e190846e0bc7cc8e4c79427516eed3
+b580385daaef259dd823e67970ffd9f3
+125c3b6217f6622652f76f1da0ea96e5
+b9724b6abd8384f45f11d9b41a9afa7b
+34d1a506ef314806f46e64d46f4b53a7
+-----END OpenVPN Static key V1-----
+</tls-auth>
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+cipher AES-256-CBC
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+comp-lzo
+
+# Verbosity level.
+# 0 -- quiet except for fatal errors.
+# 1 -- mostly quiet, but display non-fatal network errors.
+# 3 -- medium output, good for normal operation.
+# 9 -- verbose, good for troubleshooting
+verb 1
+
+# Setting 'pull' on the client takes care to get the 'push' durectives
+# from the server
+pull

FLR-BRB/openvpn/home-flr/keys-created.txt

@@ -0,0 +1,8 @@
+
+key...............: kirstin.key
+common name.......: VPN-FLR-BRB-kirstin
+password..........: gz3n7PhPvFrW
+
+key...............: juergen.key
+common name.......: VPN-FLR-BRB-juergen
+password..........: P7N4bxCFT9Nz

FLR-BRB/openvpn/home-flr/keys/01.pem

@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Nov 11 18:29:25 2012 GMT
+            Not After : Nov  6 18:29:25 2032 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA-server/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:b8:f5:73:7b:83:be:ce:17:23:57:29:d3:29:c9:
+                    44:4c:bd:83:39:1f:0f:12:35:87:9c:87:c6:a0:47:
+                    00:77:28:0a:84:23:36:98:fd:a9:ce:80:d6:3f:a6:
+                    59:9d:7a:a9:bf:11:08:c9:37:54:30:0e:5a:b9:1c:
+                    91:b6:d9:2c:c2:b1:34:9d:76:58:f7:bc:8b:44:eb:
+                    4c:d4:69:58:14:cd:02:ca:d5:34:bc:1a:78:c9:8e:
+                    2c:89:65:01:28:0b:39:39:f5:23:51:93:0b:ac:76:
+                    d2:ec:ed:16:45:7f:c8:b1:b6:bf:86:c8:40:20:e3:
+                    52:98:a5:43:ac:90:d3:e6:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                2A:A7:8E:B5:AA:B6:80:DC:14:3D:8A:E7:71:3D:50:BF:EC:84:10:52
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha1WithRSAEncryption
+        6e:26:e1:ae:74:b2:9b:f8:fc:61:9f:4e:b3:92:cc:4d:bf:5e:
+        50:70:90:cf:ce:e2:e4:aa:de:b7:3c:18:ce:2d:c3:ef:fd:94:
+        59:ed:cf:be:36:d6:d5:16:f2:86:fe:2d:ed:2a:d6:3f:19:8f:
+        83:9f:ea:84:75:06:c3:6f:7c:37:ef:5b:e4:be:9f:13:92:be:
+        43:e7:53:25:f5:c8:85:30:5e:e8:2d:f0:b6:ed:e1:e1:20:86:
+        06:1e:9d:29:94:fa:36:78:c4:9c:0c:12:56:31:93:8c:83:4d:
+        67:49:df:61:f4:4a:15:51:3d:d2:a1:e1:9e:18:37:8b:fe:19:
+        f6:21
+-----BEGIN CERTIFICATE-----
+MIIENTCCA56gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTEyMTExMTE4MjkyNVoXDTMyMTEwNjE4MjkyNVowgagxCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRYwFAYDVQQDEw1WUE4t
+Q0Etc2VydmVyMRQwEgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJARYO
+YXJndXNAb29wZW4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALj1c3uD
+vs4XI1cp0ynJREy9gzkfDxI1h5yHxqBHAHcoCoQjNpj9qc6A1j+mWZ16qb8RCMk3
+VDAOWrkckbbZLMKxNJ12WPe8i0TrTNRpWBTNAsrVNLwaeMmOLIllASgLOTn1I1GT
+C6x20uztFkV/yLG2v4bIQCDjUpilQ6yQ0+aJAgMBAAGjggFyMIIBbjAJBgNVHRME
+AjAAMBEGCWCGSAGG+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0Eg
+R2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUKqeOtaq2gNwU
+PYrncT1Qv+yEEFIwgdYGA1UdIwSBzjCBy4AUVv7wO+OtpF4bfg/WH+Tp1Y5vEtah
+gaekgaQwgaExCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcT
+BkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZp
+Y2VzMQ8wDQYDVQQDEwZWUE4tQ0ExFDASBgNVBCkTC1ZQTi1GTFItQlJCMR0wGwYJ
+KoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZYIJAPf/MOnEeNJTMBMGA1UdJQQMMAoG
+CCsGAQUFBwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQUFAAOBgQBuJuGudLKb
++Pxhn06zksxNv15QcJDPzuLkqt63PBjOLcPv/ZRZ7c++NtbVFvKG/i3tKtY/GY+D
+n+qEdQbDb3w371vkvp8Tkr5D51Ml9ciFMF7oLfC27eHhIIYGHp0plPo2eMScDBJW
+MZOMg01nSd9h9EoVUT3SoeGeGDeL/hn2IQ==
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/02.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Nov 11 18:31:17 2012 GMT
+            Not After : Nov  6 18:31:17 2032 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-chris/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:bb:b8:e0:59:a9:0b:ce:92:92:45:6f:0a:17:c0:
+                    a5:31:2e:86:eb:d7:a9:47:5d:80:b6:5b:94:6b:9f:
+                    58:5d:6b:df:73:99:f8:5d:3a:f6:58:a7:9b:da:20:
+                    48:e5:19:cb:e0:f7:ad:47:05:a2:b0:db:ed:54:ec:
+                    75:45:05:31:b7:68:62:47:35:3f:89:1b:f6:8b:7d:
+                    72:fe:ee:a6:21:60:5e:c1:59:f1:32:25:2e:79:14:
+                    1d:03:38:a1:a9:e2:28:52:52:c3:c0:51:91:fd:44:
+                    50:3b:be:c7:ba:df:5a:47:38:47:29:78:c7:a0:ec:
+                    b6:ea:46:28:ed:62:fd:3a:7f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                68:00:5D:CF:D6:87:2A:65:E2:31:F7:56:87:B1:3B:FF:78:1F:28:B0
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+        50:68:35:b1:f8:03:97:a3:ae:e8:2c:40:c1:0b:f8:a7:d7:f2:
+        e1:f0:de:62:a9:0b:ee:18:44:8d:c9:f9:9f:ac:4b:b7:95:6c:
+        fc:43:95:aa:b0:6f:b8:35:bb:a0:a8:c1:48:d9:2d:d9:7e:50:
+        fb:2b:ba:c5:31:e1:a7:af:b1:58:4a:44:28:69:84:bc:9c:e0:
+        90:b7:95:36:ee:00:3b:1e:0a:09:90:2f:be:d9:0c:07:78:8e:
+        79:21:4a:af:2b:7d:f3:30:4d:70:04:f2:95:55:4b:d8:24:46:
+        09:f9:08:3c:b0:c1:ad:49:5c:ec:47:55:bc:16:49:80:8e:01:
+        1c:e6
+-----BEGIN CERTIFICATE-----
+MIIEHzCCA4igAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTEyMTExMTE4MzExN1oXDTMyMTEwNjE4MzExN1owgawxCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRowGAYDVQQDExFWUE4t
+RkxSLUJSQi1jaHJpczEUMBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0B
+CQEWDmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7
+uOBZqQvOkpJFbwoXwKUxLobr16lHXYC2W5Rrn1hda99zmfhdOvZYp5vaIEjlGcvg
+961HBaKw2+1U7HVFBTG3aGJHNT+JG/aLfXL+7qYhYF7BWfEyJS55FB0DOKGp4ihS
+UsPAUZH9RFA7vse631pHOEcpeMeg7LbqRijtYv06fwIDAQABo4IBWDCCAVQwCQYD
+VR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBRoAF3P1ocqZeIx91aHsTv/eB8osDCB1gYDVR0jBIHO
+MIHLgBRW/vA7462kXht+D9Yf5OnVjm8S1qGBp6SBpDCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlggkA9/8w6cR40lMwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeA
+MA0GCSqGSIb3DQEBBQUAA4GBAFBoNbH4A5ejrugsQMEL+KfX8uHw3mKpC+4YRI3J
++Z+sS7eVbPxDlaqwb7g1u6CowUjZLdl+UPsrusUx4aevsVhKRChphLyc4JC3lTbu
+ADseCgmQL77ZDAd4jnkhSq8rffMwTXAE8pVVS9gkRgn5CDywwa1JXOxHVbwWSYCO
+ARzm
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/03.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Jan  8 18:20:29 2013 GMT
+            Not After : Jan  3 18:20:29 2033 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-ivana/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:cf:7f:bf:39:14:b4:f5:71:58:db:eb:0f:64:c5:
+                    93:7f:3c:25:51:b9:ce:85:fa:af:73:9a:d4:1e:6a:
+                    89:1a:bc:ed:ba:b6:cf:65:0f:77:ea:fd:cf:2d:6b:
+                    71:4a:05:b6:7e:86:b5:22:c3:cc:7e:9b:35:cb:bc:
+                    cd:5c:a7:37:8d:e7:a7:27:a5:80:e4:ca:08:46:95:
+                    61:ed:38:7d:49:fa:4c:e9:ef:bf:4a:79:aa:92:45:
+                    10:41:22:bb:60:60:4b:ec:a6:e5:ca:62:0c:bd:be:
+                    ea:95:e4:63:5d:32:ee:83:5c:ca:49:40:e9:be:f3:
+                    c4:7f:e6:10:34:27:f6:55:31
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                90:C9:26:75:C9:2A:14:6C:0B:6D:89:7B:C4:8A:27:F3:8D:25:96:5C
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+        76:3f:16:0a:89:d0:aa:0f:d9:7d:2e:45:f3:8f:ab:ac:0a:32:
+        b9:3e:1b:80:b1:60:fb:a5:81:2e:78:a4:e1:47:33:e2:97:e7:
+        9f:0f:88:06:af:cd:80:e8:21:0d:00:7d:83:56:9d:c6:ff:fb:
+        cb:74:92:d9:39:4a:b1:44:14:73:31:85:f0:87:66:10:d1:63:
+        db:97:d5:89:47:a1:55:91:82:0c:0c:d9:45:bb:60:20:bb:3b:
+        23:b4:23:e7:0c:3c:57:91:33:23:ab:9f:18:76:f5:ae:44:71:
+        ba:53:45:d7:a3:f5:42:cf:b1:d7:31:74:d1:30:ba:bc:12:d9:
+        22:79
+-----BEGIN CERTIFICATE-----
+MIIEHzCCA4igAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTEzMDEwODE4MjAyOVoXDTMzMDEwMzE4MjAyOVowgawxCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRowGAYDVQQDExFWUE4t
+RkxSLUJSQi1pdmFuYTEUMBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0B
+CQEWDmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP
+f785FLT1cVjb6w9kxZN/PCVRuc6F+q9zmtQeaokavO26ts9lD3fq/c8ta3FKBbZ+
+hrUiw8x+mzXLvM1cpzeN56cnpYDkyghGlWHtOH1J+kzp779KeaqSRRBBIrtgYEvs
+puXKYgy9vuqV5GNdMu6DXMpJQOm+88R/5hA0J/ZVMQIDAQABo4IBWDCCAVQwCQYD
+VR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBSQySZ1ySoUbAttiXvEiifzjSWWXDCB1gYDVR0jBIHO
+MIHLgBRW/vA7462kXht+D9Yf5OnVjm8S1qGBp6SBpDCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlggkA9/8w6cR40lMwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeA
+MA0GCSqGSIb3DQEBBQUAA4GBAHY/FgqJ0KoP2X0uRfOPq6wKMrk+G4CxYPulgS54
+pOFHM+KX558PiAavzYDoIQ0AfYNWncb/+8t0ktk5SrFEFHMxhfCHZhDRY9uX1YlH
+oVWRggwM2UW7YCC7OyO0I+cMPFeRMyOrnxh29a5EcbpTRdej9ULPsdcxdNEwurwS
+2SJ5
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/04.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Sep 18 11:07:19 2013 GMT
+            Not After : Sep 16 11:07:19 2023 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-gw-ckubu/name=Christoph Kuchenbuch/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:c8:6b:44:7a:ce:51:74:af:7e:b0:db:ab:e5:cb:
+                    50:f7:01:9b:da:d4:38:7e:35:01:0c:60:4f:28:92:
+                    90:4c:dd:06:1a:a0:89:d6:65:c4:97:d4:22:35:3f:
+                    8c:0c:79:e2:ec:9a:26:4e:e7:ee:f7:73:02:65:12:
+                    9f:cf:5e:05:0c:1e:96:c7:f1:81:92:8f:ac:48:71:
+                    93:df:f8:f2:a3:66:65:ad:13:81:c1:f1:23:a2:c5:
+                    04:86:26:29:bf:2c:7d:28:43:fa:a1:3d:dd:aa:47:
+                    01:af:0f:c2:ba:e0:0b:1d:af:53:f1:f7:a8:b2:90:
+                    2f:4a:ab:c8:19:f6:9c:eb:23
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                DC:10:87:FA:DA:75:B6:5E:0D:5F:CD:4E:2C:9B:B0:E5:A1:E8:85:1D
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         9a:71:cd:8f:8a:8a:a0:96:68:01:5e:86:36:74:41:1d:1a:99:
+         66:56:83:09:c5:18:7f:a1:ec:bf:b8:17:52:e8:fb:09:9c:b3:
+         5b:b7:0f:ec:e5:4f:db:87:7d:0d:bf:4b:ce:b1:f6:fb:c8:e0:
+         99:f5:aa:39:ce:dd:8e:7d:6d:b0:70:7f:00:42:de:6e:55:be:
+         57:f4:01:8d:2e:00:b7:90:b1:92:73:65:89:20:52:8b:b9:f2:
+         28:eb:e6:32:0d:ed:a0:51:2a:73:fa:dd:6b:86:b5:71:b1:d5:
+         b7:30:59:6b:94:dd:fc:c9:47:00:35:a8:b7:18:53:c6:99:fb:
+         0a:70
+-----BEGIN CERTIFICATE-----
+MIIEKzCCA5SgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTEzMDkxODExMDcxOVoXDTIzMDkxNjExMDcxOVowgbgxCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMR0wGwYDVQQDExRWUE4t
+RkxSLUJSQi1ndy1ja3VidTEdMBsGA1UEKRMUQ2hyaXN0b3BoIEt1Y2hlbmJ1Y2gx
+HTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQDIa0R6zlF0r36w26vly1D3AZva1Dh+NQEMYE8okpBM3QYaoInW
+ZcSX1CI1P4wMeeLsmiZO5+73cwJlEp/PXgUMHpbH8YGSj6xIcZPf+PKjZmWtE4HB
+8SOixQSGJim/LH0oQ/qhPd2qRwGvD8K64Asdr1Px96iykC9Kq8gZ9pzrIwIDAQAB
+o4IBWDCCAVQwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2Vu
+ZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTcEIf62nW2Xg1fzU4sm7DloeiF
+HTCB1gYDVR0jBIHOMIHLgBRW/vA7462kXht+D9Yf5OnVjm8S1qGBp6SBpDCBoTEL
+MAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8w
+DQYDVQQKEwZvLm9wZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNV
+BAMTBlZQTi1DQTEUMBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEW
+DmFyZ3VzQG9vcGVuLmRlggkA9/8w6cR40lMwEwYDVR0lBAwwCgYIKwYBBQUHAwIw
+CwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBBQUAA4GBAJpxzY+KiqCWaAFehjZ0QR0a
+mWZWgwnFGH+h7L+4F1Lo+wmcs1u3D+zlT9uHfQ2/S86x9vvI4Jn1qjnO3Y59bbBw
+fwBC3m5Vvlf0AY0uALeQsZJzZYkgUou58ijr5jIN7aBRKnP63WuGtXGx1bcwWWuU
+3fzJRwA1qLcYU8aZ+wpw
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/05.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 5 (0x5)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Oct 29 15:02:57 2014 GMT
+            Not After : Oct 26 15:02:57 2024 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-mariusz/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:a8:7e:61:36:b1:2f:4f:24:75:68:ff:ac:85:a2:
+                    10:eb:1d:ad:d3:82:81:34:ce:ab:d8:94:e6:14:39:
+                    95:c6:84:ea:72:59:28:11:4b:80:a6:90:13:62:23:
+                    75:89:f5:2f:d1:19:21:7d:65:1d:18:f0:b1:61:2d:
+                    69:68:2a:e9:4d:85:72:4f:83:ca:ef:75:2a:d7:65:
+                    e1:3a:d5:82:fc:1d:95:19:0b:a0:a3:3e:9b:75:74:
+                    23:71:53:5c:06:de:d7:9c:bc:72:56:db:47:a5:dc:
+                    d8:6f:78:a8:5e:4d:6f:77:d4:a7:4a:0e:e7:67:f2:
+                    64:7b:ba:c1:51:b1:0e:17:e3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                1F:79:F0:09:41:57:66:6C:A7:D4:F5:7A:60:9D:BA:17:0C:04:7A:45
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         69:7f:24:d6:65:ae:ae:1d:d3:0a:31:df:42:3c:b8:75:5b:aa:
+         fc:3d:5d:b2:85:41:6a:a4:69:7f:e3:cd:22:f2:04:10:19:d0:
+         ca:67:91:7d:22:5d:d5:42:4f:0d:84:d0:99:1b:59:29:43:3e:
+         58:11:9a:0a:fd:70:de:08:82:91:dc:43:3f:4b:87:c1:fe:39:
+         50:cb:35:58:66:08:c2:c9:f9:b9:c7:3a:3e:f8:83:bf:1e:2c:
+         ad:a9:cc:42:ce:98:ad:df:0d:8c:bc:3c:c3:81:fa:44:f4:9b:
+         2a:3e:20:74:8f:3e:4a:fd:be:01:5b:5c:ac:a5:c1:ce:13:2b:
+         cb:78
+-----BEGIN CERTIFICATE-----
+MIIEITCCA4qgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE0MTAyOTE1MDI1N1oXDTI0MTAyNjE1MDI1N1owga4xCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRwwGgYDVQQDExNWUE4t
+RkxSLUJSQi1tYXJpdXN6MRQwEgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3
+DQEJARYOYXJndXNAb29wZW4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+AKh+YTaxL08kdWj/rIWiEOsdrdOCgTTOq9iU5hQ5lcaE6nJZKBFLgKaQE2IjdYn1
+L9EZIX1lHRjwsWEtaWgq6U2Fck+Dyu91Ktdl4TrVgvwdlRkLoKM+m3V0I3FTXAbe
+15y8clbbR6Xc2G94qF5Nb3fUp0oO52fyZHu6wVGxDhfjAgMBAAGjggFYMIIBVDAJ
+BgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2Vy
+dGlmaWNhdGUwHQYDVR0OBBYEFB958AlBV2Zsp9T1emCduhcMBHpFMIHWBgNVHSME
+gc4wgcuAFFb+8DvjraReG34P1h/k6dWObxLWoYGnpIGkMIGhMQswCQYDVQQGEwJE
+RTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8u
+b3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMGVlBOLUNB
+MRQwEgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29w
+ZW4uZGWCCQD3/zDpxHjSUzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMC
+B4AwDQYJKoZIhvcNAQEFBQADgYEAaX8k1mWurh3TCjHfQjy4dVuq/D1dsoVBaqRp
+f+PNIvIEEBnQymeRfSJd1UJPDYTQmRtZKUM+WBGaCv1w3giCkdxDP0uHwf45UMs1
+WGYIwsn5ucc6PviDvx4sranMQs6Yrd8NjLw8w4H6RPSbKj4gdI8+Sv2+AVtcrKXB
+zhMry3g=
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/06.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 6 (0x6)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Apr  9 13:50:54 2015 GMT
+            Not After : Apr  6 13:50:54 2025 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-tobias/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:a4:c4:1d:99:73:7a:4b:5e:09:c0:6f:58:86:e7:
+                    33:6f:21:b5:28:57:b7:6f:d0:96:69:a5:0a:06:3b:
+                    e5:c9:97:78:fc:57:3a:5e:2a:a6:2f:19:ed:52:28:
+                    b2:7b:0d:88:6d:da:84:8e:3d:57:9d:3f:9f:49:40:
+                    f1:5c:f1:ff:c8:bf:96:d7:21:3e:f5:bd:e6:4c:8c:
+                    fb:b3:3b:90:5d:9e:16:30:ad:e1:76:70:c2:53:38:
+                    da:1d:19:78:fc:62:6e:67:85:d9:11:7c:ed:15:f8:
+                    c2:cd:ad:d4:e1:73:c7:45:33:f5:1f:8c:21:13:da:
+                    87:29:c5:29:40:91:0e:8b:11
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                EB:34:0B:7C:F3:FE:0C:45:55:E3:8F:E2:0B:99:5C:7D:22:A0:09:0F
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         1a:1b:12:2e:fc:4a:ad:c1:4d:4b:0f:a0:c5:cd:db:a3:44:cb:
+         9c:3a:f2:5d:32:ae:42:c8:0b:b4:99:37:3b:6b:7f:bc:26:b2:
+         dd:13:a8:33:8a:0b:63:6e:99:cf:ee:a5:de:69:ab:d8:02:b7:
+         28:33:e4:c9:8b:86:3d:fc:06:e7:9f:8f:c9:42:e4:ec:46:23:
+         ad:a1:d7:cc:eb:3e:f6:60:90:40:09:d0:32:6d:6a:d2:cd:11:
+         3f:79:d0:60:57:35:1c:22:76:b1:8d:04:00:2f:82:ea:29:48:
+         8d:cb:74:e0:2d:d8:79:53:99:d8:2f:9c:fe:14:0b:83:9e:32:
+         8c:84
+-----BEGIN CERTIFICATE-----
+MIIEIDCCA4mgAwIBAgIBBjANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE1MDQwOTEzNTA1NFoXDTI1MDQwNjEzNTA1NFowga0xCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRswGQYDVQQDExJWUE4t
+RkxSLUJSQi10b2JpYXMxFDASBgNVBCkTC1ZQTi1GTFItQlJCMR0wGwYJKoZIhvcN
+AQkBFg5hcmd1c0Bvb3Blbi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+pMQdmXN6S14JwG9YhuczbyG1KFe3b9CWaaUKBjvlyZd4/Fc6XiqmLxntUiiyew2I
+bdqEjj1XnT+fSUDxXPH/yL+W1yE+9b3mTIz7szuQXZ4WMK3hdnDCUzjaHRl4/GJu
+Z4XZEXztFfjCza3U4XPHRTP1H4whE9qHKcUpQJEOixECAwEAAaOCAVgwggFUMAkG
+A1UdEwQCMAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0
+aWZpY2F0ZTAdBgNVHQ4EFgQU6zQLfPP+DEVV44/iC5lcfSKgCQ8wgdYGA1UdIwSB
+zjCBy4AUVv7wO+OtpF4bfg/WH+Tp1Y5vEtahgaekgaQwgaExCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQ0Ex
+FDASBgNVBCkTC1ZQTi1GTFItQlJCMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Bl
+bi5kZYIJAPf/MOnEeNJTMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIH
+gDANBgkqhkiG9w0BAQUFAAOBgQAaGxIu/EqtwU1LD6DFzdujRMucOvJdMq5CyAu0
+mTc7a3+8JrLdE6gzigtjbpnP7qXeaavYArcoM+TJi4Y9/Abnn4/JQuTsRiOtodfM
+6z72YJBACdAybWrSzRE/edBgVzUcInaxjQQAL4LqKUiNy3TgLdh5U5nYL5z+FAuD
+njKMhA==
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/07.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 7 (0x7)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Jul  8 11:06:29 2015 GMT
+            Not After : Jul  5 11:06:29 2025 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-gabi/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:b4:25:18:ee:65:f4:03:b4:f1:a0:ca:e9:66:34:
+                    42:4f:73:5c:1a:84:fd:a4:55:72:fa:c8:6d:f6:5a:
+                    09:90:ea:dd:66:82:4f:a0:33:f6:11:27:26:83:cc:
+                    63:18:de:00:2d:f0:33:41:4f:c0:d4:1e:29:d0:41:
+                    8b:b9:89:cd:1c:cc:1e:ca:ef:f9:89:3f:4a:3b:71:
+                    df:45:83:bd:cd:c6:11:43:dd:d5:20:c9:86:63:c0:
+                    4f:d7:33:50:82:14:db:52:4d:f5:26:b8:1f:75:52:
+                    c7:68:bf:3b:a5:0d:52:6e:e3:8a:86:fe:f6:5f:84:
+                    aa:f5:2c:1d:00:48:d9:4a:e3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                15:48:AB:D9:07:76:C9:5B:84:5D:4B:AB:61:47:DC:2C:01:2C:4E:CF
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         a8:8d:06:47:92:b9:0b:ed:28:62:b4:47:a1:8a:30:e1:50:d6:
+         5a:b5:62:69:4c:81:61:d1:46:be:f3:a7:07:41:61:5e:22:5e:
+         ed:21:c4:93:c8:5f:64:ac:72:10:b3:c4:c7:b6:43:f8:be:fd:
+         e1:a9:23:75:31:46:0e:a7:02:48:66:81:52:6b:97:a1:8f:46:
+         fe:91:97:5e:7a:43:3e:d8:d9:f3:28:5a:b2:34:76:06:e2:b8:
+         ba:79:f9:0f:0b:f3:5c:04:b1:d9:c7:c8:bf:ae:09:cb:50:da:
+         f1:37:13:94:f7:20:b6:2e:9a:a9:e3:f2:d8:4d:93:a9:de:c9:
+         4e:57
+-----BEGIN CERTIFICATE-----
+MIIEHjCCA4egAwIBAgIBBzANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE1MDcwODExMDYyOVoXDTI1MDcwNTExMDYyOVowgasxCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRkwFwYDVQQDExBWUE4t
+RkxSLUJSQi1nYWJpMRQwEgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJ
+ARYOYXJndXNAb29wZW4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALQl
+GO5l9AO08aDK6WY0Qk9zXBqE/aRVcvrIbfZaCZDq3WaCT6Az9hEnJoPMYxjeAC3w
+M0FPwNQeKdBBi7mJzRzMHsrv+Yk/Sjtx30WDvc3GEUPd1SDJhmPAT9czUIIU21JN
+9Sa4H3VSx2i/O6UNUm7jiob+9l+EqvUsHQBI2UrjAgMBAAGjggFYMIIBVDAJBgNV
+HRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFBVIq9kHdslbhF1Lq2FH3CwBLE7PMIHWBgNVHSMEgc4w
+gcuAFFb+8DvjraReG34P1h/k6dWObxLWoYGnpIGkMIGhMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMGVlBOLUNBMRQw
+EgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4u
+ZGWCCQD3/zDpxHjSUzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4Aw
+DQYJKoZIhvcNAQEFBQADgYEAqI0GR5K5C+0oYrRHoYow4VDWWrViaUyBYdFGvvOn
+B0FhXiJe7SHEk8hfZKxyELPEx7ZD+L794akjdTFGDqcCSGaBUmuXoY9G/pGXXnpD
+PtjZ8yhasjR2BuK4unn5DwvzXASx2cfIv64Jy1Da8TcTlPcgti6aqePy2E2Tqd7J
+Tlc=
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/08.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 8 (0x8)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Jul  8 11:07:55 2015 GMT
+            Not After : Jul  5 11:07:55 2025 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-almut/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:e6:b1:b6:df:9d:e7:65:dd:d6:6b:5e:4b:16:62:
+                    7d:30:59:35:63:fe:4e:03:16:5a:e1:5d:d8:05:2b:
+                    fe:83:46:14:75:2d:cc:b5:2b:b9:c0:5e:bf:1f:6f:
+                    f2:79:e3:74:c5:cf:13:d8:82:87:19:06:05:35:cf:
+                    d3:6a:f9:be:ad:66:e1:8c:29:65:6d:e3:e6:44:2b:
+                    0b:21:25:d6:24:91:27:bc:7d:82:58:b9:22:e5:d5:
+                    b4:22:72:7e:03:38:93:18:71:f1:a2:18:6c:87:6e:
+                    2e:1d:cb:4c:a1:5e:c1:13:d9:2a:1a:8e:47:67:6e:
+                    b2:63:e3:7f:f0:3a:bc:6c:37
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                1C:17:CE:68:3A:6B:CA:ED:98:E4:63:13:C7:A2:60:E1:D2:51:DF:9A
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         c3:24:0b:75:30:4a:dc:79:f6:55:e3:95:4b:5d:d3:6d:4d:42:
+         41:54:a9:5f:0d:d1:3b:cd:9f:bb:7e:19:fc:ca:dd:a6:92:6e:
+         2a:28:57:b2:a9:99:9a:9b:11:60:34:ec:09:3c:bb:91:d5:37:
+         89:14:9a:c2:c6:52:af:b9:f0:a6:c9:aa:b3:e5:b5:80:07:40:
+         ac:a2:fd:98:c2:5b:16:20:c4:39:31:b7:73:ee:65:79:75:86:
+         41:70:26:a5:c4:fc:a8:f4:50:cf:34:2d:85:22:21:e9:84:2c:
+         8e:08:09:d1:75:a7:76:f7:f3:be:09:b0:79:7f:0d:c6:7d:6b:
+         57:b9
+-----BEGIN CERTIFICATE-----
+MIIEHzCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE1MDcwODExMDc1NVoXDTI1MDcwNTExMDc1NVowgawxCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRowGAYDVQQDExFWUE4t
+RkxSLUJSQi1hbG11dDEUMBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0B
+CQEWDmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDm
+sbbfnedl3dZrXksWYn0wWTVj/k4DFlrhXdgFK/6DRhR1Lcy1K7nAXr8fb/J543TF
+zxPYgocZBgU1z9Nq+b6tZuGMKWVt4+ZEKwshJdYkkSe8fYJYuSLl1bQicn4DOJMY
+cfGiGGyHbi4dy0yhXsET2SoajkdnbrJj43/wOrxsNwIDAQABo4IBWDCCAVQwCQYD
+VR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBQcF85oOmvK7ZjkYxPHomDh0lHfmjCB1gYDVR0jBIHO
+MIHLgBRW/vA7462kXht+D9Yf5OnVjm8S1qGBp6SBpDCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlggkA9/8w6cR40lMwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeA
+MA0GCSqGSIb3DQEBBQUAA4GBAMMkC3UwStx59lXjlUtd021NQkFUqV8N0TvNn7t+
+GfzK3aaSbiooV7KpmZqbEWA07Ak8u5HVN4kUmsLGUq+58KbJqrPltYAHQKyi/ZjC
+WxYgxDkxt3PuZXl1hkFwJqXE/Kj0UM80LYUiIemELI4ICdF1p3b3874JsHl/DcZ9
+a1e5
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/09.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 9 (0x9)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Oct 13 13:35:55 2015 GMT
+            Not After : Oct 10 13:35:55 2025 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-lisa/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:af:f3:dd:c0:7e:0b:a2:0d:c2:ba:de:67:bb:5d:
+                    80:43:b0:f9:a4:5b:58:c2:58:53:ce:6f:58:74:18:
+                    67:cf:b2:ee:6d:d0:fc:75:29:8f:cf:b7:b9:5a:2e:
+                    8e:fb:0c:52:55:b7:47:ef:2d:9f:8e:ae:14:e3:84:
+                    ab:d3:b1:d0:24:c8:c3:5c:f7:41:e7:38:0c:95:b2:
+                    bb:93:58:99:17:58:41:20:fe:1e:26:70:60:2c:dc:
+                    2f:c1:a8:f6:20:70:3f:2a:6d:9e:8a:0d:b0:08:13:
+                    09:d7:05:9c:e9:d7:2b:70:62:21:5a:3a:a7:d1:89:
+                    ab:c3:41:d7:a1:f5:0f:2b:f1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                57:37:68:B3:B8:03:AA:98:FC:DA:7D:D3:5D:80:10:FD:08:72:1A:D4
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         78:13:a3:3a:0a:85:d6:ae:98:71:63:d1:4f:7b:99:38:74:a6:
+         89:f6:32:dc:74:e2:da:85:eb:71:1b:39:e7:3f:76:3f:5e:ef:
+         c7:52:85:18:6e:bd:a7:2e:b9:1f:65:54:a1:22:3d:25:86:2c:
+         e3:95:1a:48:5b:b0:e8:00:02:d4:9c:a9:71:2e:5d:54:29:03:
+         bc:38:76:b2:fc:76:13:30:8a:e8:f6:5c:be:98:48:a5:f4:28:
+         ac:0c:13:c9:9b:10:29:18:6a:28:58:bf:f0:6a:7c:00:d8:d5:
+         c1:36:db:aa:12:63:d9:84:f0:1f:36:7a:48:06:11:59:df:71:
+         3d:41
+-----BEGIN CERTIFICATE-----
+MIIEHjCCA4egAwIBAgIBCTANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE1MTAxMzEzMzU1NVoXDTI1MTAxMDEzMzU1NVowgasxCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRkwFwYDVQQDExBWUE4t
+RkxSLUJSQi1saXNhMRQwEgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJ
+ARYOYXJndXNAb29wZW4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK/z
+3cB+C6INwrreZ7tdgEOw+aRbWMJYU85vWHQYZ8+y7m3Q/HUpj8+3uVoujvsMUlW3
+R+8tn46uFOOEq9Ox0CTIw1z3Qec4DJWyu5NYmRdYQSD+HiZwYCzcL8Go9iBwPypt
+nooNsAgTCdcFnOnXK3BiIVo6p9GJq8NB16H1DyvxAgMBAAGjggFYMIIBVDAJBgNV
+HRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFFc3aLO4A6qY/Np9012AEP0IchrUMIHWBgNVHSMEgc4w
+gcuAFFb+8DvjraReG34P1h/k6dWObxLWoYGnpIGkMIGhMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
+bjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMGVlBOLUNBMRQw
+EgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4u
+ZGWCCQD3/zDpxHjSUzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4Aw
+DQYJKoZIhvcNAQEFBQADgYEAeBOjOgqF1q6YcWPRT3uZOHSmifYy3HTi2oXrcRs5
+5z92P17vx1KFGG69py65H2VUoSI9JYYs45UaSFuw6AAC1JypcS5dVCkDvDh2svx2
+EzCK6PZcvphIpfQorAwTyZsQKRhqKFi/8Gp8ANjVwTbbqhJj2YTwHzZ6SAYRWd9x
+PUE=
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/0A.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 10 (0xa)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Apr 22 11:38:47 2016 GMT
+            Not After : Apr 20 11:38:47 2026 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-yilmaz/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:df:95:6e:ce:0c:d4:d9:1f:3d:83:d8:88:1f:49:
+                    b9:21:96:1f:7b:b9:c9:e2:c9:e0:cb:c3:7b:34:6b:
+                    21:b9:32:8c:43:3c:a8:53:bb:9e:ba:0e:e1:30:9d:
+                    e7:b0:f6:ad:cc:ce:34:09:07:9d:3e:05:38:58:ff:
+                    6b:eb:34:81:bb:8f:a7:59:ca:41:45:1b:db:6d:5e:
+                    8b:71:f6:ad:e0:b3:77:28:c2:7f:ff:7c:5d:dd:4b:
+                    b0:fb:b2:8d:99:e9:e7:bc:be:16:22:d3:1d:72:fd:
+                    b8:ab:a9:64:11:cc:95:27:b9:23:7f:45:36:ef:72:
+                    c6:0e:97:84:7c:05:a8:d2:bf
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                11:AB:C8:D6:9A:1E:E1:E4:FD:6E:B0:F4:D4:86:1F:B5:30:93:5F:78
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         50:0d:74:88:36:8c:28:80:81:e9:18:3b:ec:61:29:29:e9:b5:
+         b3:7b:ca:2d:96:c8:8d:f6:c2:36:35:0f:5a:5d:07:d1:e2:38:
+         5f:9c:8d:63:ff:fc:d4:26:89:a9:2c:f3:0e:61:b1:ce:a3:81:
+         cc:e1:0a:98:fb:f8:42:dc:f2:04:e3:5e:f5:41:87:e0:23:02:
+         f2:58:1b:24:21:87:7d:5b:c6:6a:f0:15:18:40:f4:20:56:91:
+         4d:24:06:1e:e6:58:3f:50:00:ab:ad:37:d0:09:53:e2:92:4c:
+         51:3a:68:d8:46:b3:c3:46:d0:8e:36:95:3e:da:01:f7:a2:d0:
+         61:21
+-----BEGIN CERTIFICATE-----
+MIIEIDCCA4mgAwIBAgIBCjANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE2MDQyMjExMzg0N1oXDTI2MDQyMDExMzg0N1owga0xCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRswGQYDVQQDExJWUE4t
+RkxSLUJSQi15aWxtYXoxFDASBgNVBCkTC1ZQTi1GTFItQlJCMR0wGwYJKoZIhvcN
+AQkBFg5hcmd1c0Bvb3Blbi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+35VuzgzU2R89g9iIH0m5IZYfe7nJ4sngy8N7NGshuTKMQzyoU7ueug7hMJ3nsPat
+zM40CQedPgU4WP9r6zSBu4+nWcpBRRvbbV6Lcfat4LN3KMJ//3xd3Uuw+7KNmenn
+vL4WItMdcv24q6lkEcyVJ7kjf0U273LGDpeEfAWo0r8CAwEAAaOCAVgwggFUMAkG
+A1UdEwQCMAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0
+aWZpY2F0ZTAdBgNVHQ4EFgQUEavI1poe4eT9brD01IYftTCTX3gwgdYGA1UdIwSB
+zjCBy4AUVv7wO+OtpF4bfg/WH+Tp1Y5vEtahgaekgaQwgaExCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQ0Ex
+FDASBgNVBCkTC1ZQTi1GTFItQlJCMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Bl
+bi5kZYIJAPf/MOnEeNJTMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIH
+gDANBgkqhkiG9w0BAQUFAAOBgQBQDXSINowogIHpGDvsYSkp6bWze8otlsiN9sI2
+NQ9aXQfR4jhfnI1j//zUJompLPMOYbHOo4HM4QqY+/hC3PIE4171QYfgIwLyWBsk
+IYd9W8Zq8BUYQPQgVpFNJAYe5lg/UACrrTfQCVPikkxROmjYRrPDRtCONpU+2gH3
+otBhIQ==
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/0B.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 11 (0xb)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Apr 22 11:39:45 2016 GMT
+            Not After : Apr 20 11:39:45 2026 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-sabrina/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:a2:73:e9:c5:a4:41:5c:75:bb:c2:bc:ad:71:a0:
+                    ca:9e:74:68:5e:dd:92:bb:b4:2e:bd:7e:ea:fd:b2:
+                    fe:b9:f7:3d:da:02:2e:05:db:e9:f0:23:97:93:b3:
+                    74:c7:4d:2f:01:8a:1d:0e:a1:63:14:b8:b4:f1:a1:
+                    4e:0d:ff:61:1b:76:75:49:2f:93:ef:8a:57:6d:bb:
+                    44:c0:b3:d0:3e:94:b6:33:21:ec:c6:26:75:db:dd:
+                    84:2c:2e:16:68:4e:39:70:19:3c:56:a8:94:8e:a1:
+                    ea:b1:a7:62:a9:e0:03:47:ea:28:e6:9b:9f:50:dd:
+                    f8:5c:0e:38:55:d1:19:c4:a5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                45:86:60:2C:D6:88:E4:17:AB:C6:80:90:AA:90:A6:00:8A:D2:11:F1
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         a3:a8:fb:c0:30:a6:4c:92:c7:26:68:84:5a:38:22:f1:c1:ef:
+         af:37:47:6f:31:55:95:aa:3b:91:04:a4:7e:cd:95:63:58:84:
+         64:8b:fd:8c:0c:82:97:1b:be:e9:fb:0d:6e:98:37:1c:52:23:
+         f6:f3:16:8b:89:ed:c9:bc:bc:be:6b:dd:ab:e4:69:9a:67:77:
+         e3:15:b5:c8:05:f3:d3:d5:11:7e:02:5d:5d:14:29:ab:16:5d:
+         f1:bf:01:ee:6b:da:13:a3:47:e2:51:b4:8d:c1:f1:91:fb:f4:
+         a2:fd:88:00:2a:d1:84:eb:22:b5:d5:0a:2d:c0:2e:b3:c7:0b:
+         20:db
+-----BEGIN CERTIFICATE-----
+MIIEITCCA4qgAwIBAgIBCzANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE2MDQyMjExMzk0NVoXDTI2MDQyMDExMzk0NVowga4xCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRwwGgYDVQQDExNWUE4t
+RkxSLUJSQi1zYWJyaW5hMRQwEgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3
+DQEJARYOYXJndXNAb29wZW4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+AKJz6cWkQVx1u8K8rXGgyp50aF7dkru0Lr1+6v2y/rn3PdoCLgXb6fAjl5OzdMdN
+LwGKHQ6hYxS4tPGhTg3/YRt2dUkvk++KV227RMCz0D6UtjMh7MYmddvdhCwuFmhO
+OXAZPFaolI6h6rGnYqngA0fqKOabn1Dd+FwOOFXRGcSlAgMBAAGjggFYMIIBVDAJ
+BgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2Vy
+dGlmaWNhdGUwHQYDVR0OBBYEFEWGYCzWiOQXq8aAkKqQpgCK0hHxMIHWBgNVHSME
+gc4wgcuAFFb+8DvjraReG34P1h/k6dWObxLWoYGnpIGkMIGhMQswCQYDVQQGEwJE
+RTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8u
+b3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMGVlBOLUNB
+MRQwEgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29w
+ZW4uZGWCCQD3/zDpxHjSUzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMC
+B4AwDQYJKoZIhvcNAQEFBQADgYEAo6j7wDCmTJLHJmiEWjgi8cHvrzdHbzFVlao7
+kQSkfs2VY1iEZIv9jAyClxu+6fsNbpg3HFIj9vMWi4ntyby8vmvdq+Rpmmd34xW1
+yAXz09URfgJdXRQpqxZd8b8B7mvaE6NH4lG0jcHxkfv0ov2IACrRhOsitdUKLcAu
+s8cLINs=
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/0C.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 12 (0xc)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Apr 22 11:40:34 2016 GMT
+            Not After : Apr 20 11:40:34 2026 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-pierre/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:97:d8:d9:51:1f:da:2d:25:4b:38:10:96:41:f9:
+                    bf:7b:2e:70:3f:5b:ea:28:3e:c4:9c:6d:b8:2f:c2:
+                    f9:34:27:ce:a3:a9:63:71:07:a3:79:b9:8f:10:6b:
+                    23:60:7b:24:37:4a:9b:54:51:9c:4a:c1:61:a3:bf:
+                    e9:68:32:73:5e:1b:c1:e9:74:f7:68:6e:dc:11:2a:
+                    14:91:b3:e0:33:e8:06:e5:22:cd:52:cf:c5:7d:df:
+                    28:a7:a8:ae:54:b3:85:de:12:0f:aa:12:39:19:be:
+                    7d:87:43:df:2a:73:aa:0c:40:b0:22:1e:7a:6d:01:
+                    19:f7:14:94:05:2e:58:87:0d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                06:90:87:29:A3:95:B7:FF:11:87:22:6B:50:72:B5:7C:D5:24:8F:DC
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         5e:e9:53:73:1e:d8:4d:c5:c1:e3:f5:00:fa:aa:52:12:95:bc:
+         a6:e6:67:a1:bf:be:93:b1:f6:3b:d3:7a:93:d0:72:35:d8:16:
+         2e:26:6f:2c:ac:5d:4c:21:0c:bf:1f:8a:ec:fe:e1:d2:5f:df:
+         b8:ce:4c:70:99:c8:19:54:64:e1:00:a9:60:fd:16:2a:69:d8:
+         6e:8b:55:a0:99:72:e4:e7:a7:1c:34:e7:d8:08:ce:d3:0e:33:
+         1f:bd:55:73:f2:63:87:d6:2e:86:ec:df:4c:11:1d:56:5c:92:
+         cf:10:93:5c:63:a6:f4:05:f1:ff:48:43:47:81:a7:4d:3e:4c:
+         a2:4a
+-----BEGIN CERTIFICATE-----
+MIIEIDCCA4mgAwIBAgIBDDANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE2MDQyMjExNDAzNFoXDTI2MDQyMDExNDAzNFowga0xCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRswGQYDVQQDExJWUE4t
+RkxSLUJSQi1waWVycmUxFDASBgNVBCkTC1ZQTi1GTFItQlJCMR0wGwYJKoZIhvcN
+AQkBFg5hcmd1c0Bvb3Blbi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+l9jZUR/aLSVLOBCWQfm/ey5wP1vqKD7EnG24L8L5NCfOo6ljcQejebmPEGsjYHsk
+N0qbVFGcSsFho7/paDJzXhvB6XT3aG7cESoUkbPgM+gG5SLNUs/Ffd8op6iuVLOF
+3hIPqhI5Gb59h0PfKnOqDECwIh56bQEZ9xSUBS5Yhw0CAwEAAaOCAVgwggFUMAkG
+A1UdEwQCMAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0
+aWZpY2F0ZTAdBgNVHQ4EFgQUBpCHKaOVt/8RhyJrUHK1fNUkj9wwgdYGA1UdIwSB
+zjCBy4AUVv7wO+OtpF4bfg/WH+Tp1Y5vEtahgaekgaQwgaExCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQ0Ex
+FDASBgNVBCkTC1ZQTi1GTFItQlJCMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Bl
+bi5kZYIJAPf/MOnEeNJTMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIH
+gDANBgkqhkiG9w0BAQUFAAOBgQBe6VNzHthNxcHj9QD6qlISlbym5mehv76TsfY7
+03qT0HI12BYuJm8srF1MIQy/H4rs/uHSX9+4zkxwmcgZVGThAKlg/RYqadhui1Wg
+mXLk56ccNOfYCM7TDjMfvVVz8mOH1i6G7N9MER1WXJLPEJNcY6b0BfH/SENHgadN
+PkyiSg==
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/0D.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 13 (0xd)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Jun 10 17:30:36 2016 GMT
+            Not After : Jun  8 17:30:36 2026 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-lotta/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:b6:3a:d8:30:3f:d9:64:c6:75:1f:c5:41:37:25:
+                    53:90:8f:8d:bd:d0:d6:55:a0:13:ca:50:ce:ef:84:
+                    8c:c6:1a:a5:51:64:46:95:be:a8:da:0e:b9:22:a6:
+                    c7:1b:b9:c8:25:e7:77:fb:27:0e:6b:a5:1d:a6:02:
+                    16:bc:af:23:4c:e8:70:ef:f3:73:ad:ce:51:7f:ec:
+                    0e:3a:e0:1e:44:0b:72:53:8e:49:32:3f:30:14:34:
+                    ca:2c:65:5b:b7:9f:88:00:ec:e5:3c:02:0a:0d:bd:
+                    ce:01:30:4e:69:f3:a0:16:0b:89:d1:33:99:b8:8c:
+                    5d:6a:0b:ea:c8:74:70:8c:d5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                EB:01:5B:84:3B:15:BD:99:87:33:8E:3B:6B:9E:4D:DC:89:34:03:0E
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         5f:df:0d:5c:f2:02:37:c2:1c:0d:4b:37:6a:8e:ff:16:47:c4:
+         f8:2b:17:95:e0:a0:7d:44:aa:03:e5:bf:06:12:32:10:27:7b:
+         39:ac:ab:e9:94:e1:91:7a:2a:ea:0b:07:ea:bb:c8:31:a0:4e:
+         64:1e:0e:04:29:90:8b:fc:65:a5:8e:57:24:7e:9b:ed:49:58:
+         b3:c7:cb:e2:11:c7:a2:32:95:b8:56:dd:e0:38:a9:4b:75:65:
+         da:a1:48:e3:72:0a:be:56:af:4b:41:98:ef:8d:e7:c3:74:20:
+         b8:fa:50:95:a8:ce:81:e7:07:d3:5c:41:55:0c:26:4e:c9:0d:
+         e3:97
+-----BEGIN CERTIFICATE-----
+MIIEHzCCA4igAwIBAgIBDTANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE2MDYxMDE3MzAzNloXDTI2MDYwODE3MzAzNlowgawxCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRowGAYDVQQDExFWUE4t
+RkxSLUJSQi1sb3R0YTEUMBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0B
+CQEWDmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2
+OtgwP9lkxnUfxUE3JVOQj4290NZVoBPKUM7vhIzGGqVRZEaVvqjaDrkipscbucgl
+53f7Jw5rpR2mAha8ryNM6HDv83OtzlF/7A464B5EC3JTjkkyPzAUNMosZVu3n4gA
+7OU8AgoNvc4BME5p86AWC4nRM5m4jF1qC+rIdHCM1QIDAQABo4IBWDCCAVQwCQYD
+VR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBTrAVuEOxW9mYczjjtrnk3ciTQDDjCB1gYDVR0jBIHO
+MIHLgBRW/vA7462kXht+D9Yf5OnVjm8S1qGBp6SBpDCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlggkA9/8w6cR40lMwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeA
+MA0GCSqGSIb3DQEBBQUAA4GBAF/fDVzyAjfCHA1LN2qO/xZHxPgrF5XgoH1EqgPl
+vwYSMhAnezmsq+mU4ZF6KuoLB+q7yDGgTmQeDgQpkIv8ZaWOVyR+m+1JWLPHy+IR
+x6IylbhW3eA4qUt1ZdqhSONyCr5Wr0tBmO+N58N0ILj6UJWozoHnB9NcQVUMJk7J
+DeOX
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/0E.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 14 (0xe)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Nov 18 01:47:17 2016 GMT
+            Not After : Nov 16 01:47:17 2026 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-pierre/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:ec:42:58:9e:f1:d6:65:e4:05:e4:d3:4f:d9:70:
+                    16:df:19:e1:85:81:5a:ee:69:05:f3:00:83:b3:49:
+                    fd:b7:1c:3a:d3:5f:82:cf:28:84:06:5b:88:11:64:
+                    97:56:4e:4f:19:0c:c8:73:87:9d:03:ee:27:3e:c9:
+                    53:f8:d2:ad:bc:19:5b:d3:3f:02:aa:10:e8:29:4c:
+                    2e:af:bc:a0:7a:e5:c6:8b:c3:fa:71:98:b5:c5:2b:
+                    46:d8:aa:37:ae:98:2f:99:0d:19:0d:63:5c:cf:13:
+                    c8:cd:0b:50:24:3a:55:75:0c:6b:73:7b:8f:2a:b7:
+                    5b:70:60:62:51:9b:28:62:bd
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                AD:91:04:D1:8A:AA:1A:8A:4B:9F:D0:A8:9C:21:56:45:0D:D9:0D:E2
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         6f:cb:7c:a9:7c:3d:18:59:ec:06:81:0d:56:2b:95:a4:b7:59:
+         e6:ee:4c:a4:d8:03:44:74:50:e3:06:05:38:1f:47:a0:fb:16:
+         4e:1d:44:4e:77:ff:75:09:d8:b4:cd:86:10:35:5b:f2:07:81:
+         47:65:22:97:c5:22:09:7e:d6:e5:df:94:44:c8:08:5c:da:5d:
+         14:f1:7a:ab:83:e7:c5:bf:71:49:19:0a:fc:24:3b:88:f4:ab:
+         1e:14:0c:b8:c1:c4:06:ae:83:96:8b:6c:a7:cc:c4:23:ff:63:
+         ca:7b:a1:7f:ea:a1:27:2b:02:8c:f6:72:6a:f1:fa:c5:ba:4f:
+         2c:44
+-----BEGIN CERTIFICATE-----
+MIIEIDCCA4mgAwIBAgIBDjANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE2MTExODAxNDcxN1oXDTI2MTExNjAxNDcxN1owga0xCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRswGQYDVQQDExJWUE4t
+RkxSLUJSQi1waWVycmUxFDASBgNVBCkTC1ZQTi1GTFItQlJCMR0wGwYJKoZIhvcN
+AQkBFg5hcmd1c0Bvb3Blbi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+7EJYnvHWZeQF5NNP2XAW3xnhhYFa7mkF8wCDs0n9txw601+CzyiEBluIEWSXVk5P
+GQzIc4edA+4nPslT+NKtvBlb0z8CqhDoKUwur7ygeuXGi8P6cZi1xStG2Ko3rpgv
+mQ0ZDWNczxPIzQtQJDpVdQxrc3uPKrdbcGBiUZsoYr0CAwEAAaOCAVgwggFUMAkG
+A1UdEwQCMAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0
+aWZpY2F0ZTAdBgNVHQ4EFgQUrZEE0YqqGopLn9ConCFWRQ3ZDeIwgdYGA1UdIwSB
+zjCBy4AUVv7wO+OtpF4bfg/WH+Tp1Y5vEtahgaekgaQwgaExCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tQ0Ex
+FDASBgNVBCkTC1ZQTi1GTFItQlJCMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Bl
+bi5kZYIJAPf/MOnEeNJTMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIH
+gDANBgkqhkiG9w0BAQUFAAOBgQBvy3ypfD0YWewGgQ1WK5Wkt1nm7kyk2ANEdFDj
+BgU4H0eg+xZOHUROd/91Cdi0zYYQNVvyB4FHZSKXxSIJftbl35REyAhc2l0U8Xqr
+g+fFv3FJGQr8JDuI9KseFAy4wcQGroOWi2ynzMQj/2PKe6F/6qEnKwKM9nJq8frF
+uk8sRA==
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/0F.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15 (0xf)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Nov 18 01:59:40 2016 GMT
+            Not After : Nov 16 01:59:40 2026 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-flr-pierre/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:a2:13:0c:ff:8b:0a:7f:29:6a:fa:01:32:4a:f1:
+                    60:72:44:0c:f8:41:82:59:44:93:db:30:6c:6a:92:
+                    1e:9e:fd:d6:a1:99:90:2e:02:7b:9c:59:8d:5e:a8:
+                    a5:de:77:56:33:39:0b:0a:1a:ad:08:79:97:94:59:
+                    33:bb:fd:b2:17:54:88:fe:54:90:35:ef:79:a9:98:
+                    7f:e6:f9:d1:db:2a:bd:06:c5:4a:c9:11:c4:43:a8:
+                    6f:66:82:10:b7:a9:8c:66:8a:41:c1:75:b4:41:19:
+                    e2:09:d7:fb:e7:8f:35:f2:8e:cb:7e:ec:9a:89:e0:
+                    d0:9c:d6:ff:37:13:22:02:1f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                B2:F2:A2:88:A9:FA:9E:66:8C:ED:BB:35:D8:4E:04:D3:81:38:5B:B8
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         91:84:59:e0:e5:1a:04:62:1a:17:a4:41:ce:fb:d8:d6:3f:86:
+         5b:36:6e:51:b7:7e:15:38:69:56:77:8b:dc:20:7e:19:dc:f6:
+         ac:eb:ed:cc:a9:aa:5b:68:8c:a9:36:04:4a:4c:0c:21:47:d1:
+         7d:77:cb:f9:7f:46:52:5a:42:61:0d:8a:01:b5:5a:90:25:4e:
+         bd:5f:5f:2a:d6:af:49:fb:9f:92:72:bc:6a:95:72:86:29:6a:
+         e2:14:f2:c7:dd:4f:79:78:24:1e:49:b0:f5:cb:69:73:2c:bd:
+         6c:26:4b:c2:03:37:d9:ed:8d:b7:4a:bf:19:c1:54:8b:4b:5d:
+         df:8a
+-----BEGIN CERTIFICATE-----
+MIIEJDCCA42gAwIBAgIBDzANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE2MTExODAxNTk0MFoXDTI2MTExNjAxNTk0MFowgbExCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMR8wHQYDVQQDExZWUE4t
+RkxSLUJSQi1mbHItcGllcnJlMRQwEgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqG
+SIb3DQEJARYOYXJndXNAb29wZW4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKITDP+LCn8pavoBMkrxYHJEDPhBgllEk9swbGqSHp791qGZkC4Ce5xZjV6o
+pd53VjM5CwoarQh5l5RZM7v9shdUiP5UkDXveamYf+b50dsqvQbFSskRxEOob2aC
+ELepjGaKQcF1tEEZ4gnX++ePNfKOy37smong0JzW/zcTIgIfAgMBAAGjggFYMIIB
+VDAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFLLyooip+p5mjO27NdhOBNOBOFu4MIHWBgNV
+HSMEgc4wgcuAFFb+8DvjraReG34P1h/k6dWObxLWoYGnpIGkMIGhMQswCQYDVQQG
+EwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoT
+Bm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMGVlBO
+LUNBMRQwEgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJndXNA
+b29wZW4uZGWCCQD3/zDpxHjSUzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8E
+BAMCB4AwDQYJKoZIhvcNAQEFBQADgYEAkYRZ4OUaBGIaF6RBzvvY1j+GWzZuUbd+
+FThpVneL3CB+Gdz2rOvtzKmqW2iMqTYESkwMIUfRfXfL+X9GUlpCYQ2KAbVakCVO
+vV9fKtavSfufknK8apVyhilq4hTyx91PeXgkHkmw9ctpcyy9bCZLwgM32e2Nt0q/
+GcFUi0td34o=
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/10.pem

@@ -0,0 +1,88 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 16 (0x10)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Apr 20 13:38:03 2017 GMT
+            Not After : Apr 18 13:38:03 2027 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-test/name=VPN FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:cc:ff:52:dc:42:3e:ec:5d:ed:35:cc:b1:a8:bd:
+                    0b:a9:79:52:0d:40:d4:37:90:cf:f5:34:f8:7b:3b:
+                    8b:ce:a8:58:53:f5:ce:20:67:00:d3:97:ae:ff:1f:
+                    4f:be:05:8f:68:4d:40:a9:2f:01:86:72:dc:8a:73:
+                    67:d0:f1:e1:00:5f:58:0c:62:d6:5b:62:11:65:62:
+                    7e:a6:46:99:ef:3c:66:7d:c7:dc:e0:68:1d:f2:58:
+                    cf:d7:0e:9a:9f:d2:e9:f6:9d:11:0a:35:ae:47:27:
+                    f9:63:de:8b:cc:7f:64:ff:67:dc:51:b6:11:ca:18:
+                    94:ac:b9:b1:81:cc:22:89:fe:ea:77:46:38:34:b3:
+                    de:b0:be:cf:15:7c:c2:ee:22:d7:da:27:93:c7:42:
+                    45:37:64:48:4a:7c:4b:d1:02:c4:70:a0:91:30:cc:
+                    3b:88:29:69:34:7c:67:a8:b2:3c:fc:37:bf:34:a2:
+                    2e:db:7c:94:f2:05:b9:45:46:49:26:b8:5a:57:ea:
+                    00:5a:db:f0:35:62:9c:3c:38:af:d8:5f:c8:1b:f7:
+                    08:a6:7b:15:63:d8:3d:7a:5b:18:69:ba:a1:0b:01:
+                    a8:17:7a:e3:48:0b:5e:da:9d:0e:c7:04:49:55:9a:
+                    15:2b:ce:c8:47:8e:c8:81:eb:f3:39:64:5d:10:32:
+                    8b:c7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                A0:88:26:03:2B:48:AB:B4:04:E2:70:30:D5:A4:10:4E:46:64:D4:68
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:test
+    Signature Algorithm: sha256WithRSAEncryption
+         4a:a3:e6:d7:e9:ef:5f:73:5c:58:bb:64:4e:a2:76:27:30:4c:
+         6e:84:1f:a0:2b:1a:0b:eb:b9:4d:31:e4:2e:3b:d5:92:a0:13:
+         ac:fc:33:c7:1c:86:ef:d9:77:8f:88:f7:26:89:f5:ab:78:a5:
+         84:b4:c5:db:45:5f:61:17:ed:0c:d6:7a:99:73:fb:05:dc:8d:
+         77:70:c3:0b:4c:eb:cc:30:9c:85:45:9f:e8:15:5d:45:d2:67:
+         85:da:d0:5f:c2:23:41:e4:25:65:a1:a1:68:42:ad:50:3d:ff:
+         34:f1:73:93:d8:2d:0c:48:4d:85:b8:fc:7b:c3:76:ff:71:43:
+         8b:03
+-----BEGIN CERTIFICATE-----
+MIIEszCCBBygAwIBAgIBEDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE3MDQyMDEzMzgwM1oXDTI3MDQxODEzMzgwM1owgasxCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRkwFwYDVQQDExBWUE4t
+RkxSLUJSQi10ZXN0MRQwEgYDVQQpEwtWUE4gRkxSLUJSQjEdMBsGCSqGSIb3DQEJ
+ARYOYXJndXNAb29wZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDM/1LcQj7sXe01zLGovQupeVINQNQ3kM/1NPh7O4vOqFhT9c4gZwDTl67/H0++
+BY9oTUCpLwGGctyKc2fQ8eEAX1gMYtZbYhFlYn6mRpnvPGZ9x9zgaB3yWM/XDpqf
+0un2nREKNa5HJ/lj3ovMf2T/Z9xRthHKGJSsubGBzCKJ/up3Rjg0s96wvs8VfMLu
+ItfaJ5PHQkU3ZEhKfEvRAsRwoJEwzDuIKWk0fGeosjz8N780oi7bfJTyBblFRkkm
+uFpX6gBa2/A1Ypw8OK/YX8gb9wimexVj2D16WxhpuqELAagXeuNIC17anQ7HBElV
+mhUrzshHjsiB6/M5ZF0QMovHAgMBAAGjggFpMIIBZTAJBgNVHRMEAjAAMC0GCWCG
+SAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
+BBYEFKCIJgMrSKu0BOJwMNWkEE5GZNRoMIHWBgNVHSMEgc4wgcuAFFb+8DvjraRe
+G34P1h/k6dWObxLWoYGnpIGkMIGhMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVy
+bGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQ
+bmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMGVlBOLUNBMRQwEgYDVQQpEwtWUE4t
+RkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQD3/zDpxHjS
+UzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDwYDVR0RBAgwBoIE
+dGVzdDANBgkqhkiG9w0BAQsFAAOBgQBKo+bX6e9fc1xYu2ROonYnMExuhB+gKxoL
+67lNMeQuO9WSoBOs/DPHHIbv2XePiPcmifWreKWEtMXbRV9hF+0M1nqZc/sF3I13
+cMMLTOvMMJyFRZ/oFV1F0meF2tBfwiNB5CVloaFoQq1QPf808XOT2C0MSE2FuPx7
+w3b/cUOLAw==
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/11.pem

@@ -0,0 +1,88 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 17 (0x11)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Sep 28 01:51:57 2017 GMT
+            Not After : Sep 26 01:51:57 2027 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-kirstin/name=VPN FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b4:de:6c:e3:57:67:78:af:40:8d:cb:12:9c:e2:
+                    9c:47:0b:21:92:38:c7:bd:1b:f0:80:88:34:0d:a3:
+                    0e:90:13:b3:08:ba:0e:89:4b:e9:48:55:07:1b:dc:
+                    b0:f3:b7:2d:0b:fb:49:f7:26:a8:78:bd:2d:7b:d0:
+                    7e:03:c2:65:41:91:00:7c:c2:30:ed:36:6b:1e:27:
+                    f5:37:7c:de:3d:22:5e:45:0d:b0:33:75:55:bb:69:
+                    14:32:6e:3a:80:69:db:2e:06:5f:67:73:d9:13:9f:
+                    7e:0e:3a:db:59:9a:84:90:28:04:ff:ba:36:aa:c7:
+                    c7:8d:a0:0e:ad:f7:93:20:37:8a:59:7f:16:91:20:
+                    00:2f:e3:26:9d:41:40:e1:62:37:16:02:8d:9a:ba:
+                    05:59:ff:c5:c5:05:e5:00:4a:0a:53:6f:2f:87:47:
+                    ed:ce:12:44:bb:01:82:16:e0:0a:06:5c:49:f2:3b:
+                    a1:d9:14:4a:40:c1:7e:30:b8:2c:99:ac:23:44:45:
+                    ca:a3:4a:ad:7a:c5:d3:b5:48:35:e8:d4:5e:ef:2c:
+                    bf:62:c1:87:ad:85:79:11:0e:97:a9:ee:d8:bb:aa:
+                    79:ed:9f:15:0b:23:79:c8:c8:91:27:77:55:90:19:
+                    8e:21:e9:77:60:fc:5c:94:39:34:7f:1c:9d:ee:c6:
+                    c5:0d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                59:AE:3C:E4:DC:A9:72:F8:07:17:B5:BC:AD:CE:2F:1D:86:14:D7:1C
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:kirstin
+    Signature Algorithm: sha256WithRSAEncryption
+         5e:0c:c0:a6:b2:3d:cc:09:f3:5a:7c:72:05:0b:02:2b:a1:06:
+         46:68:ef:9e:67:d2:d0:6b:07:bb:dc:4a:ca:e2:7b:34:1e:fb:
+         3f:16:56:c8:48:07:21:aa:ab:a7:01:eb:3c:19:14:a6:8d:70:
+         1b:0d:2b:8a:b2:7f:09:f4:77:9f:4f:0c:6c:aa:08:b6:ca:1f:
+         cd:4f:2f:75:c6:26:41:11:72:17:c3:a6:b1:26:2b:43:8e:60:
+         15:93:5c:ab:83:0b:17:7f:e5:5f:74:d9:c5:9a:d5:27:bf:bc:
+         8d:35:2f:b4:97:64:9a:4b:c2:02:d8:ed:b3:9a:9b:4f:78:b9:
+         24:0e
+-----BEGIN CERTIFICATE-----
+MIIEuTCCBCKgAwIBAgIBETANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE3MDkyODAxNTE1N1oXDTI3MDkyNjAxNTE1N1owga4xCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRwwGgYDVQQDExNWUE4t
+RkxSLUJSQi1raXJzdGluMRQwEgYDVQQpEwtWUE4gRkxSLUJSQjEdMBsGCSqGSIb3
+DQEJARYOYXJndXNAb29wZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC03mzjV2d4r0CNyxKc4pxHCyGSOMe9G/CAiDQNow6QE7MIug6JS+lIVQcb
+3LDzty0L+0n3Jqh4vS170H4DwmVBkQB8wjDtNmseJ/U3fN49Il5FDbAzdVW7aRQy
+bjqAadsuBl9nc9kTn34OOttZmoSQKAT/ujaqx8eNoA6t95MgN4pZfxaRIAAv4yad
+QUDhYjcWAo2augVZ/8XFBeUASgpTby+HR+3OEkS7AYIW4AoGXEnyO6HZFEpAwX4w
+uCyZrCNERcqjSq16xdO1SDXo1F7vLL9iwYethXkRDpep7ti7qnntnxULI3nIyJEn
+d1WQGY4h6Xdg/FyUOTR/HJ3uxsUNAgMBAAGjggFsMIIBaDAJBgNVHRMEAjAAMC0G
+CWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFFmuPOTcqXL4Bxe1vK3OLx2GFNccMIHWBgNVHSMEgc4wgcuAFFb+8Dvj
+raReG34P1h/k6dWObxLWoYGnpIGkMIGhMQswCQYDVQQGEwJERTEPMA0GA1UECBMG
+QmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UE
+CxMQbmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMGVlBOLUNBMRQwEgYDVQQpEwtW
+UE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQD3/zDp
+xHjSUzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEgYDVR0RBAsw
+CYIHa2lyc3RpbjANBgkqhkiG9w0BAQsFAAOBgQBeDMCmsj3MCfNafHIFCwIroQZG
+aO+eZ9LQawe73ErK4ns0Hvs/FlbISAchqqunAes8GRSmjXAbDSuKsn8J9HefTwxs
+qgi2yh/NTy91xiZBEXIXw6axJitDjmAVk1yrgwsXf+VfdNnFmtUnv7yNNS+0l2Sa
+S8IC2O2zmptPeLkkDg==
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/12.pem

@@ -0,0 +1,88 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 18 (0x12)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Oct 24 01:34:33 2017 GMT
+            Not After : Oct 22 01:34:33 2027 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-juergen/name=VPN FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:9b:71:3f:18:2a:95:12:65:74:ea:af:ee:03:99:
+                    ca:c1:44:89:ae:90:89:7f:4e:e0:f3:36:22:c2:b5:
+                    79:90:99:73:d0:ec:1c:69:7d:00:2a:a6:48:b6:ff:
+                    12:9d:a8:c0:fd:cf:3f:54:29:e9:b0:7a:3d:c9:e8:
+                    66:6e:d8:6a:5e:5e:60:c5:88:e1:96:c4:d0:f2:8f:
+                    30:76:9f:7d:a1:83:d8:cb:ce:d9:7b:2b:9c:88:9b:
+                    24:bf:58:9c:a1:0e:19:1f:56:4b:d2:95:20:c5:63:
+                    66:8e:37:2c:29:6f:23:92:90:a4:f0:a1:03:1b:6b:
+                    bf:a5:1f:31:9c:2b:5a:20:19:ea:8b:16:d2:8f:3f:
+                    29:a1:a7:b1:f0:86:b4:a5:c4:34:fc:d5:28:1d:a3:
+                    2a:dc:93:84:37:11:1a:d6:75:5f:4c:94:56:23:27:
+                    e9:92:55:cd:0b:17:8e:18:44:ff:87:b9:90:ff:06:
+                    3c:8c:64:cd:b8:e5:d5:92:31:ee:40:33:b5:ec:5c:
+                    d5:11:82:60:57:32:fb:d9:62:19:6a:3a:6a:1d:3c:
+                    9d:f4:d1:10:1f:dc:19:be:2c:7c:0a:b8:9b:31:e4:
+                    21:f2:20:ff:7e:43:c9:8b:24:a9:f2:47:2c:30:e9:
+                    59:4a:88:1d:07:6a:c7:48:db:8e:ba:a4:39:79:72:
+                    68:f1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                10:F5:DF:E4:E8:0F:7F:93:A9:F6:65:47:EB:15:76:6B:56:82:E0:41
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:juergen
+    Signature Algorithm: sha256WithRSAEncryption
+         32:a8:d5:66:03:a6:10:5e:69:0b:4a:a6:24:95:9d:19:1e:ee:
+         52:d3:b5:11:a0:bd:e8:b9:8d:0d:1a:83:b3:1b:bc:d3:b2:76:
+         8f:61:ca:a9:ee:06:0d:7d:6e:81:b3:a2:74:85:cf:64:9a:1f:
+         79:69:61:1f:8f:e1:1c:2f:5e:4e:43:ac:0f:f1:6e:1e:8b:4a:
+         5b:34:d3:e8:29:e9:bc:e7:50:d8:88:36:c5:03:91:53:6e:1e:
+         64:85:dd:5b:6b:cf:75:1e:b1:ee:06:59:78:5e:62:53:6e:5c:
+         14:e3:c0:0b:f3:d8:f6:28:c5:06:16:22:fe:b5:80:5c:d9:74:
+         47:9d
+-----BEGIN CERTIFICATE-----
+MIIEuTCCBCKgAwIBAgIBEjANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE3MTAyNDAxMzQzM1oXDTI3MTAyMjAxMzQzM1owga4xCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRwwGgYDVQQDExNWUE4t
+RkxSLUJSQi1qdWVyZ2VuMRQwEgYDVQQpEwtWUE4gRkxSLUJSQjEdMBsGCSqGSIb3
+DQEJARYOYXJndXNAb29wZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCbcT8YKpUSZXTqr+4DmcrBRImukIl/TuDzNiLCtXmQmXPQ7BxpfQAqpki2
+/xKdqMD9zz9UKemwej3J6GZu2GpeXmDFiOGWxNDyjzB2n32hg9jLztl7K5yImyS/
+WJyhDhkfVkvSlSDFY2aONywpbyOSkKTwoQMba7+lHzGcK1ogGeqLFtKPPymhp7Hw
+hrSlxDT81Sgdoyrck4Q3ERrWdV9MlFYjJ+mSVc0LF44YRP+HuZD/BjyMZM245dWS
+Me5AM7XsXNURgmBXMvvZYhlqOmodPJ300RAf3Bm+LHwKuJsx5CHyIP9+Q8mLJKny
+Ryww6VlKiB0HasdI2466pDl5cmjxAgMBAAGjggFsMIIBaDAJBgNVHRMEAjAAMC0G
+CWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFBD13+ToD3+TqfZlR+sVdmtWguBBMIHWBgNVHSMEgc4wgcuAFFb+8Dvj
+raReG34P1h/k6dWObxLWoYGnpIGkMIGhMQswCQYDVQQGEwJERTEPMA0GA1UECBMG
+QmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UE
+CxMQbmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMGVlBOLUNBMRQwEgYDVQQpEwtW
+UE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQD3/zDp
+xHjSUzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEgYDVR0RBAsw
+CYIHanVlcmdlbjANBgkqhkiG9w0BAQsFAAOBgQAyqNVmA6YQXmkLSqYklZ0ZHu5S
+07URoL3ouY0NGoOzG7zTsnaPYcqp7gYNfW6Bs6J0hc9kmh95aWEfj+EcL15OQ6wP
+8W4ei0pbNNPoKem851DYiDbFA5FTbh5khd1ba891HrHuBll4XmJTblwU48AL89j2
+KMUGFiL+tYBc2XRHnQ==
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/almut.crt

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 8 (0x8)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Jul  8 11:07:55 2015 GMT
+            Not After : Jul  5 11:07:55 2025 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-almut/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:e6:b1:b6:df:9d:e7:65:dd:d6:6b:5e:4b:16:62:
+                    7d:30:59:35:63:fe:4e:03:16:5a:e1:5d:d8:05:2b:
+                    fe:83:46:14:75:2d:cc:b5:2b:b9:c0:5e:bf:1f:6f:
+                    f2:79:e3:74:c5:cf:13:d8:82:87:19:06:05:35:cf:
+                    d3:6a:f9:be:ad:66:e1:8c:29:65:6d:e3:e6:44:2b:
+                    0b:21:25:d6:24:91:27:bc:7d:82:58:b9:22:e5:d5:
+                    b4:22:72:7e:03:38:93:18:71:f1:a2:18:6c:87:6e:
+                    2e:1d:cb:4c:a1:5e:c1:13:d9:2a:1a:8e:47:67:6e:
+                    b2:63:e3:7f:f0:3a:bc:6c:37
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                1C:17:CE:68:3A:6B:CA:ED:98:E4:63:13:C7:A2:60:E1:D2:51:DF:9A
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         c3:24:0b:75:30:4a:dc:79:f6:55:e3:95:4b:5d:d3:6d:4d:42:
+         41:54:a9:5f:0d:d1:3b:cd:9f:bb:7e:19:fc:ca:dd:a6:92:6e:
+         2a:28:57:b2:a9:99:9a:9b:11:60:34:ec:09:3c:bb:91:d5:37:
+         89:14:9a:c2:c6:52:af:b9:f0:a6:c9:aa:b3:e5:b5:80:07:40:
+         ac:a2:fd:98:c2:5b:16:20:c4:39:31:b7:73:ee:65:79:75:86:
+         41:70:26:a5:c4:fc:a8:f4:50:cf:34:2d:85:22:21:e9:84:2c:
+         8e:08:09:d1:75:a7:76:f7:f3:be:09:b0:79:7f:0d:c6:7d:6b:
+         57:b9
+-----BEGIN CERTIFICATE-----
+MIIEHzCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTE1MDcwODExMDc1NVoXDTI1MDcwNTExMDc1NVowgawxCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRowGAYDVQQDExFWUE4t
+RkxSLUJSQi1hbG11dDEUMBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0B
+CQEWDmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDm
+sbbfnedl3dZrXksWYn0wWTVj/k4DFlrhXdgFK/6DRhR1Lcy1K7nAXr8fb/J543TF
+zxPYgocZBgU1z9Nq+b6tZuGMKWVt4+ZEKwshJdYkkSe8fYJYuSLl1bQicn4DOJMY
+cfGiGGyHbi4dy0yhXsET2SoajkdnbrJj43/wOrxsNwIDAQABo4IBWDCCAVQwCQYD
+VR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBQcF85oOmvK7ZjkYxPHomDh0lHfmjCB1gYDVR0jBIHO
+MIHLgBRW/vA7462kXht+D9Yf5OnVjm8S1qGBp6SBpDCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlggkA9/8w6cR40lMwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeA
+MA0GCSqGSIb3DQEBBQUAA4GBAMMkC3UwStx59lXjlUtd021NQkFUqV8N0TvNn7t+
+GfzK3aaSbiooV7KpmZqbEWA07Ak8u5HVN4kUmsLGUq+58KbJqrPltYAHQKyi/ZjC
+WxYgxDkxt3PuZXl1hkFwJqXE/Kj0UM80LYUiIemELI4ICdF1p3b3874JsHl/DcZ9
+a1e5
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/almut.csr

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB7TCCAVYCAQAwgawxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBuZXR3b3Jr
+IHNlcnZpY2VzMRowGAYDVQQDExFWUE4tRkxSLUJSQi1hbG11dDEUMBIGA1UEKRML
+VlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmsbbfnedl3dZrXksWYn0wWTVj/k4DFlrh
+XdgFK/6DRhR1Lcy1K7nAXr8fb/J543TFzxPYgocZBgU1z9Nq+b6tZuGMKWVt4+ZE
+KwshJdYkkSe8fYJYuSLl1bQicn4DOJMYcfGiGGyHbi4dy0yhXsET2SoajkdnbrJj
+43/wOrxsNwIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAsRoYDX/mMD6vDxsz/RH9
+7GCblltxzQl3McntUp9K44xRC5vhP4E0EZ2cWsnrDtMlI3cn93I6H7NuVbk3CKy0
+J/uJjRmQ8ZrmTjmxJY1MRoz7MQll6IfGyHVMyeKqL+0KjI5PlJMK43nb8Vm3wmPW
+5R9r5Yf5urpsCJPFfAp1kgc=
+-----END CERTIFICATE REQUEST-----

FLR-BRB/openvpn/home-flr/keys/almut.key

@@ -0,0 +1,17 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIQ9cKL0FNsPUCAggA
+MBQGCCqGSIb3DQMHBAg62rRyltv9pASCAoB8imFD1xrg+dgYwmoxHIOYYB1ZNVWc
+BA0T0UsuJEys4+tVuDhn0M5K7Gq1wo7tvrkeGHI2egNbSDq9atWwx8HI8r8stsIH
+eFejTJChv/vfAaE4K89R0q0pnPyjRoIiYqzRH0SCbHNEssfBFoytGhG4eqd49yQY
+XA2/Z67xXqwvIgYP1+n403yD2Kni7snCoO9CDBovJowAbcaafhgu76E36U/A6fja
+uwCUfcDTFyuMbYg25yGffzD3TIH4GDBucgGlZf41msUcSxu7iC4MkK04oHAE2dnp
+lMeJww/ByaTuew08VI6ccBZ7tSegh1ZKvzzzf01dd+xU5RSUf8MIzKZD4kcoLAOc
+uEDvtkqENADYB8eZmOpSX17h0p4HB6Rk+mgPwRMzfPfDa99eBYHC4g+pkgUcUvCC
+DvOISXwSxZeEcg81RSd5yXgJGOag8fYheWmd/MT2LML5eHXrpndITBkQ9uaKcvd7
+Kx9nPvQdF3Tz9VVUbKJ4rk1uAyadr265B4odL95ztdNtr4wiXdGNPtRxOHdMLQVO
+YhZ+JTflR4BK+igwUA1ze70GzPIU1emlESPo47h8kCK9mPjHEavITDpdsZZU67Aa
+P3fWEA3127PoxyK4Arr1ZOv+LOCEcqhPHcwkKLP8HLM288eJ2z9SW0HxrLsgtt3H
+oUxHlYH3+5zmRc7D/bNJyuPmRGmwW2nDs+c7yBUE+hUeDWGUJufQ+mRl5PpZo33q
+Hm1lxpFvWbOWsZqQsUWdGIHouKcv/Q5XoxlbCyVx54a8b23PTqHTRuGD0+v0CFz2
+DPSCaHZxdi/FvAbslomywjgiYW7h3bZA9/+N5LcxjDz53YI+cho7kf2M
+-----END ENCRYPTED PRIVATE KEY-----

FLR-BRB/openvpn/home-flr/keys/ca.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzjCCAzegAwIBAgIJAPf/MOnEeNJTMA0GCSqGSIb3DQEBBQUAMIGhMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBm8ub3BlbjEZMBcGA1UECxMQbmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMG
+VlBOLUNBMRQwEgYDVQQpEwtWUE4tRkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJn
+dXNAb29wZW4uZGUwHhcNMTIxMTExMTgyMzU5WhcNMzIxMTA2MTgyMzU5WjCBoTEL
+MAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8w
+DQYDVQQKEwZvLm9wZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNV
+BAMTBlZQTi1DQTEUMBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEW
+DmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIdp+t
+lUB/nx3JqiZiBEkyTK2m+uH/hes4wYTpmbRY2x1YJtwQegX/sfxuu0n1xA42gON0
+eOBc2v/MmKzrGP+VP2VxWBhR/VnJsPeFTJJvD6ioM+jc9xNeZFNgHibRw4vzipyK
+ALQJK6gJ3COvhb3YWOul3njUGgZZkaikPMuTQQIDAQABo4IBCjCCAQYwHQYDVR0O
+BBYEFFb+8DvjraReG34P1h/k6dWObxLWMIHWBgNVHSMEgc4wgcuAFFb+8DvjraRe
+G34P1h/k6dWObxLWoYGnpIGkMIGhMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVy
+bGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQ
+bmV0d29yayBzZXJ2aWNlczEPMA0GA1UEAxMGVlBOLUNBMRQwEgYDVQQpEwtWUE4t
+RkxSLUJSQjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQD3/zDpxHjS
+UzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBADPFDfqCtYtsS/NxGVYc
+hgxKsA9S/kBifNbde0e6nmPBgufW+O3uPrkvg7Wx2EayxMhX/dVrAYm8NSNCdWXV
+5ra0lu6cTI8rwWt404e0F/o0v6u+5eWHFxSF0lDJIVhwvvVoiAUJQw8h+BlI5PYO
+JcHZCQoQE1/RE6Xp+0xgTXvW
+-----END CERTIFICATE-----

FLR-BRB/openvpn/home-flr/keys/ca.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDIdp+tlUB/nx3JqiZiBEkyTK2m+uH/hes4wYTpmbRY2x1YJtwQ
+egX/sfxuu0n1xA42gON0eOBc2v/MmKzrGP+VP2VxWBhR/VnJsPeFTJJvD6ioM+jc
+9xNeZFNgHibRw4vzipyKALQJK6gJ3COvhb3YWOul3njUGgZZkaikPMuTQQIDAQAB
+AoGAOvhiar7gNWrKaXurROQ74BcccmWVPATaOFz9S3bSzdzPWhI8ZIBw6VIjjzN7
+Q1gEUlZCEw5H+ijWXQqAu7wj2u9z+sv0CSuMivGWkfvfWqB/hkR/48gNXrcBoRUI
+Vuvu+9s+9PnAGOy53hAoTBKiD75TpGGhPIjAP0bRyYw9UkECQQDoH9k2ps4Xo0eG
+RRy+sOFMWJ+c3796STIoPmVNaxITV7rngWGggcq2L63n9HbBMTzEiJ7MFFYiCBee
+eFGUSOHpAkEA3RUY3lXJpH3lE/vHZehfVEz7iWVzlllmYIpqVZgs/rIUW0+GpSbN
+U6OH8iJ/aU8963oHu294q7JbMR6oR2e3mQJAZM8gGJoMuztQHsH5H9/VmMCMYSbT
+E5qiS9P9TsgHS5s4Mr5/1aNIlCLU1f3XbUOi7n+e52aVmaYGC+6ZD1svsQJACNhV
+PF/2R0x6I8iI+7zGQ5so3SBf9X3yKJ6hDneeJTp+sgCGhIj+4f/C6p8SteXjtk4V
+jRwymbvzBg4R8Xlm0QJBAJ6FO/1rJr+C9jEqkjDspfpyUH9OFQvytYTNGTwp41Iw
+VkrEXqL3yUhtmj0F7UTzfjp9dVzGVLqHjkO3AXaXUr4=
+-----END RSA PRIVATE KEY-----

FLR-BRB/openvpn/home-flr/keys/chris.crt

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Nov 11 18:31:17 2012 GMT
+            Not After : Nov  6 18:31:17 2032 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=VPN-FLR-BRB-chris/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:bb:b8:e0:59:a9:0b:ce:92:92:45:6f:0a:17:c0:
+                    a5:31:2e:86:eb:d7:a9:47:5d:80:b6:5b:94:6b:9f:
+                    58:5d:6b:df:73:99:f8:5d:3a:f6:58:a7:9b:da:20:
+                    48:e5:19:cb:e0:f7:ad:47:05:a2:b0:db:ed:54:ec:
+                    75:45:05:31:b7:68:62:47:35:3f:89:1b:f6:8b:7d:
+                    72:fe:ee:a6:21:60:5e:c1:59:f1:32:25:2e:79:14:
+                    1d:03:38:a1:a9:e2:28:52:52:c3:c0:51:91:fd:44:
+                    50:3b:be:c7:ba:df:5a:47:38:47:29:78:c7:a0:ec:
+                    b6:ea:46:28:ed:62:fd:3a:7f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                68:00:5D:CF:D6:87:2A:65:E2:31:F7:56:87:B1:3B:FF:78:1F:28:B0
+            X509v3 Authority Key Identifier: 
+                keyid:56:FE:F0:3B:E3:AD:A4:5E:1B:7E:0F:D6:1F:E4:E9:D5:8E:6F:12:D6
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=VPN-CA/name=VPN-FLR-BRB/emailAddress=argus@oopen.de
+                serial:F7:FF:30:E9:C4:78:D2:53
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+        50:68:35:b1:f8:03:97:a3:ae:e8:2c:40:c1:0b:f8:a7:d7:f2:
+        e1:f0:de:62:a9:0b:ee:18:44:8d:c9:f9:9f:ac:4b:b7:95:6c:
+        fc:43:95:aa:b0:6f:b8:35:bb:a0:a8:c1:48:d9:2d:d9:7e:50:
+        fb:2b:ba:c5:31:e1:a7:af:b1:58:4a:44:28:69:84:bc:9c:e0:
+        90:b7:95:36:ee:00:3b:1e:0a:09:90:2f:be:d9:0c:07:78:8e:
+        79:21:4a:af:2b:7d:f3:30:4d:70:04:f2:95:55:4b:d8:24:46:
+        09:f9:08:3c:b0:c1:ad:49:5c:ec:47:55:bc:16:49:80:8e:01:
+        1c:e6
+-----BEGIN CERTIFICATE-----
+MIIEHzCCA4igAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlMB4XDTEyMTExMTE4MzExN1oXDTMyMTEwNjE4MzExN1owgawxCzAJBgNVBAYT
+AkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMG
+by5vcGVuMRkwFwYDVQQLExBuZXR3b3JrIHNlcnZpY2VzMRowGAYDVQQDExFWUE4t
+RkxSLUJSQi1jaHJpczEUMBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0B
+CQEWDmFyZ3VzQG9vcGVuLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7
+uOBZqQvOkpJFbwoXwKUxLobr16lHXYC2W5Rrn1hda99zmfhdOvZYp5vaIEjlGcvg
+961HBaKw2+1U7HVFBTG3aGJHNT+JG/aLfXL+7qYhYF7BWfEyJS55FB0DOKGp4ihS
+UsPAUZH9RFA7vse631pHOEcpeMeg7LbqRijtYv06fwIDAQABo4IBWDCCAVQwCQYD
+VR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBRoAF3P1ocqZeIx91aHsTv/eB8osDCB1gYDVR0jBIHO
+MIHLgBRW/vA7462kXht+D9Yf5OnVjm8S1qGBp6SBpDCBoTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEG5ldHdvcmsgc2VydmljZXMxDzANBgNVBAMTBlZQTi1DQTEU
+MBIGA1UEKRMLVlBOLUZMUi1CUkIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVu
+LmRlggkA9/8w6cR40lMwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeA
+MA0GCSqGSIb3DQEBBQUAA4GBAFBoNbH4A5ejrugsQMEL+KfX8uHw3mKpC+4YRI3J
++Z+sS7eVbPxDlaqwb7g1u6CowUjZLdl+UPsrusUx4aevsVhKRChphLyc4JC3lTbu
+ADseCgmQL77ZDAd4jnkhSq8rffMwTXAE8pVVS9gkRgn5CDywwa1JXOxHVbwWSYCO
+ARzm
+-----END CERTIFICATE-----