Initial commit

2018-05-08 03:01:03 +02:00
commit 1c4c595cd6
3256 changed files with 417972 additions and 0 deletions

25
Kanzlei-Kiel/README.txt Normal file

@ -0,0 +1,25 @@
Notice:
You have to change some configuration files becaus the because
the configuration of network interfaces must not be equal.
!! Take care, to use the right device names !!
Maybe they are called i.e. 'enp0sXX', but you can rename it.
See also : README.rename.netdevices
For the backup gateway host:
eth1 --> LAN
eth2 --> WAN or ppp0 (DSL device)
eth0 --> WLAN or second LAN or what ever
or
br0 --> WLAN or second LAN or what ever
So you have to change the following files
dsl-provider.Kanzlei-Kiel: ppp0 comes over eth2
interfaces.Kanzlei-Kiel: see above
default_isc-dhcp-server.Kanzlei-Kiel
ipt-firewall.Kanzlei-Kiel: LAN device (mostly ) = eth1
second LAN WLAN or what ever (if present) = eth0
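
Review bot: The notice at the top of README.txt contains a duplicated fragment ("becaus the because the"), and "must not be equal" reads as a prohibition although the rest of the file only describes device names that differ between hosts; suggest "because the configuration of the network interfaces may differ between hosts". In the ipt-firewall entry, "LAN device (mostly ) = eth1" has a stray space inside the parentheses; "LAN device = eth1 (mostly)" would read more clearly.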


@ -0,0 +1,79 @@
# Under control from debconf, please use 'dpkg-reconfigure aiccu' to reconfigure
# AICCU Configuration
# Login information (defaults: none)
username CKM11-SIXXS
password zLkJIZF0
# Protocol and server to use for setting up the tunnel (defaults: none)
protocol tic
server tic.sixxs.net
# Interface names to use (default: aiccu)
# ipv6_interface is the name of the interface that will be used as a tunnel interface.
# On *BSD the ipv6_interface should be set to gifX (eg gif0) for proto-41 tunnels
# or tunX (eg tun0) for AYIYA tunnels.
ipv6_interface sixxs
# The tunnel_id to use (default: none)
# (only required when there are multiple tunnels in the list)
tunnel_id T129038
# Be verbose? (default: false)
verbose false
# Daemonize? (default: true)
# Set to false if you want to see any output
# When true output goes to syslog
#
# WARNING: never run AICCU from DaemonTools or a similar automated
# 'restart' tool/script. When AICCU does not start, it has a reason
# not to start which it gives on either the stdout or in the (sys)log
# file. The TIC server *will* automatically disable accounts which
# are detected to run in this mode.
#
daemonize true
# Automatic Login and Tunnel activation?
automatic true
# Require TLS?
# When set to true, if TLS is not supported on the server
# the TIC transaction will fail.
# When set to false, it will try a starttls, when that is
# not supported it will continue.
# In any case if AICCU is build with TLS support it will
# try to do a 'starttls' to the TIC server to see if that
# is supported.
requiretls false
# PID File
#pidfile /var/run/aiccu.pid
# Add a default route (default: true)
#defaultroute true
# Script to run after setting up the interfaces (default: none)
#setupscript /usr/local/etc/aiccu-subnets.sh
# Make heartbeats (default true)
# In general you don't want to turn this off
# Of course only applies to AYIYA and heartbeat tunnels not to static ones
#makebeats true
# Don't configure anything (default: false)
#noconfigure true
# Behind NAT (default: false)
# Notify the user that a NAT-kind network is detected
#behindnat true
# Local IPv4 Override (default: none)
# Overrides the IPv4 parameter received from TIC
# This allows one to configure a NAT into "DMZ" mode and then
# forwarding the proto-41 packets to an internal host.
#
# This is only needed for static proto-41 tunnels!
# AYIYA and heartbeat tunnels don't require this.
#local_ipv4_override
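
Review bot: The `username` and `password` lines near the top of this file put a tunnel account login into the repository in clear text, and `requiretls false` lets the TIC login continue when STARTTLS is not supported, as the comment block above that setting states. Suggest committing a template with placeholder values, keeping the real file out of version control with restrictive permissions, changing the committed password, and setting `requiretls true`.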

Submodule Kanzlei-Kiel/bin/admin-stuff added at 6c91fc0987


@ -0,0 +1 @@
admin-stuff/clean_log_files.sh

Submodule Kanzlei-Kiel/bin/manage-gw-config added at 2a96dfdc8f

Submodule Kanzlei-Kiel/bin/monitoring added at 0611d0a2ad


@ -0,0 +1 @@
admin-stuff/os-upgrade.sh


@ -0,0 +1 @@
admin-stuff/test_email.sh


@ -0,0 +1,69 @@
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of Feburary 2017. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
#
# NOTE: The ISC DLV zone is being phased out as of February 2017;
# the key will remain in place but the zone will be otherwise empty.
# Configuring "dnssec-lookaside auto;" to activate this key is
# harmless, but is no longer useful and is not recommended.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
# These keys are activated by setting "dnssec-validation auto;"
# in named.conf.
#
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
# the root zone.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
# This key (20326) is to be published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
# file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained
# automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};
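
Review bot: The header of this file states that it is "NOT expected to be user-configured" and that the keys are "current as of Feburary 2017", so a copy tracked in the gateway repository will lag behind the one shipped with BIND; the comment on key 19036 already says that key is being phased out. Suggest leaving this file to the package, or documenting how the tracked copy is refreshed from https://www.isc.org/bind-keys, so that restoring the configuration does not reinstall outdated trust anchors.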


@ -0,0 +1,49 @@
/* $Id: bind.keys,v 1.5.42.2 2011-01-04 19:14:48 each Exp $ */
# The bind.keys file is used to override built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release (BIND
# 9.7), the only trust anchor it sets is the one for the ISC DNSSEC
# Lookaside Validation zone ("dlv.isc.org"). Trust anchors for any other
# zones MUST be configured elsewhere; if they are configured here, they
# will not be recognized or used by named.
#
# This file also contains a copy of the trust anchor for the DNS root zone
# ("."). However, named does not use it; it is provided here for
# informational purposes only. To switch on DNSSEC validation at the
# root, the root key below can be copied into named.conf.
#
# The built-in DLV trust anchor in this file is used directly by named.
# However, it is not activated unless specifically switched on. To use
# the DLV key, set "dnssec-lookaside auto;" in the named.conf options.
# Without this option being set, the key in this file is ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
# NOTE: This key is activated by setting "dnssec-lookaside auto;"
# in named.conf.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};
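
Review bot: This is a second copy of bind.keys, dated January 2011 in its header, and its `managed-keys` block carries only root key 19036, not key 20326 that the 2017 copy in this commit includes. If it is kept as a backup of an older packaged file, make that clear in its name or drop it, so that it cannot be restored as the active trust-anchor file.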

12
Kanzlei-Kiel/bind/db.0 Normal file

@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.

13
Kanzlei-Kiel/bind/db.127 Normal file

@ -0,0 +1,13 @@
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.


@ -0,0 +1,80 @@
;
; BIND reverse data file for local kanzlei-kiel.netz zone
;
$TTL 43600
@ IN SOA kanzlei-kiel.netz. ckubu.oopen.de. (
2012020701 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns.kanzlei-kiel.netz.
; ==========
; - Server
; ==========
; Gateway/Firewall
254 IN PTR gw-kanzlei-kiel.kanzlei-kiel.netz.
; (Caching ) Nameserver
1 IN PTR ns.kanzlei-kiel.netz.
; File Server
10 IN PTR file-ah.kanzlei-kiel.netz.
; IPMI - File Server
11 IN PTR file-ipmi.kanzlei-kiel.netz.
; USV
;15 IN PTR usv-kanzlei-kiel.kanzlei-kiel.netz.
; Windows 7 Server
20 IN PTR file-win7.kanzlei-kiel.netz.
25 IN PTR win7-ah.kanzlei-kiel.netz.
; ==========
; - Accesspoints
; ==========
; UniFi AP-AC-LR
50 IN PTR unify-ap.kanzlei-kiel.netz.
; ==========
; - Drucker
; ==========
; Laserdrucker Kyocera FS-2020D
19 IN PTR kyocera-fs-2020d.kanzlei-kiel.netz.
; Multifunktions Drucker Kyocera TASKalfa 3051ci
100 IN PTR kyocera-taskalfa-3051ci.kanzlei-kiel.netz.
; Laserdrucker Kyocera FS-2100DN
189 IN PTR kyocera-fs-2100dn.kanzlei-kiel.netz.
; ==========
; - Buero PC's
; ==========
22 IN PTR buerozwei.kanzlei-kiel.netz.
77 IN PTR dokumentenscannerrechner.kanzlei-kiel.netz.
81 IN PTR buero-doro.kanzlei-kiel.netz.
88 IN PTR axel.kanzlei-kiel.netz.
99 IN PTR zk.kanzlei-kiel.netz.
101 IN PTR shuttle.kanzlei-kiel.netz.
121 IN PTR buerooben.kanzlei-kiel.netz.
184 IN PTR laptop-doro.kanzlei-kiel.netz.
; ---
; - ckubu
; ---
; Laptop (devil) LAN (eth0)
90 IN PTR devil.kanzlei-kiel.netz.
91 IN PTR devil-wlan.kanzlei-kiel.netz.
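
Review bot: Two records in this reverse zone disagree with the forward zone kanzlei-kiel.netz added in the same commit: the PTR for kyocera-fs-2020d is at 19 while its A record is 192.168.100.29, and the PTR at 254 names gw-kanzlei-kiel where the forward zone defines gw-ah. The SOA line also gives kanzlei-kiel.netz. as the primary name server where the other zone files use ns.kanzlei-kiel.netz. Suggest aligning these with the forward zone and raising the serial (currently 2012020701) when doing so.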


@ -0,0 +1,14 @@
;
; BIND reverse data file for local kanzlei-kiel.netz zone
;
$TTL 43600
@ IN SOA ns.kanzlei-kiel.netz. ckubu.oopen.de. (
2012020201 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns.kanzlei-kiel.netz.
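
Review bot: This zone has only SOA and NS records, although the forward zone gives devil-wlan the address 192.168.101.91; the line `91 IN PTR devil-wlan.kanzlei-kiel.netz.` sits in the 192.168.100 reverse file instead, where it maps 192.168.100.91. If this is the file named.conf.local loads for 101.168.192.in-addr.arpa, suggest moving that PTR here and raising the serial.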

12
Kanzlei-Kiel/bind/db.255 Normal file

@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.


@ -0,0 +1,14 @@
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.


@ -0,0 +1,94 @@
;
; BIND data file for local kanzlei-kiel.netz zone
;
$TTL 43600
@ IN SOA ns.kanzlei-kiel.netz. ckubu.oopen.de. (
2017013001 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns.kanzlei-kiel.netz.
; ==========
; - Server
; ==========
; Gateway/Firewall
gw-ah IN A 192.168.100.254
gate IN CNAME gw-ah
gw IN CNAME gw-ah
; (Caching ) Nameserver
ns IN A 192.168.100.1
nscache IN CNAME ns
; File Server
file-ah IN A 192.168.100.10
file IN CNAME file-ah
; IPMI - File Server
file-ipmi IN A 192.168.100.11
; USV - APC Management Card
;usv-ah IN A 192.168.100.15
;usv IN CNAME usv-ah
; Windows 7 Server
file-win7 IN A 192.168.100.20
win7-ah IN A 192.168.100.25
; ==========
; - Accesspoints
; ==========
; Controller for Unifi AP's
unifi-ctl IN A 192.168.100.254
; UniFi AP-AC-LR
unify-ap IN A 192.168.100.50
accesspoint IN CNAME unify-ap
; ==========
; - Drucker
; ==========
; Laserdrucker Kyocera FS-2020D
kyocera-fs-2020d IN A 192.168.100.29
; Multifunktions Drucker Kyocera TASKalfa 3051ci
kyocera-taskalfa-3051ci IN A 192.168.100.100
kyocera-scanner IN CNAME kyocera-taskalfa-3051ci
; Laserdrucker Kyocera FS-2100DN
kyocera-fs-2100dn IN A 192.168.100.189
; ==========
; - Buero PC's
; ==========
buerozwei IN A 192.168.100.22
dokumentenscannerrechner IN A 192.168.100.77
buero-doro IN A 192.168.100.81
axel IN A 192.168.100.88
zk IN A 192.168.100.99
shuttle IN A 192.168.100.101
buerooben IN A 192.168.100.121
laptop-doro IN A 192.168.100.184
; ---
; - ckubu
; ---
; Laptop (devil) LAN (eth0)
devil IN A 192.168.100.90
; Laptop (devil) WLAN (wlan0)
devil-wlan IN A 192.168.101.91


@ -0,0 +1,14 @@
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1

90
Kanzlei-Kiel/bind/db.root Normal file

@ -0,0 +1,90 @@
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: February 17, 2016
; related version of root zone: 2016021701
;
; formerly NS.INTERNIC.NET
;
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file


@ -0,0 +1,11 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


@ -0,0 +1,30 @@
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};


@ -0,0 +1,23 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "kanzlei-kiel.netz" {
type master;
file "/etc/bind/db.kanzlei-kiel.netz";
};
zone "100.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.100.0";
};
zone "101.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.101.0";
};


@ -0,0 +1,111 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
#forwarders {
# // OpenDNS servers
# 208.67.222.222;
# 208.67.220.220;
# // DNS-Cache des CCC
# 213.73.91.35;
# // ISP DNS Servers (ARCOR)
# // dns1.arcor-ip.de
# 145.253.2.11;
# // dns2.arcor-ip.de
# 145.253.2.75;
# // dns3.arcor-ip.de
# 145.253.2.171;
# // dns4.arcor-ip.de
# 145.253.2.203;
#};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
// Security options
listen-on port 53 {
127.0.0.1;
192.168.100.1;
192.168.0.1;
172.16.101.254;
};
allow-query {
127.0.0.1;
192.168.0.0/16;
172.16.0.0/12;
10.0.0.0/8;
};
// caching name services
recursion yes;
allow-recursion {
127.0.0.1;
192.168.0.0/16;
172.16.0.0/12;
10.0.0.0/8;
};
allow-transfer { none; };
listen-on-v6 {
::1;
};
};
logging {
channel simple_log {
file "/var/log/named/bind.log" versions 3 size 5m;
//severity warning;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel queries_log {
file "/var/log/named/query.log" versions 10 size 5m;
severity debug;
//severity notice;
print-time yes;
print-severity yes;
print-category no;
};
channel log_zone_transfers {
file "/var/log/named/axfr.log" versions 5 size 2m;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category resolver {
queries_log;
};
category queries {
queries_log;
};
category xfer-in {
log_zone_transfers;
};
category xfer-out {
log_zone_transfers;
};
category notify {
log_zone_transfers;
};
category default{
simple_log;
};
};
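
Review bot: `allow-query` and `allow-recursion` admit all of 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8, which is much wider than the addresses in `listen-on` and the subnets declared in the DHCP configuration of this commit (192.168.100.0/24, 192.168.101.0/24, 172.16.101.0/24). Suggest defining one named `acl` with the actual client networks and referencing it in both statements; the two lists are identical today and will drift if edited separately. The `queries_log` channel runs at `severity debug` with the `queries` category attached, so every client lookup is written to /var/log/named/query.log; confirm that this level of per-client logging is intended.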


@ -0,0 +1,20 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};


@ -0,0 +1,4 @@
key "rndc-key" {
algorithm hmac-md5;
secret "Crr3gVbUdjx7tI6XWVqDAQ==";
};
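
Review bot: The `secret` line commits the rndc control key in clear text, and `algorithm hmac-md5` is a legacy choice where BIND also supports hmac-sha256. Suggest generating a fresh hmac-sha256 key with rndc-confgen, keeping the key file out of the repository and readable only by root and the BIND user, and treating the committed value as compromised.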


@ -0,0 +1,20 @@
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };


@ -0,0 +1,10 @@
# Secrets for authentication using CHAP
# client server secret IP addresses
## - Zugang Arcor/Vodafone Kanzlei Axel
## - DSL
"ar0284280107" * "39457541"
## - VDSL
"vodafone-vdsl.komplett/ab3391185321" * "jhecfmvk"

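Review bot: Both entries (the DSL and the VDSL line) carry the provider account name together with its CHAP secret in clear text. Suggest storing only a template with placeholders in the repository, keeping the real chap-secrets at mode 0600 on the host, and changing both secrets with the provider, since they remain in the commit history.
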

@ -0,0 +1,10 @@
/var/log/check_net.log
{
rotate 7
daily
missingok
notifempty
copytruncate
delaycompress
compress
}


@ -0,0 +1,16 @@
[Unit]
Description=Configure Routing for Internet Connections;
After=network.target
After=rc-local.service
[Service]
ExecStart=/usr/local/sbin/check_net.sh
ExecStartPre=rm -rf /tmp/check_net.sh.LOCK
ExecStopPost=rm -rf /tmp/check_net.sh.LOCK
KillMode=control-group
SendSIGKILL=yes
TimeoutStopSec=2
Restart=on-failure
[Install]
WantedBy=multi-user.target
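
Review bot: `ExecStartPre=rm -rf /tmp/check_net.sh.LOCK` and the matching `ExecStopPost=` line name `rm` without a path, which systemd versions that require absolute executable paths reject; use `/bin/rm`. The lock also sits under a fixed name in world-writable /tmp, so any local user can create it before the service does; suggest moving it under /run (for example with `RuntimeDirectory=`) and changing check_net.sh to match. The trailing `;` in `Description=` becomes part of the description text and should be dropped.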


@ -0,0 +1,133 @@
# - Configuration file for scrupts check_net.sh and netconfig.sh
# -
LOGGING_CONSOLE=false
DEBUG=false
# - Where are your scripts located?
# -
check_script=/usr/local/sbin/check_net.sh
netconfig_script=/usr/local/sbin/netconfig.sh
log_file=/var/log/check_net.log
# - Put in your DSL devices (refers to your network configuration)
# - youe wish be congigured by that script
# -
# - Notice:
# - If not using multiple default gatways, declare the list in the order of your
# - preferred default gatway devices
# -
# - Example:
# - _INITIAL_DEVICE_LIST="eth0:192.168.63.254 ppp-light"
# -
_INITIAL_DEVICE_LIST="ppp-ah"
# - Set to "false" uses "0.0.0.0" as remote gateway instead of the real address
# -
USE_REMOTE_GATEWAY_ADDRESS=true
#USE_REMOTE_GATEWAY_ADDRESS=false
# - Set default gw (roundrobin)
# -
# - !! SET_MULTIPLE_DEFAULT_GW=true does not work for now..
# -
SET_MULTIPLE_DEFAULT_GW=false
#SET_MULTIPLE_DEFAULT_GW=true
# - Set to false uses "0.0.0.0" as default gateway adress instaed of real remote address
# -
USE_DEFAULT_GW_ADDRESS=true
#USE_DEFAULT_GW_ADDRESS=false
# - Hostnames for ping test
# -
# - Note: The first two reachable hosts will be used for ping test.
# -
# - Space separated list
# -
PING_TEST_HOSTS="oopen.de google.com heise.de debian.org ubuntu.com"
admin_email=root
from_address="check-inet-devices@`hostname -f`"
company="Kanzlei Kiel"
content_type='Content-Type: text/plain;\n charset="utf-8"'
# - rule_local_ips
# -
# - Add rule(s) for routing local ip-address(es) through a given extern interface
# -
# - Space separated list of entries '<ext-interface>:<local-ip>'
# - rule_local_ips="<ext-interface>:<local-ip> [<ext-interface>:<local-ip>] [.."
# -
# - Example:
# - ========
# - local ip 192.168.10.1 through extern interface ppp-st and
# - local ip 192.168.10.13 through extern interface ppp-surf1
# - rule_local_ips="ppp-st:192.168.10.1 ppp-surf1:192.168.10.13"
# -
rule_local_ips=""
# - rule_remote_ips
# -
# - Add rule(s) for routing remote ip-address(es) through a given extern interface
# -
# - Space separated list of entries '<ext-interface>:<remote-ip>'
# - rule_remote_ips="<ext-interface>:<remote-ip> [<ext-interface>:<remote-ip>] [.."
# -
# - Example:
# - ========
# - route remote ip-address 141.1.1.1 through extern interface ppp-ckubu and
# - also route ip-address 8.8.8.8 through through extern interface ppp-ckubu
# - rule_remote_ips="ppp-ckubu:141.1.1.1 ppp-ckubu:8.8.8.8"
# -
rule_remote_ips=""
# - rule_local_nets
# -
# - Add rule(s) for routing local networks through a given extern interface out
# -
# - Space separated list of entries '<extern-interface>:<local-net>'
# - rule_local_nets="<extern-interface>:<local-net> [<extern-interface>:<local-net>] [.."
# -
# -
# - Example:
# - ========
# - rule_local_nets="ppp-st:192.168.11.0/25 ppp-surf1:192.168.11.128/25"
# -
rule_local_nets=""
## ====================================
## - Don't make changes after this Line
## ====================================
# ---
# - Add rule(s) for routing local ip-address(es)
# ---
declare -a rule_local_ip_arr
for _str in $rule_local_ips ; do
rule_local_ip_arr+=("$_str")
done
# ---
# - Add rule(s) for routing remote ip-address(es)
# ---
declare -a rule_remote_ip_arr
for _str in $rule_remote_ips ; do
rule_remote_ip_arr+=("$_str")
done
# ---
# - Add rule(s) for routing local networks
# ---
declare -a rule_local_net_arr
for _str in $rule_local_nets ; do
rule_local_net_arr+=("$_str")
done
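
Review bot: The header comments have typos that make them hard to follow: "scrupts" in the first line, "youe wish be congigured" in the device list description, and "gatways", "adress" and "instaed" further down. Below the "Don't make changes" marker, the three `for _str in $...` loops rely on unquoted word splitting and will also glob-expand an entry that contains `*` or `?`; `read -r -a rule_local_ip_arr <<< "$rule_local_ips"` (and likewise for the other two arrays) fills them without that side effect.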


@ -0,0 +1,57 @@
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.7DKfVy/crontab installed on Fri Mar 16 11:09:15 2018)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
## check forwarding ( /proc/sys/net/ipv4/ip_forward contains "1" )
## if not set this entry to "1"
##
0-59/2 * * * * /root/bin/monitoring/check_forwarding.sh
# - Check if ssh service is running. restart service if needed
# -
*/10 * * * * /root/bin/monitoring/check_ssh.sh
## check if pppd is running and internet access works. if
## not restart it
##
#*/10 * * * * /root/bin/check_inet.sh
## check if openvpn is running if not restart the service
##
0-59/20 * * * * /root/bin/monitoring/check_vpn.sh
## check if DynDNS ip is correct, adjust if needed
## -
15 * * * * /root/bin/monitoring/check_dyndns.sh anw-kiel.homelinux.org
## - reconnect to internet
## -
13 6 * * * /root/bin/admin-stuff/reconnect_inet.sh ppp-ah dsl-ah
## - Copy gateway configuration
## -
09 3 * * * /root/bin/manage-gw-config/copy_gateway-config.sh Kanzlei-Kiel


@ -0,0 +1,14 @@
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
protocol=dyndns2
use=web, web=checkip.dyndns.com, web-skip='IP Address'
server=members.dyndns.org
login=ckubu
password=7213b4e6178a11e6ab1362f831f6741e
anw-kiel.homelinux.org
ssl=yes
mail=argus@oopen.de
mail-failure=root
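
Review bot: The `login=` and `password=` lines commit the DynDNS account credentials for anw-kiel.homelinux.org in clear text. Suggest keeping a template with a placeholder password in the repository, installing the real /etc/ddclient.conf with mode 0600, and changing the password at the provider.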


@ -0,0 +1,22 @@
# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts
#
# This is a POSIX shell fragment
#
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPD_CONF=/etc/dhcp/dhcpd.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPD_PID=/var/run/dhcpd.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
#INTERFACES=""
INTERFACESv4="eth0 eth1"


@ -0,0 +1,226 @@
#
# Configuration file for ISC dhcpd for Debian
#
#
# ==========
# - Global statements
# ==========
# option definitions common to all supported networks...
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.100.255;
option domain-name "kanzlei-kiel.netz";
option domain-name-servers nscache.kanzlei-kiel.netz;
default-lease-time 86400;
max-lease-time 259200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# - DHCP failover primary
# -
failover peer "dhcp-failover" {
primary; # declare this to be the primary server
address 192.168.100.254;
port 647;
peer address 192.168.100.10;
peer port 647;
max-response-delay 30;
max-unacked-updates 10;
mclt 360;
split 128;
load balance max seconds 3;
}
## - DHCP failover secondary
## -
#failover peer "dhcp-failover" {
# secondary; # declare this to be the secondary server
# address 192.168.100.10;
# port 647;
# peer address 192.168.100.254;
# peer port 647;
# max-response-delay 30;
# max-unacked-updates 10;
# load balance max seconds 3;
#}
shared-network lan {
subnet 192.168.100.0 netmask 255.255.255.0 {
# --- 192.168.100.128/26 ---
# network address....: 192.168.100.128
# Broadcast address..: 192.168.100.191
# netmask............: 255.255.255.192
# network range......: 192.168.100.129 - 192.168.100.191
# Usable range.......: 192.168.100.128 - 192.168.100.190
option domain-name "kanzlei-kiel.netz";
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.100.255;
option domain-name-servers 192.168.100.1;
option routers 192.168.100.254;
default-lease-time 86400;
max-lease-time 259200;
pool {
failover peer "dhcp-failover";
range 192.168.100.129 192.168.100.190;
}
}
# - No dynamic range for network 172.16.101.0
subnet 172.16.101.0 netmask 255.255.255.0 {
option domain-name "kanzlei-kiel.netz";
option subnet-mask 255.255.255.0;
option broadcast-address 172.16.101.255;
option domain-name-servers 172.16.101.254;
option routers 172.16.101.254;
default-lease-time 86400;
max-lease-time 259200;
}
}
subnet 192.168.101.0 netmask 255.255.255.0 {
# --- 192.168.100.128/26 ---
# network address....: 192.168.101.128
# Broadcast address..: 192.168.101.191
# netmask............: 255.255.255.192
# network range......: 192.168.101.129 - 192.168.101.191
# Usable range.......: 192.168.101.128 - 192.168.101.190
range 192.168.101.129 192.168.101.190;
option domain-name "kanzlei-kiel.netz";
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.101.255;
option domain-name-servers 192.168.100.1;
option routers 192.168.101.254;
default-lease-time 86400;
max-lease-time 259200;
}
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
# - No DHCP service on network 172.16.101.0
subnet 172.16.100.0 netmask 255.255.255.0 {
}
# ==========
# - Hosts statements
# ==========
# ---
# - LAN
# ---
include "/etc/dhcp/hosts.lan.conf";
# ---
# - W-LAN
# ---
include "/etc/dhcp/hosts.w-lan.conf";
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
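Review bot: in the `subnet 192.168.101.0` block, `range 192.168.101.129 192.168.101.190;` is declared directly in the subnet, outside any `pool` and without `failover peer "dhcp-failover";`, unlike the 192.168.100.0 range. If the secondary is brought up with the same declaration, both servers will lease from this range independently of each other; wrap it in a pool that names the failover peer, or serve it from one server only. Three comments also need correcting: the address-plan block in that subnet is headed `192.168.100.128/26` although it describes 192.168.101.128, `# - No DHCP service on network 172.16.101.0` precedes `subnet 172.16.100.0`, and both "Usable range" lines start at .128, which is the network address of the /26.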

View File

@ -0,0 +1,65 @@
ddns-update-style none;
default-lease-time 86400;
max-lease-time 259200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
subnet6 2001:6f8:107e:63::/64 {
# Range for clients
range6 2001:6f8:107e:63::a000 2001:6f8:107e:63::afff;
option dhcp6.name-servers 2001:6f8:107e:63::1;
option dhcp6.domain-search "local.netz";
}
subnet6 2001:6f8:107e:64::/64 {
# Range for clients
range6 2001:6f8:107e:64::a000 2001:6f8:107e:64::afff;
option dhcp6.name-servers 2001:6f8:107e:63::1;
option dhcp6.domain-search "local.netz";
}
## - LAN
host devil {
host-identifier option dhcp6.client-id 0:1:0:1:19:9d:89:4e:5c:33:37:37:35:1:e9:3;
fixed-address6 2001:6f8:107e:63::90;
}
#host devil {
# hardware ethernet 5c:ff:35:01:e9:03;
# fixed-address6 2001:6f8:107e:63::90;
#}
host sol {
host-identifier option dhcp6.client-id 00:01:00:01:19:9d:60:28:1c:6f:65:97:4a:9d;
fixed-address6 2001:6f8:107e:63::40;
}
host luna {
host-identifier option dhcp6.client-id 0:4:6:d5:8d:ca:ef:18:64:e0:52:e:9c:99:d8:3a:e7:a6;
fixed-address6 2001:6f8:107e:63::20;
}
host so36-back {
host-identifier option dhcp6.client-id 00:01:00:01:19:c1:cc:58:00:25:90:d1:c4:e2;
fixed-address6 2001:6f8:107e:63::70;
}
## - WLAN
## devil wireless device
host devil1 {
host-identifier option dhcp6.client-id 0:1:0:1:19:9d:89:4e:0:24:37:37:d7:24:dc:6c;
fixed-address6 2001:6f8:107e:64::90;
}
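Review bot: the `dhcp6.client-id` values for `devil` and `devil1` are 16 bytes long, while the other identifiers of the same 00:01 type in this file (`sol`, `so36-back`) are 14 bytes. In `devil` the bytes `5c:33:37:37:35` sit where the commented-out `hardware ethernet 5c:ff:35:01:e9:03` has `5c:ff:35`, and `33:37:37` is ASCII "377", the octal escape for ff, so these look like DUIDs copied from a leases file and converted without decoding the escapes. A host-identifier that does not match the DUID the client actually sends means the `fixed-address6` reservation is never applied and the client is served from the dynamic `range6` instead; re-derive both values from the clients themselves.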

View File

@ -0,0 +1,42 @@
#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
file=/tmp/mail_ip-up$$
admin_email=argus@oopen.de
from_address=ip-up_gw-ah@oopen.de
from_name="ip-up - Kanzlei Kiel"
host=`hostname -f`
echo "" > $file
echo " *************************************************************" >> $file
echo " *** This is an autogenerated mail from $host ***" >> $file
echo "" >> $file
echo " I brought up the ppp-daemon with the following" >> $file
echo -e " parameters:\n" >> $file
echo -e "\tInterface name...............: $PPP_IFACE" >> $file
echo -e "\tThe tty......................: $PPP_TTY" >> $file
echo -e "\tThe link speed...............: $PPP_SPEED" >> $file
echo -e "\tLocal IP number..............: $PPP_LOCAL" >> $file
echo -e "\tPeer IP number..............: $PPP_REMOTE" >> $file
if [ "$USEPEERDNS" ] && [ "$DNS1" ] ; then
echo -e "\tNameserver 1.................: $DNS1" >> $file
if [ "$DNS2" ] ; then
echo -e "\tNameserver 2.................: $DNS2" >> $file
fi
fi
echo -e "\tOptional \"ipparam\" value.....: $PPP_IPPARAM" >> $file
echo "" >> $file
echo -e "\tDate.........................: `date +\"%d.%m.%Y\"`" >> $file
echo -e "\tTime.........................: `date +\"%H:%M:%S\"`" >> $file
echo "" >> $file
echo " **************************************************************" >> $file
echo -e "To:${admin_email}\nSubject:$PPP_LOCAL\n`cat $file`" | /usr/sbin/sendmail -F "$from_name" -f $from_address $admin_email
rm -f $file
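Review bot: `file=/tmp/mail_ip-up$$` is a predictable name in a world-writable directory, and `echo "" > $file` writes through whatever already exists at that path; pppd runs this hook as root, so a local user can pre-create the name as a symlink. Create the file with `file=$(mktemp)` and quote `"$file"` everywhere, or drop the temp file and pipe the text to sendmail directly. Separately, the shebang is `#!/bin/sh` but the script depends on `echo -e`, which is not POSIX; where /bin/sh is dash the mail body will contain a literal `-e`. Use `printf` or change the shebang to bash.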

View File

@ -0,0 +1,3 @@
root@gw-ah.kanzlei-kiel.netz root_gw-ah@oopen.de
cron@gw-ah.kanzlei-kiel.netz cron_gw-ah@oopen.de
@gw-ah.kanzlei-kiel.netz other_gw-ah@oopen.de

Binary file not shown.

View File

@ -0,0 +1 @@
gw-ah

View File

@ -0,0 +1,10 @@
127.0.0.1 localhost
#127.0.1.1 gw-ah.local.netz gw-ah
192.168.100.254 gw-ah.kanzlei-kiel.netz gw-ah
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

View File

@ -0,0 +1,109 @@
# ==========
# - LAN
# ==========
# ---
# - Server
# ---
# - Fileserver
host file-ah {
hardware ethernet 00:25:90:52:C6:FE;
fixed-address file-ah.kanzlei-kiel.netz;
}
# - IPMI Fileserver
host file-ipmi {
hardware ethernet 00:25:90:52:c6:37;
fixed-address file-ipmi.kanzlei-kiel.netz;
}
# - Windoes 7 Professional (KVM on Fileserver)
host file-win7 {
#hardware ethernet 52:54:00:5C:79:DC;
hardware ethernet 52:54:00:b2:aa:2f;
fixed-address file-win7.kanzlei-kiel.netz;
}
host file-win7-clone {
#hardware ethernet 52:54:00:5C:79:DC;
hardware ethernet 52:54:00:89:88:ef;
fixed-address file-win7.kanzlei-kiel.netz;
}
# ---
# - Drucker
# ---
# Laserdrucker Kyocera FS-2020D
host kyocera-fs-2020d {
hardware ethernet 00:C0:EE:6B:46:C4 ;
fixed-address kyocera-fs-2020d.kanzlei-kiel.netz;
}
# Multifunktions Drucker Kyocera TASKalfa 3051ci
host kyocera-taskalfa-3051ci {
hardware ethernet 00:C0:EE:19:79:FA ;
fixed-address kyocera-taskalfa-3051ci.kanzlei-kiel.netz;
}
# Laserdrucker Kyocera FS-2100DN
host kyocera-fs-2100dn {
hardware ethernet 00:C0:EE:98:1D:DA ;
fixed-address kyocera-fs-2100dn.kanzlei-kiel.netz;
}
# ---
# - Accesspoints
# ---
# - Accesspoint (UniFi AP-AC-LR)
host unify-ap {
hardware ethernet 44:d9:e7:f6:58:e5 ;
fixed-address unify-ap.kanzlei-kiel.netz;
}
# ---
# - Buero PC's
# ---
host axel {
#hardware ethernet 00:1b:21:91:e9:2e;
hardware ethernet 94:de:80:04:8c:a8;
fixed-address axel.kanzlei-kiel.netz;
}
host zk {
hardware ethernet 00:15:f2:5e:58:af;
fixed-address zk.kanzlei-kiel.netz;
}
host shuttle {
hardware ethernet 80:ee:73:c5:e7:b7;
#hardware ethernet 80:ee:73:c5:e7:b8;
fixed-address shuttle.kanzlei-kiel.netz;
}
host dokumentenscannerrechner {
hardware ethernet 90:e6:ba:81:1c:dd;
fixed-address dokumentenscannerrechner.kanzlei-kiel.netz;
}
host buerozwei {
hardware ethernet 00:0b:6a:8f:ac:de;
fixed-address buerozwei.kanzlei-kiel.netz;
}
host buero-doro {
hardware ethernet 74:d4:35:54:c3:33 ;
fixed-address buero-doro.kanzlei-kiel.netz;
}
host buerooben {
hardware ethernet 00:24:21:a9:36:88;
fixed-address buerooben.kanzlei-kiel.netz;
}
host laptop-doro {
hardware ethernet c8:0a:a9:05:7f:c6 ;
fixed-address laptop-doro.kanzlei-kiel.netz;
}
# - ckubu laptop (devil) LAN (eth0)
host devil {
hardware ethernet 5c:ff:35:01:e9:03;
fixed-address devil.kanzlei-kiel.netz;
}
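Review bot: `host file-win7-clone` carries `fixed-address file-win7.kanzlei-kiel.netz;`, the same name as `host file-win7`, so two different MAC addresses are mapped to one IP address and running both VMs at once produces an address conflict. Give the clone its own name and address, or add a comment stating that the two guests must never run together. The commented-out `#hardware ethernet 52:54:00:5C:79:DC;` appears in both blocks and should be removed or explained, and "Windoes" in the comment above is a typo.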

View File

@ -0,0 +1,11 @@
# ==========
# - W-LAN
# ==========
# - ckubu laptop (devil) WLAN (wlan0)
host devil-wlan {
hardware ethernet 00:24:d7:24:dc:6c;
fixed-address devil-wlan.kanzlei-kiel.netz;
}

View File

@ -0,0 +1,75 @@
########################################################
#
# Example configuration file for the IgmpProxy
# --------------------------------------------
#
# The configuration file must define one upstream
# interface, and one or more downstream interfaces.
#
# If multicast traffic originates outside the
# upstream subnet, the "altnet" option can be
# used in order to define legal multicast sources.
# (Se example...)
#
# The "quickleave" should be used to avoid saturation
# of the upstream link. The option should only
# be used if it's absolutely nessecary to
# accurately imitate just one Client.
#
########################################################
##------------------------------------------------------
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave
##------------------------------------------------------
## Configuration for eth0 (Upstream Interface)
##------------------------------------------------------
#phyint eth0 upstream ratelimit 0 threshold 1
# altnet 10.0.0.0/8
# altnet 192.168.0.0/24
##------------------------------------------------------
## Configuration for ppp0 (Upstream Interface)
##------------------------------------------------------
#phyint ppp0 upstream ratelimit 0 threshold 1
phyint eth2.8 upstream ratelimit 0 threshold 1
altnet 217.0.119.194/24
altnet 193.158.35.0/24;
altnet 239.35.100.6/24;
altnet 93.230.64.0/19;
altnet 192.168.63.0/24;
#
#altnet 192.168.63.5/32;
#altnet 192.168.63.40/32;
##------------------------------------------------------
## Configuration for eth1 (Downstream Interface)
##------------------------------------------------------
#phyint br0 downstream ratelimit 0 threshold 1
phyint eth1 downstream ratelimit 0 threshold 1
# IP der TV-Box
altnet 192.168.63.0/24;
#altnet 192.168.63.5/32;
#altnet 192.168.63.40/32;
##------------------------------------------------------
## Configuration for eth2 (Disabled Interface)
##------------------------------------------------------
#phyint eth2 disabled
##------------------------------------------------------
## Configuration for eth2 (Disabled Interface)
##------------------------------------------------------
phyint eth0 disabled
phyint eth2 disabled
phyint eth2.7 disabled
phyint eth1:0 disabled
phyint eth1:wf disabled
phyint ppp0 disabled
phyint tun0 disabled
phyint lo disabled
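Review bot: the `altnet` lines under `phyint eth2.8 upstream` are inconsistent: `altnet 217.0.119.194/24` has no terminator while the four that follow end in `;`, and the sample syntax in this file's own commented examples (`# altnet 10.0.0.0/8`) uses none. Remove the semicolons unless the parser is known to accept them. `217.0.119.194/24` and `239.35.100.6/24` also have host bits set; write the network address for each prefix and check whether 239.35.100.6, a multicast group address, belongs in a list of sources at all. The header comment describes `altnet` as defining the legal multicast sources, so each entry should be as narrow as the service allows and carry a comment saying what it is for. The second "Configuration for eth2 (Disabled Interface)" banner covers eight interfaces and should be renamed.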

View File

@ -0,0 +1,71 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#-----------------------------
# lo - loopback interface
#-----------------------------
auto lo
iface lo inet loopback
#-----------------------------
# eth0 - WLAN
#-----------------------------
auto eth0
iface eth0 inet static
address 192.168.101.254
network 192.168.101.0
netmask 255.255.255.0
broadcast 192.168.101.255
#-----------------------------
# eth1 - LAN
#-----------------------------
auto eth1 eth1:0
iface eth1 inet static
address 192.168.100.254
network 192.168.100.0
netmask 255.255.255.0
broadcast 192.168.100.255
iface eth1:0 inet static
address 192.168.100.1
network 192.168.100.1
netmask 255.255.255.255
broadcast 192.168.100.1
auto eth1:ap
iface eth1:ap inet static
address 172.16.101.254
network 172.16.101.0
netmask 255.255.255.0
broadcast 172.16.101.255
# - Subnetworks accesspoints
# -
# - 172.16.101.1 - TP-Link WA801ND (Accesspoint)
# -
post-up /sbin/route add -net 172.16.102.0/24 gw 172.16.101.1
#-----------------------------
# eth2 - WAN
#-----------------------------
auto eth2
iface eth2 inet static
address 172.16.100.1
network 172.16.100.0
netmask 255.255.255.0
broadcast 172.16.100.255
post-up vconfig add eth2 7
post-down vconfig rem eth2.7
auto dsl-ah
iface dsl-ah inet ppp
pre-up /sbin/ifconfig eth2 up # line maintained by pppoeconf
pre-up /sbin/ifconfig eth2.7 up # line maintained by pppoeconf
provider dsl-ah
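Review bot: the `eth2` stanza only creates VLAN 7 (`post-up vconfig add eth2 7`), but the igmpproxy configuration in this commit declares `phyint eth2.8 upstream` and lists `eth1:wf`, neither of which is defined in this file, while `eth1:ap`, which is defined here, is missing from its disabled list. Either add the missing interfaces here with matching `post-down` cleanup, or align the igmpproxy file with what this file actually brings up. The `post-up /sbin/route add -net 172.16.102.0/24 gw 172.16.101.1` line has no `pre-down` counterpart; add one so that a restart of `eth1:ap` does not fail on an existing route.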

View File

@ -0,0 +1,14 @@
[Unit]
Description=IPv4 Firewall with iptables
After=network.target
[Service]
SyslogIdentifier="ipt-gateway"
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ipt-firewall-gateway start
ExecStop=/usr/local/sbin/ipt-firewall-gateway stop
User=root
[Install]
WantedBy=multi-user.target
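Review bot: `After=network.target` loads the rules only after networking has been brought up, which leaves a window at boot in which the gateway's interfaces are live with no filter in place. If the script does not need the interfaces to exist when it runs, order the unit ahead of the network with `Wants=network-pre.target` and `Before=network-pre.target`. `User=root` is the default for a system unit and can be dropped, and the unit would benefit from a `Documentation=` or comment line naming the configuration files the script reads.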

View File

@ -0,0 +1,44 @@
#!/usr/bin/env bash
# =============
# --- Define Ports for Services out
# =============
standard_ident_port=113
standard_silc_port=706
standard_irc_port=6667
standard_jabber_port=5222
standard_smtp_port=25
standard_ssh_port=22
standard_http_port=80
standard_https_port=443
standard_ftp_port=21
standard_tftp_udp_port=69
standard_ntp_port=123
standard_snmp_port=161
standard_snmp_trap_port=162
standard_timeserver_port=37
standard_pgp_keyserver_port=11371
standard_telnet_port=23
standard_whois_port=43
standard_cpan_wait_port=1404
standard_xymon_port=1984
standard_hbci_port=3000
standard_mysql_port=3306
standard_ipp_port=631
standard_cups_port=$standard_ipp_port
standard_print_raw_port=515
standard_print_port=9100
standard_remote_console_port=5900
# - IPsec - Internet Security Association and
# - Key Management Protocol
standard_isakmp_port=500
standard_ipsec_nat_t=4500
# - Comma separated lists
# -
standard_http_ports="80,443"
standard_mailuser_ports="587,465,110,995,143,993"
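Review bot: `standard_print_raw_port=515` and `standard_print_port=9100` look swapped by name: 515 is the LPD port and 9100 is the raw (JetDirect) port. A rule written against `standard_print_raw_port` will open LPD instead of raw printing, so rename them to something unambiguous, for example `standard_lpd_port=515` and `standard_print_raw_port=9100`, and update the callers. `standard_http_port`, `standard_https_port` and `standard_http_ports="80,443"` duplicate the same values; deriving the list from the two single variables avoids them drifting apart.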

View File

@ -0,0 +1,113 @@
#!/usr/bin/env bash
# =============
# --- Some functions
# =============
# - Is this script running on terminal ?
# -
if [[ -t 1 ]] ; then
terminal=true
else
terminal=false
fi
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
echo_done() {
if $terminal ; then
echo -e "\033[75G[ \033[32mdone\033[m ]"
else
echo " [ done ]"
fi
}
echo_ok() {
if $terminal ; then
echo -e "\033[75G[ \033[32mok\033[m ]"
else
echo " [ ok ]"
fi
}
echo_warning() {
if $terminal ; then
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
else
echo " [ warning ]"
fi
}
echo_failed(){
if $terminal ; then
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
else
echo ' [ failed! ]'
fi
}
echo_skipped() {
if $terminal ; then
echo -e "\033[75G[ \033[37mskipped\033[m ]"
else
echo " [ skipped ]"
fi
}
fatal (){
echo ""
echo ""
if $terminal ; then
echo -e "\t[ \033[31m\033[1mFatal\033[m ]: \033[37m\033[1m$*\033[m"
echo ""
echo -e "\t\033[31m\033[1m Firewall Script will be interrupted..\033[m\033[m"
else
echo "fatal: $*"
echo "Firewall Script will be interrupted.."
fi
echo ""
exit 1
}
error(){
echo ""
if $terminal ; then
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
else
echo "Error: $*"
fi
echo ""
}
warn (){
echo ""
if $terminal ; then
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
else
echo "Warning: $*"
fi
echo ""
}
info (){
echo ""
if $terminal ; then
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
else
echo "Info: $*"
fi
echo ""
}
## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
local e
for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
return 1
}
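Review bot: `echononl` writes to `/tmp/shprompt$$` on every call, a predictable name in a world-writable directory, from a script that runs as root; the redirect follows a pre-created symlink. The probe is not needed under bash, which the shebang already requires: `printf '%s' "$*" 1>&2` gives the no-newline output without touching the filesystem. Smaller points: `error()` prints "Fehler" on a terminal and "Error" otherwise, and `fatal`, `error`, `warn` and `info` write to stdout while `echononl` writes to stderr, so redirected output ends up split between the two streams.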

View File

@ -0,0 +1,49 @@
#!/usr/bin/env bash
# =============
# --- Define Network Interfaces / Ip-Adresses / Ports
# =============
# - Extern Interfaces DSL Lines
# - (blank separated list)
ext_if_dsl_1="ppp-ah"
ext_if_dsl_2=""
ext_if_dsl_3=""
ext_if_dsl_4=""
ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
# - Extern Interfaces Static Lines
# - (blank separated list)
ext_if_static_1="eth2"
ext_if_static_2=""
ext_if_static_3=""
ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
# - VPN Interfaces
# - (blank separated list)
vpn_ifs="tun+"
# - Local Interfaces
local_if_1="eth0"
local_if_2="eth1"
local_if_3=""
local_if_4=""
local_if_5=""
local_if_6=""
local_if_7=""
local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
# - Devices given in list "nat_devices" will be natted
# -
# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
# -
# - Blank separated list
# -
nat_devices=""
# - Are local alias interfaces like eth0:0 defined"
# -
local_alias_interfaces=true
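Review bot: `ext_if_dsl_1="ppp-ah"` should be checked against the rest of this commit, where the igmpproxy file refers to the PPP device as `ppp0` and the interfaces file only names the logical interface `dsl-ah`. Rules keyed on an interface name that never comes up simply do not match, so NAT and the filters for the external side would silently not apply; add a comment stating where the name `ppp-ah` is set. The comment `# - Are local alias interfaces like eth0:0 defined"` ends with a stray quote, and "must not been given" should read "must not be given".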

File diff suppressed because it is too large

View File

@ -0,0 +1,36 @@
# =============
# - Load Kernel Modules
# =============
# - Note:!
# - Since Kernel 4.7 the automatic conntrack helper assignment
# - is disabled by default (net.netfilter.nf_conntrack_helper = 0).
# - Enable it by setting this variable in file /etc/sysctl.conf:
# -
# - net.netfilter.nf_conntrack_helper = 1
# -
# - Reboot or type "sysctl -p"
ip_tables
iptable_nat
iptable_filter
iptable_mangle
iptable_raw
# - Load base modules for tracking
# -
nf_conntrack
nf_nat
# - Load module for FTP Connection tracking and NAT
# -
nf_conntrack_ftp
nf_nat_ftp
# - Load modules for SIP VOIP
# -
nf_conntrack_sip
nf_nat_sip
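Review bot: the header comment recommends `net.netfilter.nf_conntrack_helper = 1`, which turns automatic helper assignment back on for all traffic on the helper ports; that default was switched off because the FTP and SIP helpers open expected connections based on payload they parse. Since `iptable_raw` is already loaded here, document the explicit alternative instead: assign each helper in the raw table with the CT target (`-j CT --helper ftp`) only for the addresses that need it. The SIP modules should also be loaded only if VoIP actually passes through this gateway; a comment naming the device that needs them would make that auditable.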

View File

@ -0,0 +1,9 @@
# =============
# - Load Kernel Modules
# =============
ip6_tables
ip6table_filter
ip6t_REJECT
ip6table_mangle

View File

@ -0,0 +1,40 @@
#!/usr/bin/env bash
# =============
# --- Logging
# =============
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=false
log_ssh=false
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
# - logging messages
# -
log_prefix="IPv4:"
# ---
# - Log all traffic for givven ip address
# ---
log_ips=""
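Review bot: every switch in this file is `false`, including `log_blocked`, `log_rejected`, `log_spoofed` and `log_ssh`, so as committed the gateway records nothing about dropped or rejected traffic. If this is a template, say so in the header; otherwise enable at least the blocked, spoofed and SSH categories (with rate limiting in the rules) so that there is something to investigate after an incident. The comment for `log_level=debug` speaks of level 7 while the value is the name; state once that the two are equivalent. "givven" is a typo.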

View File

@ -0,0 +1,40 @@
#!/usr/bin/env bash
# =============
# --- Logging
# =============
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=false
log_ssh=false
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
# - logging messages
# -
log_prefix="IPv6:"
# ---
# - Log all traffic for givven ip address
# ---
log_ips=""

File diff suppressed because it is too large

View File

@ -0,0 +1,505 @@
#!/usr/bin/env bash
# -----------
# --- Define Arrays
# -----------
# ---
# - Masquerade TCP Connections
# ---
declare -a nat_network_arr
for _net in $nat_networks ; do
nat_network_arr+=("$_net")
done
declare -a masquerade_tcp_con_arr
for _str in $masquerade_tcp_cons ; do
masquerade_tcp_con_arr+=("$_str")
done
# ---
# - Extern Network interfaces (DSL, Staic Lines, All together)
# ---
declare -a nat_device_arr
declare -a dsl_device_arr
declare -a ext_if_arr
for _dev in $ext_ifs_dsl ; do
dsl_device_arr+=("$_dev")
ext_if_arr+=("$_dev")
nat_device_arr+=("$_dev")
done
for _dev in $ext_ifs_static ; do
ext_if_arr+=("$_dev")
done
for _dev in $nat_devices ; do
if ! containsElement $_dev "${nat_device_arr[@]}" ; then
nat_device_arr+=("$_dev")
fi
done
# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs ; do
vpn_if_arr+=("$_dev")
done
# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs ; do
local_if_arr+=("$_dev")
done
# ---
# - Network Interfaces completly blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs ; do
blocked_if_arr+=("$_dev")
done
# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs ; do
unprotected_if_arr+=("$_dev")
done
# ---
# - Allow these local networks any access to the internet
# ---
declare -a any_access_to_inet_network_arr
for _net in $any_access_to_inet_networks ; do
any_access_to_inet_network_arr+=("$_net")
done
declare -a any_access_from_inet_network_arr
for _net in $any_access_from_inet_networks ; do
any_access_from_inet_network_arr+=("$_net")
done
# ---
# - Allow local services from given extern networks
# ---
declare -a allow_ext_net_to_local_service_arr
for _val in $allow_ext_net_to_local_service ; do
allow_ext_net_to_local_service_arr+=("$_val")
done
# ---
# - Allow all traffic from extern address/network to local address/network
# ---
declare -a allow_ext_net_to_local_net_arr
for _val in $allow_ext_net_to_local_net ; do
allow_ext_net_to_local_net_arr+=("$_val")
done
# ---
# - Block all extern traffic to (given) local network
# ---
declare -a block_all_ext_to_local_net_arr
for _net in $block_all_ext_to_local_net ; do
block_all_ext_to_local_net_arr+=("$_net")
done
# ---
# - Allow local services from given local networks
# ---
declare -a allow_local_net_to_local_service_arr
for _val in $allow_local_net_to_local_service ; do
allow_local_net_to_local_service_arr+=("$_val")
done
# ---
# - Allow all traffic from local network to local ip-address
# ---
declare -a allow_local_net_to_local_ip_arr
for _val in $allow_local_net_to_local_ip ; do
allow_local_net_to_local_ip_arr+=("$_val")
done
# ---
# - Allow all traffic from local ip-address to local network
# ---
declare -a allow_local_ip_to_local_net_arr
for _val in $allow_local_ip_to_local_net ; do
allow_local_ip_to_local_net_arr+=("$_val")
done
# ---
# - Allow all traffic from (one) local network to (another) local network
# ---
declare -a allow_local_net_to_local_net_arr
for _val in $allow_local_net_to_local_net ; do
allow_local_net_to_local_net_arr+=("$_val")
done
# ---
# - Allow local ip address from given local interface
# ---
declare -a allow_local_if_to_local_ip_arr
for _val in $allow_local_if_to_local_ip ; do
allow_local_if_to_local_ip_arr+=("$_val")
done
# ---
# - Separate local Networks
# ---
declare -a separate_local_network_arr
for _net in $separate_local_networks ; do
separate_local_network_arr+=("$_net")
done
# ---
# - Separate local Interfaces
# ---
declare -a separate_local_if_arr
for _net in $separate_local_ifs ; do
separate_local_if_arr+=("$_net")
done
# ---
# - Generally block ports on extern interfaces
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports ; do
block_tcp_port_arr+=("$_port")
done
declare -a block_udp_port_arr
for _port in $block_udp_ports ; do
block_udp_port_arr+=("$_port")
done
# ---
# - Not wanted on intern interfaces
# ---
declare -a not_wanted_on_gw_tcp_port_arr
for _port in $not_wanted_on_gw_tcp_ports ; do
not_wanted_on_gw_tcp_port_arr+=("$_port")
done
declare -a not_wanted_on_gw_udp_port_arr
for _port in $not_wanted_on_gw_udp_ports ; do
not_wanted_on_gw_udp_port_arr+=("$_port")
done
# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips ; do
forward_private_ip_arr+=("$_ip")
done
# ---
# - IP Addresses to log
# ---
declare -a log_ip_arr
for _ip in $log_ips ; do
log_ip_arr+=("$_ip")
done
# ---
# - Network Devices local DHCP Client
# ---
declare -a dhcp_client_interfaces_arr
for _dev in $dhcp_client_interfaces ; do
dhcp_client_interfaces_arr+=("$_dev")
done
# ---
# - IP Addresses DHCP Failover Server
# ---
declare -a dhcp_failover_server_ip_arr
for _ip in $dhcp_failover_server_ips ; do
dhcp_failover_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses DNS Server
# ---
declare -a dns_server_ip_arr
for _ip in $dns_server_ips ; do
dns_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses SSH Server only at ocal Networks
# ---
declare -a ssh_server_only_local_ip_arr
for _ip in $ssh_server_only_local_ips ; do
ssh_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Adresses HTTP Server only local Networks
# ---
declare -a http_server_only_local_ip_arr
for _ip in $http_server_only_local_ips ; do
http_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Mail Server only local Networks
# ---
declare -a mail_server_only_local_ip_arr
for _ip in $mail_server_only_local_ips ; do
mail_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses FTP Server
# ---
declare -a ftp_server_only_local_ip_arr
for _ip in $ftp_server_only_local_ips ; do
ftp_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Samba Server
# ---
declare -a samba_server_local_ip_arr
for _ip in $samba_server_local_ips ; do
samba_server_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses LDAP Server
# ---
declare -a ldap_server_local_ip_arr
for _ip in $ldap_server_local_ips ; do
ldap_server_local_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Telephone Systems
# ---
declare -a tele_sys_ip_arr
for _ip in $tele_sys_ips ; do
tele_sys_ip_arr+=("$_ip")
done
# ---
# - IP Adresses SNMP Server
# ---
declare -a snmp_server_ip_arr
for _ip in $snmp_server_ips ; do
snmp_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Munin Service
# ---
declare -a munin_local_server_ip_arr
for _ip in $munin_local_server_ips ; do
munin_local_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips ; do
xymon_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses IPMI interface
# ---
declare -a ipmi_server_ip_arr
for _ip in $ipmi_server_ips ; do
ipmi_server_ip_arr+=("$_ip")
done
# ---
# -IP Addresses Ubiquiti Unifi Accesspoints
# ---
declare -a unifi_ap_local_ip_arr
for _ip in $unifi_ap_local_ips ; do
unifi_ap_local_ip_arr+=("$_ip")
done
declare -a unifi_controller_gateway_ip_arr
for _ip in $unifi_controller_gateway_ips ; do
unifi_controller_gateway_ip_arr+=("$_ip")
done
declare -a unify_controller_local_net_ip_arr
for _ip in $unify_controller_local_net_ips ; do
unify_controller_local_net_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Printer
# -
declare -a printer_ip_arr
for _ip in $printer_ips ; do
printer_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Brother Scanner (brscan)
# ---
declare -a brother_scanner_ip_arr
for _ip in $brother_scanner_ips ; do
brother_scanner_ip_arr+=("$_ip")
done
# ---
# - IP Addresses PCNS Server
# ---
declare -a pcns_server_ip_arr
for _ip in $pcns_server_ips ; do
pcns_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses VNC Service
# ---
declare -a rm_server_ip_arr
for _ip in $rm_server_ips ; do
rm_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Rsync Out
# ---
# local
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips ; do
rsync_out_ip_arr+=("$_ip")
done
# ---
# - Other local Services
# ---
declare -a other_service_arr
for _val in $other_services ; do
other_service_arr+=("$_val")
done
# ---
# - SSH Ports
# ---
declare -a ssh_port_arr
for _port in $ssh_ports ; do
ssh_port_arr+=("$_port")
done
# ---
# - Cisco kompartible VPN Ports
# ---
declare -a cisco_vpn_out_port_arr
for _port in $cisco_vpn_out_ports ; do
cisco_vpn_out_port_arr+=("$_port")
done
# ---
# - VPN Ports
# ---
declare -a vpn_gw_port_arr
for _port in $vpn_gw_ports ; do
vpn_gw_port_arr+=("$_port")
done
declare -a vpn_local_net_port_arr
for _port in $vpn_local_net_ports ; do
vpn_local_net_port_arr+=("$_port")
done
declare -a vpn_out_port_arr
for _port in $vpn_out_ports ; do
vpn_out_port_arr+=("$_port")
done
# ---
# - Rsync Out Ports
# --
declare -a rsync_port_arr
for _port in $rsync_ports ; do
rsync_port_arr+=("$_port")
done
# ---
# - Samba Ports
# ---
declare -a samba_udp_port_arr
for _port in $samba_udp_ports ; do
samba_udp_port_arr+=("$_port")
done
declare -a samba_tcp_port_arr
for _port in $samba_tcp_ports ; do
samba_tcp_port_arr+=("$_port")
done
# ---
# - LDAP Ports
# ---
declare -a ldap_udp_port_arr
for _port in $ldap_udp_ports ; do
ldap_udp_port_arr+=("$_port")
done
declare -a ldap_tcp_port_arr
for _port in $ldap_tcp_ports ; do
ldap_tcp_port_arr+=("$_port")
done
# ---
# - IPMI
# ---
declare -a ipmi_udp_port_arr
for _port in $ipmi_udp_ports ; do
ipmi_udp_port_arr+=("$_port")
done
declare -a ipmi_tcp_port_arr
for _port in $ipmi_tcp_ports ; do
ipmi_tcp_port_arr+=("$_port")
done
# ---
# - Portforwrds TCP
# ---
declare -a portforward_tcp_arr
for _str in $portforward_tcp ; do
portforward_tcp_arr+=("$_str")
done
# ---
# - Portforwrds UDP
# ---
declare -a portforward_udp_arr
for _str in $portforward_udp ; do
portforward_udp_arr+=("$_str")
done
# ---
# - MAC Address Filtering
# ---
declare -a allow_all_mac_src_address_arr
for _mac in $allow_all_mac_src_addresses ; do
allow_all_mac_src_address_arr+=("$_mac")
done
declare -a allow_local_mac_src_address_arr
for _mac in $allow_local_mac_src_addresses ; do
allow_local_mac_src_address_arr+=("$_mac")
done
declare -a allow_remote_mac_src_address_arr
for _mac in $allow_remote_mac_src_addresses ; do
allow_remote_mac_src_address_arr+=("$_mac")
done
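Review bot: every list here is split with an unquoted `for _x in $var`, which also applies pathname expansion, so a configuration value containing `*`, `?` or `[` is expanded against the current directory before it reaches a rule; `containsElement $_dev` in the `nat_devices` loop has the same problem. Either `set -f` around this file or read each list with `read -r -a name_arr <<< "$var"`, and quote `"$_dev"`. The roughly sixty identical loops could be one helper taking the variable and array names. Naming is inconsistent between `unifi_ap_local_ip_arr` / `unifi_controller_gateway_ip_arr` and `unify_controller_local_net_ip_arr`, which invites a misspelled, and therefore empty, variable in the main script.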

View File

@ -0,0 +1 @@
gw-ah.kanzlei-kiel.netz

View File

@ -0,0 +1,269 @@
# ============ Basic settings ============
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
## - The Internet protocols Postfix will attempt to use when making
## - or accepting connections.
## - DEFAULT: ipv4
inet_protocols = ipv4
#inet_interfaces = all
inet_interfaces =
127.0.0.1
192.168.100.254
myhostname = gw-ah.kanzlei-kiel.netz
mydestination =
gw-ah.kanzlei-kiel.netz
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
192.168.100.0/24
#192.168.100.254/32
#smtp_bind_address = 192.168.100.254
#smtp_bind_address6 =
## - The method to generate the default value for the mynetworks parameter.
## -
## - mynetworks_style = host" when Postfix should "trust" only the local machine
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - clients in the same IP subnetworks as the local machine.
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - IP class A/B/C networks as the local machine.
## -
#mynetworks_style = host
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## -
mailbox_size_limit = 0
## - The maximal size in bytes of a message, including envelope information.
## -
## - we user 50MB
## -
message_size_limit = 52480000
## - The system-wide recipient address extension delimiter
## -
recipient_delimiter = +
## - The alias databases that are used for local(8) delivery.
## -
alias_maps =
hash:/etc/aliases
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## -
alias_database =
hash:/etc/aliases
## - The maximal time a message is queued before it is sent back as
## - undeliverable. Defaults to 5d (5 days)
## - Specify 0 when mail delivery should be tried only once.
## -
maximal_queue_lifetime = 3d
bounce_queue_lifetime = $maximal_queue_lifetime
## - delay_warning_time (default: 0h)
## -
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
delay_warning_time = 1d
# ============ Relay parameters ============
#relayhost =
# ============ SASL authentication ============
# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Forwarding to the ip-adress of host b.mx.oopen.de
relayhost = [b.mx.oopen.de]
# File including login data
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Force using a (TLS) security connection
# obsulete - use smtp_tls_security_level instead
#smtp_use_tls = yes
#smtp_tls_enforce_peername = no
smtp_tls_security_level = encrypt
# Disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# ============ TLS parameters ============
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=encrypt
## - Aktiviert TLS für den Mailversand
## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - but do not require that clients use TLS encryption.
# smtp_use_tls=yes
smtpd_tls_security_level=may
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## -
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_cert_file = /etc/postfix/ssl/mailserver.crt
smtpd_tls_key_file = /etc/postfix/ssl/mailserver.key
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
## - also possible to use 2048 key with that parameter
## -
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
## -
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
## -
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - necessary "hash" links with, for example, "
## - /bin/c_rehash /etc/postfix/certs".
## -
## - !! Note !!
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## -
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - queue directory (/var/spool/postfix)
## -
#smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Disable SSLv2 SSLv3 - Postfix SMTP client
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
#
#smtpd_tls_mandatory_ciphers = high
#
# opportunistic
smtpd_tls_ciphers = high
# Exclude ciphers
#smtpd_tls_exclude_ciphers =
# RC4
# aNULL
# SEED-SHA
# EXP
# MD5
smtpd_tls_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5, CBC3-SHA
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
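Review bot: "smtp_tls_security_level = encrypt" (set in the SASL block and again, as "smtp_tls_security_level=encrypt", under the "Mailempfang" comment) forces TLS towards [b.mx.oopen.de] but does not verify the relay's certificate, so the credentials from /etc/postfix/sasl_passwd are sent to whichever host completes the handshake. Since smtp_tls_CAfile is already configured, consider "verify" or "secure" for the relay and keep a single assignment. The two German comment blocks are also swapped: the "Mailempfang" (receiving) text sits above the smtp_ client setting, the "Mailversand" (sending) text sits above smtpd_tls_security_level=may, and both describe "may". In smtpd_tls_exclude_ciphers the entries "EDH-RSA-DES-CDC3-SHA" and "KRB5-DE5, CBC3-SHA" look like typos (CDC3 for CBC3, DE5 for DES), so they likely exclude nothing. The 1024-bit file behind smtpd_tls_dh1024_param_file could be replaced by the 2048-bit variant that is already present as a commented-out line.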

View File

View File

@ -0,0 +1,7 @@
ifconfig-push 10.1.100.2 255.255.255.0
push "route 192.168.100.0 255.255.255.0 10.1.100.1"
push "route 192.168.101.0 255.255.255.0 10.1.100.1"
push "route 172.16.101.0 255.255.255.0 10.1.100.1"
push "route 172.16.102.0 255.255.255.0 10.1.100.1"
iroute 192.168.63.0 255.255.255.0
iroute 192.168.64.0 255.255.255.0
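Review bot: The two iroute lines only direct 192.168.63.0/24 and 192.168.64.0/24 to this client if the server configuration carries matching route statements for the same networks, and nothing in this file says which remote site they belong to. A leading comment naming the site and pointing to the server config that holds those routes would make the dependency visible to whoever edits either file.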

View File

@ -0,0 +1 @@
ifconfig-push 10.0.100.3 255.255.255.0

View File

@ -0,0 +1 @@
ifconfig-push 10.0.100.2 255.255.255.0

View File

@ -0,0 +1,13 @@
-----BEGIN X509 CRL-----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-----END X509 CRL-----

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/build-ca

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/build-dh

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/build-inter

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/build-key

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-pass

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-pkcs12

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-server

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/build-req

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/build-req-pass

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/clean-all

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/inherit-inter

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/list-crl

View File

@ -0,0 +1,268 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
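Review bot: In [ v3_ca ] the CA certificate gets a non-critical "basicConstraints = CA:true" and no keyUsage at all, for compatibility reasons that the surrounding comments attribute to broken software and test certificates. For a CA that signs production VPN certificates, consider enabling the commented-out "basicConstraints = critical,CA:true" and "keyUsage = cRLSign, keyCertSign" so the CA key is limited to signing certificates and CRLs.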

View File

@ -0,0 +1,293 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
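Review bot: "subjectAltName=$ENV::KEY_ALTNAMES" in [ usr_cert ] and [ server ] makes OpenSSL refuse to load this file whenever KEY_ALTNAMES is not set in the environment, in the same way that [ pkcs11_section ] depends on PKCS11_MODULE_PATH and PKCS11_PIN even though the "pkcs11 = pkcs11_section" line is commented out. Please make sure the vars file exports a default for KEY_ALTNAMES next to the PKCS11 dummy values, or document that the variable must be exported before revoke-full, list-crl and the other wrappers that read this config are called directly.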

View File

@ -0,0 +1,288 @@
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 3650 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
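Review bot: "default_crl_days= 3650" in [ CA_default ] gives every generated CRL a ten-year validity, where the other two config files in this commit use 30, so a server that still holds an outdated crl.pem keeps treating it as current, and keeps accepting any certificate revoked since, for years. If the long lifetime is intended to avoid outages caused by an expired CRL, state that in a comment and make sure the CRL is redistributed after every revocation. The trailing comment on "default_md = sha256" ("use public key default MD") no longer matches the value and should be updated.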

View File

@ -0,0 +1 @@
openssl-1.0.0.cnf

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/pkitool

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/revoke-full

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/sign-req

View File

@ -0,0 +1,95 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
##export EASY_RSA="`pwd`"
export BASE_DIR="/etc/openvpn"
export EASY_RSA="$BASE_DIR/easy-rsa"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
##export KEY_DIR="$EASY_RSA/keys"
export KEY_DIR="$BASE_DIR/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048
# In how many days should the root CA key expire?
##export CA_EXPIRE=3650
export CA_EXPIRE=11688
# In how many days should certificates expire?
##export KEY_EXPIRE=3650
export KEY_EXPIRE=7305
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
##export KEY_COUNTRY="US"
export KEY_COUNTRY="DE"
##export KEY_PROVINCE="CA"
export KEY_PROVINCE="Berlin"
##export KEY_CITY="SanFrancisco"
export KEY_CITY="Berlin"
##export KEY_ORG="Fort-Funston"
export KEY_ORG="O.OPEN"
##export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL="ckubu-adm@oopen.de"
##export KEY_OU="MyOrganizationalUnit"
export KEY_OU="Network Services"
# X509 Subject Field
##export KEY_NAME="EasyRSA"
export KEY_NAME="VPN Kanzlei Kiel"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
## export KEY_CN="CommonName"
export KEY_CN="VPN-Kanzlei-Kiel"
export KEY_ALTNAMES="VPN Kanzlei Kiel"
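
Review bot: CA_EXPIRE=11688 and KEY_EXPIRE=7305 give the CA roughly 32 years and every issued certificate 20 years on a 2048-bit RSA key, so for two decades revocation is the only way to take a lost laptop or a departed user off the VPN. Suggest a much shorter KEY_EXPIRE with planned renewal, and confirm that the server actually checks the CRL that revoke-full produces. Two smaller points: the comment above KEY_SIZE still reads "Increase this to 2048 if you are paranoid" although 2048 is already set, and KEY_CN is exported even though its own comment says this signs all keys with the same Common Name and needs duplicate-cn on the server; if per-client names are intended, say so in a comment next to the export.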

View File

@ -0,0 +1,80 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048
# In how many days should the root CA key expire?
export CA_EXPIRE=3650
# In how many days should certificates expire?
export KEY_EXPIRE=3650
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
# X509 Subject Field
export KEY_NAME="EasyRSA"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# export KEY_CN="CommonName"
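
Review bot: This second parameter file is the unmodified template (KEY_COUNTRY="US", KEY_ORG="Fort-Funston") and takes EASY_RSA from `pwd`, so sourcing it by mistake points KEY_DIR at a keys directory under whatever directory the shell is in, and a following clean-all would rm -rf there. If it is kept only for reference, drop it from the tree or state at the top of the file that it must not be sourced.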

View File

@ -0,0 +1 @@
/usr/share/easy-rsa/whichopensslcnf

View File

View File

@ -0,0 +1,20 @@
key...............: chris.key
common name.......: VPN-Kanzlei-Kiel-chris
password..........: dbddhkpuka.&EadGl15E.
key...............: gw-ckubu.key
common name.......: VPN-Kanzlei-Kiel-gw-ckubu
password..........: uoziengeeyiephu5voh7eothu1Aex8ar
key...............: axel.key
common name.......: VPN-Kanzlei-Kiel-axel
password..........: vP26M8Wj2S
key...............: pc-hh.key
common name.......: VPN-Kanzlei-Kiel-pc-hh
password..........: CHtq9MsL93LW
key...............: doro.key
common name.......: VPN-Kanzlei-Kiel-doro
password..........: 20_Doro_16-45
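
Review bot: This file records the passphrase of every client key in clear text next to the key file name and common name, and the same commit also adds an encrypted private key, so anyone with read access to the repository gets both halves and the key encryption protects nothing. Remove the file from the repository and its history, change the passphrases (or reissue the affected client certificates), and keep the passphrases in a password manager or hand them to the users out of band instead of versioning them.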

View File

View File

@ -0,0 +1,101 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Jun 27 23:17:01 2017 GMT
Not After : Jun 27 23:17:01 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel-server/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:de:09:04:84:23:f6:19:a5:df:53:2e:a4:02:8f:
2b:b6:de:bb:82:19:e3:b9:f6:f4:0b:62:d4:51:a1:
c9:be:85:67:82:de:9f:97:af:92:ad:b8:d7:4b:69:
50:f6:61:d7:ce:03:0c:ee:46:2d:ab:b5:f6:44:a5:
a2:7e:86:db:ad:8d:12:35:e8:49:c6:98:45:c1:10:
3f:50:8e:2a:93:fd:e7:7a:4d:4f:e3:5c:2e:67:3f:
8b:9d:d6:11:26:1f:00:ff:13:47:dd:86:8b:ed:6a:
29:07:cf:c2:f0:a4:4d:c4:dc:68:db:a1:c1:43:55:
13:45:5f:41:f3:f0:9c:0a:ea:26:29:c6:e3:fc:ee:
9f:7c:86:f4:f0:c8:0c:5f:61:e1:b9:f1:bc:f6:02:
71:6c:07:fe:18:30:b2:8c:dc:18:50:de:5e:96:24:
04:94:14:ec:9a:50:a6:90:02:79:b2:1a:c8:79:da:
fb:06:7e:ad:a8:79:ef:92:68:3c:46:4e:5e:b6:bf:
f1:fa:bf:da:73:8b:c4:95:89:1a:e1:52:70:20:46:
48:8c:47:01:c2:13:56:c9:44:e1:a7:55:14:e5:41:
4d:ab:8f:d0:50:13:76:19:d9:f2:fd:8b:16:27:58:
dd:4f:18:83:05:70:c1:97:d4:68:41:d4:2b:63:89:
b5:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
9B:58:FA:12:97:7F:35:4F:5B:72:6D:C5:68:AD:B2:76:AD:B9:F0:95
X509v3 Authority Key Identifier:
keyid:4E:82:1E:14:81:EB:9B:C8:71:2C:B1:22:68:90:BF:EE:D9:D4:FF:D4
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
serial:FE:59:AD:5E:BE:90:05:3E
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:server
Signature Algorithm: sha256WithRSAEncryption
c2:b9:b2:70:fe:e4:4f:9b:21:85:14:f4:4a:b2:b0:32:ef:0f:
a3:15:95:a4:f6:78:84:5b:d6:75:e2:a1:b4:57:8a:23:66:2f:
72:5a:21:a9:4c:38:b6:cd:41:a5:b4:3e:11:d8:62:1f:8a:a1:
ba:13:55:1e:3b:7c:4d:22:2e:cf:54:81:e5:0d:3d:05:fd:3f:
9c:fb:24:cb:be:61:96:ec:e3:e9:c9:7c:da:97:e8:ba:a0:fd:
a8:47:97:43:88:8c:b6:03:81:d7:71:49:f9:9b:9d:33:5d:6f:
26:79:b6:7a:d2:27:ba:b5:7e:c8:62:8d:76:75:96:7a:25:86:
21:e5:8f:82:8a:06:47:4b:59:32:1d:dd:81:4d:b9:ac:ef:93:
a3:f1:f4:65:09:10:d8:af:04:14:c5:1e:58:b7:6e:95:ab:ba:
f5:e8:39:65:dc:87:d2:14:b4:e5:e5:af:2a:da:b2:c0:49:e2:
07:1d:ad:b5:c7:48:c4:81:36:f1:45:09:b9:1c:ed:87:9d:da:
70:c8:16:65:26:44:5e:f3:dd:a7:eb:39:2a:80:23:0d:e4:d9:
62:3a:19:e0:60:9c:21:cd:8e:ad:b6:59:36:f8:86:4e:7b:32:
e9:8d:de:e5:4b:fe:c4:c7:fb:35:c6:6d:78:f3:26:65:be:60:
be:34:fa:f0
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
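
Review bot: The Subject Alternative Name is `DNS:server`, which is not a host name clients connect to, so the certificate cannot be matched by name; the CN VPN-Kanzlei-Kiel-server and the "TLS Web Server Authentication" extended key usage are the only properties a client can check. Make sure the client configs enforce one of them (for example with remote-cert-tls server), because the client certificates in this commit are signed by the same CA. Validity runs from 2017 to 2037, so this key stays in service for 20 years unless it is rotated deliberately.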

View File

@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Jun 27 23:20:59 2017 GMT
Not After : Jun 27 23:20:59 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel-chris/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ea:fb:89:96:31:df:91:67:0f:62:5d:89:76:b7:
c1:e6:bd:5e:70:40:b7:6b:66:43:eb:51:0b:a8:8c:
d2:40:dd:ed:99:20:6e:23:4d:dc:7e:aa:8e:36:24:
3c:4e:fc:cf:8b:5f:ad:63:91:10:33:4c:f4:eb:91:
b6:25:a6:8a:d7:c3:40:55:b2:aa:67:a1:37:cb:3b:
53:07:af:cf:42:9a:c5:a0:91:ed:98:42:57:0f:44:
ac:a5:92:e2:c6:56:cc:c1:4c:65:ab:f7:79:b5:9b:
67:5c:e9:d7:19:7f:81:3e:c6:a7:d8:a6:42:e6:34:
fd:ef:8b:e2:d7:3f:8c:71:0a:6a:c9:59:f6:c3:88:
40:86:a7:f1:54:4f:6d:d1:95:41:50:36:df:b4:6a:
58:ff:93:1e:c1:66:2d:37:33:ef:6c:f0:9a:2d:ba:
29:46:fe:4b:73:8e:22:33:89:33:4d:45:ab:b8:dd:
d4:d5:ae:a0:cc:f7:c4:d3:7c:24:02:46:92:7d:9d:
a2:9c:27:be:12:11:45:33:30:f1:a3:ad:17:2e:94:
06:54:7c:7c:20:65:1a:b2:d1:60:86:89:37:2d:d5:
f3:4f:3e:00:f3:bb:81:ae:78:be:6c:4b:68:ac:d9:
07:f0:aa:f7:c7:79:b3:d3:f2:32:8b:fd:80:0d:d5:
bf:97
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
E8:1E:7E:7E:48:9B:34:7E:27:93:17:EB:2E:4E:45:D5:AB:B9:A9:0F
X509v3 Authority Key Identifier:
keyid:4E:82:1E:14:81:EB:9B:C8:71:2C:B1:22:68:90:BF:EE:D9:D4:FF:D4
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
serial:FE:59:AD:5E:BE:90:05:3E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:chris
Signature Algorithm: sha256WithRSAEncryption
59:8d:36:12:7e:91:f2:0f:d2:74:5a:42:e2:56:0a:9d:16:72:
09:05:40:ea:75:1e:0a:0c:81:0f:b4:e6:82:47:cc:38:67:c5:
f4:76:94:78:b5:02:a1:98:7a:c4:5e:01:90:dd:f9:cd:7b:45:
6e:30:69:b2:9f:5d:b0:fe:e9:23:a6:3e:ae:dd:7d:dc:75:f8:
a2:08:f8:87:34:7b:50:ae:15:49:23:7a:d4:2a:70:c1:ad:04:
e5:af:cb:f4:c5:c9:37:42:fc:ef:00:53:a2:51:92:71:c7:58:
a6:9e:3e:0a:7f:f6:37:5c:c4:e8:b8:20:ae:52:71:b4:5b:34:
8f:26:4e:28:cf:dd:ac:72:4f:81:8e:b8:ce:68:ab:79:21:93:
27:1c:9f:71:fe:f3:00:07:cb:28:bc:91:20:c0:ae:37:0a:33:
cf:9e:25:c1:ce:42:a1:6e:32:07:d2:65:e5:b1:9d:1f:52:25:
0b:9a:af:08:fb:8a:7e:a5:a4:da:3b:fa:85:4a:9c:a8:0c:19:
5d:df:9c:4d:4c:78:1b:ab:03:48:da:ba:a1:cf:3f:a2:ad:9f:
3e:a8:d3:cb:22:74:0f:cf:17:1d:bb:40:63:4e:4b:ff:e6:94:
55:00:79:3a:5b:de:36:35:de:d1:61:fc:d8:d1:98:2d:5d:bc:
fe:b6:f1:8a
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----

View File

@ -0,0 +1,99 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Jun 27 23:24:59 2017 GMT
Not After : Jun 27 23:24:59 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel-gw-ckubu/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cb:3a:12:41:57:f6:08:8a:9d:c8:f2:7d:de:eb:
9a:0a:05:44:82:28:16:30:bf:be:20:50:93:61:6f:
a4:ed:ae:61:dc:2a:4b:61:03:a8:c5:c1:86:c2:88:
34:66:c7:49:3d:61:59:e9:d0:88:d3:ad:af:8d:92:
c8:5a:ad:a6:4d:0b:38:41:b1:85:61:34:8e:94:56:
55:d4:05:85:02:5e:6d:cc:3d:81:26:1d:93:04:0a:
38:d5:c0:93:22:00:93:bd:dc:1f:9b:af:1f:78:1c:
f1:2c:b0:11:7e:4e:cf:62:8b:ce:7e:e2:bc:b3:8e:
af:a9:c6:cc:f3:40:a2:30:d6:a0:4d:9e:3f:54:5e:
74:35:67:3b:c5:78:ef:f5:9e:b1:39:fc:ad:71:13:
e9:84:cf:11:55:78:59:49:26:e9:1e:35:62:66:8b:
d2:f8:d7:19:94:31:5f:28:6a:69:25:a1:f7:c7:23:
82:d3:48:e9:58:2d:b9:a7:8d:41:6e:dd:3b:cd:27:
16:bd:6c:4d:7b:35:62:fd:b7:5a:90:ce:bb:6d:31:
c7:53:b0:df:aa:08:eb:69:d5:11:c6:66:58:8d:02:
61:79:bb:a0:fd:fd:8d:5f:67:26:8b:a2:d6:09:e5:
78:e2:f0:7a:2f:f4:98:ec:98:7a:a8:5f:f3:64:c1:
82:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
19:56:3C:B0:C3:18:52:DE:13:D0:D0:A6:B9:FB:E2:71:73:EC:63:2B
X509v3 Authority Key Identifier:
keyid:4E:82:1E:14:81:EB:9B:C8:71:2C:B1:22:68:90:BF:EE:D9:D4:FF:D4
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
serial:FE:59:AD:5E:BE:90:05:3E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:gw-ckubu
Signature Algorithm: sha256WithRSAEncryption
bb:0b:05:a8:4c:67:80:ce:29:fd:b2:8f:9a:e9:3b:e4:40:9d:
9d:96:27:46:0b:4e:cb:0e:48:9f:4e:78:b4:fe:5c:93:f2:54:
c6:55:c2:18:7a:b0:c9:6f:f5:8b:a5:e6:87:0a:0d:75:23:6f:
cd:a2:32:d6:89:39:ad:46:3c:27:e2:cd:5d:8a:6f:7b:6a:43:
65:60:9d:9c:22:a8:34:52:a7:29:f4:c4:ba:65:18:86:70:6d:
82:09:d5:b1:4b:7d:f4:1d:5d:9f:a3:89:36:6b:62:7b:01:ea:
41:76:4e:22:b2:8e:b9:b7:70:e1:9e:76:d8:f9:f7:0f:67:1f:
fc:cb:71:4a:af:aa:60:91:15:f4:df:52:2b:c6:1e:3e:63:87:
cd:86:1f:52:fb:73:9f:20:d3:77:20:41:c2:fc:b7:34:93:6e:
8f:6f:55:3f:9f:e9:17:1d:23:63:84:d1:55:94:bf:b8:9d:46:
f4:d9:bf:1c:09:99:b4:dc:d0:b1:65:d0:3b:d6:94:8a:fd:78:
c4:b3:d9:52:24:6d:88:56:f9:ff:bb:d9:c3:c8:0c:3d:b6:60:
ae:5d:2c:3a:79:2d:fc:3c:46:05:a1:9d:e7:ba:07:f7:f2:48:
88:1b:21:36:49:72:9a:e2:a9:6f:ca:84:89:f6:83:ea:0d:b1:
d1:95:1f:16
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

View File

@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Jun 27 23:26:40 2017 GMT
Not After : Jun 27 23:26:40 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel-axel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e5:35:af:6e:3a:87:14:35:5f:63:33:30:64:1b:
98:ec:5a:5c:cf:ac:ea:fb:aa:12:f4:6d:8e:b0:b6:
da:3f:71:e3:b6:63:54:de:86:ed:1d:f3:7f:d0:d9:
39:3b:1b:ae:51:80:ba:41:04:a1:28:fc:75:b9:b5:
db:c8:ae:cc:e3:0e:24:72:e7:7f:74:2a:2a:3a:f2:
b7:92:54:82:5a:a5:25:8a:e2:5d:3b:5d:c7:36:cc:
3f:40:7f:fe:ae:27:9e:b7:28:06:51:4c:da:e1:61:
eb:a8:ce:1e:25:c1:d5:3e:37:74:a2:a0:ae:6a:3a:
53:48:b1:72:f6:80:07:d9:37:a1:b9:50:6a:2a:96:
e6:00:bc:1f:2b:bd:db:72:dc:a0:60:62:ce:90:7b:
fe:3a:cc:be:1a:ec:90:70:16:70:69:ac:cb:59:3e:
c0:54:a4:b1:7e:27:d3:18:78:ea:ea:b4:cf:87:3a:
30:0b:64:04:fc:3f:e0:d2:a2:b5:71:51:40:63:0e:
5b:74:b6:c5:ef:43:c1:b5:48:3d:a2:79:1b:16:6e:
fe:75:aa:d8:e5:1b:b9:93:cf:c8:9b:13:91:27:6d:
55:70:61:df:46:78:9f:d2:62:bc:6f:e5:a9:e0:85:
c0:04:ba:62:ee:e5:6b:95:3f:31:5e:27:dc:54:68:
86:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
17:D3:57:7D:98:66:AD:F3:AC:E5:29:BE:F0:74:F9:E4:74:36:FE:C1
X509v3 Authority Key Identifier:
keyid:4E:82:1E:14:81:EB:9B:C8:71:2C:B1:22:68:90:BF:EE:D9:D4:FF:D4
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
serial:FE:59:AD:5E:BE:90:05:3E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:axel
Signature Algorithm: sha256WithRSAEncryption
6c:fd:9c:bd:77:25:a5:9e:e0:2c:09:80:76:88:aa:77:3c:63:
7d:71:d3:21:d5:66:2d:88:b7:48:50:04:c1:63:84:35:a1:cd:
7e:2e:eb:7f:0c:f0:69:c1:66:81:28:00:fa:62:43:7e:cc:34:
43:98:7a:4d:05:b1:07:f7:2d:1d:0f:71:0d:56:4d:4f:7c:fd:
06:50:e8:52:f0:ee:28:63:2c:0e:b6:4e:c4:72:90:59:e5:57:
47:36:64:f2:a9:66:d4:b1:e6:7d:53:82:27:0b:1d:cb:c0:a4:
54:40:1f:cf:1c:01:91:2c:7a:7e:a6:d9:61:fa:77:8d:36:75:
f0:30:1c:cb:c9:2b:fa:2b:fe:1f:2f:c6:7d:66:9b:b1:37:6f:
c0:e8:ac:eb:01:57:1a:1f:84:96:83:8f:ba:c4:8f:a8:c5:0e:
3f:f5:58:42:ba:cf:25:2b:ca:d4:13:d6:2d:2e:a9:a6:90:c3:
9d:32:f0:ee:dc:31:3f:ad:8e:a7:4c:bf:ad:f6:1b:b3:7e:27:
c6:68:b3:87:2b:62:0f:49:2b:70:db:67:d1:b8:8f:96:10:6a:
09:e7:ee:d7:ea:9a:24:b1:22:75:5a:7a:c5:3d:39:d5:6a:bc:
30:51:b3:f4:06:1c:fc:ed:a7:df:c8:56:c0:7c:8c:a5:2a:02:
94:39:2e:12
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

View File

@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Jun 27 23:34:37 2017 GMT
Not After : Jun 27 23:34:37 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel-pc-hh/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a8:75:0a:f0:f5:5e:f2:5d:05:60:43:b9:b5:10:
e4:0f:19:fc:2b:bb:59:d0:b9:59:6e:f0:f5:88:ec:
5b:2d:6b:97:6e:2c:a1:c8:40:bd:03:23:0d:90:69:
22:2c:4f:4c:a1:2a:e9:29:a7:8f:c7:0b:b8:f8:04:
3e:2b:7c:1e:14:a8:4f:d7:32:1e:dc:cd:4f:31:f5:
80:51:5a:1f:2e:f3:01:3a:c1:3a:8a:ab:ef:8e:41:
e3:09:7f:9a:4c:a7:11:e2:c8:e1:5d:9c:6f:57:31:
ad:ed:28:c7:70:8a:2b:c5:3f:bf:28:e5:aa:f8:41:
22:fa:8b:4d:35:10:4a:0c:42:9f:83:6b:f2:05:6b:
84:36:59:88:e9:f6:f0:43:64:e6:9a:9b:a3:37:26:
a9:33:93:03:4f:71:16:d4:29:ce:c6:ea:e8:af:34:
98:33:ec:1f:23:80:97:93:be:2a:97:f0:38:3f:a9:
bc:40:60:73:24:c5:ef:25:bd:64:39:6e:b6:d6:75:
a2:11:0a:d2:5e:5a:8b:2e:8c:f5:84:2e:bd:16:b1:
16:f7:1e:9b:bd:04:00:27:e1:15:45:60:f9:86:58:
70:39:eb:1e:4e:93:cf:0a:7b:39:44:33:50:74:83:
a6:b6:30:43:c8:af:cc:0a:bf:66:ad:22:c8:3f:81:
35:d7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
7C:B4:73:C3:8B:56:98:7E:8A:0C:20:58:7D:94:1B:B6:D8:56:83:C5
X509v3 Authority Key Identifier:
keyid:4E:82:1E:14:81:EB:9B:C8:71:2C:B1:22:68:90:BF:EE:D9:D4:FF:D4
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
serial:FE:59:AD:5E:BE:90:05:3E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:pc-hh
Signature Algorithm: sha256WithRSAEncryption
a2:54:ef:2a:43:8d:28:8e:06:72:42:61:e2:a3:0c:1f:d9:a9:
7b:78:70:0c:9b:24:ad:8b:a6:db:27:4c:e9:d9:de:ad:fe:fd:
d4:dc:3b:ec:2c:dc:3d:29:7c:03:0c:da:1f:c3:f7:f4:63:e1:
c6:3a:a1:9a:a4:0d:34:06:58:ab:e2:62:3f:9b:9e:ae:77:56:
f0:1e:a3:00:dd:7e:20:7f:95:5f:5d:19:65:a8:4f:a7:1a:04:
84:c7:8f:a9:b8:c3:3b:f9:1c:d9:0b:2f:03:a6:fa:c9:cb:60:
92:d5:80:cf:d1:12:d6:0f:80:e7:23:2c:ed:f6:1e:50:1d:2d:
c2:5f:72:bb:fa:54:99:43:aa:e1:a4:78:cc:5a:32:be:1b:e8:
02:f5:ad:58:29:c9:a8:ca:f6:e4:e7:47:ad:9e:7f:83:42:4f:
cf:dd:ea:95:00:1b:bf:c7:00:92:b1:1e:d4:e3:ae:19:f3:5f:
00:5d:d4:46:ca:84:82:1e:db:c2:2d:07:ab:30:1c:7e:a4:79:
c7:9c:2d:6e:3c:22:d3:a2:cf:2b:ad:75:81:0b:3a:f6:c1:71:
9e:cb:39:14:17:c8:f2:a0:0e:ca:86:51:75:a6:35:c9:70:3b:
b7:45:e7:a3:81:35:99:77:94:26:42:a3:84:92:75:45:60:bb:
93:ec:6b:b7
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----

View File

@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6 (0x6)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Jun 27 23:42:32 2017 GMT
Not After : Jun 27 23:42:32 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel-doro/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c6:3d:01:a9:e3:1e:54:11:53:26:ae:ab:33:8d:
91:e4:f6:ba:08:3d:8c:37:14:83:84:97:83:e4:80:
fd:04:b4:3a:f7:18:ce:d8:72:86:49:c9:f0:f4:7c:
cf:66:cc:8a:3e:5e:18:12:6d:f9:2d:ac:56:17:15:
0a:1c:94:62:17:f4:2e:b1:3f:81:c9:51:4f:0a:45:
8e:b4:ce:0f:bf:cd:cb:c1:e8:21:7d:dc:0b:13:74:
aa:5a:2f:29:3d:ec:63:13:2a:46:98:8c:ba:01:64:
a6:46:83:d9:22:1d:dc:d5:f5:19:5f:0b:39:88:39:
57:92:31:5a:8d:50:7e:a6:4a:ff:9e:57:77:c6:0f:
65:95:1c:a6:7a:6f:9f:03:00:15:e6:50:7c:49:62:
72:d8:0f:27:ea:84:f9:91:d5:b0:d2:86:23:78:bc:
cb:d9:33:91:30:28:75:13:46:38:a1:ca:20:66:3b:
28:58:3c:21:a9:e1:94:42:92:52:96:2d:51:16:bd:
a2:d3:32:ab:95:b3:3a:92:95:b6:20:bc:d6:5d:dc:
5f:a8:51:f0:d6:9e:22:ca:17:30:d1:c5:9e:f7:42:
cc:d5:56:b7:e8:43:fd:b7:5d:8a:c6:40:9b:39:ba:
61:42:6a:3e:3d:82:44:15:ad:43:a4:08:79:e0:61:
b0:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
BE:2A:6F:2C:EF:0C:B1:1D:B2:48:5E:3A:68:14:9B:EF:BC:E5:E6:86
X509v3 Authority Key Identifier:
keyid:4E:82:1E:14:81:EB:9B:C8:71:2C:B1:22:68:90:BF:EE:D9:D4:FF:D4
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
serial:FE:59:AD:5E:BE:90:05:3E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:doro
Signature Algorithm: sha256WithRSAEncryption
9a:3d:1f:11:18:ff:a9:0b:b0:38:95:4a:98:69:a9:76:65:10:
d0:5e:04:60:da:81:46:bc:44:dc:55:a3:59:4f:24:b7:27:ff:
c6:b5:28:10:59:b7:b9:5e:78:c4:32:d6:f2:4c:e6:aa:05:75:
68:e4:fa:8b:84:98:c1:65:1b:f5:f5:1a:a6:66:3e:a1:27:58:
8b:ad:e9:b1:6e:e9:e4:92:08:96:18:ac:c1:d6:48:33:45:18:
14:f9:75:75:3b:a1:2b:4f:23:4d:de:34:0b:6e:a0:95:25:fd:
8b:89:d9:d6:dc:47:b1:c5:35:d1:ac:8b:29:a8:95:f3:a4:c0:
54:a0:7e:15:97:de:6d:4a:27:98:af:e2:0c:4c:28:94:b8:ab:
15:2f:0b:29:32:13:2c:ae:46:c1:52:87:88:8c:43:a4:47:b5:
b3:85:68:57:de:5a:95:a8:c6:69:56:07:52:15:6b:88:67:27:
3a:23:36:57:8d:c9:e6:76:75:06:fd:00:e9:f8:d6:b0:d9:d0:
4e:4d:9c:4b:8a:1f:84:fd:86:19:52:d9:9c:0d:30:cf:65:c5:
df:d8:b8:90:9b:7e:01:cc:07:ae:94:16:15:df:40:22:68:70:
c1:4d:3c:f0:e5:93:2a:d8:8e:4e:bd:13:09:0f:eb:ba:c1:f0:
9b:ae:67:97
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

View File

@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Jun 27 23:26:40 2017 GMT
Not After : Jun 27 23:26:40 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel-axel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e5:35:af:6e:3a:87:14:35:5f:63:33:30:64:1b:
98:ec:5a:5c:cf:ac:ea:fb:aa:12:f4:6d:8e:b0:b6:
da:3f:71:e3:b6:63:54:de:86:ed:1d:f3:7f:d0:d9:
39:3b:1b:ae:51:80:ba:41:04:a1:28:fc:75:b9:b5:
db:c8:ae:cc:e3:0e:24:72:e7:7f:74:2a:2a:3a:f2:
b7:92:54:82:5a:a5:25:8a:e2:5d:3b:5d:c7:36:cc:
3f:40:7f:fe:ae:27:9e:b7:28:06:51:4c:da:e1:61:
eb:a8:ce:1e:25:c1:d5:3e:37:74:a2:a0:ae:6a:3a:
53:48:b1:72:f6:80:07:d9:37:a1:b9:50:6a:2a:96:
e6:00:bc:1f:2b:bd:db:72:dc:a0:60:62:ce:90:7b:
fe:3a:cc:be:1a:ec:90:70:16:70:69:ac:cb:59:3e:
c0:54:a4:b1:7e:27:d3:18:78:ea:ea:b4:cf:87:3a:
30:0b:64:04:fc:3f:e0:d2:a2:b5:71:51:40:63:0e:
5b:74:b6:c5:ef:43:c1:b5:48:3d:a2:79:1b:16:6e:
fe:75:aa:d8:e5:1b:b9:93:cf:c8:9b:13:91:27:6d:
55:70:61:df:46:78:9f:d2:62:bc:6f:e5:a9:e0:85:
c0:04:ba:62:ee:e5:6b:95:3f:31:5e:27:dc:54:68:
86:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
17:D3:57:7D:98:66:AD:F3:AC:E5:29:BE:F0:74:F9:E4:74:36:FE:C1
X509v3 Authority Key Identifier:
keyid:4E:82:1E:14:81:EB:9B:C8:71:2C:B1:22:68:90:BF:EE:D9:D4:FF:D4
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
serial:FE:59:AD:5E:BE:90:05:3E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:axel
Signature Algorithm: sha256WithRSAEncryption
6c:fd:9c:bd:77:25:a5:9e:e0:2c:09:80:76:88:aa:77:3c:63:
7d:71:d3:21:d5:66:2d:88:b7:48:50:04:c1:63:84:35:a1:cd:
7e:2e:eb:7f:0c:f0:69:c1:66:81:28:00:fa:62:43:7e:cc:34:
43:98:7a:4d:05:b1:07:f7:2d:1d:0f:71:0d:56:4d:4f:7c:fd:
06:50:e8:52:f0:ee:28:63:2c:0e:b6:4e:c4:72:90:59:e5:57:
47:36:64:f2:a9:66:d4:b1:e6:7d:53:82:27:0b:1d:cb:c0:a4:
54:40:1f:cf:1c:01:91:2c:7a:7e:a6:d9:61:fa:77:8d:36:75:
f0:30:1c:cb:c9:2b:fa:2b:fe:1f:2f:c6:7d:66:9b:b1:37:6f:
c0:e8:ac:eb:01:57:1a:1f:84:96:83:8f:ba:c4:8f:a8:c5:0e:
3f:f5:58:42:ba:cf:25:2b:ca:d4:13:d6:2d:2e:a9:a6:90:c3:
9d:32:f0:ee:dc:31:3f:ad:8e:a7:4c:bf:ad:f6:1b:b3:7e:27:
c6:68:b3:87:2b:62:0f:49:2b:70:db:67:d1:b8:8f:96:10:6a:
09:e7:ee:d7:ea:9a:24:b1:22:75:5a:7a:c5:3d:39:d5:6a:bc:
30:51:b3:f4:06:1c:fc:ed:a7:df:c8:56:c0:7c:8c:a5:2a:02:
94:39:2e:12
-----BEGIN CERTIFICATE-----
MIIFaDCCBFCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxGTAXBgNVBAMTEFZQTi1LYW56
bGVpLUtpZWwxGTAXBgNVBCkTEFZQTiBLYW56bGVpIEtpZWwxITAfBgkqhkiG9w0B
CQEWEmNrdWJ1LWFkbUBvb3Blbi5kZTAeFw0xNzA2MjcyMzI2NDBaFw0zNzA2Mjcy
MzI2NDBaMIG5MQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQH
EwZCZXJsaW4xDzANBgNVBAoTBk8uT1BFTjEZMBcGA1UECxMQTmV0d29yayBTZXJ2
aWNlczEeMBwGA1UEAxMVVlBOLUthbnpsZWktS2llbC1heGVsMRkwFwYDVQQpExBW
UE4gS2FuemxlaSBLaWVsMSEwHwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29wZW4u
ZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDlNa9uOocUNV9jMzBk
G5jsWlzPrOr7qhL0bY6wtto/ceO2Y1Tehu0d83/Q2Tk7G65RgLpBBKEo/HW5tdvI
rszjDiRy5390Kio68reSVIJapSWK4l07Xcc2zD9Af/6uJ563KAZRTNrhYeuozh4l
wdU+N3SioK5qOlNIsXL2gAfZN6G5UGoqluYAvB8rvdty3KBgYs6Qe/46zL4a7JBw
FnBprMtZPsBUpLF+J9MYeOrqtM+HOjALZAT8P+DSorVxUUBjDlt0tsXvQ8G1SD2i
eRsWbv51qtjlG7mTz8ibE5EnbVVwYd9GeJ/SYrxv5anghcAEumLu5WuVPzFeJ9xU
aIa1AgMBAAGjggF8MIIBeDAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5
LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBfTV32YZq3zrOUp
vvB0+eR0Nv7BMIHpBgNVHSMEgeEwgd6AFE6CHhSB65vIcSyxImiQv+7Z1P/UoYG6
pIG3MIG0MQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZC
ZXJsaW4xDzANBgNVBAoTBk8uT1BFTjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNl
czEZMBcGA1UEAxMQVlBOLUthbnpsZWktS2llbDEZMBcGA1UEKRMQVlBOIEthbnps
ZWkgS2llbDEhMB8GCSqGSIb3DQEJARYSY2t1YnUtYWRtQG9vcGVuLmRlggkA/lmt
Xr6QBT4wEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA8GA1UdEQQI
MAaCBGF4ZWwwDQYJKoZIhvcNAQELBQADggEBAGz9nL13JaWe4CwJgHaIqnc8Y31x
0yHVZi2It0hQBMFjhDWhzX4u638M8GnBZoEoAPpiQ37MNEOYek0FsQf3LR0PcQ1W
TU98/QZQ6FLw7ihjLA62TsRykFnlV0c2ZPKpZtSx5n1TgicLHcvApFRAH88cAZEs
en6m2WH6d402dfAwHMvJK/or/h8vxn1mm7E3b8DorOsBVxofhJaDj7rEj6jFDj/1
WEK6zyUrytQT1i0uqaaQw50y8O7cMT+tjqdMv632G7N+J8Zos4crYg9JK3DbZ9G4
j5YQagnn7tfqmiSxInVaesU9OdVqvDBRs/QGHPztp9/IVsB8jKUqApQ5LhI=
-----END CERTIFICATE-----

View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

View File

@ -0,0 +1,30 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----

View File

@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
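
Review bot: The `-----BEGIN PRIVATE KEY-----` header means this key is stored unencrypted, and it is being committed to the repository. The file name is not shown here, but whichever key it is (CA, server or client) has to be treated as disclosed to everyone who can read the repository or any clone or backup of it: take it out of the tree and the history, reissue whatever depends on it, and keep private keys outside version control in a directory readable only by root. If this is the CA key, every certificate in this commit needs to be reissued under a new CA.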

View File

@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Jun 27 23:20:59 2017 GMT
Not After : Jun 27 23:20:59 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-Kanzlei-Kiel-chris/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ea:fb:89:96:31:df:91:67:0f:62:5d:89:76:b7:
c1:e6:bd:5e:70:40:b7:6b:66:43:eb:51:0b:a8:8c:
d2:40:dd:ed:99:20:6e:23:4d:dc:7e:aa:8e:36:24:
3c:4e:fc:cf:8b:5f:ad:63:91:10:33:4c:f4:eb:91:
b6:25:a6:8a:d7:c3:40:55:b2:aa:67:a1:37:cb:3b:
53:07:af:cf:42:9a:c5:a0:91:ed:98:42:57:0f:44:
ac:a5:92:e2:c6:56:cc:c1:4c:65:ab:f7:79:b5:9b:
67:5c:e9:d7:19:7f:81:3e:c6:a7:d8:a6:42:e6:34:
fd:ef:8b:e2:d7:3f:8c:71:0a:6a:c9:59:f6:c3:88:
40:86:a7:f1:54:4f:6d:d1:95:41:50:36:df:b4:6a:
58:ff:93:1e:c1:66:2d:37:33:ef:6c:f0:9a:2d:ba:
29:46:fe:4b:73:8e:22:33:89:33:4d:45:ab:b8:dd:
d4:d5:ae:a0:cc:f7:c4:d3:7c:24:02:46:92:7d:9d:
a2:9c:27:be:12:11:45:33:30:f1:a3:ad:17:2e:94:
06:54:7c:7c:20:65:1a:b2:d1:60:86:89:37:2d:d5:
f3:4f:3e:00:f3:bb:81:ae:78:be:6c:4b:68:ac:d9:
07:f0:aa:f7:c7:79:b3:d3:f2:32:8b:fd:80:0d:d5:
bf:97
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
E8:1E:7E:7E:48:9B:34:7E:27:93:17:EB:2E:4E:45:D5:AB:B9:A9:0F
X509v3 Authority Key Identifier:
keyid:4E:82:1E:14:81:EB:9B:C8:71:2C:B1:22:68:90:BF:EE:D9:D4:FF:D4
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-Kanzlei-Kiel/name=VPN Kanzlei Kiel/emailAddress=ckubu-adm@oopen.de
serial:FE:59:AD:5E:BE:90:05:3E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:chris
Signature Algorithm: sha256WithRSAEncryption
59:8d:36:12:7e:91:f2:0f:d2:74:5a:42:e2:56:0a:9d:16:72:
09:05:40:ea:75:1e:0a:0c:81:0f:b4:e6:82:47:cc:38:67:c5:
f4:76:94:78:b5:02:a1:98:7a:c4:5e:01:90:dd:f9:cd:7b:45:
6e:30:69:b2:9f:5d:b0:fe:e9:23:a6:3e:ae:dd:7d:dc:75:f8:
a2:08:f8:87:34:7b:50:ae:15:49:23:7a:d4:2a:70:c1:ad:04:
e5:af:cb:f4:c5:c9:37:42:fc:ef:00:53:a2:51:92:71:c7:58:
a6:9e:3e:0a:7f:f6:37:5c:c4:e8:b8:20:ae:52:71:b4:5b:34:
8f:26:4e:28:cf:dd:ac:72:4f:81:8e:b8:ce:68:ab:79:21:93:
27:1c:9f:71:fe:f3:00:07:cb:28:bc:91:20:c0:ae:37:0a:33:
cf:9e:25:c1:ce:42:a1:6e:32:07:d2:65:e5:b1:9d:1f:52:25:
0b:9a:af:08:fb:8a:7e:a5:a4:da:3b:fa:85:4a:9c:a8:0c:19:
5d:df:9c:4d:4c:78:1b:ab:03:48:da:ba:a1:cf:3f:a2:ad:9f:
3e:a8:d3:cb:22:74:0f:cf:17:1d:bb:40:63:4e:4b:ff:e6:94:
55:00:79:3a:5b:de:36:35:de:d1:61:fc:d8:d1:98:2d:5d:bc:
fe:b6:f1:8a
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----

Some files were not shown because too many files have changed in this diff