Initial commit

2018-05-08 03:01:03 +02:00
commit 1c4c595cd6
3256 changed files with 417972 additions and 0 deletions

25
MBR/README.txt Normal file

@ -0,0 +1,25 @@
Notice:
You have to change some configuration files becaus the because
the configuration of network interfaces must not be equal.
!! Take care, to use the right device names !!
Maybe they are called i.e. 'enp0sXX', but you can rename it.
See also : README.rename.netdevices
For the backup gateway host:
eth1 --> LAN
eth2 --> WAN or ppp0 (DSL device)
eth0 --> WLAN or second LAN or what ever
or
br0 --> WLAN or second LAN or what ever
So you have to change the following files
dsl-provider.MBR: ppp0 comes over eth2
interfaces.MBR: see above
default_isc-dhcp-server.MBR
ipt-firewall.MBR: LAN device (mostly ) = eth1
second LAN WLAN or what ever (if present) = eth0

1
MBR/bin/admin-stuff Submodule

Submodule MBR/bin/admin-stuff added at 6c91fc0987

Submodule MBR/bin/manage-gw-config added at 2a96dfdc8f

1
MBR/bin/monitoring Submodule

Submodule MBR/bin/monitoring added at 0611d0a2ad

1
MBR/bin/postfix Submodule

Submodule MBR/bin/postfix added at c1934d5bde

69
MBR/bind/bind.keys Normal file

@ -0,0 +1,69 @@
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of Feburary 2017. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
#
# NOTE: The ISC DLV zone is being phased out as of February 2017;
# the key will remain in place but the zone will be otherwise empty.
# Configuring "dnssec-lookaside auto;" to activate this key is
# harmless, but is no longer useful and is not recommended.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
# These keys are activated by setting "dnssec-validation auto;"
# in named.conf.
#
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
# the root zone.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
# This key (20326) is to be published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
# file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained
# automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};

12
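--- a/MBR/bind/db.0
+++ b/MBR/bind/db.0
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+1 ; Serial
+604800 ; Refresh
+86400 ; Retry
+2419200 ; Expire
+604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.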

13
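--- a/MBR/bind/db.127
+++ b/MBR/bind/db.127
@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+1 ; Serial
+604800 ; Refresh
+86400 ; Retry
+2419200 ; Expire
+604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+1.0.0 IN PTR localhost.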

92
MBR/bind/db.192.168.112.0 Normal file

@ -0,0 +1,92 @@
;
; BIND reverse data file for local mbr-bln.netz zone
;
$TTL 43600
@ IN SOA ns.mbr-bln.netz. ckubu.oopen.de. (
2012122401 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns.mbr-bln.netz.
; Gateway/Firewall
254 IN PTR gw-mbr.mbr-bln.netz.
; (Caching ) Nameserver
1 IN PTR ns.mbr-bln.netz.
; - Fileserver
10 IN PTR file-mbr.mbr-bln.netz.
201 IN PTR file-ipmi-alt.mbr-bln.netz.
15 IN PTR file-ipmi.mbr-bln.netz.
; - KVM Windows 7
20 IN PTR file-win10.mbr-bln.netz.
21 IN PTR file-win7-alt.mbr-bln.netz.
; Accesspoint - WAG54GX2
; 52 IN PTR linksys-wag54gx2.mbr-bln.netz.
; Laserdrucker Kyocera FS 3838DN
;230 IN PTR fs_3830dtn.mbr-bln.netz.
; Multifunktionsgeraet (Triumph)
5 IN PTR drucker-triumph.mbr-bln.netz.
6 IN PTR drucker-samsung.mbr-bln.netz.
7 IN PTR canon-lpb712cx.mbr-bln.netz.
35 IN PTR camera.mbr-bln.netz.
; - Office PCs
101 IN PTR pc101.mbr-bln.netz.
102 IN PTR pc102.mbr-bln.netz.
103 IN PTR pc103.mbr-bln.netz.
104 IN PTR pc104.mbr-bln.netz.
105 IN PTR pc105.mbr-bln.netz.
106 IN PTR pc106.mbr-bln.netz.
107 IN PTR pc107.mbr-bln.netz.
108 IN PTR pc108.mbr-bln.netz.
109 IN PTR pc109.mbr-bln.netz.
110 IN PTR pc110.mbr-bln.netz.
111 IN PTR pc111.mbr-bln.netz.
112 IN PTR pc112.mbr-bln.netz.
113 IN PTR pc113.mbr-bln.netz.
114 IN PTR pc114.mbr-bln.netz.
115 IN PTR pc115.mbr-bln.netz.
116 IN PTR pc116.mbr-bln.netz.
117 IN PTR pc117.mbr-bln.netz.
118 IN PTR pc118.mbr-bln.netz.
119 IN PTR pc119.mbr-bln.netz.
120 IN PTR pc120.mbr-bln.netz.
121 IN PTR pc121.mbr-bln.netz.
122 IN PTR pc122.mbr-bln.netz.
123 IN PTR pc123.mbr-bln.netz.
124 IN PTR pc124.mbr-bln.netz.
125 IN PTR pc125.mbr-bln.netz.
126 IN PTR pc126.mbr-bln.netz.
127 IN PTR pc127.mbr-bln.netz.
128 IN PTR pc128.mbr-bln.netz.
129 IN PTR pc129.mbr-bln.netz.
130 IN PTR pc130.mbr-bln.netz.
131 IN PTR pc131.mbr-bln.netz.
132 IN PTR pc132.mbr-bln.netz.
133 IN PTR pc133.mbr-bln.netz.
134 IN PTR pc134.mbr-bln.netz.
135 IN PTR pc135.mbr-bln.netz.
136 IN PTR pc136.mbr-bln.netz.
137 IN PTR pc137.mbr-bln.netz.
138 IN PTR pc138.mbr-bln.netz.
; - Laptops
151 IN PTR lap151.mbr-bln.netz.
; - ckubu
90 IN PTR devil.mbr-bln.netz.

12
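--- a/MBR/bind/db.255
+++ b/MBR/bind/db.255
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+1 ; Serial
+604800 ; Refresh
+86400 ; Retry
+2419200 ; Expire
+604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.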

14
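--- a/MBR/bind/db.empty
+++ b/MBR/bind/db.empty
@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL 86400
+@ IN SOA localhost. root.localhost. (
+1 ; Serial
+604800 ; Refresh
+86400 ; Retry
+2419200 ; Expire
+86400 ) ; Negative Cache TTL
+;
+@ IN NS localhost.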

14
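--- a/MBR/bind/db.local
+++ b/MBR/bind/db.local
@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+2 ; Serial
+604800 ; Refresh
+86400 ; Retry
+2419200 ; Expire
+604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+@ IN A 127.0.0.1
+@ IN AAAA ::1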

114
MBR/bind/db.mbr-bln.netz Normal file

@ -0,0 +1,114 @@
;
; BIND data file for local mbr-bln.netz zone
;
$TTL 43600
@ IN SOA ns.mbr-bln.netz. ckubu.oopen.de. (
2017122402 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns.mbr-bln.netz.
; - Gateway/Firewall
gw-mbr IN A 192.168.112.254
gate IN CNAME gw-mbr
gw IN CNAME gw-mbr
gw-ipmi IN A 172.16.112.15
; - (Caching ) Nameserver
ns IN A 192.168.112.1
nscache IN CNAME ns
; - Fileserver
file-mbr IN A 192.168.112.10
file IN CNAME file-mbr
file-mbr-alt IN A 192.168.112.210
file-mbr-neu IN A 192.168.112.10
file-ipmi-alt IN A 192.168.112.201
file-ipmi IN A 192.168.112.15
; - KVM Windows 7
file-win7-alt IN A 192.168.112.21
; - KVM Windows 10
file-win10 IN A 192.168.112.20
winserver IN CNAME file-win10
; - Accesspoint - WAG54GX2
;linksys_wag54gx2 IN A 192.168.112.52
;ap-nuclear IN CNAME linksys-wag54gx2
; - Laserdrucker Kyocera FS 3838DN
;fs-3830dtn IN A 192.168.112.230
;drucker IN CNAME fs-3830dtn
drucker-triumph IN A 192.168.112.5
drucker-samsung IN A 192.168.112.6
canon-lpb712cx IN A 192.168.112.7
canondb88b2 IN CNAME canon-lpb712cx
camera IN A 192.168.112.35
; - Lancom 1781VAW
lancom IN A 172.16.112.254
; - Office PCs
pc101 IN A 192.168.112.101
pc102 IN A 192.168.112.102
pc103 IN A 192.168.112.103
pc104 IN A 192.168.112.104
pc105 IN A 192.168.112.105
pc106 IN A 192.168.112.106
pc107 IN A 192.168.112.107
pc108 IN A 192.168.112.108
pc109 IN A 192.168.112.109
pc110 IN A 192.168.112.110
pc111 IN A 192.168.112.111
pc112 IN A 192.168.112.112
pc113 IN A 192.168.112.113
pc114 IN A 192.168.112.114
pc115 IN A 192.168.112.115
pc116 IN A 192.168.112.116
pc117 IN A 192.168.112.117
pc118 IN A 192.168.112.118
pc119 IN A 192.168.112.119
pc120 IN A 192.168.112.120
pc121 IN A 192.168.112.121
pc122 IN A 192.168.112.122
pc123 IN A 192.168.112.123
pc124 IN A 192.168.112.124
pc125 IN A 192.168.112.125
pc126 IN A 192.168.112.126
pc127 IN A 192.168.112.127
pc128 IN A 192.168.112.128
pc129 IN A 192.168.112.129
pc130 IN A 192.168.112.130
pc131 IN A 192.168.112.131
pc132 IN A 192.168.112.132
pc133 IN A 192.168.112.133
pc134 IN A 192.168.112.134
pc135 IN A 192.168.112.135
pc136 IN A 192.168.112.136
pc137 IN A 192.168.112.137
pc138 IN A 192.168.112.138
; - Laptops
lap151 IN A 192.168.112.151
; - ckubu
devil IN A 192.168.112.90
kvm-win7 IN A 192.168.112.41
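Review bot: `file-ipmi IN A 192.168.112.15` and `file-ipmi-alt IN A 192.168.112.201` place the file server's management controllers in the same /24 as the office PCs, which suggests the BMCs are reachable from every workstation. A separate management segment, as the 172.16.112.x address of `gw-ipmi` seems to use, or a firewall rule limiting access to admin hosts would be the safer layout. Two smaller points: `file-mbr-neu` duplicates the address of `file-mbr` and reads like a migration leftover, and `kvm-win7` (192.168.112.41) and `file-mbr-alt` (192.168.112.210) have no PTR in `db.192.168.112.0`, whose serial `2012122401` is five years behind this zone's `2017122402`. A one-line comment per record group stating which entries are retired would help the next maintainer.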

90
MBR/bind/db.root Normal file

@ -0,0 +1,90 @@
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: February 17, 2016
; related version of root zone: 2016021701
;
; formerly NS.INTERNIC.NET
;
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file

11
MBR/bind/named.conf Normal file

@ -0,0 +1,11 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


@ -0,0 +1,30 @@
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

23
MBR/bind/named.conf.local Normal file

@ -0,0 +1,23 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "mbr-bln.netz" {
type master;
file "/etc/bind/db.mbr-bln.netz";
};
zone "112.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.112.0";
};
zone "mbr.netz" {
type slave;
file "/etc/bind/slave/db.mbr.netz";
masters { 192.168.112.10; };
};
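Review bot: The `mbr.netz` slave zone accepts transfers from `masters { 192.168.112.10; };` on source address alone, so the zone data this resolver serves is only as trustworthy as that one LAN address. Authenticating the transfer with a TSIG key shared with the master closes that gap, e.g. `masters { 192.168.112.10 key "<XFER-KEY-NAME>"; };` with a matching `key` statement kept outside the repository. The fetched copy `slave/db.mbr.netz` is also committed here as a binary file; it is regenerated state and would be better excluded from version control.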


@ -0,0 +1,8 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


@ -0,0 +1,97 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
// Security options
listen-on port 53 {
127.0.0.1;
192.168.112.1;
};
allow-query {
127.0.0.1;
192.168.0.0/16;
10.0.0.0/8;
172.16.0/12;
};
// caching name services
recursion yes;
allow-recursion {
127.0.0.1;
192.168.0.0/16;
10.0.0.0/16;
172.16.0/12;
};
allow-transfer { none; };
listen-on-v6 { any; };
check-names slave ignore;
};
logging {
channel simple_log {
file "/var/log/named/bind.log" versions 3 size 5m;
//severity warning;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel queries_log {
file "/var/log/named/query.log" versions 10 size 5m;
severity debug;
//severity notice;
print-time yes;
print-severity yes;
print-category no;
};
channel log_zone_transfers {
file "/var/log/named/axfr.log" versions 5 size 2m;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category resolver {
queries_log;
};
category queries {
queries_log;
};
category xfer-in {
log_zone_transfers;
};
category xfer-out {
log_zone_transfers;
};
category notify {
log_zone_transfers;
};
category default{
simple_log;
};
};
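Review bot: `listen-on-v6 { any; };` opens the IPv6 listener on every interface of this gateway, while the IPv4 `listen-on` block above it is deliberately limited to 127.0.0.1 and 192.168.112.1. The `allow-query` and `allow-recursion` lists hold only IPv4 entries, so IPv6 clients should be refused, but the socket is still exposed on the outside interface; if IPv6 service is not needed, `listen-on-v6 { none; };` matches the IPv4 intent. The two ACLs also disagree: `allow-query` has `10.0.0.0/8` where `allow-recursion` has `10.0.0.0/16`, which looks like a typo, and one named `acl` referenced from both options would prevent that drift. `severity debug;` on `queries_log` records every client query, so a comment stating why and for how long that is wanted would be useful.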


@ -0,0 +1,26 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};

4
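--- a/MBR/bind/rndc.key
+++ b/MBR/bind/rndc.key
@@ -0,0 +1,4 @@
+key "rndc-key" {
+algorithm hmac-md5;
+secret "/tSHIKySQHHdATfB4yUyuQ==";
+};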
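Review bot: The `secret` line commits the live rndc control-channel key, so anyone with read access to this repository holds the credential that authorises `rndc` commands against named on this gateway. Treat the key as exposed: generate a new one on the host, keep `rndc.key` out of the repository (or commit a template with a placeholder secret), and make the file readable only by the bind user. `algorithm hmac-md5;` is worth replacing at the same time, e.g. by regenerating with `rndc-confgen -a -A hmac-sha256`.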

BIN
MBR/bind/slave/db.mbr.netz Normal file

Binary file not shown.

Binary file not shown.

20
MBR/bind/zones.rfc1918 Normal file

@ -0,0 +1,20 @@
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

39
MBR/cron_root.MBR Normal file

@ -0,0 +1,39 @@
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.OeRUKo/crontab installed on Tue Dec 19 01:18:53 2017)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
PATH=/root/bin:/root/bin/admin-stuff:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# check forwarding ( /proc/sys/net/ipv4/ip_forward contains "1" )
# if not set this entry to "1"
#
0-59/2 * * * * /root/bin/monitoring/check_forwarding.sh
# check if openvpn is running if not restart the service
#
0-59/30 * * * * /root/bin/monitoring/check_vpn.sh
# - Copy gateway configuration
# -
09 3 * * * /root/bin/manage-gw-config/copy_gateway-config.sh MBR
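Review bot: The `PATH=` line puts `/root/bin` and `/root/bin/admin-stuff` ahead of the system directories for every root job, so any executable in those trees that shares a name with a system tool is what the scripts will run as root. Both directories are populated from Git submodules in this commit, which makes their contents depend on whatever those repositories hold. The three jobs already use absolute paths; moving the two private directories to the end of `PATH`, or dropping them and calling helpers by full path inside the scripts, removes the shadowing risk.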

14
MBR/ddclient.conf.MBR Normal file

@ -0,0 +1,14 @@
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
protocol=dyndns2
use=web, web=checkip.dyndns.com, web-skip='IP Address'
server=members.dyndns.org
login=ckubu
password='7213b4e6178a11e6ab1362f831f6741e'
mbr-bln.homelinux.org
ssl=yes
mail=argus@oopen.de
mail-failure=root
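Review bot: The `login=` and `password=` lines store the dynamic-DNS account credentials in clear text in the repository, so anyone who can read it can repoint `mbr-bln.homelinux.org`. Rotate the password at the provider, commit only a template with a placeholder such as `password='<SET-ON-HOST>'`, and keep the real `/etc/ddclient.conf` at mode 0600 on the host.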


@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="eth1"
#INTERFACESv6=""

404
MBR/dhcpd.conf.MBR Normal file

@ -0,0 +1,404 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.112.255;
#option domain-name "example.org";
#option domain-name-servers ns1.example.org, ns2.example.org;
option domain-name-servers nscache.mbr-bln.netz;
option domain-name "mbr-bln.netz";
option routers gw-mbr.mbr-bln.netz;
default-lease-time 600;
max-lease-time 7200;
#default-lease-time 86400;
#max-lease-time 259200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 192.168.112.0 netmask 255.255.255.0 {
range 192.168.112.161 192.168.112.190;
# --- 192.168.102.160/27 ---
# network address....: 192.168.112.160
# Broadcast address..: 192.168.112.191
# netmask............: 255.255.255.224
# network range......: 192.168.112.160 - 192.168.112.191
# Usable range.......: 192.168.112.161 - 192.168.112.190
option domain-name-servers file-mbr.mbr-bln.netz, nscache.mbr-bln.netz;
option domain-name "mbr-bln.netz";
option domain-search "mbr.netz", "mbr-bln.netz";
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.112.255;
option routers gw-mbr.mbr-bln.netz;
default-lease-time 86400;
max-lease-time 259200;
}
## - group domain
group {
default-lease-time 86400;
max-lease-time 259200;
host file-mbr {
hardware ethernet 00:25:90:7e:9d:68;
fixed-address file-mbr.mbr-bln.netz ;
}
host file-ipmi {
hardware ethernet ac:1f:6b:05:11:de ;
fixed-address file-ipmi.mbr-bln.netz ;
}
host file-ipmi-alt {
hardware ethernet 00:25:90:7e:9a:8b ;
fixed-address file-ipmi-alt.mbr-bln.netz ;
}
host file-win10 {
hardware ethernet 52:54:00:21:dd:d4;
fixed-address file-win10.mbr-bln.netz ;
}
host file-win7-alt {
hardware ethernet 52:54:00:a2:e3:93;
fixed-address file-win7-alt.mbr-bln.netz ;
}
host drucker-triumph {
hardware ethernet 00:c0:ee:1a:9b:f6;
fixed-address drucker-triumph.mbr-bln.netz ;
}
host drucker-samsung {
hardware ethernet 00:15:99:5e:3b:f3;
fixed-address drucker-samsung.mbr-bln.netz ;
}
host canon-lpb712cx {
hardware ethernet 60:12:8b:db:88:b2;
fixed-address canon-lpb712cx.mbr-bln.netz ;
}
host camera {
hardware ethernet 00:40:8c:99:eb:b1;
fixed-address camera.mbr-bln.netz ;
}
host pc101 {
hardware ethernet 54:04:a6:0a:73:25;
fixed-address pc101.mbr-bln.netz ;
}
host pc130 {
hardware ethernet 80:ee:73:b9:8e:9c;
fixed-address pc130.mbr-bln.netz ;
}
host pc102 {
hardware ethernet 54:04:a6:0a:5f:a3;
fixed-address pc102.mbr-bln.netz ;
}
host pc103 {
hardware ethernet 00:19:66:22:79:92;
fixed-address pc103.mbr-bln.netz ;
}
host pc104 {
hardware ethernet 00:19:66:92:dd:34;
fixed-address pc104.mbr-bln.netz ;
}
host pc105 {
hardware ethernet 54:04:a6:0a:5f:84;
fixed-address pc105.mbr-bln.netz ;
}
host pc106 {
hardware ethernet 20:cf:30:5c:60:6a;
fixed-address pc106.mbr-bln.netz ;
}
host pc107 {
hardware ethernet 54:04:a6:0a:72:d9;
fixed-address pc107.mbr-bln.netz ;
}
host pc108 {
hardware ethernet 00:19:66:71:d7:84;
fixed-address pc108.mbr-bln.netz ;
}
host pc109 {
hardware ethernet 00:1f:e2:54:0f:b9;
fixed-address pc109.mbr-bln.netz ;
}
host pc110 {
hardware ethernet 00:25:11:59:2e:0f;
fixed-address pc110.mbr-bln.netz ;
}
host pc111 {
hardware ethernet 00:19:66:2d:35:fb;
fixed-address pc111.mbr-bln.netz ;
}
host pc112 {
hardware ethernet 00:19:66:6a:86:fc;
fixed-address pc112.mbr-bln.netz ;
}
host pc113 {
hardware ethernet 00:19:66:42:1f:4e;
fixed-address pc113.mbr-bln.netz ;
}
host pc114 {
hardware ethernet 00:19:66:92:80:9e;
fixed-address pc114.mbr-bln.netz ;
}
host pc115 {
hardware ethernet 00:13:8f:88:4b:d3 ;
fixed-address pc115.mbr-bln.netz ;
}
host pc116 {
hardware ethernet 54:04:a6:f2:17:8e ;
fixed-address pc116.mbr-bln.netz ;
}
#host pc117 {
# hardware ethernet ;
# fixed-address pc117.mbr-bln.netz ;
#}
host pc118 {
hardware ethernet 00:22:4D:88:4B:BE ;
fixed-address pc118.mbr-bln.netz ;
}
host pc119 {
hardware ethernet 00:22:4D:88:4B:B2;
fixed-address pc119.mbr-bln.netz ;
}
host pc120 {
hardware ethernet 00:22:4d:88:48:c7;
fixed-address pc120.mbr-bln.netz ;
}
host pc121 {
hardware ethernet 00:22:4d:88:4b:33;
fixed-address pc121.mbr-bln.netz ;
}
host pc122 {
hardware ethernet 00:22:4d:88:4b:dc ;
fixed-address pc122.mbr-bln.netz ;
}
host pc123 {
hardware ethernet 00:22:4d:88:4b:d0 ;
fixed-address pc123.mbr-bln.netz ;
}
host pc124 {
hardware ethernet 74:d4:35:8d:0d:8c ;
fixed-address pc124.mbr-bln.netz ;
}
host pc125 {
hardware ethernet 20:25:64:0c:55:ca ;
fixed-address pc125.mbr-bln.netz ;
}
host pc126 {
hardware ethernet 20:25:64:0c:55:6b ;
fixed-address pc126.mbr-bln.netz ;
}
host pc127 {
hardware ethernet 74:d4:35:be:a4:5a ;
fixed-address pc127.mbr-bln.netz ;
}
host pc128 {
hardware ethernet 80:ee:73:b5:e2:95 ;
fixed-address pc128.mbr-bln.netz ;
}
host pc129 {
hardware ethernet 80:ee:73:b5:e4:50 ;
fixed-address pc129.mbr-bln.netz ;
}
host pc131 {
hardware ethernet 80:ee:73:b7:d2:c3 ;
fixed-address pc131.mbr-bln.netz ;
}
host pc132 {
hardware ethernet 80:ee:73:bd:ad:57 ;
fixed-address pc132.mbr-bln.netz ;
}
host pc133 {
hardware ethernet 80:ee:73:c0:7f:fb ;
fixed-address pc133.mbr-bln.netz ;
}
host pc134 {
hardware ethernet 80:ee:73:c5:e8:39 ;
fixed-address pc134.mbr-bln.netz ;
}
host pc135 {
hardware ethernet 80:ee:73:c5:e6:5f ;
fixed-address pc135.mbr-bln.netz ;
}
#host pc136 {
# hardware ethernet ;
# fixed-address pc136.mbr-bln.netz ;
#}
host pc137 {
hardware ethernet 80:ee:73:c5:e7:4f ;
fixed-address pc137.mbr-bln.netz ;
}
host pc138 {
hardware ethernet 80:ee:73:c9:91:d7 ;
#hardware ethernet 80:ee:73:c9:91:d8 ;
fixed-address pc138.mbr-bln.netz ;
}
host lap151 {
hardware ethernet f0:de:f1:67:d1:9d;
fixed-address lap151.mbr-bln.netz ;
}
host devil {
hardware ethernet 5c:ff:35:01:e9:03;
fixed-address devil.mbr-bln.netz ;
}
# kvm windows 7 on sol
host kvm-win7 {
hardware ethernet 52:54:00:e4:f9:81;
fixed-address kvm-win7.mbr-bln.netz ;
}
}
subnet 192.168.63.0 netmask 255.255.255.0 {
}
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
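Review bot: The comment above `subnet 192.168.112.0 netmask 255.255.255.0` still says "No service will be given on this subnet", yet the block defines `range 192.168.112.161 192.168.112.190;` and is the served LAN; the header inside it also reads `192.168.102.160/27` where every address below is 192.168.112.x. I would replace both with something like `# Office LAN: dynamic pool 192.168.112.161-190, fixed hosts in the group below`. Every `fixed-address`, `option routers` and `option domain-name-servers` value is a host name that dhcpd must resolve through DNS, presumably the BIND instance on this same gateway, so a resolver problem can leave DHCP handing out wrong or no settings; literal addresses for at least the router and name servers avoid that dependency. The empty `subnet 192.168.63.0` declaration has no comment saying which interface it is for.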

102
MBR/dhcpd6.conf.MBR Normal file

@ -0,0 +1,102 @@
# Server configuration file example for DHCPv6
# From the file used for TAHI tests - addresses chosen
# to match TAHI rather than example block.
# IPv6 address valid lifetime
# (at the end the address is no longer usable by the client)
# (set to 30 days, the usual IPv6 default)
default-lease-time 2592000;
# IPv6 address preferred lifetime
# (at the end the address is deprecated, i.e., the client should use
# other addresses for new connections)
# (set to 7 days, the usual IPv6 default)
preferred-lifetime 604800;
# T1, the delay before Renew
# (default is 1/2 preferred lifetime)
# (set to 1 hour)
option dhcp-renewal-time 3600;
# T2, the delay before Rebind (if Renews failed)
# (default is 3/4 preferred lifetime)
# (set to 2 hours)
option dhcp-rebinding-time 7200;
# Enable RFC 5007 support (same than for DHCPv4)
allow leasequery;
# Global definitions for name server address(es) and domain search list
option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:3f3e;
option dhcp6.domain-search "test.example.com","example.com";
# Set preference to 255 (maximum) in order to avoid waiting for
# additional servers when there is only one
##option dhcp6.preference 255;
# Server side command to enable rapid-commit (2 packet exchange)
##option dhcp6.rapid-commit;
# The delay before information-request refresh
# (minimum is 10 minutes, maximum one day, default is to not refresh)
# (set to 6 hours)
option dhcp6.info-refresh-time 21600;
# Static definition (must be global)
#host myclient {
# # The entry is looked up by this
# host-identifier option
# dhcp6.client-id 00:01:00:01:00:04:93:e0:00:00:00:00:a2:a2;
#
# # A fixed address
# fixed-address6 3ffe:501:ffff:100::1234;
#
# # A fixed prefix
# fixed-prefix6 3ffe:501:ffff:101::/64;
#
# # Override of the global definitions,
# # works only when a resource (address or prefix) is assigned
# option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:4f4e;
#
# # For debug (to see when the entry statements are executed)
# # (log "sol" when a matching Solicitation is received)
# ##if packet(0,1) = 1 { log(debug,"sol"); }
#}
#
#host otherclient {
# # This host entry is hopefully matched if the client supplies a DUID-LL
# # or DUID-LLT containing this MAC address.
# hardware ethernet 01:00:80:a2:55:67;
#
# fixed-address6 3ffe:501:ffff:100::4321;
#}
# The subnet where the server is attached
# (i.e., the server has an address in this subnet)
#subnet6 3ffe:501:ffff:100::/64 {
# # Two addresses available to clients
# # (the third client should get NoAddrsAvail)
# range6 3ffe:501:ffff:100::10 3ffe:501:ffff:100::11;
#
# # Use the whole /64 prefix for temporary addresses
# # (i.e., direct application of RFC 4941)
# range6 3ffe:501:ffff:100:: temporary;
#
# # Some /64 prefixes available for Prefix Delegation (RFC 3633)
# prefix6 3ffe:501:ffff:100:: 3ffe:501:ffff:111:: /64;
#}
# A second subnet behind a relay agent
#subnet6 3ffe:501:ffff:101::/64 {
# range6 3ffe:501:ffff:101::10 3ffe:501:ffff:101::11;
#
# # Override of the global definitions,
# # works only when a resource (address or prefix) is assigned
# option dhcp6.name-servers 3ffe:501:ffff:101:200:ff:fe00:3f3e;
#
#}
# A third subnet behind a relay agent chain
#subnet6 3ffe:501:ffff:102::/64 {
# range6 3ffe:501:ffff:102::10 3ffe:501:ffff:102::11;
#}
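Review bot: `allow leasequery;` is enabled globally although nothing in this file needs it, since every `host` and `subnet6` block is commented out and the server has no active scope. Leasequery answers questions about which client holds which address, and nothing on this page restricts who may ask, so I would ship it disabled as `#allow leasequery;` until a relay actually requires it. The global `option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:3f3e;` and the `example.com` search list are the upstream TAHI sample values; they should be replaced with the site's own resolver and domain before any `subnet6` is enabled, otherwise clients are pointed at a resolver the site does not operate.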

1
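--- a/MBR/hostname.MBR
+++ b/MBR/hostname.MBR
@@ -0,0 +1 @@
+gw-mbr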

7
MBR/hosts.MBR Normal file

@ -0,0 +1,7 @@
127.0.0.1 localhost
127.0.1.1 gw-mbr.mbr.netz gw-mbr
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

49
MBR/interfaces.MBR Normal file

@ -0,0 +1,49 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
#-----------------------------
# eth2 - WAN
#-----------------------------
auto eth2
iface eth2 inet static
address 172.16.112.1
network 172.16.112.0
netmask 255.255.255.0
broadcast 172.16.112.255
gateway 172.16.112.254
#-----------------------------
# eth1 - LAN + WLAN
#-----------------------------
auto eth1 eth1:ns
iface eth1 inet static
address 192.168.112.254
network 192.168.112.0
netmask 255.255.255.0
broadcast 192.168.112.255
iface eth1:ns inet static
address 192.168.112.1
network 192.168.112.0
netmask 255.255.255.0
broadcast 192.168.112.255
## - wlan
iface eth1:1 inet static
address 192.168.113.254
network 192.168.113.0
netmask 255.255.255.0
broadcast 192.168.113.255
# The primary network interface
#allow-hotplug enp0s20f2
#iface enp0s20f2 inet dhcp
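Review bot: The WLAN network 192.168.113.0/24 is configured as the alias `eth1:1` on the same physical interface as the LAN, so both share one layer-2 segment and interface-based firewall rules cannot tell them apart; a wireless client that assigns itself a 192.168.112.x address is simply on the LAN. A dedicated NIC or a VLAN sub-interface for the WLAN would give the separation that the two subnets suggest. Separately, `eth1:1` is missing from `auto eth1 eth1:ns`, so as written it is not brought up at boot; if the alias stays, the line should read `auto eth1 eth1:ns eth1:1`.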


@ -0,0 +1,14 @@
[Unit]
Description=IPv4 Firewall with iptables
After=network.target
[Service]
SyslogIdentifier="ipt-gateway"
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ipt-firewall-gateway start
ExecStop=/usr/local/sbin/ipt-firewall-gateway stop
User=root
[Install]
WantedBy=multi-user.target
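Review bot: `After=network.target` orders the firewall after the interfaces have been configured, which leaves a window at boot in which the WAN interface is up with no rules loaded. systemd provides `network-pre.target` for exactly this case; I would replace the line with `Wants=network-pre.target` and `Before=network-pre.target`, provided `ipt-firewall-gateway` does not need the interface addresses to exist when it runs (the script is not shown in this section, so that needs checking). `User=root` is the default for a system unit and can be dropped.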


@ -0,0 +1,44 @@
#!/usr/bin/env bash
# =============
# --- Define Ports for Services out
# =============
standard_ident_port=113
standard_silc_port=706
standard_irc_port=6667
standard_jabber_port=5222
standard_smtp_port=25
standard_ssh_port=22
standard_http_port=80
standard_https_port=443
standard_ftp_port=21
standard_tftp_udp_port=69
standard_ntp_port=123
standard_snmp_port=161
standard_snmp_trap_port=162
standard_timeserver_port=37
standard_pgp_keyserver_port=11371
standard_telnet_port=23
standard_whois_port=43
standard_cpan_wait_port=1404
standard_xymon_port=1984
standard_hbci_port=3000
standard_mysql_port=3306
standard_ipp_port=631
standard_cups_port=$standard_ipp_port
standard_print_raw_port=515
standard_print_port=9100
standard_remote_console_port=5900
# - IPsec - Internet Security Association and
# - Key Management Protocol
standard_isakmp_port=500
standard_ipsec_nat_t=4500
# - Comma separated lists
# -
standard_http_ports="80,443"
standard_mailuser_ports="587,465,110,995,143,993"
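Review bot: The two printer variables look swapped: `standard_print_raw_port=515` is the LPD port, while `standard_print_port=9100` is the raw/JetDirect port, so a rule written against the "raw" name opens 515 instead of 9100. The rules that consume these names are outside this section, so renaming has to be done together with them; at minimum I would add the comment `# 515 = LPD/LPR, 9100 = raw (JetDirect)` above the two assignments so that the next editor does not trust the names.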


@ -0,0 +1,113 @@
#!/usr/bin/env bash
# =============
# --- Some functions
# =============
# - Is this script running on terminal ?
# -
if [[ -t 1 ]] ; then
terminal=true
else
terminal=false
fi
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
echo_done() {
if $terminal ; then
echo -e "\033[75G[ \033[32mdone\033[m ]"
else
echo " [ done ]"
fi
}
echo_ok() {
if $terminal ; then
echo -e "\033[75G[ \033[32mok\033[m ]"
else
echo " [ ok ]"
fi
}
echo_warning() {
if $terminal ; then
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
else
echo " [ warning ]"
fi
}
echo_failed(){
if $terminal ; then
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
else
echo ' [ failed! ]'
fi
}
echo_skipped() {
if $terminal ; then
echo -e "\033[75G[ \033[37mskipped\033[m ]"
else
echo " [ skipped ]"
fi
}
fatal (){
echo ""
echo ""
if $terminal ; then
echo -e "\t[ \033[31m\033[1mFatal\033[m ]: \033[37m\033[1m$*\033[m"
echo ""
echo -e "\t\033[31m\033[1m Firewall Script will be interrupted..\033[m\033[m"
else
echo "fatal: $*"
echo "Firewall Script will be interrupted.."
fi
echo ""
exit 1
}
error(){
echo ""
if $terminal ; then
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
else
echo "Error: $*"
fi
echo ""
}
warn (){
echo ""
if $terminal ; then
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
else
echo "Warning: $*"
fi
echo ""
}
info (){
echo ""
if $terminal ; then
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
else
echo "Info: $*"
fi
echo ""
}
## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
local e
for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
return 1
}
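Review bot: `echononl` writes to the predictable path `/tmp/shprompt$$`, and this library is sourced by a firewall script that runs as root, so a local user who pre-creates that name as a symlink can get a root-owned redirect to overwrite the link target unless the kernel's `fs.protected_symlinks` setting blocks it (insecure temporary file, CWE-377). The probe is not needed under the `bash` shebang this file declares, because the builtin `echo` accepts `-e -n` directly; the whole body can be reduced to `echo -e -n "$*" 1>&2`. In `error()` the terminal branch prints `Fehler` while the non-terminal branch prints `Error:`; one wording should be used for both so that log searches match.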


@ -0,0 +1,49 @@
#!/usr/bin/env bash
# =============
# --- Define Network Interfaces / Ip-Adresses / Ports
# =============
# - Extern Interfaces DSL Lines
# - (blank separated list)
ext_if_dsl_1=""
ext_if_dsl_2=""
ext_if_dsl_3=""
ext_if_dsl_4=""
ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
# - Extern Interfaces Static Lines
# - (blank separated list)
ext_if_static_1="eth2"
ext_if_static_2=""
ext_if_static_3=""
ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
# - VPN Interfaces
# - (blank separated list)
vpn_ifs="tun+"
# - Local Interfaces
local_if_1="eth1"
local_if_2=""
local_if_3=""
local_if_4=""
local_if_5=""
local_if_6=""
local_if_7=""
local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
# - Devices given in list "nat_devices" will be natted
# -
# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
# -
# - Blank separated list
# -
nat_devices=""
# - Are local alias interfaces like eth0:0 defined"
# -
local_alias_interfaces=true


@ -0,0 +1,36 @@
# =============
# - Load Kernel Modules
# =============
# - Note:!
# - Since Kernel 4.7 the automatic conntrack helper assignment
# - is disabled by default (net.netfilter.nf_conntrack_helper = 0).
# - Enable it by setting this variable in file /etc/sysctl.conf:
# -
# - net.netfilter.nf_conntrack_helper = 1
# -
# - Reboot or type "sysctl -p"
ip_tables
iptable_nat
iptable_filter
iptable_mangle
iptable_raw
# - Load base modules for tracking
# -
nf_conntrack
nf_nat
# - Load module for FTP Connection tracking and NAT
# -
nf_conntrack_ftp
nf_nat_ftp
# - Load modules for SIP VOIP
# -
nf_conntrack_sip
nf_nat_sip
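Review bot: The header comment tells the administrator to set `net.netfilter.nf_conntrack_helper = 1`, which re-enables automatic helper assignment for all traffic on the helper ports; the kernel disabled that by default because a helper that parses FTP or SIP payloads from any source can be led to open expected connections through the firewall. Since `iptable_raw` is loaded here anyway, the safer form is to leave the sysctl at 0 and attach helpers explicitly, limited to the hosts that need them, for example `iptables -t raw -A PREROUTING -p tcp --dport 21 -d <ftp-server-ip> -j CT --helper ftp`. I would reword the comment to recommend that; whether the firewall script already adds such CT rules is not visible in this section.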


@ -0,0 +1,9 @@
# =============
# - Load Kernel Modules
# =============
ip6_tables
ip6table_filter
ip6t_REJECT
ip6table_mangle


@ -0,0 +1,40 @@
#!/usr/bin/env bash
# =============
# --- Logging
# =============
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=false
log_ssh=false
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
# - logging messages
# -
log_prefix="IPv4:"
# ---
# - Log all traffic for givven ip address
# ---
log_ips=""
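Review bot: Every `log_*` switch is `false`, so as committed the gateway records nothing about spoofed, invalid or blocked packets and leaves no trail to review after an incident; the IPv6 twin of this file (the one with `log_prefix="IPv6:"`) has the same defaults. I would enable at least `log_spoofed=true`, `log_invalid_state=true` and `log_blocked=true`, assuming the firewall script rate-limits its LOG rules, which is not visible here. With `log_level=debug` it is also worth confirming that the local syslog configuration actually stores kernel messages at that level.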


@ -0,0 +1,40 @@
#!/usr/bin/env bash
# =============
# --- Logging
# =============
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=false
log_ssh=false
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
# - logging messages
# -
log_prefix="IPv6:"
# ---
# - Log all traffic for givven ip address
# ---
log_ips=""

File diff suppressed because it is too large Load Diff


@ -0,0 +1,505 @@
#!/usr/bin/env bash
# -----------
# --- Define Arrays
# -----------
# ---
# - Masquerade TCP Connections
# ---
declare -a nat_network_arr
for _net in $nat_networks ; do
nat_network_arr+=("$_net")
done
declare -a masquerade_tcp_con_arr
for _str in $masquerade_tcp_cons ; do
masquerade_tcp_con_arr+=("$_str")
done
# ---
# - Extern Network interfaces (DSL, Staic Lines, All together)
# ---
declare -a nat_device_arr
declare -a dsl_device_arr
declare -a ext_if_arr
for _dev in $ext_ifs_dsl ; do
dsl_device_arr+=("$_dev")
ext_if_arr+=("$_dev")
nat_device_arr+=("$_dev")
done
for _dev in $ext_ifs_static ; do
ext_if_arr+=("$_dev")
done
for _dev in $nat_devices ; do
if ! containsElement $_dev "${nat_device_arr[@]}" ; then
nat_device_arr+=("$_dev")
fi
done
# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs ; do
vpn_if_arr+=("$_dev")
done
# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs ; do
local_if_arr+=("$_dev")
done
# ---
# - Network Interfaces completly blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs ; do
blocked_if_arr+=("$_dev")
done
# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs ; do
unprotected_if_arr+=("$_dev")
done
# ---
# - Allow these local networks any access to the internet
# ---
declare -a any_access_to_inet_network_arr
for _net in $any_access_to_inet_networks ; do
any_access_to_inet_network_arr+=("$_net")
done
declare -a any_access_from_inet_network_arr
for _net in $any_access_from_inet_networks ; do
any_access_from_inet_network_arr+=("$_net")
done
# ---
# - Allow local services from given extern networks
# ---
declare -a allow_ext_net_to_local_service_arr
for _val in $allow_ext_net_to_local_service ; do
allow_ext_net_to_local_service_arr+=("$_val")
done
# ---
# - Allow all traffic from extern address/network to local address/network
# ---
declare -a allow_ext_net_to_local_net_arr
for _val in $allow_ext_net_to_local_net ; do
allow_ext_net_to_local_net_arr+=("$_val")
done
# ---
# - Block all extern traffic to (given) local network
# ---
declare -a block_all_ext_to_local_net_arr
for _net in $block_all_ext_to_local_net ; do
block_all_ext_to_local_net_arr+=("$_net")
done
# ---
# - Allow local services from given local networks
# ---
declare -a allow_local_net_to_local_service_arr
for _val in $allow_local_net_to_local_service ; do
allow_local_net_to_local_service_arr+=("$_val")
done
# ---
# - Allow all traffic from local network to local ip-address
# ---
declare -a allow_local_net_to_local_ip_arr
for _val in $allow_local_net_to_local_ip ; do
allow_local_net_to_local_ip_arr+=("$_val")
done
# ---
# - Allow all traffic from local ip-address to local network
# ---
declare -a allow_local_ip_to_local_net_arr
for _val in $allow_local_ip_to_local_net ; do
allow_local_ip_to_local_net_arr+=("$_val")
done
# ---
# - Allow all traffic from (one) local network to (another) local network
# ---
declare -a allow_local_net_to_local_net_arr
for _val in $allow_local_net_to_local_net ; do
allow_local_net_to_local_net_arr+=("$_val")
done
# ---
# - Allow local ip address from given local interface
# ---
declare -a allow_local_if_to_local_ip_arr
for _val in $allow_local_if_to_local_ip ; do
allow_local_if_to_local_ip_arr+=("$_val")
done
# ---
# - Separate local Networks
# ---
declare -a separate_local_network_arr
for _net in $separate_local_networks ; do
separate_local_network_arr+=("$_net")
done
# ---
# - Separate local Interfaces
# ---
declare -a separate_local_if_arr
for _net in $separate_local_ifs ; do
separate_local_if_arr+=("$_net")
done
# ---
# - Generally block ports on extern interfaces
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports ; do
block_tcp_port_arr+=("$_port")
done
declare -a block_udp_port_arr
for _port in $block_udp_ports ; do
block_udp_port_arr+=("$_port")
done
# ---
# - Not wanted on intern interfaces
# ---
declare -a not_wanted_on_gw_tcp_port_arr
for _port in $not_wanted_on_gw_tcp_ports ; do
not_wanted_on_gw_tcp_port_arr+=("$_port")
done
declare -a not_wanted_on_gw_udp_port_arr
for _port in $not_wanted_on_gw_udp_ports ; do
not_wanted_on_gw_udp_port_arr+=("$_port")
done
# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips ; do
forward_private_ip_arr+=("$_ip")
done
# ---
# - IP Addresses to log
# ---
declare -a log_ip_arr
for _ip in $log_ips ; do
log_ip_arr+=("$_ip")
done
# ---
# - Network Devices local DHCP Client
# ---
declare -a dhcp_client_interfaces_arr
for _dev in $dhcp_client_interfaces ; do
dhcp_client_interfaces_arr+=("$_dev")
done
# ---
# - IP Addresses DHCP Failover Server
# ---
declare -a dhcp_failover_server_ip_arr
for _ip in $dhcp_failover_server_ips ; do
dhcp_failover_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses DNS Server
# ---
declare -a dns_server_ip_arr
for _ip in $dns_server_ips ; do
dns_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses SSH Server only at ocal Networks
# ---
declare -a ssh_server_only_local_ip_arr
for _ip in $ssh_server_only_local_ips ; do
ssh_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Adresses HTTP Server only local Networks
# ---
declare -a http_server_only_local_ip_arr
for _ip in $http_server_only_local_ips ; do
http_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Mail Server only local Networks
# ---
declare -a mail_server_only_local_ip_arr
for _ip in $mail_server_only_local_ips ; do
mail_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses FTP Server
# ---
declare -a ftp_server_only_local_ip_arr
for _ip in $ftp_server_only_local_ips ; do
ftp_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Samba Server
# ---
declare -a samba_server_local_ip_arr
for _ip in $samba_server_local_ips ; do
samba_server_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses LDAP Server
# ---
declare -a ldap_server_local_ip_arr
for _ip in $ldap_server_local_ips ; do
ldap_server_local_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Telephone Systems
# ---
declare -a tele_sys_ip_arr
for _ip in $tele_sys_ips ; do
tele_sys_ip_arr+=("$_ip")
done
# ---
# - IP Adresses SNMP Server
# ---
declare -a snmp_server_ip_arr
for _ip in $snmp_server_ips ; do
snmp_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Munin Service
# ---
declare -a munin_local_server_ip_arr
for _ip in $munin_local_server_ips ; do
munin_local_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips ; do
xymon_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses IPMI interface
# ---
declare -a ipmi_server_ip_arr
for _ip in $ipmi_server_ips ; do
ipmi_server_ip_arr+=("$_ip")
done
# ---
# -IP Addresses Ubiquiti Unifi Accesspoints
# ---
declare -a unifi_ap_local_ip_arr
for _ip in $unifi_ap_local_ips ; do
unifi_ap_local_ip_arr+=("$_ip")
done
declare -a unifi_controller_gateway_ip_arr
for _ip in $unifi_controller_gateway_ips ; do
unifi_controller_gateway_ip_arr+=("$_ip")
done
declare -a unify_controller_local_net_ip_arr
for _ip in $unify_controller_local_net_ips ; do
unify_controller_local_net_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Printer
# -
declare -a printer_ip_arr
for _ip in $printer_ips ; do
printer_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Brother Scanner (brscan)
# ---
declare -a brother_scanner_ip_arr
for _ip in $brother_scanner_ips ; do
brother_scanner_ip_arr+=("$_ip")
done
# ---
# - IP Addresses PCNS Server
# ---
declare -a pcns_server_ip_arr
for _ip in $pcns_server_ips ; do
pcns_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses VNC Service
# ---
declare -a rm_server_ip_arr
for _ip in $rm_server_ips ; do
rm_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Rsync Out
# ---
# local
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips ; do
rsync_out_ip_arr+=("$_ip")
done
# ---
# - Other local Services
# ---
declare -a other_service_arr
for _val in $other_services ; do
other_service_arr+=("$_val")
done
# ---
# - SSH Ports
# ---
declare -a ssh_port_arr
for _port in $ssh_ports ; do
ssh_port_arr+=("$_port")
done
# ---
# - Cisco kompartible VPN Ports
# ---
declare -a cisco_vpn_out_port_arr
for _port in $cisco_vpn_out_ports ; do
cisco_vpn_out_port_arr+=("$_port")
done
# ---
# - VPN Ports
# ---
declare -a vpn_gw_port_arr
for _port in $vpn_gw_ports ; do
vpn_gw_port_arr+=("$_port")
done
declare -a vpn_local_net_port_arr
for _port in $vpn_local_net_ports ; do
vpn_local_net_port_arr+=("$_port")
done
declare -a vpn_out_port_arr
for _port in $vpn_out_ports ; do
vpn_out_port_arr+=("$_port")
done
# ---
# - Rsync Out Ports
# --
declare -a rsync_port_arr
for _port in $rsync_ports ; do
rsync_port_arr+=("$_port")
done
# ---
# - Samba Ports
# ---
declare -a samba_udp_port_arr
for _port in $samba_udp_ports ; do
samba_udp_port_arr+=("$_port")
done
declare -a samba_tcp_port_arr
for _port in $samba_tcp_ports ; do
samba_tcp_port_arr+=("$_port")
done
# ---
# - LDAP Ports
# ---
declare -a ldap_udp_port_arr
for _port in $ldap_udp_ports ; do
ldap_udp_port_arr+=("$_port")
done
declare -a ldap_tcp_port_arr
for _port in $ldap_tcp_ports ; do
ldap_tcp_port_arr+=("$_port")
done
# ---
# - IPMI
# ---
declare -a ipmi_udp_port_arr
for _port in $ipmi_udp_ports ; do
ipmi_udp_port_arr+=("$_port")
done
declare -a ipmi_tcp_port_arr
for _port in $ipmi_tcp_ports ; do
ipmi_tcp_port_arr+=("$_port")
done
# ---
# - Portforwrds TCP
# ---
declare -a portforward_tcp_arr
for _str in $portforward_tcp ; do
portforward_tcp_arr+=("$_str")
done
# ---
# - Portforwrds UDP
# ---
declare -a portforward_udp_arr
for _str in $portforward_udp ; do
portforward_udp_arr+=("$_str")
done
# ---
# - MAC Address Filtering
# ---
declare -a allow_all_mac_src_address_arr
for _mac in $allow_all_mac_src_addresses ; do
allow_all_mac_src_address_arr+=("$_mac")
done
declare -a allow_local_mac_src_address_arr
for _mac in $allow_local_mac_src_addresses ; do
allow_local_mac_src_address_arr+=("$_mac")
done
declare -a allow_remote_mac_src_address_arr
for _mac in $allow_remote_mac_src_addresses ; do
allow_remote_mac_src_address_arr+=("$_mac")
done
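Review bot: Every list in this file is split with an unquoted `for _x in $var`, which performs pathname expansion as well as word splitting, so an entry containing `*`, `?` or `[` is replaced by matching file names from the current directory and the rule built from it no longer matches the configuration. Putting `set -f` before the first loop and `set +f` after the last one keeps the splitting and switches the globbing off. `containsElement $_dev` in the `nat_devices` loop should be quoted as `containsElement "$_dev"`. The last Unifi block reads `$unify_controller_local_net_ips` while its neighbours use the `unifi_` spelling; if the main configuration spells it `unifi_`, this array stays empty without any error, so the name should be checked against that file (not shown here).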

1
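--- a/MBR/mailname.MBR
+++ b/MBR/mailname.MBR
@@ -0,0 +1 @@
+gw-mbr.mbr-bln.netz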

268
MBR/main.cf.MBR Normal file

@ -0,0 +1,268 @@
# ============ Basic settings ============
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
## - The Internet protocols Postfix will attempt to use when making
## - or accepting connections.
## - DEFAULT: ipv4
inet_protocols = ipv4
#inet_interfaces = all
inet_interfaces =
127.0.0.1
#172.16.112.2
myhostname = gw-mbr.mbr-bln.netz
mydestination =
gw-mbr.mbr-bln.netz
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
#172.16.112.2/32
#smtp_bind_address = 172.16.112.2
#smtp_bind_address6 =
## - The method to generate the default value for the mynetworks parameter.
## -
## - mynetworks_style = host" when Postfix should "trust" only the local machine
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - clients in the same IP subnetworks as the local machine.
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - IP class A/B/C networks as the local machine.
## -
#mynetworks_style = host
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## -
mailbox_size_limit = 0
## - The maximal size in bytes of a message, including envelope information.
## -
## - we user 50MB
## -
message_size_limit = 52480000
## - The system-wide recipient address extension delimiter
## -
recipient_delimiter = +
## - The alias databases that are used for local(8) delivery.
## -
alias_maps =
hash:/etc/aliases
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## -
alias_database =
hash:/etc/aliases
## - The maximal time a message is queued before it is sent back as
## - undeliverable. Defaults to 5d (5 days)
## - Specify 0 when mail delivery should be tried only once.
## -
maximal_queue_lifetime = 3d
bounce_queue_lifetime = $maximal_queue_lifetime
## - delay_warning_time (default: 0h)
## -
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
delay_warning_time = 1d
# ============ Relay parameters ============
#relayhost =
# ============ SASL authentication ============
# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Forwarding to the ip-adress of host b.mx.oopen.de
relayhost = [b.mx.oopen.de]
# File including login data
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Force using a (TLS) security connection
# obsulete - use smtp_tls_security_level instead
#smtp_use_tls = yes
#smtp_tls_enforce_peername = no
smtp_tls_security_level = encrypt
# Disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# ============ TLS parameters ============
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=encrypt
## - Aktiviert TLS für den Mailversand
## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - but do not require that clients use TLS encryption.
# smtp_use_tls=yes
smtpd_tls_security_level=may
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## -
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_cert_file = /etc/postfix/ssl/mailserver.crt
smtpd_tls_key_file = /etc/postfix/ssl/mailserver.key
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024
## -
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
## - also possible to use 2048 key with that parameter
## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512
## -
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
## -
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - necessary "hash" links with, for example, "
## - /bin/c_rehash /etc/postfix/certs".
## -
## - !! Note !!
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## -
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - queue directory (/var/spool/postfix)
## -
#smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Disable SSLv2 SSLv3 - Postfix SMTP client
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
#
#smtpd_tls_mandatory_ciphers = high
#
# opportunistic
smtpd_tls_ciphers = high
# Exclude ciphers
#smtpd_tls_exclude_ciphers =
# RC4
# aNULL
# SEED-SHA
# EXP
# MD5
smtpd_tls_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5, CBC3-SHA
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
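Review bot: The relay credentials from `smtp_sasl_password_maps` are sent to `[b.mx.oopen.de]` under `smtp_tls_security_level = encrypt`, which requires TLS but does not check the server certificate, so a party able to intercept the connection can present any certificate and receive the login. `smtp_tls_CAfile` is already set, so the level can be raised to `smtp_tls_security_level = secure` (or `verify`); the second, identical assignment under the TLS heading should be removed, and the two German comments there are attached to the wrong side (the receive comment sits above the `smtp_` client setting, the send comment above `smtpd_`). `smtpd_tls_dh512_param_file` points at export-grade 512-bit parameters that the `EXPORT` exclusion leaves unused, and the comments still advise generating 512- and 1024-bit files; I would drop both the setting and that advice. In `smtpd_tls_exclude_ciphers`, `EDH-RSA-DES-CDC3-SHA` and `KRB5-DE5, CBC3-SHA` look like typos for `EDH-RSA-DES-CBC3-SHA` and `KRB5-DES-CBC3-SHA` and probably match no cipher as written.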


@ -0,0 +1,3 @@
ifconfig-push 10.1.112.2 255.255.255.0
iroute 192.168.63.0 255.255.255.0
iroute 192.168.64.0 255.255.255.0


@ -0,0 +1,18 @@
-----BEGIN X509 CRL-----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-----END X509 CRL-----


@ -0,0 +1 @@
/usr/share/easy-rsa/build-ca


@ -0,0 +1 @@
/usr/share/easy-rsa/build-dh


@ -0,0 +1 @@
/usr/share/easy-rsa/build-inter


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-pass


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-pkcs12


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-server


@ -0,0 +1 @@
/usr/share/easy-rsa/build-req


@ -0,0 +1 @@
/usr/share/easy-rsa/build-req-pass


@ -0,0 +1 @@
/usr/share/easy-rsa/clean-all


@ -0,0 +1 @@
/usr/share/easy-rsa/inherit-inter


@ -0,0 +1 @@
/usr/share/easy-rsa/list-crl


@ -0,0 +1,268 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always


@ -0,0 +1,293 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
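Review bot: The `[ v3_ca ]` section leaves the CA certificate without a `keyUsage` extension and with a non-critical `basicConstraints`, so a CA generated from this file carries no restriction on what its key may be used for. The in-file comments justify this with old client software that choked on critical extensions; for a VPN-only CA that trade-off is probably no longer needed. I would switch to `basicConstraints = critical,CA:true` and enable `keyUsage = cRLSign, keyCertSign`, both of which are already present as commented lines. The same two lines recur in the `[ v3_ca ]` sections of the next two files in this commit.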


@ -0,0 +1,290 @@
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
#default_days = 3650 # how long to certify for
default_days = 11688
#default_crl_days= 30 # how long before next CRL
default_crl_days = 11688
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
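Review bot: `default_crl_days = 11688` gives every CRL issued from this CA a next-update date about 32 years out, so a stale copy of `crl.pem` never looks expired to anything that checks it, and a revocation only takes effect where the new file has actually been distributed. `default_days = 11688` likewise makes issued certificates valid for about 32 years unless the caller passes its own `-days`. I would keep the CRL window short and regenerate it on a schedule, e.g. `default_crl_days = 30`, and pick a certificate lifetime that matches how long a client key is expected to stay in use. The trailing comment on `default_md = sha256 # use public key default MD` no longer describes the value and could read `# digest used for signing`.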


@ -0,0 +1,288 @@
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0


@ -0,0 +1 @@
/etc/openvpn/gw-ckubu/easy-rsa/openssl-1.0.0.cnf


@ -0,0 +1 @@
/usr/share/easy-rsa/pkitool


@ -0,0 +1 @@
/usr/share/easy-rsa/revoke-full


@ -0,0 +1 @@
/usr/share/easy-rsa/sign-req


@ -0,0 +1,96 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
##export EASY_RSA="`pwd`"
export BASE_DIR="/etc/openvpn/gw-ckubu"
export EASY_RSA="$BASE_DIR/easy-rsa"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
##export KEY_DIR="$EASY_RSA/keys"
export KEY_DIR="$BASE_DIR/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
##export KEY_SIZE=2048
export KEY_SIZE=4096
# In how many days should the root CA key expire?
##export CA_EXPIRE=3650
export CA_EXPIRE=11688
# In how many days should certificates expire?
##export KEY_EXPIRE=3650
export KEY_EXPIRE=7305
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
##export KEY_COUNTRY="US"
export KEY_COUNTRY="DE"
##export KEY_PROVINCE="CA"
export KEY_PROVINCE="Berlin"
##export KEY_CITY="SanFrancisco"
export KEY_CITY="Berlin"
##export KEY_ORG="Fort-Funston"
export KEY_ORG="O.OPEN"
##export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL="ckubu-adm@oopen.de"
##export KEY_OU="MyOrganizationalUnit"
export KEY_OU="Network Services"
# X509 Subject Field
##export KEY_NAME="EasyRSA"
export KEY_NAME="VPN MBR"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
## export KEY_CN="CommonName"
export KEY_CN="VPN-MBR"
export KEY_ALTNAMES="VPN MBR"
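Review bot: `export KEY_CN="VPN-MBR"` is set unconditionally, and the comment directly above it says that exporting KEY_CN signs all keys with the same Common Name and needs `duplicate-cn` on the server. If the signing scripts do not override it per certificate (not visible in this file), every client ends up with the same CN, which makes per-client configuration and log attribution harder; I would leave it commented out, as the unmodified copy later in this commit does. `KEY_ALTNAMES="VPN MBR"` also has no type prefix, while the OpenSSL config in this commit feeds it straight into `subjectAltName=$ENV::KEY_ALTNAMES`, which expects entries such as `DNS:name`. `KEY_EXPIRE=7305` issues 20-year certificates, so removing a client's access depends entirely on revocation working.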


@ -0,0 +1,80 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048
# In how many days should the root CA key expire?
export CA_EXPIRE=3650
# In how many days should certificates expire?
export KEY_EXPIRE=3650
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
# X509 Subject Field
export KEY_NAME="EasyRSA"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# export KEY_CN="CommonName"


@ -0,0 +1 @@
/usr/share/easy-rsa/whichopensslcnf


@ -0,0 +1,258 @@
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote gw-mbr.oopen.de 1195
topology subnet
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# Server CA
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
# Client Certificate
<cert>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
# Client Key
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
</key>
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-serve
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
#
# Don't forget to set the 'key-direction' Parameter if using
# Inline Key. Usualy , sever has key direction '0', while client
# has ke direction '1'.
#
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
79d91376ee2c248cb615cd6291bf2954
a8e96540005b24814cf8b156c133033a
8d46114db5bb435551604fcb18c56b09
09750d641767657cebf8151735230e61
b2a9631cd7490ab824333b74e60e4cc0
c3fce42e7518bd6519347f7e111b9f61
be2682407cd8186c2c9b03987a6d0fd0
52599e30c6e2214cd9734f442e4d9a34
62e1dc096e13a894538798a94b2e2d54
f1c5bd884fe95aefdd919a96cdbf8f1d
c60a65e7b59990a11324fa1960b8cb3f
ac2fc846d6860e50f7b35f83eb6b791b
d59707320a80e639b2226c2d16830757
f7d29d94fd8c5fe1ab8c939e394d2126
bd880494edfa929b03b894c6984890c2
8e1ab55c781b17828ec1d4126a9736e2
-----END OpenVPN Static key V1-----
</tls-auth>
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-256-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 1
# Setting 'pull' on the client takes care to get the 'push' durectives
# from the server
pull
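Review bot: The `<tls-auth>` block embeds the shared static key in clear text, and the same key is committed again as a standalone key file near the end of this commit, so every reader of the repository holds the key that is meant to gate the TLS handshake. Keep the key out of version control and reference it from the host instead, `tls-auth <PATH_TO_TA_KEY> 1`, and generate a fresh one, since this value stays in the history. Separately, `ns-cert-type server` is deprecated; `remote-cert-tls server` performs the check against the Extended Key Usage field, which the server certificate in this commit already carries ("TLS Web Server Authentication").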


@ -0,0 +1 @@
VPN-MBR-gw-ckubu,10.1.112.2


@ -0,0 +1,4 @@
key...............: gw-ckubu.key
common name.......: VPN-MBR-gw-ckubu
password..........: eicoomeisi0eengoh1eev2cioQuuor2f
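Review bot: The `password` line stores the passphrase of `gw-ckubu.key` in clear text in the same commit that adds the encrypted key itself (the `ENCRYPTED PRIVATE KEY` block further down and, it appears, the inline `<key>` of the client config above). The encryption therefore protects nothing from anyone who can read the repository. Drop this file from the tree and keep the passphrase in a password manager or hand it over out of band. Because the value remains in the history, the safer course is to revoke the `VPN-MBR-gw-ckubu` certificate (serial 02 in the index) and issue a new key pair with a new passphrase.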


@ -0,0 +1,142 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-MBR/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Dec 18 21:28:40 2017 GMT
Not After : Dec 18 21:28:40 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-MBR-server/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:a3:59:da:38:7c:2f:ba:c5:c8:b7:64:9d:8b:7b:
f2:f5:f8:60:6e:4b:1b:1e:d0:ce:50:7e:82:ed:d6:
db:f7:d4:29:38:b1:8a:df:14:9f:ed:72:c2:5e:86:
c5:ae:5a:09:0f:74:62:b6:c9:f8:42:95:4f:70:d6:
bc:cf:62:c8:02:97:b0:20:ec:2d:eb:68:09:82:22:
af:6b:f9:9e:ce:63:f9:3a:d1:a9:33:0a:d0:16:95:
33:ee:df:f3:88:97:51:32:88:c8:f3:e7:36:ba:8e:
40:2d:ab:6e:c9:b7:13:d4:59:46:5f:62:61:fd:21:
86:03:45:40:2a:96:6d:f7:87:dc:72:f1:3a:2b:71:
67:86:6a:ef:69:74:a6:de:a0:dc:ed:ad:c7:7f:9a:
cb:b3:06:61:1a:34:45:57:19:d1:37:e0:2d:36:c3:
94:91:5c:02:ce:40:c2:f8:a4:43:8c:f7:5e:a1:b1:
00:19:13:cd:06:85:e0:d7:f8:7d:bb:b6:e5:e4:d7:
7e:82:dc:96:5c:fa:7e:88:a3:42:be:43:78:c8:b3:
40:0f:61:05:55:9f:d0:56:54:19:db:85:48:05:ce:
6d:b2:49:df:b6:54:7d:39:f4:47:b5:98:3b:d5:73:
1b:15:f5:de:b7:af:a9:06:06:de:03:59:84:db:23:
70:87:eb:16:de:80:f1:3f:ac:b0:93:04:69:87:99:
d1:d4:a7:f0:ac:2d:42:73:d5:5a:fb:1d:f4:d6:e9:
20:cb:1f:13:15:5a:b7:1e:ec:d0:e0:d4:5d:0b:61:
66:01:40:6f:e6:86:38:95:e7:a4:ff:0a:8c:c9:1d:
36:e6:56:59:84:15:a4:3f:72:17:ca:61:f8:74:98:
4a:af:c6:55:d9:54:99:bb:fb:40:8b:d4:8c:ab:3d:
de:f3:9e:9d:3d:a4:27:cd:8b:17:12:8e:b7:32:5c:
c0:61:fa:9f:5a:9d:d7:9c:f9:6b:c7:da:a6:50:25:
80:b5:37:88:cf:f0:0c:62:5c:e2:8c:04:b2:e1:a6:
4a:ca:8e:93:a9:fb:e1:72:89:08:23:9e:08:c9:10:
7c:fb:ce:a9:12:e0:1f:f9:1b:a8:b7:d7:ea:84:d3:
9c:f3:5f:97:6a:1d:44:03:42:e9:86:1a:f9:14:3e:
58:67:06:4b:ae:c7:4c:77:4a:80:29:5e:7b:a7:b8:
08:65:e7:b9:aa:e4:eb:45:93:68:28:9f:3f:0f:42:
40:23:ca:4c:9d:5c:4d:b1:55:df:d7:41:2e:31:46:
1e:60:05:75:33:8a:2c:bf:b1:08:c5:b2:31:51:55:
6c:73:ef:a2:8b:e8:aa:fa:bc:4a:81:20:e4:96:30:
f9:09:3f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
5E:7E:C5:2F:CA:5E:62:27:A2:07:89:20:A0:8A:D0:EB:05:55:95:26
X509v3 Authority Key Identifier:
keyid:61:E8:72:B9:32:10:5C:A3:BF:A7:A7:59:1D:35:E0:B4:B5:51:80:FB
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-MBR/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
serial:D1:1A:86:39:7D:76:92:5C
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:server
Signature Algorithm: sha256WithRSAEncryption
53:de:ad:c7:5d:b2:c0:6c:2e:45:50:21:7f:d8:ff:68:61:8e:
11:bc:13:d0:67:5b:ed:c6:48:46:74:9a:89:6b:2a:1b:8a:01:
c9:3b:5b:3e:1f:d2:24:1e:a0:59:ea:f5:99:d7:35:8d:13:55:
58:ea:8c:2d:8f:7e:8a:c1:0f:a1:0d:ea:ce:46:a9:e1:4f:00:
b8:94:f6:d4:fd:44:83:41:13:9a:98:3a:e2:d2:a2:09:1a:61:
44:39:84:9a:6e:4b:67:ab:18:93:e8:1e:cf:bd:15:2a:a8:76:
ae:d7:36:56:77:3f:88:0d:40:18:6d:e1:d5:a8:e0:17:fe:96:
58:cf:aa:2f:63:a9:f6:bd:c7:61:6d:ea:5f:72:92:8e:08:a9:
60:a3:48:66:91:e8:4b:0d:dc:92:10:b2:57:68:71:9d:f0:86:
36:31:95:3b:f5:ce:fe:fe:96:91:df:90:c4:0f:90:0c:cf:97:
73:38:7b:27:21:43:29:b6:13:5e:11:b3:7b:10:10:ac:3e:9c:
ee:88:cc:e1:c1:a2:40:0a:2b:78:82:85:ba:c1:a6:b9:e7:23:
af:13:ee:16:ba:e6:c9:6e:cd:5f:1c:44:c8:c1:e1:48:e7:0f:
d4:29:a2:c5:80:f3:0d:48:b8:cb:6c:8c:3c:b6:04:c6:a1:41:
2f:99:dd:d3:f6:bf:15:54:e0:a9:79:32:83:21:59:0a:2f:55:
7f:26:c9:28:33:17:24:32:19:a9:d4:41:d1:e2:c1:cf:13:76:
fd:d0:76:14:69:cc:bd:a0:66:5c:8e:8c:f8:23:76:8d:0a:c0:
a5:27:9c:36:21:16:26:18:90:31:97:91:61:4e:47:4f:ed:47:
54:b7:8f:ec:d5:44:cb:f5:c8:35:b1:11:90:8a:2a:d9:ab:97:
1b:26:1a:41:ef:f1:a8:4a:3d:bf:76:d4:e3:31:26:c2:cd:09:
9b:05:0b:8f:6e:ba:15:76:89:2a:38:1c:b2:9e:64:ba:3d:1c:
a4:fe:4b:a2:63:3d:80:07:f7:19:df:db:03:51:7d:ed:16:72:
4e:ce:46:76:47:5a:64:b1:7b:32:4a:53:cc:1a:93:7c:6e:ce:
e4:00:90:86:47:26:9a:51:7b:61:7e:78:05:c2:35:c0:2a:bc:
89:56:e2:4f:67:7f:96:1a:47:9c:99:d4:a2:34:87:b5:e3:c6:
34:45:4f:51:29:49:64:81:de:3b:d8:0c:df:9a:69:c1:e6:4c:
72:5f:a0:84:5e:b3:1d:ca:2b:01:79:a6:70:cb:f8:4b:3c:69:
d1:55:c8:6a:56:cc:6a:9e:24:5f:a6:6d:99:39:6e:bb:d9:09:
a9:70:8d:5f:e2:b4:01:da
-----BEGIN CERTIFICATE-----
MIIHUDCCBTigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBojELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1NQlIx
EDAOBgNVBCkTB1ZQTiBNQlIxITAfBgkqhkiG9w0BCQEWEmNrdWJ1LWFkbUBvb3Bl
bi5kZTAeFw0xNzEyMTgyMTI4NDBaFw0zNzEyMTgyMTI4NDBaMIGpMQswCQYDVQQG
EwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoT
Bk8uT1BFTjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEXMBUGA1UEAxMOVlBO
LU1CUi1zZXJ2ZXIxEDAOBgNVBCkTB1ZQTiBNQlIxITAfBgkqhkiG9w0BCQEWEmNr
dWJ1LWFkbUBvb3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
AKNZ2jh8L7rFyLdknYt78vX4YG5LGx7QzlB+gu3W2/fUKTixit8Un+1ywl6Gxa5a
CQ90YrbJ+EKVT3DWvM9iyAKXsCDsLetoCYIir2v5ns5j+TrRqTMK0BaVM+7f84iX
UTKIyPPnNrqOQC2rbsm3E9RZRl9iYf0hhgNFQCqWbfeH3HLxOitxZ4Zq72l0pt6g
3O2tx3+ay7MGYRo0RVcZ0TfgLTbDlJFcAs5AwvikQ4z3XqGxABkTzQaF4Nf4fbu2
5eTXfoLcllz6foijQr5DeMizQA9hBVWf0FZUGduFSAXObbJJ37ZUfTn0R7WYO9Vz
GxX13revqQYG3gNZhNsjcIfrFt6A8T+ssJMEaYeZ0dSn8KwtQnPVWvsd9NbpIMsf
ExVatx7s0ODUXQthZgFAb+aGOJXnpP8KjMkdNuZWWYQVpD9yF8ph+HSYSq/GVdlU
mbv7QIvUjKs93vOenT2kJ82LFxKOtzJcwGH6n1qd15z5a8faplAlgLU3iM/wDGJc
4owEsuGmSsqOk6n74XKJCCOeCMkQfPvOqRLgH/kbqLfX6oTTnPNfl2odRANC6YYa
+RQ+WGcGS67HTHdKgClee6e4CGXnuark60WTaCifPw9CQCPKTJ1cTbFV39dBLjFG
HmAFdTOKLL+xCMWyMVFVbHPvoovoqvq8SoEg5JYw+Qk/AgMBAAGjggGGMIIBgjAJ
BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFz
eS1SU0EgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUXn7F
L8peYieiB4kgoIrQ6wVVlSYwgdcGA1UdIwSBzzCBzIAUYehyuTIQXKO/p6dZHTXg
tLVRgPuhgaikgaUwgaIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGTy5PUEVOMRkwFwYDVQQLExBOZXR3b3Jr
IFNlcnZpY2VzMRAwDgYDVQQDEwdWUE4tTUJSMRAwDgYDVQQpEwdWUE4gTUJSMSEw
HwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29wZW4uZGWCCQDRGoY5fXaSXDATBgNV
HSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwEQYDVR0RBAowCIIGc2VydmVy
MA0GCSqGSIb3DQEBCwUAA4ICAQBT3q3HXbLAbC5FUCF/2P9oYY4RvBPQZ1vtxkhG
dJqJayobigHJO1s+H9IkHqBZ6vWZ1zWNE1VY6owtj36KwQ+hDerORqnhTwC4lPbU
/USDQROamDri0qIJGmFEOYSabktnqxiT6B7PvRUqqHau1zZWdz+IDUAYbeHVqOAX
/pZYz6ovY6n2vcdhbepfcpKOCKlgo0hmkehLDdySELJXaHGd8IY2MZU79c7+/paR
35DED5AMz5dzOHsnIUMpthNeEbN7EBCsPpzuiMzhwaJACit4goW6waa55yOvE+4W
uubJbs1fHETIweFI5w/UKaLFgPMNSLjLbIw8tgTGoUEvmd3T9r8VVOCpeTKDIVkK
L1V/JskoMxckMhmp1EHR4sHPE3b90HYUacy9oGZcjoz4I3aNCsClJ5w2IRYmGJAx
l5FhTkdP7UdUt4/s1UTL9cg1sRGQiirZq5cbJhpB7/GoSj2/dtTjMSbCzQmbBQuP
broVdokqOByynmS6PRyk/kuiYz2AB/cZ39sDUX3tFnJOzkZ2R1pksXsySlPMGpN8
bs7kAJCGRyaaUXthfngFwjXAKryJVuJPZ3+WGkecmdSiNIe148Y0RU9RKUlkgd47
2AzfmmnB5kxyX6CEXrMdyisBeaZwy/hLPGnRVchqVsxqniRfpm2ZOW672QmpcI1f
4rQB2g==
-----END CERTIFICATE-----
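Review bot: The validity period runs from Dec 2017 to Dec 2037, twenty years for a leaf certificate, which follows from `KEY_EXPIRE=7305` in the vars file earlier in this commit; the client certificate (serial 2) has the same lifetime. With lifetimes this long, revocation is the only way to retire a lost or leaked key, so the server config should be checked for a `crl-verify` line pointing at the CRL that is linked in this directory. For future issuance, a shorter value such as the stock `export KEY_EXPIRE=3650`, or less, limits the exposure window.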


@ -0,0 +1,139 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-MBR/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Dec 18 23:33:30 2017 GMT
Not After : Dec 18 23:33:30 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-MBR-gw-ckubu/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c7:f4:34:fb:98:b4:94:24:ec:32:95:ed:41:fc:
6a:8b:f3:96:70:63:a0:58:6e:74:96:a6:a9:56:c8:
66:08:e5:ca:87:92:53:e5:b5:91:62:aa:6e:98:e6:
01:4f:65:4b:a6:ba:56:9e:ea:d5:0a:49:2c:28:ee:
54:fe:b3:08:49:1c:66:29:c9:13:85:38:32:1b:d1:
89:2e:4c:3d:c1:ef:20:5f:15:c6:1d:f7:5f:4a:8d:
66:9d:8e:3c:f4:9d:fe:a6:9e:eb:f8:2d:ce:49:51:
9c:78:1b:f5:20:6b:e4:55:14:40:4b:68:cb:e4:82:
a2:f1:30:44:dd:84:9b:bc:f4:34:06:6f:42:1c:05:
97:b4:32:84:f3:96:b4:a1:c8:fe:fb:3d:ba:5a:f9:
ae:0a:79:79:99:86:ec:df:d2:f0:29:bb:ac:60:ec:
c4:40:df:9f:7e:e4:d4:db:83:ca:42:4e:51:df:66:
2a:c4:e8:82:c5:0a:fd:92:08:bc:9b:d0:94:b4:ed:
c1:56:01:7c:84:90:54:5d:57:36:b6:20:ee:ff:74:
21:a5:c6:9f:0e:2f:e7:7f:8a:cb:af:b9:a5:26:cf:
34:f0:14:f0:53:c8:30:d9:a3:fe:be:7a:9e:c9:3a:
ca:72:ff:b0:4e:5d:43:da:5c:a1:cb:75:95:12:b7:
2d:3c:91:bd:b6:28:eb:d0:1f:f6:72:70:1d:7a:a7:
fc:5e:1f:9f:07:2b:19:35:d5:7a:9b:cb:b8:8c:0d:
e5:a2:1b:7a:26:71:6a:6d:1b:69:99:48:7d:61:01:
1f:1a:6e:16:27:71:7f:04:9a:29:3e:f6:51:6b:9f:
83:65:82:85:63:24:9d:16:3b:71:88:99:97:3b:51:
3d:75:3d:45:db:f7:c1:51:54:01:76:03:aa:1d:82:
dc:73:24:8f:55:80:f2:e4:21:46:bb:45:6e:29:d9:
7f:6c:2a:81:f8:a3:73:95:08:b7:0c:5d:11:eb:80:
c6:30:97:c5:f0:db:16:d7:8f:92:9a:67:70:ca:d7:
18:c8:4d:0b:11:05:38:bc:bf:4d:8a:df:a9:65:b2:
9b:ac:c5:37:9d:78:0c:a0:0a:c0:88:a4:52:85:2e:
1c:78:93:a5:da:4a:0d:38:09:ab:65:ec:de:b0:9e:
df:d0:be:48:02:b8:e5:93:b1:f3:87:14:cd:5a:ae:
b7:00:6f:cd:b5:13:10:b4:9c:e4:76:58:a1:57:83:
95:13:41:ae:c9:af:cd:f1:29:27:65:73:e9:4d:99:
d6:2c:29:fb:56:ad:c5:88:f4:47:c3:48:9e:2c:3e:
9b:52:f6:2e:a8:49:38:25:65:bf:6e:bc:19:30:a0:
44:a5:e1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
C8:29:98:C5:DC:1F:5D:D3:FD:66:C4:EC:F5:11:E1:FC:66:20:F9:7C
X509v3 Authority Key Identifier:
keyid:61:E8:72:B9:32:10:5C:A3:BF:A7:A7:59:1D:35:E0:B4:B5:51:80:FB
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-MBR/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
serial:D1:1A:86:39:7D:76:92:5C
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:gw-ckubu
Signature Algorithm: sha256WithRSAEncryption
a6:97:d2:10:b0:ae:76:be:ad:0b:d4:05:0f:91:28:86:01:8d:
38:51:8c:db:b4:71:29:ba:39:92:20:56:a8:5d:86:a3:8a:7b:
70:94:d9:2c:29:cc:88:84:52:fd:af:80:df:70:69:ad:fc:55:
f7:ca:6b:d2:7d:e1:b6:2a:c4:15:42:35:34:2f:57:a8:4a:dd:
d5:5b:b2:68:95:15:15:d5:5a:41:b0:b4:e9:74:0c:f6:fe:50:
fa:28:5f:ba:ad:75:66:3c:fb:a8:ef:51:7c:fa:ae:13:99:97:
42:85:ad:7d:54:76:5d:3a:57:06:6b:1b:9f:8e:d2:2a:19:9c:
1a:53:12:a4:f2:fa:73:47:1b:e4:1f:7d:38:58:e1:13:31:93:
87:ee:f4:1e:b7:8b:46:d6:dd:d0:87:57:f5:2c:f5:fb:09:9f:
13:7e:4e:ab:25:2e:64:67:47:25:66:74:5a:81:eb:db:77:8e:
ff:51:bb:53:a7:70:2e:9b:17:b7:87:04:e9:97:3f:c1:3d:d4:
0b:6b:d7:5e:45:55:58:d9:5d:e6:7b:f8:d0:e9:37:de:e8:a8:
c5:fd:05:fd:8e:09:7b:bf:1e:31:10:21:6f:f3:be:81:52:71:
69:1f:f0:53:cb:8c:a5:76:fe:6b:38:5f:b1:f9:64:3c:4d:ba:
69:1a:24:1d:c3:44:33:f2:2a:b9:2f:25:94:3c:1e:a8:5c:30:
aa:3b:a8:f1:4b:9c:11:8e:45:a7:7f:7e:da:3e:48:02:68:04:
4d:af:21:ed:a1:eb:bb:d4:e1:6a:f7:a9:02:0b:79:b9:02:a8:
b9:18:61:d1:3d:5b:4d:82:01:97:19:fb:63:b4:05:90:ad:ae:
cd:47:6c:60:c8:22:de:42:7e:a9:2b:c6:e9:44:f2:8a:46:4b:
9d:d4:f0:0f:82:5e:e5:1c:39:d3:d1:ad:dc:f5:d3:fe:e8:ef:
a7:21:25:f1:1c:88:e4:35:51:a1:d2:86:d3:5e:e6:0d:38:fd:
20:e7:d5:44:2e:5a:5b:6f:62:17:00:66:6a:ce:51:bc:c8:63:
c1:56:14:b2:74:5f:00:8c:15:cd:66:d2:b0:01:b2:44:06:10:
38:db:dd:42:fa:e9:c8:0e:22:b5:20:d6:50:e5:28:66:69:8b:
9d:5c:e1:ea:93:7e:e4:75:76:4f:b0:b7:05:a0:35:4e:fc:52:
b2:20:3c:3c:35:4e:2b:40:fd:a0:d1:6a:e8:32:98:f5:27:55:
e3:3a:fc:24:6a:35:2a:e5:11:4f:90:98:85:5f:d9:54:99:5f:
19:2f:93:4b:05:3e:1f:f5:87:91:e4:f3:ab:5e:cd:d6:fa:b9:
c9:be:de:8c:37:1d:c0:9d
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,39 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
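Review bot: This file is an unencrypted PKCS#8 private key (`BEGIN PRIVATE KEY`, no passphrase) checked into the repository. From its position directly after the bare CA certificate it is presumably the CA signing key, and a second unencrypted key of the same size is added further down after the server certificate request. If that reading is right, anyone who can read the repository could issue certificates this VPN will accept, or impersonate the server. Private keys should stay on the issuing host with restrictive permissions and be excluded from commits, e.g. a `*.key` pattern in `.gitignore`. Since the keys remain in the history, the PKI should be regenerated rather than the files merely deleted.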


@ -0,0 +1 @@
../crl.pem


@ -0,0 +1,13 @@
-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----


@ -0,0 +1,139 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-MBR/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Dec 18 23:33:30 2017 GMT
Not After : Dec 18 23:33:30 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-MBR-gw-ckubu/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c7:f4:34:fb:98:b4:94:24:ec:32:95:ed:41:fc:
6a:8b:f3:96:70:63:a0:58:6e:74:96:a6:a9:56:c8:
66:08:e5:ca:87:92:53:e5:b5:91:62:aa:6e:98:e6:
01:4f:65:4b:a6:ba:56:9e:ea:d5:0a:49:2c:28:ee:
54:fe:b3:08:49:1c:66:29:c9:13:85:38:32:1b:d1:
89:2e:4c:3d:c1:ef:20:5f:15:c6:1d:f7:5f:4a:8d:
66:9d:8e:3c:f4:9d:fe:a6:9e:eb:f8:2d:ce:49:51:
9c:78:1b:f5:20:6b:e4:55:14:40:4b:68:cb:e4:82:
a2:f1:30:44:dd:84:9b:bc:f4:34:06:6f:42:1c:05:
97:b4:32:84:f3:96:b4:a1:c8:fe:fb:3d:ba:5a:f9:
ae:0a:79:79:99:86:ec:df:d2:f0:29:bb:ac:60:ec:
c4:40:df:9f:7e:e4:d4:db:83:ca:42:4e:51:df:66:
2a:c4:e8:82:c5:0a:fd:92:08:bc:9b:d0:94:b4:ed:
c1:56:01:7c:84:90:54:5d:57:36:b6:20:ee:ff:74:
21:a5:c6:9f:0e:2f:e7:7f:8a:cb:af:b9:a5:26:cf:
34:f0:14:f0:53:c8:30:d9:a3:fe:be:7a:9e:c9:3a:
ca:72:ff:b0:4e:5d:43:da:5c:a1:cb:75:95:12:b7:
2d:3c:91:bd:b6:28:eb:d0:1f:f6:72:70:1d:7a:a7:
fc:5e:1f:9f:07:2b:19:35:d5:7a:9b:cb:b8:8c:0d:
e5:a2:1b:7a:26:71:6a:6d:1b:69:99:48:7d:61:01:
1f:1a:6e:16:27:71:7f:04:9a:29:3e:f6:51:6b:9f:
83:65:82:85:63:24:9d:16:3b:71:88:99:97:3b:51:
3d:75:3d:45:db:f7:c1:51:54:01:76:03:aa:1d:82:
dc:73:24:8f:55:80:f2:e4:21:46:bb:45:6e:29:d9:
7f:6c:2a:81:f8:a3:73:95:08:b7:0c:5d:11:eb:80:
c6:30:97:c5:f0:db:16:d7:8f:92:9a:67:70:ca:d7:
18:c8:4d:0b:11:05:38:bc:bf:4d:8a:df:a9:65:b2:
9b:ac:c5:37:9d:78:0c:a0:0a:c0:88:a4:52:85:2e:
1c:78:93:a5:da:4a:0d:38:09:ab:65:ec:de:b0:9e:
df:d0:be:48:02:b8:e5:93:b1:f3:87:14:cd:5a:ae:
b7:00:6f:cd:b5:13:10:b4:9c:e4:76:58:a1:57:83:
95:13:41:ae:c9:af:cd:f1:29:27:65:73:e9:4d:99:
d6:2c:29:fb:56:ad:c5:88:f4:47:c3:48:9e:2c:3e:
9b:52:f6:2e:a8:49:38:25:65:bf:6e:bc:19:30:a0:
44:a5:e1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
C8:29:98:C5:DC:1F:5D:D3:FD:66:C4:EC:F5:11:E1:FC:66:20:F9:7C
X509v3 Authority Key Identifier:
keyid:61:E8:72:B9:32:10:5C:A3:BF:A7:A7:59:1D:35:E0:B4:B5:51:80:FB
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-MBR/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
serial:D1:1A:86:39:7D:76:92:5C
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:gw-ckubu
Signature Algorithm: sha256WithRSAEncryption
a6:97:d2:10:b0:ae:76:be:ad:0b:d4:05:0f:91:28:86:01:8d:
38:51:8c:db:b4:71:29:ba:39:92:20:56:a8:5d:86:a3:8a:7b:
70:94:d9:2c:29:cc:88:84:52:fd:af:80:df:70:69:ad:fc:55:
f7:ca:6b:d2:7d:e1:b6:2a:c4:15:42:35:34:2f:57:a8:4a:dd:
d5:5b:b2:68:95:15:15:d5:5a:41:b0:b4:e9:74:0c:f6:fe:50:
fa:28:5f:ba:ad:75:66:3c:fb:a8:ef:51:7c:fa:ae:13:99:97:
42:85:ad:7d:54:76:5d:3a:57:06:6b:1b:9f:8e:d2:2a:19:9c:
1a:53:12:a4:f2:fa:73:47:1b:e4:1f:7d:38:58:e1:13:31:93:
87:ee:f4:1e:b7:8b:46:d6:dd:d0:87:57:f5:2c:f5:fb:09:9f:
13:7e:4e:ab:25:2e:64:67:47:25:66:74:5a:81:eb:db:77:8e:
ff:51:bb:53:a7:70:2e:9b:17:b7:87:04:e9:97:3f:c1:3d:d4:
0b:6b:d7:5e:45:55:58:d9:5d:e6:7b:f8:d0:e9:37:de:e8:a8:
c5:fd:05:fd:8e:09:7b:bf:1e:31:10:21:6f:f3:be:81:52:71:
69:1f:f0:53:cb:8c:a5:76:fe:6b:38:5f:b1:f9:64:3c:4d:ba:
69:1a:24:1d:c3:44:33:f2:2a:b9:2f:25:94:3c:1e:a8:5c:30:
aa:3b:a8:f1:4b:9c:11:8e:45:a7:7f:7e:da:3e:48:02:68:04:
4d:af:21:ed:a1:eb:bb:d4:e1:6a:f7:a9:02:0b:79:b9:02:a8:
b9:18:61:d1:3d:5b:4d:82:01:97:19:fb:63:b4:05:90:ad:ae:
cd:47:6c:60:c8:22:de:42:7e:a9:2b:c6:e9:44:f2:8a:46:4b:
9d:d4:f0:0f:82:5e:e5:1c:39:d3:d1:ad:dc:f5:d3:fe:e8:ef:
a7:21:25:f1:1c:88:e4:35:51:a1:d2:86:d3:5e:e6:0d:38:fd:
20:e7:d5:44:2e:5a:5b:6f:62:17:00:66:6a:ce:51:bc:c8:63:
c1:56:14:b2:74:5f:00:8c:15:cd:66:d2:b0:01:b2:44:06:10:
38:db:dd:42:fa:e9:c8:0e:22:b5:20:d6:50:e5:28:66:69:8b:
9d:5c:e1:ea:93:7e:e4:75:76:4f:b0:b7:05:a0:35:4e:fc:52:
b2:20:3c:3c:35:4e:2b:40:fd:a0:d1:6a:e8:32:98:f5:27:55:
e3:3a:fc:24:6a:35:2a:e5:11:4f:90:98:85:5f:d9:54:99:5f:
19:2f:93:4b:05:3e:1f:f5:87:91:e4:f3:ab:5e:cd:d6:fa:b9:
c9:be:de:8c:37:1d:c0:9d
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,54 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIoJKekP1ZYoMCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECHiPXCkPcmkMBIIJSBkqxukBibbl
LdkzjsRmpDCFmPbmEzu/YKmXCMqSbgnEp0Ny2/05sWH2x7DDfZHC8IkzSZb6nqz3
G5AenJ6wZhPhtVEHFJaiVkJv0pIGXpGvqVsXimDSBWMnIwBFUfzrKSOu7Dhiw7Cx
1KdGgfoISh/BTLF2UAJjRqIL/Hw0nlqungeXV46twKFW83fBwxJBMj5HwfHtkTqN
yXOoRLOFJHwYAn6qqBw7n/pJyb4XzOqmmPqC8S96WPQwTCUDlJCSg6AGpobEfxQx
KFreSVCyQadyFSO3C8jGIOsP+55j7sk/GwABYx9iZ+hPiH1uBhhDNzLpnDbLsrgf
chvpMoftpmgZxxd6bFbWdhZGhWKSGivmujfaAQySc8+w9ejjpCiHg9oEBsm78whh
UcxXNrbfVpj4ivZm6K+BoM710imeQu22t/SNeO7S6Mko9Weu/8vlg3976H8E58PG
NwseCQRyVKmIC1i8EuKbYt4Fr66YTkuv+OGdqmvTPRe8aMQOgEFU3NaoQ5rHBfma
24NZoy/Hk1QXYSkCIc6izJdv07u44ZK2X0LGGiETin8lmCmyrph+iP51Hl2np8gk
5PiHAVcnhuSrBP9nVOZ6XFbBFYwItTdtlkpSfJBYlNnEHK2gA6wIF8dQhQE3VXS7
H9F3MdaJx7qVRy7qDwEG/ONBDX/QrU9cTom07TP1T7IHbqfF6koZE8fOEnwFPwpE
4sFuaRfrPdBDaE6jww0NLdAHC8eSdNgrHHVEUnwWosAldapfmj3JNONc+tJPYo4r
usMPPL+THX9UA9D7hxZ5wHz4fqyTlkK2bE0aK0euEaAe7tQ8+teYYEiO+OkRNQI4
yyHAX8b1jCaCOOMTeSHdV3gFhh8wmRsZqa4i1a4lWqeQlXKA9/Iq5Uk0ujNOSYMG
ttMyS7b38IvDCog9G1XYiSqH8DE/IzSi9tUbfUtqRX9jqUp9ZGlY0h8R/5I9oDKa
4IQRYAjktsJDi1dxYffQpWX0XeDZdlT6drhZv3OZHfTzX7pAI8TbEcu48tuI/JpB
zzI9/+yxF2hDNlecWYi8BP5vt5u58oiO+IEReFC1sPVssJSQisOJp1qNQCwgvNxu
/1heDohlurh5Ra3XtFddDVg5r92A9yuM5LZFGNA4VDZe8WzFOv9adKrZARBiWqBH
CG2KwL8o/psC37BT0SRCQd8iOHTlfMUIPd9j7WxfM1DcxywEcLCwtBjMXidVVIB+
YG58huH2AdEgm01f7UeJrd0RBCV4Lx58nNnnkBoTQXzP5KqpAHmSndsOy8dAUf4F
lk0zC1LARseF3r9eeFxNeMC+diQHzLOGLQNhyojlhA2/9FO546lOH3TLlBNgQ41w
CfhTRa5aU+w+OmYjkPEnhde4NzzSXEbFMjGQvt0rrn+6jFMQ/kDLSoJEHBEa+Anf
VAbVZThhy8JhkRrKpEht3sLUd/mR57Vrk47xZnV8uGBW0Ii28rRYdImHV3CGUys+
S6r5o5zLa1yRhz2hGQE8kpnu5HiF4Pz7svBp8FEiRLTxvTQ9D5MgdlXUHr5Ujaco
ivlm4WvXoNyji2FbWDVgscvfbOQgNnaQ5uY5g3rxC2PTCwNbTCGNLxYJbJ4zzkp+
NHS9xuV39AggXJpFpb6vl30NU4pQCLDTYpembdhNmIfgGo4DS1bMSWZyz9I1OkOa
rNtVWidyTgZd3I3v5r5weD30gb+D/aaCxSEa4CCp1e7Wbdjwb9tuj6bJsRlnAn/K
ucDfQzTlImshtBjtWG2C+dpRyTVLpo/49kQmHhXvr/OpDWv5tggrvEZ87gEvCgOA
KkPNFET5itNA3KkVX6fi9Lg4g94hwEqAUnKHFvhatMC6DYYXF2hnZLIAaXjCAysz
ubxOMEeyEYEBpGnWuWgK6uv+IgwYdA9+vca69upH19J9sxvdhUluRo4ghoH2Ufuz
gz1P852iCvVGsGgUgWsyRgEqylP726YxNyxBot8EZ8uUXVaUFs540nJRY85Sli4f
17WzMYKTgV+790XFUgYlV8K9wVL2qCcCPwlUS/sjLIUACnuiDucMT/3J9zQcssY6
3ka8UhMzaFGys0FQl1WwcXZ+gWtQJcF7R1nB8PCbUFt06+adyJaSrE4UTQAZYMM5
NS06CVaVBxhZDukAq9Rw/W1mnfkJTb9IHy3n/5RJqNzf0PXDe4CbXKqRDWx4aPbr
bklCRDCujoECsnYuTEdNbRawubCrt0uAAAudJkHQsDHJcjs1Uxr26duRhElsolJX
bkSOiarjckoGZG2k05aBkZq9HcOMNMHiGsia9/3TmEIWkuOxY+EVB/FHUdjeJA1F
1pI4phDz3rGYJOcWwMtW47P7vemKi7UXzfgCVW0wS/pxI5+PGUxq3NrxLz0TMdxa
lKAH18quz3tRaqlGNQ2d9NVEn17589JLS72OFROnK0tUBQevaVwP4MHwu5g/lz8h
C72U86jx1ps1N32y3SV5T/U0rch1PT9v8PO4kD3ojoMAjxXSe4Iv6gXaJSKmORdD
WHb7W2Tq7IWHRjUWWl0wVsqLyEfu9LAPTw688P17UWvK4fDQDvr0dOyMRSYNBTiU
YudmGZh0lphuEXnMmPgD5l06EmKbXzSIWwg1iMlOKQzENxTR5fr9ozvpe1KDqAGK
Fcd/QRNydHOJcLShwhX2ZTfVMMzoE3t5hizS7cbo3j+OYKJ30P4GFbXrEIj+c6Jd
FOT30UZWZ1lK+jFscJcKCZMDFvHVDk63pOLCdxxQlmovuaCjsdGXRh1mvtYyV+wE
kDCbCdjjlf5Qj8TwxNmKA9Rg5dlTIOSFALGM50YX3Iq/rwJahBOpirKXNcQ8/qoG
0sF+4jQyNQSMu6Y+9RKGBwPESZa05M9N0xbcAz+wFlOKBRXzioMRNoG5rOew1mTj
wgxpNTidqvnVE36gw0hYy1K8+jyYwFwdh+t++p+VQ3kctc1QPVgomouC8DY7UCNg
5wFFqm/lru87YJcsgrso6/fHvaTkA3toS5olRrmhq68hjISk1XArDm1vDo/hcvFX
L4MLrR/LpUCccUFV26NaNJuQdvpzBiGTwyetK1+rC5QtvNvfTQL/1WeKpbOpJCkl
2FqU9ZXvhJH4N3zxGf9LRkg/tQjYKLfDbvjZZzDnk66fJMK19FkuCm2uqeRQZHiQ
j3AScnn8S7SPYjaNkOxAmQ==
-----END ENCRYPTED PRIVATE KEY-----


@ -0,0 +1,2 @@
V 371218212840Z 01 unknown /C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-MBR-server/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
V 371218233330Z 02 unknown /C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-MBR-gw-ckubu/name=VPN MBR/emailAddress=ckubu-adm@oopen.de


@ -0,0 +1 @@
unique_subject = yes


@ -0,0 +1 @@
unique_subject = yes


@ -0,0 +1 @@
V 371218212840Z 01 unknown /C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-MBR-server/name=VPN MBR/emailAddress=ckubu-adm@oopen.de


@ -0,0 +1 @@
03


@ -0,0 +1 @@
02


@ -0,0 +1,142 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-MBR/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Dec 18 21:28:40 2017 GMT
Not After : Dec 18 21:28:40 2037 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-MBR-server/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:a3:59:da:38:7c:2f:ba:c5:c8:b7:64:9d:8b:7b:
f2:f5:f8:60:6e:4b:1b:1e:d0:ce:50:7e:82:ed:d6:
db:f7:d4:29:38:b1:8a:df:14:9f:ed:72:c2:5e:86:
c5:ae:5a:09:0f:74:62:b6:c9:f8:42:95:4f:70:d6:
bc:cf:62:c8:02:97:b0:20:ec:2d:eb:68:09:82:22:
af:6b:f9:9e:ce:63:f9:3a:d1:a9:33:0a:d0:16:95:
33:ee:df:f3:88:97:51:32:88:c8:f3:e7:36:ba:8e:
40:2d:ab:6e:c9:b7:13:d4:59:46:5f:62:61:fd:21:
86:03:45:40:2a:96:6d:f7:87:dc:72:f1:3a:2b:71:
67:86:6a:ef:69:74:a6:de:a0:dc:ed:ad:c7:7f:9a:
cb:b3:06:61:1a:34:45:57:19:d1:37:e0:2d:36:c3:
94:91:5c:02:ce:40:c2:f8:a4:43:8c:f7:5e:a1:b1:
00:19:13:cd:06:85:e0:d7:f8:7d:bb:b6:e5:e4:d7:
7e:82:dc:96:5c:fa:7e:88:a3:42:be:43:78:c8:b3:
40:0f:61:05:55:9f:d0:56:54:19:db:85:48:05:ce:
6d:b2:49:df:b6:54:7d:39:f4:47:b5:98:3b:d5:73:
1b:15:f5:de:b7:af:a9:06:06:de:03:59:84:db:23:
70:87:eb:16:de:80:f1:3f:ac:b0:93:04:69:87:99:
d1:d4:a7:f0:ac:2d:42:73:d5:5a:fb:1d:f4:d6:e9:
20:cb:1f:13:15:5a:b7:1e:ec:d0:e0:d4:5d:0b:61:
66:01:40:6f:e6:86:38:95:e7:a4:ff:0a:8c:c9:1d:
36:e6:56:59:84:15:a4:3f:72:17:ca:61:f8:74:98:
4a:af:c6:55:d9:54:99:bb:fb:40:8b:d4:8c:ab:3d:
de:f3:9e:9d:3d:a4:27:cd:8b:17:12:8e:b7:32:5c:
c0:61:fa:9f:5a:9d:d7:9c:f9:6b:c7:da:a6:50:25:
80:b5:37:88:cf:f0:0c:62:5c:e2:8c:04:b2:e1:a6:
4a:ca:8e:93:a9:fb:e1:72:89:08:23:9e:08:c9:10:
7c:fb:ce:a9:12:e0:1f:f9:1b:a8:b7:d7:ea:84:d3:
9c:f3:5f:97:6a:1d:44:03:42:e9:86:1a:f9:14:3e:
58:67:06:4b:ae:c7:4c:77:4a:80:29:5e:7b:a7:b8:
08:65:e7:b9:aa:e4:eb:45:93:68:28:9f:3f:0f:42:
40:23:ca:4c:9d:5c:4d:b1:55:df:d7:41:2e:31:46:
1e:60:05:75:33:8a:2c:bf:b1:08:c5:b2:31:51:55:
6c:73:ef:a2:8b:e8:aa:fa:bc:4a:81:20:e4:96:30:
f9:09:3f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
5E:7E:C5:2F:CA:5E:62:27:A2:07:89:20:A0:8A:D0:EB:05:55:95:26
X509v3 Authority Key Identifier:
keyid:61:E8:72:B9:32:10:5C:A3:BF:A7:A7:59:1D:35:E0:B4:B5:51:80:FB
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-MBR/name=VPN MBR/emailAddress=ckubu-adm@oopen.de
serial:D1:1A:86:39:7D:76:92:5C
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:server
Signature Algorithm: sha256WithRSAEncryption
53:de:ad:c7:5d:b2:c0:6c:2e:45:50:21:7f:d8:ff:68:61:8e:
11:bc:13:d0:67:5b:ed:c6:48:46:74:9a:89:6b:2a:1b:8a:01:
c9:3b:5b:3e:1f:d2:24:1e:a0:59:ea:f5:99:d7:35:8d:13:55:
58:ea:8c:2d:8f:7e:8a:c1:0f:a1:0d:ea:ce:46:a9:e1:4f:00:
b8:94:f6:d4:fd:44:83:41:13:9a:98:3a:e2:d2:a2:09:1a:61:
44:39:84:9a:6e:4b:67:ab:18:93:e8:1e:cf:bd:15:2a:a8:76:
ae:d7:36:56:77:3f:88:0d:40:18:6d:e1:d5:a8:e0:17:fe:96:
58:cf:aa:2f:63:a9:f6:bd:c7:61:6d:ea:5f:72:92:8e:08:a9:
60:a3:48:66:91:e8:4b:0d:dc:92:10:b2:57:68:71:9d:f0:86:
36:31:95:3b:f5:ce:fe:fe:96:91:df:90:c4:0f:90:0c:cf:97:
73:38:7b:27:21:43:29:b6:13:5e:11:b3:7b:10:10:ac:3e:9c:
ee:88:cc:e1:c1:a2:40:0a:2b:78:82:85:ba:c1:a6:b9:e7:23:
af:13:ee:16:ba:e6:c9:6e:cd:5f:1c:44:c8:c1:e1:48:e7:0f:
d4:29:a2:c5:80:f3:0d:48:b8:cb:6c:8c:3c:b6:04:c6:a1:41:
2f:99:dd:d3:f6:bf:15:54:e0:a9:79:32:83:21:59:0a:2f:55:
7f:26:c9:28:33:17:24:32:19:a9:d4:41:d1:e2:c1:cf:13:76:
fd:d0:76:14:69:cc:bd:a0:66:5c:8e:8c:f8:23:76:8d:0a:c0:
a5:27:9c:36:21:16:26:18:90:31:97:91:61:4e:47:4f:ed:47:
54:b7:8f:ec:d5:44:cb:f5:c8:35:b1:11:90:8a:2a:d9:ab:97:
1b:26:1a:41:ef:f1:a8:4a:3d:bf:76:d4:e3:31:26:c2:cd:09:
9b:05:0b:8f:6e:ba:15:76:89:2a:38:1c:b2:9e:64:ba:3d:1c:
a4:fe:4b:a2:63:3d:80:07:f7:19:df:db:03:51:7d:ed:16:72:
4e:ce:46:76:47:5a:64:b1:7b:32:4a:53:cc:1a:93:7c:6e:ce:
e4:00:90:86:47:26:9a:51:7b:61:7e:78:05:c2:35:c0:2a:bc:
89:56:e2:4f:67:7f:96:1a:47:9c:99:d4:a2:34:87:b5:e3:c6:
34:45:4f:51:29:49:64:81:de:3b:d8:0c:df:9a:69:c1:e6:4c:
72:5f:a0:84:5e:b3:1d:ca:2b:01:79:a6:70:cb:f8:4b:3c:69:
d1:55:c8:6a:56:cc:6a:9e:24:5f:a6:6d:99:39:6e:bb:d9:09:
a9:70:8d:5f:e2:b4:01:da
-----BEGIN CERTIFICATE-----
MIIHUDCCBTigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBojELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZPLk9Q
RU4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1NQlIx
EDAOBgNVBCkTB1ZQTiBNQlIxITAfBgkqhkiG9w0BCQEWEmNrdWJ1LWFkbUBvb3Bl
bi5kZTAeFw0xNzEyMTgyMTI4NDBaFw0zNzEyMTgyMTI4NDBaMIGpMQswCQYDVQQG
EwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoT
Bk8uT1BFTjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEXMBUGA1UEAxMOVlBO
LU1CUi1zZXJ2ZXIxEDAOBgNVBCkTB1ZQTiBNQlIxITAfBgkqhkiG9w0BCQEWEmNr
dWJ1LWFkbUBvb3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
AKNZ2jh8L7rFyLdknYt78vX4YG5LGx7QzlB+gu3W2/fUKTixit8Un+1ywl6Gxa5a
CQ90YrbJ+EKVT3DWvM9iyAKXsCDsLetoCYIir2v5ns5j+TrRqTMK0BaVM+7f84iX
UTKIyPPnNrqOQC2rbsm3E9RZRl9iYf0hhgNFQCqWbfeH3HLxOitxZ4Zq72l0pt6g
3O2tx3+ay7MGYRo0RVcZ0TfgLTbDlJFcAs5AwvikQ4z3XqGxABkTzQaF4Nf4fbu2
5eTXfoLcllz6foijQr5DeMizQA9hBVWf0FZUGduFSAXObbJJ37ZUfTn0R7WYO9Vz
GxX13revqQYG3gNZhNsjcIfrFt6A8T+ssJMEaYeZ0dSn8KwtQnPVWvsd9NbpIMsf
ExVatx7s0ODUXQthZgFAb+aGOJXnpP8KjMkdNuZWWYQVpD9yF8ph+HSYSq/GVdlU
mbv7QIvUjKs93vOenT2kJ82LFxKOtzJcwGH6n1qd15z5a8faplAlgLU3iM/wDGJc
4owEsuGmSsqOk6n74XKJCCOeCMkQfPvOqRLgH/kbqLfX6oTTnPNfl2odRANC6YYa
+RQ+WGcGS67HTHdKgClee6e4CGXnuark60WTaCifPw9CQCPKTJ1cTbFV39dBLjFG
HmAFdTOKLL+xCMWyMVFVbHPvoovoqvq8SoEg5JYw+Qk/AgMBAAGjggGGMIIBgjAJ
BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFz
eS1SU0EgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUXn7F
L8peYieiB4kgoIrQ6wVVlSYwgdcGA1UdIwSBzzCBzIAUYehyuTIQXKO/p6dZHTXg
tLVRgPuhgaikgaUwgaIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGTy5PUEVOMRkwFwYDVQQLExBOZXR3b3Jr
IFNlcnZpY2VzMRAwDgYDVQQDEwdWUE4tTUJSMRAwDgYDVQQpEwdWUE4gTUJSMSEw
HwYJKoZIhvcNAQkBFhJja3VidS1hZG1Ab29wZW4uZGWCCQDRGoY5fXaSXDATBgNV
HSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwEQYDVR0RBAowCIIGc2VydmVy
MA0GCSqGSIb3DQEBCwUAA4ICAQBT3q3HXbLAbC5FUCF/2P9oYY4RvBPQZ1vtxkhG
dJqJayobigHJO1s+H9IkHqBZ6vWZ1zWNE1VY6owtj36KwQ+hDerORqnhTwC4lPbU
/USDQROamDri0qIJGmFEOYSabktnqxiT6B7PvRUqqHau1zZWdz+IDUAYbeHVqOAX
/pZYz6ovY6n2vcdhbepfcpKOCKlgo0hmkehLDdySELJXaHGd8IY2MZU79c7+/paR
35DED5AMz5dzOHsnIUMpthNeEbN7EBCsPpzuiMzhwaJACit4goW6waa55yOvE+4W
uubJbs1fHETIweFI5w/UKaLFgPMNSLjLbIw8tgTGoUEvmd3T9r8VVOCpeTKDIVkK
L1V/JskoMxckMhmp1EHR4sHPE3b90HYUacy9oGZcjoz4I3aNCsClJ5w2IRYmGJAx
l5FhTkdP7UdUt4/s1UTL9cg1sRGQiirZq5cbJhpB7/GoSj2/dtTjMSbCzQmbBQuP
broVdokqOByynmS6PRyk/kuiYz2AB/cZ39sDUX3tFnJOzkZ2R1pksXsySlPMGpN8
bs7kAJCGRyaaUXthfngFwjXAKryJVuJPZ3+WGkecmdSiNIe148Y0RU9RKUlkgd47
2AzfmmnB5kxyX6CEXrMdyisBeaZwy/hLPGnRVchqVsxqniRfpm2ZOW672QmpcI1f
4rQB2g==
-----END CERTIFICATE-----


@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
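Review bot: The 52-line file added in this section is an unencrypted PEM private key (`-----BEGIN PRIVATE KEY-----`), so everyone with read access to the repository or its history holds the key for the matching certificate. The same applies to the 2048 bit OpenVPN static key added in the next section and to the `<tls-auth>` key inlined in MBR/openvpn/home/chris.conf. Key material should stay out of version control, for example through ignore rules such as `*.key` plus the static key file, with keys distributed out of band or stored encrypted. The keys committed here should be treated as exposed: reissue the certificate, put the old one on the CRL and generate new static keys. The path of this file is not visible on the page.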


@ -0,0 +1,21 @@
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
79d91376ee2c248cb615cd6291bf2954
a8e96540005b24814cf8b156c133033a
8d46114db5bb435551604fcb18c56b09
09750d641767657cebf8151735230e61
b2a9631cd7490ab824333b74e60e4cc0
c3fce42e7518bd6519347f7e111b9f61
be2682407cd8186c2c9b03987a6d0fd0
52599e30c6e2214cd9734f442e4d9a34
62e1dc096e13a894538798a94b2e2d54
f1c5bd884fe95aefdd919a96cdbf8f1d
c60a65e7b59990a11324fa1960b8cb3f
ac2fc846d6860e50f7b35f83eb6b791b
d59707320a80e639b2226c2d16830757
f7d29d94fd8c5fe1ab8c939e394d2126
bd880494edfa929b03b894c6984890c2
8e1ab55c781b17828ec1d4126a9736e2
-----END OpenVPN Static key V1-----

260
MBR/openvpn/home/chris.conf Normal file

@ -0,0 +1,260 @@
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote gw-mbr.oopen.de 1194
topology subnet
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# Server CA
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
# Client Certificate
<cert>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
# Client Key
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
</key>
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-serve
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
#
# Don't forget to set the 'key-direction' Parameter if using
# Inline Key. Usualy , sever has key direction '0', while client
# has ke direction '1'.
#
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
c1bb483e19d6c90def9e3b3054725c26
83dad3473e46c324617f10954a9ef0c0
04d3e53c787043db4b2f0c0f55d38928
13ccfe3325bdc2a12294ee4a6eee14e1
301e57912bdb03502032b97dd30fa67a
6f7f2af6759ed4a6f7d32e863417c38f
d0d29d7c1c2aea2b60c273878919c815
220984a3a5e996a8ad9e01bc5595b87c
2e60411d8d44f0769ed53afff6259395
112f2218b859ce5ae46542be229ec2aa
ab78338e1db08e5765571faf096fb5d3
ebf22fc761cd3a70ef97c4cb20dd1778
830a8b2b1463e8101825003181e8e188
74dd61d43462ef4f8271c68c5aebdb07
a4300e941ab9bfbdb5f34f23442222b8
7c5b89d7e9ff18e1367af366abf53c3d
-----END OpenVPN Static key V1-----
</tls-auth>
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-256-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 1
# Setting 'pull' on the client takes care to get the 'push' durectives
# from the server
pull
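Review bot: `ns-cert-type server` checks only the legacy Netscape certificate-type field, an option OpenVPN has deprecated and dropped from newer releases. I would replace it with `remote-cert-tls server`, after confirming that the server certificate carries the TLS Web Server Authentication extended key usage. `comp-lzo` is also deprecated upstream, and compression inside the tunnel can leak plaintext through compression-oracle effects, so it is better removed on server and client together. The comment block above `ns-cert-type` is cut off mid-sentence ("The build-key-serve") and should be completed or shortened.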

18
MBR/openvpn/home/crl.pem Normal file

@ -0,0 +1,18 @@
-----BEGIN X509 CRL-----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-----END X509 CRL-----


@ -0,0 +1 @@
/usr/share/easy-rsa/build-ca


@ -0,0 +1 @@
/usr/share/easy-rsa/build-dh


@ -0,0 +1 @@
/usr/share/easy-rsa/build-inter


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-pass


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-pkcs12


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-server

Some files were not shown because too many files have changed in this diff