Initial commit

2018-05-08 03:01:03 +02:00
commit 1c4c595cd6
3256 changed files with 417972 additions and 0 deletions


@ -0,0 +1,5 @@
ifconfig-push 10.1.72.2 255.255.255.0
push "route 192.168.72.0 255.255.255.0 10.1.72.1"
push "route 192.168.73.0 255.255.255.0 10.1.72.1"
iroute 192.168.63.0 255.255.255.0
iroute 192.168.64.0 255.255.255.0
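Review bot: `ifconfig-push 10.1.72.2 255.255.255.0` pins this client in 10.1.72.0/24, while the next client file in this commit pins its address in 10.0.72.0/24. If both files belong to the same server instance, one of the two is a typo and the pushed gateway 10.1.72.1 would not be reachable from the other subnet. The file also carries no comment naming the site behind 192.168.63.0/24 and 192.168.64.0/24. Because the two `iroute` lines make the server route those networks to whichever certificate name matches this file, I would add a header such as `# site-to-site client <name>: LANs 192.168.63.0/24, 192.168.64.0/24` so the binding can be audited later.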


@ -0,0 +1 @@
ifconfig-push 10.0.72.3 255.255.255.0

1
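--- a/ReachOut/openvpn/crl.pem
+++ b/ReachOut/openvpn/crl.pem
@@ -0,0 +1 @@
+keys/crl.pem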
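Review bot: The link target `keys/crl.pem` is relative, so the easy-rsa key directory sits inside the tree this commit adds, and the OpenSSL configs in the same commit put the CA private key at `$dir/ca.key` in that directory. Whether `ca.key` and the per-client `*.key` files are among the 3256 added files is not visible here, but it should be checked. An ignore rule such as `keys/*.key` keeps them out, and any private key already pushed should be treated as exposed and reissued. Separately, the configs set `default_crl_days= 30`, so the CRL behind this link must be regenerated on a schedule; recent OpenVPN releases reject clients once the CRL's next-update time has passed.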


@ -0,0 +1 @@
/usr/share/easy-rsa/build-ca


@ -0,0 +1 @@
/usr/share/easy-rsa/build-dh


@ -0,0 +1 @@
/usr/share/easy-rsa/build-inter


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-pass


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-pkcs12


@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-server


@ -0,0 +1 @@
/usr/share/easy-rsa/build-req


@ -0,0 +1 @@
/usr/share/easy-rsa/build-req-pass


@ -0,0 +1 @@
/usr/share/easy-rsa/clean-all


@ -0,0 +1 @@
/usr/share/easy-rsa/inherit-inter


@ -0,0 +1 @@
/usr/share/easy-rsa/list-crl


@ -0,0 +1,268 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
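Review bot: In `[ v3_ca ]` the CA certificate is built with a non-critical `basicConstraints = CA:true` and no `keyUsage`, both of which the comments describe as concessions to old software. For a CA that `vars` in this commit sets to live 10957 days, I would enable the two lines already present as comments, `basicConstraints = critical,CA:true` and `keyUsage = cRLSign, keyCertSign`; this only takes effect when a CA certificate is next generated. `policy = policy_anything` combined with `subjectAltName=$ENV::KEY_ALTNAMES` means the subject and SAN of every issued certificate come from the operator's environment, which deserves a comment stating that the signing host's environment is trusted input. The same lines appear in the two other OpenSSL configuration copies later in this commit.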


@ -0,0 +1,293 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0


@ -0,0 +1,288 @@
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0


@ -0,0 +1 @@
/usr/share/easy-rsa/pkitool


@ -0,0 +1 @@
/usr/share/easy-rsa/revoke-full


@ -0,0 +1 @@
/usr/share/easy-rsa/sign-req


@ -0,0 +1,95 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
##export EASY_RSA="`pwd`"
export BASE_DIR="/etc/openvpn"
export EASY_RSA="$BASE_DIR/easy-rsa"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
##export KEY_DIR="$EASY_RSA/keys"
export KEY_DIR="$BASE_DIR/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048
# In how many days should the root CA key expire?
##export CA_EXPIRE=3650
export CA_EXPIRE=10957
# In how many days should certificates expire?
##export KEY_EXPIRE=3650
export KEY_EXPIRE=7305
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
##export KEY_COUNTRY="US"
export KEY_COUNTRY="DE"
##export KEY_PROVINCE="CA"
export KEY_PROVINCE="Berlin"
##export KEY_CITY="SanFrancisco"
export KEY_CITY="Berlin"
##export KEY_ORG="Fort-Funston"
export KEY_ORG="O.OPEN"
##export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL="ckubu-adm@oopen.de"
##export KEY_OU="MyOrganizationalUnit"
export KEY_OU="Network Services"
# X509 Subject Field
##export KEY_NAME="EasyRSA"
export KEY_NAME="VPN ReachOut"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
## export KEY_CN="CommonName"
export KEY_CN="VPN-ReachOut"
export KEY_ALTNAMES="VPN ReachOut"
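Review bot: `export KEY_EXPIRE=7305` issues client and server certificates that stay valid for about 20 years on 2048-bit RSA keys; the issued certificates shown in this commit run from 2016 to 2036. With lifetimes that long, the CRL is the only control that retires a lost device or a departed user's credential. A shorter leaf lifetime with planned renewal, for example `export KEY_EXPIRE=1095`, limits that exposure, while `CA_EXPIRE=10957` is easier to justify if the CA key is kept off the VPN server. The comment above `KEY_SIZE` still reads "Increase this to 2048 if you are paranoid" although the value is already 2048, so I would reword it to state the chosen size and why.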


@ -0,0 +1 @@
/usr/share/easy-rsa/whichopensslcnf

0
ReachOut/openvpn/ipp.txt Normal file


@ -0,0 +1,101 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-ReachOut-ca/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Dec 2 13:39:49 2016 GMT
Not After : Dec 2 13:39:49 2036 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-ReachOut-server/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b9:5b:fd:e8:c8:ed:ad:6c:e5:f3:0c:3d:cf:bf:
1a:33:c1:f8:9b:f6:47:b2:ef:55:72:9d:68:76:de:
55:e5:82:42:cd:ae:b0:63:ea:94:a2:61:28:bf:b6:
5f:35:b5:6c:53:61:e0:82:f7:8b:4c:fd:34:ae:ea:
5d:2c:5c:84:eb:51:97:20:d6:ec:5f:b9:25:ae:60:
e3:69:66:7d:1f:d8:11:d3:97:da:4e:dc:5c:21:54:
cd:5d:79:08:91:13:e2:08:f0:ba:23:51:23:99:fd:
d2:e6:42:1f:66:1d:dd:9e:f3:c8:eb:51:42:a7:7c:
5c:fb:81:95:1b:9a:73:5b:48:fe:66:d7:02:fd:16:
94:24:dc:94:b1:5b:6e:bc:d1:89:b7:90:1a:93:ee:
49:14:2c:4d:a7:f5:89:03:ec:6c:02:cf:75:5e:87:
ff:76:f1:27:b6:93:5d:7e:cd:2a:51:dd:58:75:f7:
12:a0:9b:64:60:36:07:bc:cd:c4:88:b3:6f:c7:43:
a8:35:6f:54:ea:df:48:e2:cf:39:d4:84:d7:9b:96:
4c:63:18:4d:73:9f:de:5b:a0:ac:4c:19:74:02:4f:
b4:dd:20:bd:97:ad:1f:f5:ec:df:01:98:21:c1:4c:
9a:7f:74:31:e3:6c:d9:f1:61:f5:55:2f:25:6d:ae:
93:2d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
12:3B:C5:E0:5F:D0:39:99:F5:9E:1D:28:27:BD:98:6D:47:BE:C6:33
X509v3 Authority Key Identifier:
keyid:5F:DD:9B:C8:1E:20:6B:2D:AA:C9:B2:27:FB:7C:EB:FE:DF:5F:35:7B
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-ReachOut-ca/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
serial:C9:54:AE:D1:38:24:A9:15
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:server
Signature Algorithm: sha256WithRSAEncryption
49:dc:84:e4:5e:d0:2e:a7:92:bf:9b:25:7f:5d:cf:fd:c2:e8:
69:15:d7:44:20:18:d0:70:8e:f9:c5:25:b5:7d:50:03:ee:45:
99:ec:31:46:6d:0d:98:a4:56:0d:5b:b5:b7:fc:09:9e:d2:55:
10:e6:21:67:f9:e7:44:c8:c8:77:80:88:c1:f3:a6:51:8a:f0:
38:11:59:5d:c7:fc:d1:dc:c9:e3:56:b0:83:40:06:e0:e6:24:
ab:b2:92:9a:cc:77:dc:2c:e4:4f:77:2a:e0:cc:1e:3d:61:59:
70:ee:9a:ab:7f:a0:46:e5:54:68:bf:22:47:44:16:c2:bf:a0:
f2:2c:71:d6:2e:fa:c2:c6:c2:4b:f9:55:34:f5:2f:b4:f4:ad:
b2:bb:c7:d2:93:27:05:4d:0a:2d:76:31:1a:84:39:bb:59:5d:
b9:0f:c7:cd:6a:55:c9:9a:92:bc:90:a7:bb:c6:c9:7b:b7:56:
82:ef:0f:19:69:7f:68:03:7f:7f:ab:5c:f1:1e:ad:d4:50:7e:
02:52:59:67:f4:a7:d9:a9:b6:bf:0f:62:2f:55:fc:b6:46:bf:
f6:d5:11:3b:a0:7e:4b:04:83:72:77:ae:88:e4:2d:5e:c7:2f:
26:c6:02:52:50:f7:07:f7:35:e8:45:37:32:dc:99:0f:42:17:
7b:19:73:55
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-ReachOut-ca/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Dec 2 13:41:22 2016 GMT
Not After : Dec 2 13:41:22 2036 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-ReachOut-chris/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b9:c4:72:65:27:f8:64:85:43:e3:c5:54:ca:22:
a6:05:d5:b8:83:8d:25:62:a5:a6:0a:c5:cc:a4:1e:
41:1d:2f:92:0d:0e:d4:ad:28:eb:4a:49:79:75:9e:
17:3d:74:a5:e6:77:12:d8:7a:93:5a:71:64:2e:f5:
b6:20:84:d4:d1:7e:54:3f:51:16:e2:7f:09:53:83:
ac:3b:8e:0e:82:81:38:8b:df:b2:2d:76:7d:87:bc:
c9:c0:64:a5:a4:3b:7b:12:1d:0e:30:f6:c8:14:ff:
aa:98:3a:69:86:08:17:cc:b7:b3:48:d3:d1:37:dc:
01:92:ef:a5:6c:5e:5e:5b:77:87:8d:ac:f7:9d:13:
9f:b7:74:af:12:b5:84:d5:1d:53:a9:40:14:89:64:
ce:e2:fe:ae:df:34:94:38:55:45:fe:90:50:22:bc:
c4:21:f5:91:0e:fe:d8:09:52:ca:8e:3e:75:91:dd:
9f:a4:c1:98:19:df:9e:20:03:49:bd:6b:6d:67:f9:
06:60:e9:e0:b3:99:f2:62:0e:3b:cd:b3:30:ae:08:
a4:c7:48:c6:73:a1:b2:a5:d7:fb:60:b7:14:1b:1f:
f2:f1:c0:32:6c:6d:51:44:11:b1:e6:55:96:8b:dc:
dd:60:55:8e:5a:f7:84:8c:be:06:cb:b8:92:08:0b:
46:bb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
8A:A6:3C:FE:E3:6F:E4:B9:C7:13:B4:C8:39:E5:4B:99:98:62:7E:4B
X509v3 Authority Key Identifier:
keyid:5F:DD:9B:C8:1E:20:6B:2D:AA:C9:B2:27:FB:7C:EB:FE:DF:5F:35:7B
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-ReachOut-ca/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
serial:C9:54:AE:D1:38:24:A9:15
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:chris
Signature Algorithm: sha256WithRSAEncryption
87:ca:b4:33:8d:55:c5:a5:6c:fc:3d:19:9d:e4:67:6b:09:e3:
1c:bc:3f:b7:72:a9:a9:a8:39:ee:48:17:80:b3:3d:3f:80:79:
5b:09:94:c4:da:f0:80:9a:13:f0:03:ff:31:2e:c6:4c:da:47:
97:91:84:fa:60:c6:03:24:ea:f8:61:c9:16:25:8b:b1:11:29:
c1:25:53:24:cb:5b:ab:56:57:32:7c:f2:68:c8:40:ec:0e:73:
9f:91:b2:13:12:d9:97:f1:c1:31:4d:fd:0f:af:fe:9e:22:8e:
8d:82:a3:ad:1e:14:a9:0b:60:d0:7e:c1:e9:fd:df:3a:ef:a4:
4c:f9:72:7f:65:d9:0f:1a:38:af:c7:94:fb:31:76:4f:f9:b0:
d2:8a:10:83:d3:9c:d7:44:b9:61:46:d1:a3:2a:98:fb:36:22:
8e:fb:10:77:39:20:48:97:f0:69:27:dc:e8:3f:1d:e6:b7:b3:
5f:bb:09:da:fc:09:40:43:19:92:7d:34:10:d8:28:5d:45:52:
17:f9:a2:03:c2:0b:57:91:ef:cf:6e:d6:92:d0:03:c1:15:0a:
50:76:95:c3:77:89:7b:3d:60:66:6e:a7:93:52:1c:f1:68:26:
6d:c5:aa:8c:7a:0e:31:1b:96:2c:91:09:23:8a:89:3a:40:f2:
f3:0b:54:31
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
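Review bot: This file is a plaintext private key (`-----BEGIN PRIVATE KEY-----`, not `ENCRYPTED`) committed to the repository; the file name is not shown here, but from its position directly after a bare certificate it is presumably the CA key. The same problem applies to the second plaintext `PRIVATE KEY` file further down, whose encoded modulus starts with the same bytes (`00:b9:5b:fd:e8…`) as the CN=VPN-ReachOut-server certificate, and to the `OpenVPN Static key V1` file that the server config loads with `tls-auth keys/ta.key 0`. Anyone with read access to the repository or its history then holds the material that authenticates the server and, if this is the CA key, that signs new certificates. Deleting the files in a later commit leaves them in history, so they should be treated as disclosed: create a new CA, reissue the server and client certificates, regenerate the tls-auth key, and keep key material out of version control (for example an ignore rule such as `keys/*.key`).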


@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-ReachOut-ca/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Dec 2 13:41:22 2016 GMT
Not After : Dec 2 13:41:22 2036 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-ReachOut-chris/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b9:c4:72:65:27:f8:64:85:43:e3:c5:54:ca:22:
a6:05:d5:b8:83:8d:25:62:a5:a6:0a:c5:cc:a4:1e:
41:1d:2f:92:0d:0e:d4:ad:28:eb:4a:49:79:75:9e:
17:3d:74:a5:e6:77:12:d8:7a:93:5a:71:64:2e:f5:
b6:20:84:d4:d1:7e:54:3f:51:16:e2:7f:09:53:83:
ac:3b:8e:0e:82:81:38:8b:df:b2:2d:76:7d:87:bc:
c9:c0:64:a5:a4:3b:7b:12:1d:0e:30:f6:c8:14:ff:
aa:98:3a:69:86:08:17:cc:b7:b3:48:d3:d1:37:dc:
01:92:ef:a5:6c:5e:5e:5b:77:87:8d:ac:f7:9d:13:
9f:b7:74:af:12:b5:84:d5:1d:53:a9:40:14:89:64:
ce:e2:fe:ae:df:34:94:38:55:45:fe:90:50:22:bc:
c4:21:f5:91:0e:fe:d8:09:52:ca:8e:3e:75:91:dd:
9f:a4:c1:98:19:df:9e:20:03:49:bd:6b:6d:67:f9:
06:60:e9:e0:b3:99:f2:62:0e:3b:cd:b3:30:ae:08:
a4:c7:48:c6:73:a1:b2:a5:d7:fb:60:b7:14:1b:1f:
f2:f1:c0:32:6c:6d:51:44:11:b1:e6:55:96:8b:dc:
dd:60:55:8e:5a:f7:84:8c:be:06:cb:b8:92:08:0b:
46:bb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
8A:A6:3C:FE:E3:6F:E4:B9:C7:13:B4:C8:39:E5:4B:99:98:62:7E:4B
X509v3 Authority Key Identifier:
keyid:5F:DD:9B:C8:1E:20:6B:2D:AA:C9:B2:27:FB:7C:EB:FE:DF:5F:35:7B
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-ReachOut-ca/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
serial:C9:54:AE:D1:38:24:A9:15
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:chris
Signature Algorithm: sha256WithRSAEncryption
87:ca:b4:33:8d:55:c5:a5:6c:fc:3d:19:9d:e4:67:6b:09:e3:
1c:bc:3f:b7:72:a9:a9:a8:39:ee:48:17:80:b3:3d:3f:80:79:
5b:09:94:c4:da:f0:80:9a:13:f0:03:ff:31:2e:c6:4c:da:47:
97:91:84:fa:60:c6:03:24:ea:f8:61:c9:16:25:8b:b1:11:29:
c1:25:53:24:cb:5b:ab:56:57:32:7c:f2:68:c8:40:ec:0e:73:
9f:91:b2:13:12:d9:97:f1:c1:31:4d:fd:0f:af:fe:9e:22:8e:
8d:82:a3:ad:1e:14:a9:0b:60:d0:7e:c1:e9:fd:df:3a:ef:a4:
4c:f9:72:7f:65:d9:0f:1a:38:af:c7:94:fb:31:76:4f:f9:b0:
d2:8a:10:83:d3:9c:d7:44:b9:61:46:d1:a3:2a:98:fb:36:22:
8e:fb:10:77:39:20:48:97:f0:69:27:dc:e8:3f:1d:e6:b7:b3:
5f:bb:09:da:fc:09:40:43:19:92:7d:34:10:d8:28:5d:45:52:
17:f9:a2:03:c2:0b:57:91:ef:cf:6e:d6:92:d0:03:c1:15:0a:
50:76:95:c3:77:89:7b:3d:60:66:6e:a7:93:52:1c:f1:68:26:
6d:c5:aa:8c:7a:0e:31:1b:96:2c:91:09:23:8a:89:3a:40:f2:
f3:0b:54:31
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,30 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----


@ -0,0 +1,13 @@
-----BEGIN X509 CRL-----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-----END X509 CRL-----


@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA9zC12bXVmqeG75zqi1lMwgWK9Zpe6TB+aueIbbDoCWx3ZmtydLjr
VmrxFNb8iQlNS7wtDXx4d72L9/+quVklpPwXRboV//3BqPns7Tyd/cLbwmGZ8pJ8
z66xQ8iJho2LX+o/oyM37G9rb8gm8xLE1N5lRT3O2oZ2zRKtRH8BmqhXmOaV0n9D
KbZHA6IfeVSEryYu7RbnoGi0KfoH/D3FGgo+HBIDx3EN6GwHZemfW2TE6T3MZcst
aVgoJqYkxYmKSmvTNF36fSaCEM8TgOIa8mZltd2CZZayDE3x3+GqI1aZ+fGPoe1k
1Mk/3nbtQfCtYRjGKzdGPgdnn9nxhB7rUwIBAg==
-----END DH PARAMETERS-----


@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-ReachOut-ca/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Dec 12 19:50:59 2016 GMT
Not After : Dec 12 19:50:59 2036 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-ReachOut-gw-ckubu/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:96:37:a7:11:5b:b5:7c:04:77:d3:a1:6d:fc:88:
ba:e0:b1:83:32:0b:29:86:7e:7d:40:5e:79:cc:5f:
35:09:fb:8d:3f:7d:22:4f:7d:ed:c9:4b:73:fb:cd:
e2:eb:14:cb:95:29:67:c6:53:c4:81:01:72:e2:9c:
96:6b:a2:a7:3a:08:dc:29:7e:8f:fa:37:73:21:b6:
49:7e:1c:c0:31:f6:34:0c:94:62:f5:57:a8:00:8a:
b1:28:82:f6:4e:a9:c1:64:d3:aa:81:57:d4:9c:6b:
5d:9e:15:cc:b7:b8:a0:a8:00:68:c5:f8:22:c3:26:
db:18:df:da:91:96:34:37:71:8b:d1:cb:e2:1b:52:
27:db:22:57:23:fb:ec:46:79:5e:67:eb:c5:05:8d:
5f:dd:b0:b9:b8:df:6f:c0:5e:ca:69:7e:66:d1:d0:
63:b1:28:eb:48:82:94:c2:94:8d:95:19:47:3c:ec:
08:43:e9:4e:36:b5:31:5e:a6:5c:b9:92:e9:ef:a5:
3a:5d:aa:78:f1:44:4b:53:78:27:85:9b:09:19:ee:
7d:d7:ec:bb:73:a8:02:e6:3d:01:71:c0:c1:07:ba:
2a:f3:11:b3:c2:52:f6:aa:f6:08:2e:14:8a:b2:25:
df:bb:d9:a4:3b:90:2f:0e:ec:37:cf:0b:6f:cc:23:
ad:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
EC:45:15:E6:92:4D:CA:CA:4E:6B:7D:D3:52:18:00:A5:92:69:24:1E
X509v3 Authority Key Identifier:
keyid:5F:DD:9B:C8:1E:20:6B:2D:AA:C9:B2:27:FB:7C:EB:FE:DF:5F:35:7B
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-ReachOut-ca/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
serial:C9:54:AE:D1:38:24:A9:15
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:gw-ckubu
Signature Algorithm: sha256WithRSAEncryption
8e:58:7f:4f:ff:32:4f:22:e6:98:95:bf:2c:a8:d0:c9:54:1a:
0c:58:4a:d5:11:b6:3d:d7:8e:c2:84:36:9b:4f:c3:0c:e5:b9:
f2:40:7e:e1:93:7f:28:b6:61:c6:f4:96:f3:82:f3:be:22:e5:
7f:b7:ea:3c:09:b7:ad:db:28:0e:79:ab:03:c0:38:c3:ae:cf:
85:91:d1:6d:6f:b5:c5:97:c5:72:5e:87:7a:f1:bc:9a:39:4c:
ae:38:e7:9a:6f:8c:ad:7f:37:12:e3:4e:38:63:04:da:20:dd:
d0:77:7e:66:93:8f:a3:0d:a0:1d:67:69:7f:3a:a0:b8:47:56:
f3:a6:e6:9e:5d:5f:ac:6e:3b:fc:df:2b:9d:31:d2:11:0b:a9:
3f:17:ef:9a:2b:9c:af:dc:b7:ba:46:5e:d3:77:dc:52:f3:25:
b6:52:c8:ae:ab:48:8b:4d:8b:a2:25:d3:80:f4:76:88:31:18:
4a:f1:03:39:1c:30:d1:1b:ee:ec:6d:c8:2e:42:98:56:10:a2:
a8:94:16:fa:c7:eb:84:6d:4b:d9:63:43:3d:cb:66:7e:81:47:
80:90:4e:d6:ae:a3:66:b6:08:6f:dc:46:81:1f:33:c3:89:23:
2e:f8:54:a9:0f:16:23:6c:e9:b5:49:88:34:bf:1e:42:39:42:
7f:f8:d6:89
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE REQUEST-----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=
-----END CERTIFICATE REQUEST-----


@ -0,0 +1,30 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----


@ -0,0 +1,3 @@
V 361202133949Z 01 unknown /C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-ReachOut-server/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
V 361202134122Z 02 unknown /C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-ReachOut-chris/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
V 361212195059Z 03 unknown /C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-ReachOut-gw-ckubu/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de


@ -0,0 +1 @@
unique_subject = yes


@ -0,0 +1 @@
unique_subject = yes


@ -0,0 +1,2 @@
V 361202133949Z 01 unknown /C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-ReachOut-server/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
V 361202134122Z 02 unknown /C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-ReachOut-chris/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de


@ -0,0 +1 @@
04


@ -0,0 +1 @@
03


@ -0,0 +1,101 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-ReachOut-ca/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
Validity
Not Before: Dec 2 13:39:49 2016 GMT
Not After : Dec 2 13:39:49 2036 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=O.OPEN, OU=Network Services, CN=VPN-ReachOut-server/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b9:5b:fd:e8:c8:ed:ad:6c:e5:f3:0c:3d:cf:bf:
1a:33:c1:f8:9b:f6:47:b2:ef:55:72:9d:68:76:de:
55:e5:82:42:cd:ae:b0:63:ea:94:a2:61:28:bf:b6:
5f:35:b5:6c:53:61:e0:82:f7:8b:4c:fd:34:ae:ea:
5d:2c:5c:84:eb:51:97:20:d6:ec:5f:b9:25:ae:60:
e3:69:66:7d:1f:d8:11:d3:97:da:4e:dc:5c:21:54:
cd:5d:79:08:91:13:e2:08:f0:ba:23:51:23:99:fd:
d2:e6:42:1f:66:1d:dd:9e:f3:c8:eb:51:42:a7:7c:
5c:fb:81:95:1b:9a:73:5b:48:fe:66:d7:02:fd:16:
94:24:dc:94:b1:5b:6e:bc:d1:89:b7:90:1a:93:ee:
49:14:2c:4d:a7:f5:89:03:ec:6c:02:cf:75:5e:87:
ff:76:f1:27:b6:93:5d:7e:cd:2a:51:dd:58:75:f7:
12:a0:9b:64:60:36:07:bc:cd:c4:88:b3:6f:c7:43:
a8:35:6f:54:ea:df:48:e2:cf:39:d4:84:d7:9b:96:
4c:63:18:4d:73:9f:de:5b:a0:ac:4c:19:74:02:4f:
b4:dd:20:bd:97:ad:1f:f5:ec:df:01:98:21:c1:4c:
9a:7f:74:31:e3:6c:d9:f1:61:f5:55:2f:25:6d:ae:
93:2d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
12:3B:C5:E0:5F:D0:39:99:F5:9E:1D:28:27:BD:98:6D:47:BE:C6:33
X509v3 Authority Key Identifier:
keyid:5F:DD:9B:C8:1E:20:6B:2D:AA:C9:B2:27:FB:7C:EB:FE:DF:5F:35:7B
DirName:/C=DE/ST=Berlin/L=Berlin/O=O.OPEN/OU=Network Services/CN=VPN-ReachOut-ca/name=VPN ReachOut/emailAddress=ckubu-adm@oopen.de
serial:C9:54:AE:D1:38:24:A9:15
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:server
Signature Algorithm: sha256WithRSAEncryption
49:dc:84:e4:5e:d0:2e:a7:92:bf:9b:25:7f:5d:cf:fd:c2:e8:
69:15:d7:44:20:18:d0:70:8e:f9:c5:25:b5:7d:50:03:ee:45:
99:ec:31:46:6d:0d:98:a4:56:0d:5b:b5:b7:fc:09:9e:d2:55:
10:e6:21:67:f9:e7:44:c8:c8:77:80:88:c1:f3:a6:51:8a:f0:
38:11:59:5d:c7:fc:d1:dc:c9:e3:56:b0:83:40:06:e0:e6:24:
ab:b2:92:9a:cc:77:dc:2c:e4:4f:77:2a:e0:cc:1e:3d:61:59:
70:ee:9a:ab:7f:a0:46:e5:54:68:bf:22:47:44:16:c2:bf:a0:
f2:2c:71:d6:2e:fa:c2:c6:c2:4b:f9:55:34:f5:2f:b4:f4:ad:
b2:bb:c7:d2:93:27:05:4d:0a:2d:76:31:1a:84:39:bb:59:5d:
b9:0f:c7:cd:6a:55:c9:9a:92:bc:90:a7:bb:c6:c9:7b:b7:56:
82:ef:0f:19:69:7f:68:03:7f:7f:ab:5c:f1:1e:ad:d4:50:7e:
02:52:59:67:f4:a7:d9:a9:b6:bf:0f:62:2f:55:fc:b6:46:bf:
f6:d5:11:3b:a0:7e:4b:04:83:72:77:ae:88:e4:2d:5e:c7:2f:
26:c6:02:52:50:f7:07:f7:35:e8:45:37:32:dc:99:0f:42:17:
7b:19:73:55
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC5W/3oyO2tbOXz
DD3Pvxozwfib9key71VynWh23lXlgkLNrrBj6pSiYSi/tl81tWxTYeCC94tM/TSu
6l0sXITrUZcg1uxfuSWuYONpZn0f2BHTl9pO3FwhVM1deQiRE+II8LojUSOZ/dLm
Qh9mHd2e88jrUUKnfFz7gZUbmnNbSP5m1wL9FpQk3JSxW2680Ym3kBqT7kkULE2n
9YkD7GwCz3Veh/928Se2k11+zSpR3Vh19xKgm2RgNge8zcSIs2/HQ6g1b1Tq30ji
zznUhNeblkxjGE1zn95boKxMGXQCT7TdIL2XrR/17N8BmCHBTJp/dDHjbNnxYfVV
LyVtrpMtAgMBAAECggEBAJ4RpOXu80EBrNcniU6wWVfqAmh+DYa6MtQbCArWb8nY
278rSaDrWvVehbF3hJn4rPgub5dAIrr08wh3NB2wiGlkmsyWe9zltwyN82De1bVi
PVGEHddCdA64kqkzneqaWhflsdaMSx/3JPLXUI90yJnUq3KBSaYql+CjENUJUXZ1
xW9yoid8SvYqc6+MiSU3/Fu4X4i+cvG55TZ+bgN48gZeaMazkTbHJP8DJ2I3VMEC
ZsH67kF3gtibKBc05Gxr5AhOYlKTMRhOaG38z37v6M8hsLtXOz8l+NJ7nxV1dO3S
8AMEQz8idd3NaUr/bvGdMSofRoyKosxwQKrQ0ewOisECgYEA3D4AJlolveYuF8kc
AeAnpf4QiDbmmspig55Fa/wcoaPKlkEKqzFuBf+v03OeVqJX6LR6LaPfJr7Qxjv1
qjefQvcNHD7EBV4YLUTxMehG+4ayHIEiROD+qb9yoKUrJSfOrW+FrUU87hQwLiVV
Jjvwij7IY8lmBA+jx3nVH9Hz3/cCgYEA13Qk1aCtCG/VgY1LZ6Z/X9wkfqS3YBZt
RCLiALtphs0rysplZovntEPcQRiZzCwB2K+rubCPqTgDtFZG3PeqDMRBfdB1yuqp
73CM6Tvo9H3LMisRRFkExPOYA84etGrr5Rn2gBKmerrzst+9VJAT3FSH0SAtdkes
rRwh+G425PsCgYBtVGXUpAl6REp7Sj0Z/UERWJayV7aP/ol61tWVblh0MQ+/GNiH
9Qit96g7qnhef0ZuYTEJeQCshiqzTU59ShFIN8WNUOcT1wrfZgrpgGnEMLA4EC6H
zLz+XOg1MOjDEAi79dGBGw7NDL6CGcw0J6sXpWTqjC6VM4JU4njWy+1pLwKBgCKh
coI771QZ1bGbKnGgm3ym/96zTx5MvIdlK/p+JTobpFxWJ/JRro6VEcQM1juxHyLb
KbkRHiZO8Jl9/KnrzRN8QCKe7TAOg/4Okzex/4G87npD3eSkglW96cNC0ECjpwMO
J0byuHulrSIlQGNlPSv/Ek2U5HnMj37LtNIftQcdAoGBAJciB/qFtf1LWYdFe/f8
fgZBCyb4gDO9CFKFKUAzOxyCmjPmrgMqHHX8flmR4tPl672NbKdKRb0PrmjJ7mfI
LQ5xAtPY35DcT48C9bRXVCTq3xWqrGzVGYeg3Eu0EUR3YxgmAo+BlA8XgSSdpYME
pXypj6d3NWQHS8ERR6XSGCVK
-----END PRIVATE KEY-----


@ -0,0 +1,21 @@
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
0d93f89ecf24cf310bd30e8319a142e1
4ebf7508a293db1392c69e7cd4079271
a27f9e64288772ffc7d6645cd7c7f5d5
0681237cff1fe4ef520d9b90609f053f
e4980b81c1cf14015ea0510114c4a71d
b0fac8f22a02fa4bb63dbfb90b094842
9ae86a022ee4f8ea344cfb89cb787fa8
79b5ac1178bcba8cc27619cdd5ba7a0f
46d11ea63d7a9fe1f1ff84d631124ce7
04ea9fd27add0e4462cc5a404227f0bc
533647d8412d6399010729d4dd4dbd6f
70d667a64ef8183d9db91ee13c5efe2d
3f559bf3c5bb0fce0010522dd61ee765
1b078eb55aea89a0c89f23ba7a6d2c39
b5ca2616e27001dfbf7e58065a31ad61
1d236dc8bff5873f97d0790df1de11db
-----END OpenVPN Static key V1-----


@ -0,0 +1,300 @@
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1195
# TCP or UDP server?
;proto tcp
proto udp
topology subnet
route 192.168.63.0 255.255.255.0 10.1.72.1
route 192.168.64.0 255.255.255.0 10.1.72.1
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap" if you are ethernet bridging.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh keys/dh2048.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.1.72.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /etc/openvpn/ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.23.0 255.255.255.0"
;push "route 192.168.72.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir /etc/openvpn/ccd/server-gw-ckubu
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;push "dhcp-option DNS 192.168.72.53"
;push "dhcp-option DOMAIN ro.netz"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
tls-auth keys/ta.key 0
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
persist-local-ip
persist-remote-ip
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/status-server-gw-ckubu.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log /var/log/openvpn/server-gw-ckubu.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
#crl-verify /etc/openvpn/keys/crl.pem
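Review bot: Revocation is switched off: the last line, `#crl-verify /etc/openvpn/keys/crl.pem`, is commented out, so a certificate listed in the CRL is still accepted by this server. The certificate index in this commit shows the issued certificates valid until 2036, so the CRL is the only practical way to cut off a lost or leaked client key. I would enable `crl-verify /etc/openvpn/keys/crl.pem` and make sure the file stays readable after the drop to `user nobody`, since OpenVPN re-reads it when clients connect. Separately, all three `cipher` lines are commented out, which leaves the build default (named in the file's own comment as BF-CBC, a 64-bit-block cipher); an explicit `cipher AES-256-CBC` here and in the client configs would pin a stronger choice.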


@ -0,0 +1,300 @@
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
topology subnet
#route 192.168.63.0 255.255.255.0 10.1.72.1
#route 192.168.64.0 255.255.255.0 10.1.72.1
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap" if you are ethernet bridging.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh keys/dh2048.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.0.72.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /etc/openvpn/ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.23.0 255.255.255.0"
push "route 192.168.72.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir /etc/openvpn/ccd/server-home
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
push "dhcp-option DNS 192.168.72.1"
push "dhcp-option DOMAIN ro.netz"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
tls-auth keys/ta.key 0
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
persist-local-ip
persist-remote-ip
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/status-server-home.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log /var/log/openvpn/server-home.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
#crl-verify /etc/openvpn/keys/crl.pem
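Review bot: Certificate revocation is not enforced by this server config, because its last line leaves `#crl-verify /etc/openvpn/keys/crl.pem` commented out; a client certificate revoked in the easy-rsa CA would still be accepted as long as it chains to `keys/ca.crt`. The gw-ckubu server config just above ends with the same commented line. If it is enabled as `crl-verify /etc/openvpn/keys/crl.pem`, the CRL must stay readable after the drop to `user nobody` / `group nogroup`, since OpenVPN re-reads it for new connections. Separately, all three `cipher` lines are commented out, which on OpenVPN releases without cipher negotiation presumably leaves the data channel on the BF-CBC default named in the comment; an explicit line such as `cipher AES-256-CBC` on server and clients would avoid depending on that default. `comp-lzo` and `client-to-client` also deserve a deliberate decision: compression can leak information about tunnelled plaintext through packet sizes, and client-to-client traffic is forwarded inside OpenVPN, so firewall rules on the tun interface do not see it.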


@ -0,0 +1,58 @@
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#
[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0
split_into_parts()
{
part1="$1"
part2="$2"
part3="$3"
}
case "$script_type" in
up)
NMSRVRS=""
SRCHS=""
for optionvarname in ${!foreign_option_*} ; do
option="${!optionvarname}"
echo "$option"
split_into_parts $option
if [ "$part1" = "dhcp-option" ] ; then
if [ "$part2" = "DNS" ] ; then
NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
elif [ "$part2" = "DOMAIN" ] ; then
SRCHS="${SRCHS:+$SRCHS }$part3"
fi
fi
done
R=""
[ "$SRCHS" ] && R="search $SRCHS
"
for NS in $NMSRVRS ; do
R="${R}nameserver $NS
"
done
echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
;;
down)
/sbin/resolvconf -d "${dev}.openvpn"
;;
esac