Initial commit

SPR-BE/openvpn/gw-ckubu/ccd/server-gw-ckubu/VPN-SPR-gw-ckubu

@@ -0,0 +1,7 @@
+ifconfig-push 10.1.92.2 255.255.255.0
+push "route 192.168.92.0 255.255.255.0 10.1.92.1"
+push "route 192.168.93.0 255.255.255.0 10.1.92.1"
+push "route 192.168.150.0 255.255.255.0 10.1.92.1"
+push "route 172.16.92.0 255.255.255.0 10.1.92.1"
+iroute 192.168.63.0 255.255.255.0
+iroute 192.168.64.0 255.255.255.0

SPR-BE/openvpn/gw-ckubu/client-configs/gw-ckubu.conf

@@ -0,0 +1,270 @@
+##############################################
+# Sample client-side OpenVPN 2.0 config file #
+# for connecting to multi-client server.     #
+#                                            #
+# This configuration can be used by multiple #
+# clients, however each client should have   #
+# its own cert and key files.                #
+#                                            #
+# On Windows, you might want to rename this  #
+# file so it has a .ovpn extension           #
+##############################################
+
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Are we connecting to a TCP or
+# UDP server?  Use the same setting as
+# on the server
+proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+remote gw-spr.oopen.de 1195
+
+topology subnet
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# Server CA
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIGzDCCBLSgAwIBAgIJAMzhic2M9z96MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMH
+VlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNA
+b29wZW4uZGUwIBcNMTgwMzE4MTM1NDAzWhgPMjA1MDAzMTgxMzU0MDNaMIGeMQsw
+CQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzAN
+BgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UE
+AxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJn
+dXNAb29wZW4uZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDU3Y3K
+UW+th51pqc+MttFyQNVQ+TwGUFptpoES5KIDqXifbqQfTLNUch1us+C0e6qt6B/t
+ZSotqwAqBgA9bT4ws02sMP2U7U0+sn+rxvb9H/6Q0H4KixfsyTTxqrstEphEE2aF
+eC9L3Z4QlJuafsuUWIxT9LW1KnaPV5CIDz/cJZIO/Xc7/TRyiO0ylgf6+br2zAFH
+Rm8Tnr1TDUm2ftB0ukG2wsmGhd/+lXPBrXWwC83NBYjFi0o9OZZmAUekyNWUTHQY
+UJ1fLJAPLdpoVuxbV0BK6HQdpRvj4KyMBt/kEcGMXSLuAr1/848wI1EI8AuFyaZV
+RQdnS6yHxZ4+Mi8YSdXEj+nb/SwBGxz9kmmVUQCTlPm/B4Y5I+3ivS9PxihpSwHo
+zJkr8tr+xwfnFXSXB3wPdYu9rD8KmY3/uDYy9iWLg0/xW6keL4luDCVNjltMjc0x
+03MOpv9cjN2eBwGyU2dHyyfDPSqSsQi9FZeWmgCzwJ0rL4WywDRc5paXbaWtzdqQ
+98gVox7lFbmQIE5VoFc4VTKEIY9D/cLdmZpWzPHOn3vPEc5eAFKb5qZv2IlN420Q
+CSCFJAb5orrIj9ALAIvFXfvTv5o7G+ZEvk4eMP39nK1ZXc6/cL7/IapPfy3/vUs0
+tEph6pRHP39bcH9pxVAA7WkTS5ZEUshA7NrUEwIDAQABo4IBBzCCAQMwHQYDVR0O
+BBYEFHHdskSE3v+RJciX4ZEOWD5SJZ+qMIHTBgNVHSMEgcswgciAFHHdskSE3v+R
+JciX4ZEOWD5SJZ+qoYGkpIGhMIGeMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVy
+bGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQ
+TmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBO
+IFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDM4YnNjPc/ejAM
+BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQB1cA8o2Fo78xQ8jRdyfbvK
+GFH8+SMoOh/8qxj9prk0kLYAro5QnzEBmftHhf3sXevEAUWpr77VL1FxhTXgKUp2
+S06S/meC24M/KclxM+W/7AuG9yrJuW122l61OuWUcDWA24oj0KG896Mbw13ieeWS
+7XmC1YU5Lix3wiWnjD7QZ+E4dg09z722+zwUi1UwRekzJZmB8pTHHmbX4Yig/K27
+STnxQEiVZzlzcvjY6QvC3Sj/aA3YCSNl0bsSwH6GwXXJZ3BEKmm6w+ZRQMTz7+72
+q0ybGf43XH4sj2OBm1YvCD8LehygPy2uJYlDxG8zRq2kxYxiWLbncs1x9Acusd7l
+Te+k8YArRTqsWLN5Q47sGO4H1clz4ay80TTuz4Vc6JQ3banHDmMFV2nMsR2YtKX6
+lKD3lXvMU04ZvZe2SolP1uTto3Jw3cNarigj/nHjn5s16uvy6Q3x4TyVUqyAOqrG
+cuGrbYAEqtVnMrrovGZTj73HSwAx2PD+3jJKZH+suwBIijNL90wbkNlsNHlNcQeQ
+zQAlYRBdCYWFU+7d86kUWYYrActGZc2MJmBZzZ/Tt7YoOIw6NMnWcpMMTUV+zToP
+WWrD5OMDc7EX9BmMg7uif46UF6ol2puGXpQIF/yVRbFk1IiPwhc1ZyCuh+1ugh5+
+CZSTeKgLDVjfXlqH1ErAvQ==
+-----END CERTIFICATE-----
+</ca>
+
+# Client Certificate
+<cert>
+-----BEGIN CERTIFICATE-----
+MIIHLjCCBRagAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIx
+EDAOBgNVBCkTB1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRl
+MB4XDTE4MDMxODIyMTMwNloXDTM4MDMxODIyMTMwNlowgacxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRkwFwYDVQQDExBWUE4tU1BS
+LWd3LWNrdWJ1MRAwDgYDVQQpEwdWUE4gU1BSMR0wGwYJKoZIhvcNAQkBFg5hcmd1
+c0Bvb3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANmowNDa
+f1Pz+ACS/w8DzUiRIu7i6yfteeWBnVTh4pF0wmmbIV6sq7nFXHefINYYju/szU5D
+jqm1750YUPKVmJi7c+CNKkQt2kNa80qPENaZ50TuQAWjHgIgVC1IPpkjk/+2dIk4
+rVKPwC0B2qolvH8lj1VXgt6ieRU6CwLCuB5JtvKbOEz0wCS2sCKPscz0R+/9jf+9
+DAB6Cr1t4MkawJ7h3mn17N3tmfDUqyGr3hf8nvJgMFBTJsRLKcgdNEfDUGYT1cJ5
+8rqNlBjssx24T2Kv/V72tvgv0Y88jDQLJIAO/swqWcYaqKHQAvvmg3zYfri10V9M
+sExKswfEvGLgly+3EkMhPuEU9Jqi+c5m4awKGx6Ww0YgJJkhgHw+D8/7/EjiaXM2
+sVwSWijStYRmf/LmYlS2Ts38MHAC0WjTd2j8iOB1a4djDv2jGSv0iq3zpv63I0FC
+DqVqTWhzJGkMsUowk4AyWrnKNsMfC4ZHG2c8DThAAuKW/OOu+hamGAkUuNC6SYMh
+GZus/VoPJudF5vp+5AkthAo/N5wPxIm/nWJXV8Nr9Cd24TIb7TeX6ESWCkZMs/O3
+1BWxJZ93n5Pv6uEPlBp1bh5oj69F2vVm9kal8YmpO8jkuwzuwJgs7f300aiG+JJF
++Pz68w/5B170pguuybyq8UQNJJhYMyo9L9nBAgMBAAGjggFqMIIBZjAJBgNVHRME
+AjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNh
+dGUwHQYDVR0OBBYEFBNSxrpHA9HfrvuHjvuKZnTXkdN2MIHTBgNVHSMEgcswgciA
+FHHdskSE3v+RJciX4ZEOWD5SJZ+qoYGkpIGhMIGeMQswCQYDVQQGEwJERTEPMA0G
+A1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZ
+MBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMHVlBOLVNQUjEQMA4G
+A1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDM
+4YnNjPc/ejATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEwYDVR0R
+BAwwCoIIZ3ctY2t1YnUwDQYJKoZIhvcNAQELBQADggIBAEDGKiwnx2nlVB4VpK+H
+4fE6KYLjqGCpZLliRxXD2V/zLwXt63hYGMPUxUmqq+nnQAIzbReOf4/3avwuaoMc
+h8PGmbTdoZic5Qxu0FwN7f24eemYuEtC8R6jrLVHffuCmNX+n94T9Fw8dh5Z4BY9
+W3JHr62y5CkRE03VTWgiu4nRluknwyJFYFcj8p8h6kt9qIoSpcaOTfyrhUUgxu4n
+jECCw7ZjZbLvaWq4k5Sea9zBL/5p9phJVvgmZBfioMXKbYrg9MUunWxMDJ2+DRdL
+vV7wWwByHrMhfbZ71KPAeJF8MsXR6WHaHTzckqOh0l8O5BPzU07IJxhKh2HI2joa
+ZfEf5df99ARtH7yUi9qb2/OgqUe2uF/Z6MDUuuipoK95PACf8yvGGEprzqAEusoS
+kvXJAkTHBajNPZf3M909Wqy0C8rRVC06+y9AT1Toba3yTb2wUEOFQ4vwJK+Iwi3d
+16za6vzZArEgpij2me5RVblwVoSDlqbTTKN/obTOm3Vr2tBX1NCdVaQuwwWTcAmj
+zuMd+bluEOOnlBfATuLdnRdgZAA0LbtQAxOcpdUsxR6KxyXFqlo7wPefx7GJKeTa
+At0U50Jw76gTAwxTgdgyBuol998pZheyuFavjH9KmWY/q1N+WyOtPgF30VjbpDNf
+GXH8zFh56LyFtBxdpjuVSUEj
+-----END CERTIFICATE-----
+</cert>
+
+# Client Key
+<key>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJpDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIsMy/MytYtzsCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECM8bcaVcNffeBIIJUNOSqKmf153a
+NBjm25drvNrgo+bEd2kxywgcjqIyl/csUjkbx3WWANZZAdRIFgtM2mN6xiGPAzpB
+AMU+0FhbMeSC4aaoE6kbu0QREcHxgLemoA1+3c/VMfzTXJQ5xtr84pyBfj7lwYTh
+uOC8k5WYV0VCWWwj39TAAfF/eqIzfuN4L2ybSgQyHHyWQPvCgfEPMZi5lBcPtZT5
+OQgS30tFTgNOmz+wTex6uOJi0Qqo6MvH3rWv5rRwO17FZU6v+SLXcopvZfrO4WLN
+AMHzjIvvfwmO+7/ypLnVdBYCd+CpvBUwcEbPVqrddWhNgidlOkoQzVnK34wexRvm
+eDjmm8JbTHFQP8+DMEAODlMPNxMD1vCC/vM7bKMjCNYGjRwrxtL9Z8drp1wgzULJ
+8AY3J72+lL1yMQNoch0Niuda3RDBs68FeVvGaFmGCPlzDdfTlex0Pi+BFeuTao0Q
+7Y9zfcjyv+p4HxMg6YoIIQYOEogWO58GF1UL0zOJD81j4ihkT7HTWtOskw5E6Kfq
+WEWyW5Oe4xR0PZpHNrYVURNg6kIxEBwRFfskFofGac36tKJ2fJseESkuqvXLenNt
+Y0Epi/AxwEZa0E+G2ewNPNoBAIvRlOx0CBWWQKeCVaOgsOD0zyqYPsCGFWDl+2d5
+i8afGhTw/8oqhwNwr25tWhW1xKbMEGchycywGGQloGvquv7kchJb6lDADZtF1++v
+4wgRwtiBYOvkqXSLOpFiZinvmUMmqXD7PqG9yWF7XlnRV8JJ61RP2cuKCTXXCGfI
+dtzLnet/4lUV7S0Wd3g1US2iPz6LJ+ngOBQEbAqFvInBiZFyduPwQJo0yswDyJYd
+WNhmHumuFSSCdnAF6qVjuKhsNhftY5w+xww6RhAqst1idoVqYSt1LLODwKVQfIPs
+uctF108LBYPBGf5tEC5Z1KRpDQO41q3F91eTZTVEH8Su1pW7IbMGt8XTUVRJESbQ
+SYH5ELMdd+tb1ccD2fZZV3R6V7vI7ejAzOWdmjqaITtPGsFcMevc36YmJ18OQVBe
+mTZJjdx28sGrsoqCSvgc7ii0DFLWZrRs4WRrgoxQq/G0zKLuuGXhlEgVw9QhIfeo
+fMj1ebR0oElSimcqwPJYI/DDfhYZUA5Mx2Ewnfs1NS+CGoo+UcDKNHQRR3uEmP7T
+1Mhg+MQ3b6ssZ8uZQut1E6bALf9ipH5xkN6rgniJsBL3lzvkN+/5XiE5qz16bmkN
+gpF1+8G0/pjDi7a0Fw602ffdD1XAfcV6SMobDgTyMmjybgZHzf6cFy9gKrRa6WV0
+do4Oc+uv0Nmj6wrAYO4s/nuJnpeTY0wbuHJgcYnTmUX15kIw+bPJ2UIGjyS8QpkF
+evX8XeN48U9mknoQv1OfC6+kE6jgqQiDzigy9nSHFc4kIQWsihO6NKDEia11RWCn
+QN3t8sHDNZdFY3dy7nnQRIhFNEy6InjLnUbfhuzgZVaVoaqULH8EmoE78z25zi0H
+Xt6P+hkW8zZthYHsucVvyiNqZmIb50MK/5VHuORXsepWD9hX/rEyFxsv71AyBl9x
+TSHjk4cgBqVh3uRH8NxNNvWnx7Th03Zk4/2dzNUc5taj3WX2jCH1vaKBMI1BBHJD
+QWNIrwCExUOIAbYJLGkyihnTv4PCRlZrYQtMyx0laxYRdWR6lsIk83jcMWkWfhPf
+YbYd/XIIR+hOFrUIM28Y2TTPHpJhbuORP7z18o2heUV0ZD3LdMi27/JtsSZHlbOu
+nqdP9reWG8Kx6mjEdSFe5hTD0VmZ3Yks1jGp3QBcxQivAbLoXsP5VOMOPr7zXmb1
+m9uWqtC+/1L6lAg5iH0YNyvrmRL02uzMiEXBQQDx0CYqcWJY+hwaXU6MnSyUMH7F
+H7wAW2cqq1XCBVFWUIPI6P63LUlgewzmseaAGgD7tfbGSsx7BwseMXUwtdOYt+Rp
+H8/3QeLLAfgD2Kl7Mv8F8l+KsBRNpaSJVYCqYH5ogzjRiuwDwsOmRdHKRh+r825g
+fAJsI3grgZOd7poDQSisRZKOAF/ytTclreostJGfwLEE7IpUA/R7yLPCTI/mdPwT
+4zRZ2N0fovkApA6hvhIpnhaA5XXuY7gmN8E0tgokZ7NsiL0JgFUFevEwzvZhlCJI
+7edh2kPl379+bT1lgy37Z0V8ntU0S3I/g+6RsepDuWtCGsW434Z+iAAv7aKPJz0H
+UqNHS4vElG8tQKBkO+qWRdC19hmM5itQoy/nD935hyZgRBZKFTmO3kNPPyvHVTdJ
+hYTN/WAuXAMrP5HvkMv4AXZLQSk/YJCcJsPN5p8Kd40oEuwMumI8HCwXlSnpHnro
+prdZrrCCUQ2232zCw5qQ4KZl7i5LB8AkLmNXtMUscHf6Nge3GSTILFaKoFYrDPF5
+P6u21fO1R2HcA+b7xKzK6ecpPZA25ggxPMqvRwCnT/gueVSXjOIhd3f2pEs3yVWM
+W0HenWuiWcbryuzcPAJytianU1KqtrEYhqFTxcdJAYa4xvFbCtGrmVuJ8NRomSg3
+BdL8lOfdYxE5R8VYfVxw2jcLiK4o2Bqjt17kHTzzP95E8Eybkzgo5vycmMedOBsn
+rBOUJXYFSo6hONNiMR1vlIxNi2Tdo9w5wKHUerVdXhVSLgvC7SeJeArN6+To+MVR
+n73jBAA48VcA8d5miDNnfwEDguP/Fg3+vo9VAWccR3lq9tHT1GkNyz0gyYLxmwoV
+2w+QkNYM2SzbrsDJ0GEN7s8gEkeQHuwcXHsdyJnLJQJsTrZaaHDd65BMXseE9dwu
+Lgf0zuiq2DCDTJEvabd9siS7wDOxJAKzd3atP1O4ylnzSHgvi7DNQJ8Xeu8FF43L
+Sn6KmWhdtfIhL3uNAvI2/6434qWKU4WE5Ro/TjI4uMxmfkTTQPmffJTGnH9nYJjJ
+aURTTNSKQGbeyBS9KEUjSyQAAXBaDka4zP93eOi66aeUNaMcod1aKLo9r1LpjVqe
+3qLBy7cCP56qaMTJChhwhYWtwyu5AqX2fk4LRAOrm7olFNlbJ/QMYEahztZzFuiO
+hCCGNebRqk7IYmXnvoA1gJ7VJEov1QYeLX9xnZqF+qwHzs29pNZwADtvBlWn+MT4
+yCy2JxLwIwfVuMsJWRzvHcpeOzmgtDIgUkqGzpjPB5bdtbr7GFbFkpms29DmGLtT
+Ujfylfy4W1TZtS1ryCsskAiOrTpXH0G7
+-----END ENCRYPTED PRIVATE KEY-----
+</key>
+
+# Verify server certificate by checking
+# that the certicate has the nsCertType
+# field set to "server".  This is an
+# important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the nsCertType
+# field set to "server".  The build-key-server
+# script in the easy-rsa folder will do this.
+#
+# Note!
+# The option "ns-cert-type" has been deprecated since 
+# version 2.4 and will be removed from later distributions.
+#
+# Use the modern equivalent "remote-cert-tls"
+# 
+;ns-cert-type server
+remote-cert-tls server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+#
+# Don't forget to set the 'key-direction' Parameter if using
+# Inline Key. Usualy , sever has key direction '0', while client
+# has ke direction '1'.
+#
+key-direction 1
+<tls-auth>
+-----BEGIN OpenVPN Static key V1-----
+50c09d4cd2d32cbfadcc9ebff8e624d2
+f7a5730ff6b708aad8a6bb14b3a7619d
+e32764bbe875f11ce46213a35500cc2c
+fd0b6bf2e7b8cc2392a478ad7f4e7c7a
+3fbe2e50a781ea9a4fd83cfaf64725db
+98b4740b145e2d948b3b09975866c03b
+a268f82e767fa2517b469ec3e563d321
+8156f8f192f75bf8385697aeed6b9f33
+fd74e02426437c42dc7a85afd828012a
+911e7d8e837249d33a4209dbd0a2c017
+c0ee31207a0e5ba05e736fa1c9af1cbb
+0b39dab31939eb37df367d1eccf61ff3
+28135f42ba70344179186cdd0cac5058
+9cb4bac7dd08436d1efbd452b72416e8
+59bc9118c2c6aba6107faca0604d947f
+ff8569318b234e4ddbb68189b1504969
+-----END OpenVPN Static key V1-----
+</tls-auth>
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+cipher AES-256-CBC
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+;comp-lzo
+
+# Verbosity level.
+# 0 -- quiet except for fatal errors.
+# 1 -- mostly quiet, but display non-fatal network errors.
+# 3 -- medium output, good for normal operation.
+# 9 -- verbose, good for troubleshooting
+verb 1
+
+# Setting 'pull' on the client takes care to get the 'push' durectives
+# from the server
+pull

SPR-BE/openvpn/gw-ckubu/crl.pem

@@ -0,0 +1,18 @@
+-----BEGIN X509 CRL-----
+MIIC5zCB0DANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUxDzANBgNVBAgT
+BkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9wZW4xGTAXBgNV
+BAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIxEDAOBgNVBCkT
+B1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlFw0xODAzMTgx
+NTU5NTZaGA8yMDUwMDMxODE1NTk1NlowDQYJKoZIhvcNAQELBQADggIBAHiAKVWa
+aJxRcohJGD6hfhXEOhBqV1GxWWuoEP1ONgdgsXTEfEDdK+lTS4P0PNyxEkbFS8OH
+TuRfg5OhmONezKAi6C3rGZHeM/jYwlCaoD1mNABgwkBKiU7BeXfdho1j3dhjgZ6f
+IYVEcWFM+0UDJsnZHeA6zkpjRTL1AlB0I+mYg5f8fb85SVoxNIk3C8Hh22X19wVd
+MHYb4/F/k6AAcetLwuptdgS7nsWQama8BkJ1d9nBLV+aKdx39ZSOWKy4TuExicN3
+B41kh1qOqOnTYGkKjLLxn8AGdk4cqvZprraO6UEL4xV7WWRk3n6eaWsp0WLUnpTq
+5y3QhdSwne/nT/WAsUVE0qoKz/0LIHwL3YyEFNPpfdKn+0ulp1loqlPfZiGDEZ9s
+qs1lPAb8hSj8Gtoh6Ehb9rjH3ia78EVhzG/Npnzcq8IkJW9U9KjvJkjLUYQB0cE9
+gAKjMtJ1XWf1G/H6jYHSt85FM/fq8gnQX/yBVJzXlVdYWL4giS1K3kATJ9OjH3TL
+xyB0Evi15vG4a5HlbNT6g/a6GvEEfS6ANaBC82uRFK1AjELRCiKvjnOT5AndB/uV
+Q/tgplEqJJX2CQrH+BRUe0PWtOl0UYC84fGNr1lySHeWaI3Z3UUYeBIgJ+Y3d7/4
+5u5CE+zRVhxqCD1bxxZdJq8F8zQe4fOlWR3L
+-----END X509 CRL-----

SPR-BE/openvpn/gw-ckubu/easy-rsa/build-ca

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-ca

SPR-BE/openvpn/gw-ckubu/easy-rsa/build-dh

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-dh

SPR-BE/openvpn/gw-ckubu/easy-rsa/build-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-inter

SPR-BE/openvpn/gw-ckubu/easy-rsa/build-key

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key

SPR-BE/openvpn/gw-ckubu/easy-rsa/build-key-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pass

SPR-BE/openvpn/gw-ckubu/easy-rsa/build-key-pkcs12

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pkcs12

SPR-BE/openvpn/gw-ckubu/easy-rsa/build-key-server

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-server

SPR-BE/openvpn/gw-ckubu/easy-rsa/build-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req

SPR-BE/openvpn/gw-ckubu/easy-rsa/build-req-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req-pass

SPR-BE/openvpn/gw-ckubu/easy-rsa/clean-all

@@ -0,0 +1 @@
+/usr/share/easy-rsa/clean-all

SPR-BE/openvpn/gw-ckubu/easy-rsa/inherit-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/inherit-inter

SPR-BE/openvpn/gw-ckubu/easy-rsa/list-crl

@@ -0,0 +1 @@
+/usr/share/easy-rsa/list-crl

SPR-BE/openvpn/gw-ckubu/easy-rsa/openssl-0.9.6.cnf

@@ -0,0 +1,268 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

SPR-BE/openvpn/gw-ckubu/easy-rsa/openssl-0.9.8.cnf

@@ -0,0 +1,293 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines                 = engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

SPR-BE/openvpn/gw-ckubu/easy-rsa/openssl-1.0.0.cnf

@@ -0,0 +1,290 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+#default_days	= 3650			# how long to certify for
+default_days   = 11688
+#default_crl_days= 30			# how long before next CRL
+default_crl_days   = 11688
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

SPR-BE/openvpn/gw-ckubu/easy-rsa/openssl-1.0.0.cnf.ORIG

@@ -0,0 +1,288 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

SPR-BE/openvpn/gw-ckubu/easy-rsa/openssl.cnf

@@ -0,0 +1 @@
+/etc/openvpn/gw-ckubu/easy-rsa/openssl-1.0.0.cnf

SPR-BE/openvpn/gw-ckubu/easy-rsa/pkitool

@@ -0,0 +1 @@
+/usr/share/easy-rsa/pkitool

SPR-BE/openvpn/gw-ckubu/easy-rsa/revoke-full

@@ -0,0 +1 @@
+/usr/share/easy-rsa/revoke-full

SPR-BE/openvpn/gw-ckubu/easy-rsa/sign-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/sign-req

SPR-BE/openvpn/gw-ckubu/easy-rsa/vars

@@ -0,0 +1,96 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+##export EASY_RSA="`pwd`"
+export BASE_DIR="/etc/openvpn/gw-ckubu"
+export EASY_RSA="$BASE_DIR/easy-rsa"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+##export KEY_DIR="$EASY_RSA/keys"
+export KEY_DIR="$BASE_DIR/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+##export KEY_SIZE=2048
+export KEY_SIZE=4096
+
+# In how many days should the root CA key expire?
+##export CA_EXPIRE=3650
+export CA_EXPIRE=11688
+
+# In how many days should certificates expire?
+##export KEY_EXPIRE=3650
+export KEY_EXPIRE=7305
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+##export KEY_COUNTRY="US"
+export KEY_COUNTRY="DE"
+##export KEY_PROVINCE="CA"
+export KEY_PROVINCE="Berlin"
+##export KEY_CITY="SanFrancisco"
+export KEY_CITY="Berlin"
+##export KEY_ORG="Fort-Funston"
+export KEY_ORG="o.open"
+##export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL="argus@oopen.de"
+##export KEY_OU="MyOrganizationalUnit"
+export KEY_OU="Network Services"
+
+# X509 Subject Field
+##export KEY_NAME="EasyRSA"
+export KEY_NAME="VPN SPR"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+## export KEY_CN="CommonName"
+export KEY_CN="VPN-SPR"
+
+export KEY_ALTNAMES="VPN-SPR"

SPR-BE/openvpn/gw-ckubu/easy-rsa/vars.2018-03-18-1452

@@ -0,0 +1,80 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
+export KEY_OU="MyOrganizationalUnit"
+
+# X509 Subject Field
+export KEY_NAME="EasyRSA"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# export KEY_CN="CommonName"

SPR-BE/openvpn/gw-ckubu/easy-rsa/whichopensslcnf

@@ -0,0 +1 @@
+/usr/share/easy-rsa/whichopensslcnf

SPR-BE/openvpn/gw-ckubu/keys-created.txt

@@ -0,0 +1,4 @@
+
+key...............: gw-ckubu.key
+common name.......: VPN-SPR-gw-ckubu
+password..........: uoziengeeyiephu5voh7eothu1Aex8ar

SPR-BE/openvpn/gw-ckubu/keys/01.pem

@@ -0,0 +1,141 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Mar 18 15:59:51 2018 GMT
+            Not After : Mar 18 15:59:51 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR-server/name=VPN SPR/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:a3:49:18:ae:69:4f:5c:4a:34:b1:85:9a:4d:a5:
+                    ce:f6:2d:b5:6a:9e:40:27:02:3b:57:e0:75:ee:1c:
+                    fd:eb:20:56:eb:ed:24:f1:57:a5:cb:ad:0d:09:af:
+                    15:f3:9d:a4:67:8d:e5:a8:67:d5:1b:b8:36:f6:e6:
+                    9c:d3:e8:29:08:d6:8f:a3:5e:e1:e5:30:eb:07:bc:
+                    03:c2:95:a4:93:cc:19:86:c1:89:fb:9d:f5:38:9b:
+                    10:01:6b:74:d2:20:8e:4a:65:34:17:1a:85:39:d4:
+                    35:2b:04:f3:37:4f:f5:93:12:06:fa:c5:04:c3:73:
+                    30:30:1f:33:69:86:bc:60:cf:fb:38:ae:6f:8a:21:
+                    0e:76:35:7e:ba:0d:ad:ae:4c:6b:d0:cf:3b:73:a9:
+                    1e:58:cf:ce:bf:45:8c:52:75:ee:da:a3:f4:6c:24:
+                    8b:bd:b6:f2:db:59:fe:b7:7b:ef:8e:b8:30:ad:67:
+                    dc:bf:3d:ca:d6:e4:b3:86:bc:60:fc:f9:a5:ba:5a:
+                    0c:9d:c9:72:ec:ab:73:6d:2b:f5:9b:f0:a6:a5:c2:
+                    31:6c:5c:a6:54:47:1e:65:73:2b:47:80:bc:27:29:
+                    28:be:45:12:77:5c:44:51:cc:91:55:d3:36:5d:dd:
+                    f1:01:18:68:c5:08:de:ee:06:9b:0c:d3:a7:94:c7:
+                    99:75:c2:bb:f8:2e:19:46:db:d8:13:70:7d:a1:96:
+                    6e:21:8b:32:1b:d6:8d:74:4b:a9:1d:43:53:d2:11:
+                    3b:d9:63:b0:6a:ac:a8:e2:70:15:62:aa:c2:15:d2:
+                    1e:df:34:1e:45:3a:30:b7:54:1a:25:2f:73:c0:d8:
+                    1a:6d:8f:80:aa:7e:86:1a:84:e3:0a:c0:89:61:3f:
+                    fd:bd:19:40:b3:cb:de:2d:aa:97:af:dd:cd:a2:28:
+                    33:17:ae:50:bb:2b:00:d1:01:8a:25:32:56:d8:09:
+                    fd:58:22:fe:33:a1:f3:b5:16:cc:59:ca:d8:d3:8e:
+                    dc:62:13:25:05:c6:6a:02:fb:82:83:35:7b:e4:33:
+                    84:71:18:fa:bb:6e:48:3f:ec:be:72:a2:dd:38:bd:
+                    7a:69:89:28:6c:46:79:bf:34:30:39:5a:9f:a7:e3:
+                    9d:15:73:29:f3:24:f0:84:51:27:38:8a:20:5d:cd:
+                    d6:47:e8:2e:7c:6c:e1:8c:10:29:0a:79:96:24:fa:
+                    94:29:a1:6f:dc:d8:94:fd:d6:f7:62:24:6d:a5:cc:
+                    42:89:94:ee:8c:c4:19:31:0a:49:9d:e2:87:0a:29:
+                    cc:f0:b1:ab:8f:d8:11:71:46:de:2c:d3:a7:5b:2e:
+                    5c:f7:54:92:97:f8:1f:7b:42:23:b9:1e:47:0d:57:
+                    2a:24:bb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                BD:B0:0D:2A:D9:8E:FF:E1:91:B4:A5:26:9C:C4:D3:E8:44:B2:BB:D5
+            X509v3 Authority Key Identifier: 
+                keyid:71:DD:B2:44:84:DE:FF:91:25:C8:97:E1:91:0E:58:3E:52:25:9F:AA
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+                serial:CC:E1:89:CD:8C:F7:3F:7A
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         5a:36:4b:aa:dc:7c:3a:1d:93:f5:e3:d3:b4:cd:45:e9:ff:64:
+         9a:61:36:57:06:91:e7:39:24:cf:3c:4d:4a:3a:48:97:49:dc:
+         90:96:d4:4b:0c:35:a2:88:01:47:f6:a0:5a:74:71:cb:7d:08:
+         60:2f:4e:ba:de:99:20:e1:8e:75:d1:f6:96:69:9f:53:ed:e6:
+         7a:31:4a:e2:2a:10:10:94:1b:61:ac:e7:ee:f9:6a:37:ff:80:
+         49:12:35:f8:65:3e:1e:7d:9f:8a:31:cf:0b:31:cb:a2:37:d3:
+         7d:1c:41:cd:c9:0c:34:da:bf:5a:d5:52:da:6d:71:fa:37:10:
+         f1:73:02:5e:0d:01:34:ab:fb:88:5f:ea:ee:9e:e0:1a:e5:58:
+         e1:b7:f2:a6:01:62:bc:80:2c:42:c0:7a:b9:1d:9e:00:0a:bd:
+         87:d6:e4:a5:19:ba:65:c5:24:ba:e5:b7:a5:81:3d:34:b2:20:
+         1c:29:93:98:02:7f:1c:49:53:eb:c9:ef:73:35:cf:31:61:f8:
+         34:1f:cb:76:58:22:fe:4b:ab:93:b3:83:71:93:1a:5d:78:66:
+         29:3f:f4:f6:d5:4b:d5:ff:ff:f4:83:2d:f3:73:c3:d9:33:f2:
+         af:97:4f:f2:f3:f7:54:80:32:30:5b:b3:db:cb:a9:23:e0:df:
+         e1:d6:bd:db:3a:36:55:52:19:e7:1e:6e:72:0c:25:43:31:c3:
+         b5:01:27:af:72:85:e9:ab:ce:5a:62:8b:c0:73:be:67:52:56:
+         a2:6c:04:74:66:46:ab:fb:03:d3:3a:89:e9:7c:8a:0b:e5:d1:
+         01:52:00:41:f1:aa:fe:48:8b:ab:af:e1:4b:40:16:2e:f0:3e:
+         50:cb:6d:d9:bb:95:1f:f3:56:17:6e:67:aa:00:bd:da:9b:2c:
+         8c:b5:dc:3c:41:0d:87:7b:05:5a:6f:a5:a2:d2:cf:bb:a0:7e:
+         d5:aa:d1:cc:d8:57:9a:81:cb:ef:7f:ad:76:95:eb:65:6f:c0:
+         2e:21:61:fa:9c:6a:ee:f3:f9:d3:7a:9c:e1:5a:37:83:1d:61:
+         85:01:70:26:54:29:bf:52:50:7c:ff:5c:24:94:0a:5e:f5:37:
+         a8:36:2a:83:c8:d1:1a:ae:bb:19:b3:1b:a1:68:14:ef:33:a5:
+         7a:d1:b7:ff:74:d5:69:08:91:f7:f2:d6:e1:12:c2:17:70:e2:
+         13:f8:17:92:31:19:46:35:a9:13:79:f9:cf:2a:b9:8b:7a:2b:
+         b4:76:d0:0f:3b:75:0c:99:99:a7:dd:26:f1:da:82:7b:f7:d7:
+         67:8c:cc:c8:16:63:c9:c2:23:47:71:a1:cd:34:88:a9:8a:fa:
+         59:f3:1f:08:ab:e1:33:a6
+-----BEGIN CERTIFICATE-----
+MIIHRDCCBSygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIx
+EDAOBgNVBCkTB1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRl
+MB4XDTE4MDMxODE1NTk1MVoXDTM4MDMxODE1NTk1MVowgaUxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRcwFQYDVQQDEw5WUE4tU1BS
+LXNlcnZlcjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNA
+b29wZW4uZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCjSRiuaU9c
+SjSxhZpNpc72LbVqnkAnAjtX4HXuHP3rIFbr7STxV6XLrQ0JrxXznaRnjeWoZ9Ub
+uDb25pzT6CkI1o+jXuHlMOsHvAPClaSTzBmGwYn7nfU4mxABa3TSII5KZTQXGoU5
+1DUrBPM3T/WTEgb6xQTDczAwHzNphrxgz/s4rm+KIQ52NX66Da2uTGvQzztzqR5Y
+z86/RYxSde7ao/RsJIu9tvLbWf63e++OuDCtZ9y/PcrW5LOGvGD8+aW6WgydyXLs
+q3NtK/Wb8KalwjFsXKZURx5lcytHgLwnKSi+RRJ3XERRzJFV0zZd3fEBGGjFCN7u
+BpsM06eUx5l1wrv4LhlG29gTcH2hlm4hizIb1o10S6kdQ1PSETvZY7BqrKjicBVi
+qsIV0h7fNB5FOjC3VBolL3PA2Bptj4CqfoYahOMKwIlhP/29GUCzy94tqpev3c2i
+KDMXrlC7KwDRAYolMlbYCf1YIv4zofO1FsxZytjTjtxiEyUFxmoC+4KDNXvkM4Rx
+GPq7bkg/7L5yot04vXppiShsRnm/NDA5Wp+n450VcynzJPCEUSc4iiBdzdZH6C58
+bOGMECkKeZYk+pQpoW/c2JT91vdiJG2lzEKJlO6MxBkxCkmd4ocKKczwsauP2BFx
+Rt4s06dbLlz3VJKX+B97QiO5HkcNVyokuwIDAQABo4IBgjCCAX4wCQYDVR0TBAIw
+ADARBglghkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4QgENBCcWJUVhc3ktUlNBIEdl
+bmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFL2wDSrZjv/hkbSl
+JpzE0+hEsrvVMIHTBgNVHSMEgcswgciAFHHdskSE3v+RJciX4ZEOWD5SJZ+qoYGk
+pIGhMIGeMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZC
+ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNl
+czEQMA4GA1UEAxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3
+DQEJARYOYXJndXNAb29wZW4uZGWCCQDM4YnNjPc/ejATBgNVHSUEDDAKBggrBgEF
+BQcDATALBgNVHQ8EBAMCBaAwEQYDVR0RBAowCIIGc2VydmVyMA0GCSqGSIb3DQEB
+CwUAA4ICAQBaNkuq3Hw6HZP149O0zUXp/2SaYTZXBpHnOSTPPE1KOkiXSdyQltRL
+DDWiiAFH9qBadHHLfQhgL0663pkg4Y510faWaZ9T7eZ6MUriKhAQlBthrOfu+Wo3
+/4BJEjX4ZT4efZ+KMc8LMcuiN9N9HEHNyQw02r9a1VLabXH6NxDxcwJeDQE0q/uI
+X+runuAa5Vjht/KmAWK8gCxCwHq5HZ4ACr2H1uSlGbplxSS65belgT00siAcKZOY
+An8cSVPrye9zNc8xYfg0H8t2WCL+S6uTs4NxkxpdeGYpP/T21UvV///0gy3zc8PZ
+M/Kvl0/y8/dUgDIwW7Pby6kj4N/h1r3bOjZVUhnnHm5yDCVDMcO1ASevcoXpq85a
+YovAc75nUlaibAR0Zkar+wPTOonpfIoL5dEBUgBB8ar+SIurr+FLQBYu8D5Qy23Z
+u5Uf81YXbmeqAL3amyyMtdw8QQ2HewVab6Wi0s+7oH7VqtHM2Feagcvvf612letl
+b8AuIWH6nGru8/nTepzhWjeDHWGFAXAmVCm/UlB8/1wklApe9TeoNiqDyNEarrsZ
+sxuhaBTvM6V60bf/dNVpCJH38tbhEsIXcOIT+BeSMRlGNakTefnPKrmLeiu0dtAP
+O3UMmZmn3Sbx2oJ799dnjMzIFmPJwiNHcaHNNIipivpZ8x8Iq+Ezpg==
+-----END CERTIFICATE-----

SPR-BE/openvpn/gw-ckubu/keys/02.pem

@@ -0,0 +1,139 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Mar 18 22:13:06 2018 GMT
+            Not After : Mar 18 22:13:06 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR-gw-ckubu/name=VPN SPR/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:d9:a8:c0:d0:da:7f:53:f3:f8:00:92:ff:0f:03:
+                    cd:48:91:22:ee:e2:eb:27:ed:79:e5:81:9d:54:e1:
+                    e2:91:74:c2:69:9b:21:5e:ac:ab:b9:c5:5c:77:9f:
+                    20:d6:18:8e:ef:ec:cd:4e:43:8e:a9:b5:ef:9d:18:
+                    50:f2:95:98:98:bb:73:e0:8d:2a:44:2d:da:43:5a:
+                    f3:4a:8f:10:d6:99:e7:44:ee:40:05:a3:1e:02:20:
+                    54:2d:48:3e:99:23:93:ff:b6:74:89:38:ad:52:8f:
+                    c0:2d:01:da:aa:25:bc:7f:25:8f:55:57:82:de:a2:
+                    79:15:3a:0b:02:c2:b8:1e:49:b6:f2:9b:38:4c:f4:
+                    c0:24:b6:b0:22:8f:b1:cc:f4:47:ef:fd:8d:ff:bd:
+                    0c:00:7a:0a:bd:6d:e0:c9:1a:c0:9e:e1:de:69:f5:
+                    ec:dd:ed:99:f0:d4:ab:21:ab:de:17:fc:9e:f2:60:
+                    30:50:53:26:c4:4b:29:c8:1d:34:47:c3:50:66:13:
+                    d5:c2:79:f2:ba:8d:94:18:ec:b3:1d:b8:4f:62:af:
+                    fd:5e:f6:b6:f8:2f:d1:8f:3c:8c:34:0b:24:80:0e:
+                    fe:cc:2a:59:c6:1a:a8:a1:d0:02:fb:e6:83:7c:d8:
+                    7e:b8:b5:d1:5f:4c:b0:4c:4a:b3:07:c4:bc:62:e0:
+                    97:2f:b7:12:43:21:3e:e1:14:f4:9a:a2:f9:ce:66:
+                    e1:ac:0a:1b:1e:96:c3:46:20:24:99:21:80:7c:3e:
+                    0f:cf:fb:fc:48:e2:69:73:36:b1:5c:12:5a:28:d2:
+                    b5:84:66:7f:f2:e6:62:54:b6:4e:cd:fc:30:70:02:
+                    d1:68:d3:77:68:fc:88:e0:75:6b:87:63:0e:fd:a3:
+                    19:2b:f4:8a:ad:f3:a6:fe:b7:23:41:42:0e:a5:6a:
+                    4d:68:73:24:69:0c:b1:4a:30:93:80:32:5a:b9:ca:
+                    36:c3:1f:0b:86:47:1b:67:3c:0d:38:40:02:e2:96:
+                    fc:e3:ae:fa:16:a6:18:09:14:b8:d0:ba:49:83:21:
+                    19:9b:ac:fd:5a:0f:26:e7:45:e6:fa:7e:e4:09:2d:
+                    84:0a:3f:37:9c:0f:c4:89:bf:9d:62:57:57:c3:6b:
+                    f4:27:76:e1:32:1b:ed:37:97:e8:44:96:0a:46:4c:
+                    b3:f3:b7:d4:15:b1:25:9f:77:9f:93:ef:ea:e1:0f:
+                    94:1a:75:6e:1e:68:8f:af:45:da:f5:66:f6:46:a5:
+                    f1:89:a9:3b:c8:e4:bb:0c:ee:c0:98:2c:ed:fd:f4:
+                    d1:a8:86:f8:92:45:f8:fc:fa:f3:0f:f9:07:5e:f4:
+                    a6:0b:ae:c9:bc:aa:f1:44:0d:24:98:58:33:2a:3d:
+                    2f:d9:c1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                13:52:C6:BA:47:03:D1:DF:AE:FB:87:8E:FB:8A:66:74:D7:91:D3:76
+            X509v3 Authority Key Identifier: 
+                keyid:71:DD:B2:44:84:DE:FF:91:25:C8:97:E1:91:0E:58:3E:52:25:9F:AA
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+                serial:CC:E1:89:CD:8C:F7:3F:7A
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:gw-ckubu
+    Signature Algorithm: sha256WithRSAEncryption
+         40:c6:2a:2c:27:c7:69:e5:54:1e:15:a4:af:87:e1:f1:3a:29:
+         82:e3:a8:60:a9:64:b9:62:47:15:c3:d9:5f:f3:2f:05:ed:eb:
+         78:58:18:c3:d4:c5:49:aa:ab:e9:e7:40:02:33:6d:17:8e:7f:
+         8f:f7:6a:fc:2e:6a:83:1c:87:c3:c6:99:b4:dd:a1:98:9c:e5:
+         0c:6e:d0:5c:0d:ed:fd:b8:79:e9:98:b8:4b:42:f1:1e:a3:ac:
+         b5:47:7d:fb:82:98:d5:fe:9f:de:13:f4:5c:3c:76:1e:59:e0:
+         16:3d:5b:72:47:af:ad:b2:e4:29:11:13:4d:d5:4d:68:22:bb:
+         89:d1:96:e9:27:c3:22:45:60:57:23:f2:9f:21:ea:4b:7d:a8:
+         8a:12:a5:c6:8e:4d:fc:ab:85:45:20:c6:ee:27:8c:40:82:c3:
+         b6:63:65:b2:ef:69:6a:b8:93:94:9e:6b:dc:c1:2f:fe:69:f6:
+         98:49:56:f8:26:64:17:e2:a0:c5:ca:6d:8a:e0:f4:c5:2e:9d:
+         6c:4c:0c:9d:be:0d:17:4b:bd:5e:f0:5b:00:72:1e:b3:21:7d:
+         b6:7b:d4:a3:c0:78:91:7c:32:c5:d1:e9:61:da:1d:3c:dc:92:
+         a3:a1:d2:5f:0e:e4:13:f3:53:4e:c8:27:18:4a:87:61:c8:da:
+         3a:1a:65:f1:1f:e5:d7:fd:f4:04:6d:1f:bc:94:8b:da:9b:db:
+         f3:a0:a9:47:b6:b8:5f:d9:e8:c0:d4:ba:e8:a9:a0:af:79:3c:
+         00:9f:f3:2b:c6:18:4a:6b:ce:a0:04:ba:ca:12:92:f5:c9:02:
+         44:c7:05:a8:cd:3d:97:f7:33:dd:3d:5a:ac:b4:0b:ca:d1:54:
+         2d:3a:fb:2f:40:4f:54:e8:6d:ad:f2:4d:bd:b0:50:43:85:43:
+         8b:f0:24:af:88:c2:2d:dd:d7:ac:da:ea:fc:d9:02:b1:20:a6:
+         28:f6:99:ee:51:55:b9:70:56:84:83:96:a6:d3:4c:a3:7f:a1:
+         b4:ce:9b:75:6b:da:d0:57:d4:d0:9d:55:a4:2e:c3:05:93:70:
+         09:a3:ce:e3:1d:f9:b9:6e:10:e3:a7:94:17:c0:4e:e2:dd:9d:
+         17:60:64:00:34:2d:bb:50:03:13:9c:a5:d5:2c:c5:1e:8a:c7:
+         25:c5:aa:5a:3b:c0:f7:9f:c7:b1:89:29:e4:da:02:dd:14:e7:
+         42:70:ef:a8:13:03:0c:53:81:d8:32:06:ea:25:f7:df:29:66:
+         17:b2:b8:56:af:8c:7f:4a:99:66:3f:ab:53:7e:5b:23:ad:3e:
+         01:77:d1:58:db:a4:33:5f:19:71:fc:cc:58:79:e8:bc:85:b4:
+         1c:5d:a6:3b:95:49:41:23
+-----BEGIN CERTIFICATE-----
+MIIHLjCCBRagAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIx
+EDAOBgNVBCkTB1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRl
+MB4XDTE4MDMxODIyMTMwNloXDTM4MDMxODIyMTMwNlowgacxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRkwFwYDVQQDExBWUE4tU1BS
+LWd3LWNrdWJ1MRAwDgYDVQQpEwdWUE4gU1BSMR0wGwYJKoZIhvcNAQkBFg5hcmd1
+c0Bvb3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANmowNDa
+f1Pz+ACS/w8DzUiRIu7i6yfteeWBnVTh4pF0wmmbIV6sq7nFXHefINYYju/szU5D
+jqm1750YUPKVmJi7c+CNKkQt2kNa80qPENaZ50TuQAWjHgIgVC1IPpkjk/+2dIk4
+rVKPwC0B2qolvH8lj1VXgt6ieRU6CwLCuB5JtvKbOEz0wCS2sCKPscz0R+/9jf+9
+DAB6Cr1t4MkawJ7h3mn17N3tmfDUqyGr3hf8nvJgMFBTJsRLKcgdNEfDUGYT1cJ5
+8rqNlBjssx24T2Kv/V72tvgv0Y88jDQLJIAO/swqWcYaqKHQAvvmg3zYfri10V9M
+sExKswfEvGLgly+3EkMhPuEU9Jqi+c5m4awKGx6Ww0YgJJkhgHw+D8/7/EjiaXM2
+sVwSWijStYRmf/LmYlS2Ts38MHAC0WjTd2j8iOB1a4djDv2jGSv0iq3zpv63I0FC
+DqVqTWhzJGkMsUowk4AyWrnKNsMfC4ZHG2c8DThAAuKW/OOu+hamGAkUuNC6SYMh
+GZus/VoPJudF5vp+5AkthAo/N5wPxIm/nWJXV8Nr9Cd24TIb7TeX6ESWCkZMs/O3
+1BWxJZ93n5Pv6uEPlBp1bh5oj69F2vVm9kal8YmpO8jkuwzuwJgs7f300aiG+JJF
++Pz68w/5B170pguuybyq8UQNJJhYMyo9L9nBAgMBAAGjggFqMIIBZjAJBgNVHRME
+AjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNh
+dGUwHQYDVR0OBBYEFBNSxrpHA9HfrvuHjvuKZnTXkdN2MIHTBgNVHSMEgcswgciA
+FHHdskSE3v+RJciX4ZEOWD5SJZ+qoYGkpIGhMIGeMQswCQYDVQQGEwJERTEPMA0G
+A1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZ
+MBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMHVlBOLVNQUjEQMA4G
+A1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDM
+4YnNjPc/ejATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEwYDVR0R
+BAwwCoIIZ3ctY2t1YnUwDQYJKoZIhvcNAQELBQADggIBAEDGKiwnx2nlVB4VpK+H
+4fE6KYLjqGCpZLliRxXD2V/zLwXt63hYGMPUxUmqq+nnQAIzbReOf4/3avwuaoMc
+h8PGmbTdoZic5Qxu0FwN7f24eemYuEtC8R6jrLVHffuCmNX+n94T9Fw8dh5Z4BY9
+W3JHr62y5CkRE03VTWgiu4nRluknwyJFYFcj8p8h6kt9qIoSpcaOTfyrhUUgxu4n
+jECCw7ZjZbLvaWq4k5Sea9zBL/5p9phJVvgmZBfioMXKbYrg9MUunWxMDJ2+DRdL
+vV7wWwByHrMhfbZ71KPAeJF8MsXR6WHaHTzckqOh0l8O5BPzU07IJxhKh2HI2joa
+ZfEf5df99ARtH7yUi9qb2/OgqUe2uF/Z6MDUuuipoK95PACf8yvGGEprzqAEusoS
+kvXJAkTHBajNPZf3M909Wqy0C8rRVC06+y9AT1Toba3yTb2wUEOFQ4vwJK+Iwi3d
+16za6vzZArEgpij2me5RVblwVoSDlqbTTKN/obTOm3Vr2tBX1NCdVaQuwwWTcAmj
+zuMd+bluEOOnlBfATuLdnRdgZAA0LbtQAxOcpdUsxR6KxyXFqlo7wPefx7GJKeTa
+At0U50Jw76gTAwxTgdgyBuol998pZheyuFavjH9KmWY/q1N+WyOtPgF30VjbpDNf
+GXH8zFh56LyFtBxdpjuVSUEj
+-----END CERTIFICATE-----

SPR-BE/openvpn/gw-ckubu/keys/ca.crt

@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIGzDCCBLSgAwIBAgIJAMzhic2M9z96MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMH
+VlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNA
+b29wZW4uZGUwIBcNMTgwMzE4MTM1NDAzWhgPMjA1MDAzMTgxMzU0MDNaMIGeMQsw
+CQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzAN
+BgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UE
+AxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJn
+dXNAb29wZW4uZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDU3Y3K
+UW+th51pqc+MttFyQNVQ+TwGUFptpoES5KIDqXifbqQfTLNUch1us+C0e6qt6B/t
+ZSotqwAqBgA9bT4ws02sMP2U7U0+sn+rxvb9H/6Q0H4KixfsyTTxqrstEphEE2aF
+eC9L3Z4QlJuafsuUWIxT9LW1KnaPV5CIDz/cJZIO/Xc7/TRyiO0ylgf6+br2zAFH
+Rm8Tnr1TDUm2ftB0ukG2wsmGhd/+lXPBrXWwC83NBYjFi0o9OZZmAUekyNWUTHQY
+UJ1fLJAPLdpoVuxbV0BK6HQdpRvj4KyMBt/kEcGMXSLuAr1/848wI1EI8AuFyaZV
+RQdnS6yHxZ4+Mi8YSdXEj+nb/SwBGxz9kmmVUQCTlPm/B4Y5I+3ivS9PxihpSwHo
+zJkr8tr+xwfnFXSXB3wPdYu9rD8KmY3/uDYy9iWLg0/xW6keL4luDCVNjltMjc0x
+03MOpv9cjN2eBwGyU2dHyyfDPSqSsQi9FZeWmgCzwJ0rL4WywDRc5paXbaWtzdqQ
+98gVox7lFbmQIE5VoFc4VTKEIY9D/cLdmZpWzPHOn3vPEc5eAFKb5qZv2IlN420Q
+CSCFJAb5orrIj9ALAIvFXfvTv5o7G+ZEvk4eMP39nK1ZXc6/cL7/IapPfy3/vUs0
+tEph6pRHP39bcH9pxVAA7WkTS5ZEUshA7NrUEwIDAQABo4IBBzCCAQMwHQYDVR0O
+BBYEFHHdskSE3v+RJciX4ZEOWD5SJZ+qMIHTBgNVHSMEgcswgciAFHHdskSE3v+R
+JciX4ZEOWD5SJZ+qoYGkpIGhMIGeMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVy
+bGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQ
+TmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBO
+IFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDM4YnNjPc/ejAM
+BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQB1cA8o2Fo78xQ8jRdyfbvK
+GFH8+SMoOh/8qxj9prk0kLYAro5QnzEBmftHhf3sXevEAUWpr77VL1FxhTXgKUp2
+S06S/meC24M/KclxM+W/7AuG9yrJuW122l61OuWUcDWA24oj0KG896Mbw13ieeWS
+7XmC1YU5Lix3wiWnjD7QZ+E4dg09z722+zwUi1UwRekzJZmB8pTHHmbX4Yig/K27
+STnxQEiVZzlzcvjY6QvC3Sj/aA3YCSNl0bsSwH6GwXXJZ3BEKmm6w+ZRQMTz7+72
+q0ybGf43XH4sj2OBm1YvCD8LehygPy2uJYlDxG8zRq2kxYxiWLbncs1x9Acusd7l
+Te+k8YArRTqsWLN5Q47sGO4H1clz4ay80TTuz4Vc6JQ3banHDmMFV2nMsR2YtKX6
+lKD3lXvMU04ZvZe2SolP1uTto3Jw3cNarigj/nHjn5s16uvy6Q3x4TyVUqyAOqrG
+cuGrbYAEqtVnMrrovGZTj73HSwAx2PD+3jJKZH+suwBIijNL90wbkNlsNHlNcQeQ
+zQAlYRBdCYWFU+7d86kUWYYrActGZc2MJmBZzZ/Tt7YoOIw6NMnWcpMMTUV+zToP
+WWrD5OMDc7EX9BmMg7uif46UF6ol2puGXpQIF/yVRbFk1IiPwhc1ZyCuh+1ugh5+
+CZSTeKgLDVjfXlqH1ErAvQ==
+-----END CERTIFICATE-----

SPR-BE/openvpn/gw-ckubu/keys/ca.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDU3Y3KUW+th51p
+qc+MttFyQNVQ+TwGUFptpoES5KIDqXifbqQfTLNUch1us+C0e6qt6B/tZSotqwAq
+BgA9bT4ws02sMP2U7U0+sn+rxvb9H/6Q0H4KixfsyTTxqrstEphEE2aFeC9L3Z4Q
+lJuafsuUWIxT9LW1KnaPV5CIDz/cJZIO/Xc7/TRyiO0ylgf6+br2zAFHRm8Tnr1T
+DUm2ftB0ukG2wsmGhd/+lXPBrXWwC83NBYjFi0o9OZZmAUekyNWUTHQYUJ1fLJAP
+LdpoVuxbV0BK6HQdpRvj4KyMBt/kEcGMXSLuAr1/848wI1EI8AuFyaZVRQdnS6yH
+xZ4+Mi8YSdXEj+nb/SwBGxz9kmmVUQCTlPm/B4Y5I+3ivS9PxihpSwHozJkr8tr+
+xwfnFXSXB3wPdYu9rD8KmY3/uDYy9iWLg0/xW6keL4luDCVNjltMjc0x03MOpv9c
+jN2eBwGyU2dHyyfDPSqSsQi9FZeWmgCzwJ0rL4WywDRc5paXbaWtzdqQ98gVox7l
+FbmQIE5VoFc4VTKEIY9D/cLdmZpWzPHOn3vPEc5eAFKb5qZv2IlN420QCSCFJAb5
+orrIj9ALAIvFXfvTv5o7G+ZEvk4eMP39nK1ZXc6/cL7/IapPfy3/vUs0tEph6pRH
+P39bcH9pxVAA7WkTS5ZEUshA7NrUEwIDAQABAoICAGlmxyXOCzFuvFgsuFOh1rXv
+OnEc6EbsFMrErpbvVPXhPZQcUfIZpZaD5uUA9pwHvCzeiqie9jKkwLEORaIk7K1q
+q2Q+4eGTWzNXaXZiT7xo0kFcq3yHATLDMo8Tjhk0YucagCJIr4quUu082Iu4iw+K
+hPmxayQowYoavrtQabuVcuwvP5IZv5WTDXiF56+zZot72oozax7Y9EAijURrKMcT
+zyQy8VzF/3LtB+N4A5VHUwFY4y+F2B3W3QznR1VmCLOk47uCd1pAE5kgiEwv9lsI
+KhKtZYmkTtoYTvgLE2O4ExFwsLIP80tfC6C3bBGz4tC9V7pTMuZIB0c3aDK94KkL
+geojeQg/D81yRzrIImcQDW+6asJJBdV6fdjeWW7oMG6pvweg5xKG53dUgqrcC4yz
+EC4mMO4MF4oTUnOv2yYnQOA2GIy7myf87rFKonqB6vzlA7KoE7aOvX3ZTiuydBZ+
+StIZ6aJIK7IINa/4QE1TZBLG51GO+u8SE8BMlm96HB//TVp+AmgtrXlqlbREfYHk
+CgUB4aIYsvtcfBoy/T0tWREByIFBTDZMO68Ifcaspvys62y1H879BmKTGiq9XCX/
+PPQduHUBzcS1wUmnRerSOyvhqqsOvJMEXjbQAJP2J8mBWd8TLaQWtftFb7Y4XXjt
+lTsjK5+a+Vux+bugK4rZAoIBAQD5Mvwd9ETTGrW33Gss2u5GswzFIWQymjYHaXlJ
+j9YgqmUMRnClBFRCODmBONjw5A866/adXi5N8ZZAxCQUOnrCLJ0TdMb5JnhcH//G
+dPHO2iiZV+JUsZbOaxD9m2SPogStqSGVt9i1CRyVC/SWGAxgKdHB52kEfDp/PhOH
+dY5iH+kPaPvQd7DSrIjuY9vqlavDAMZ4Wf/Pigeh1/j1LvALZoqb0fAj/qD81U9W
++4BnPBQz/fMhOTu/z+lUC5T4l2WT5zmQ89knkSeUOboCjQ9Int9FH8DFGXY0YKmC
+5y9HBt1xypWesnqGCCESiU8lWXvM5T3V6zXyOHpF/72+p/e9AoIBAQDarLnG24Ef
+SoIQgEgOuTwajsjducGl/YuHtz6fKLD1OtAbQDYmQCUSUraJXFtYVe0sZa1dQPj3
+yGJ0whJW1Po8tIAIfacjJ/gQ6F4xNhqxmbcxGEvMDCWFyyxKOTcmY4tT/Q00Cv4z
+Oz+RGWD1Mnw90fFs+KLe7gAfbZgXZ/CDriSEyBPGLARZYCrpQ74FogUGAVcAhZb9
+l/2vxaMBr4EVkuIrpd7yP8tWEdnta4ACeW6CcX2KIAGi12o6Z35RO4nfo3BZszUy
+pnA4Lau2TmzSqV3/hn2M6tJP9mXaiF7HnvGw2t+/o5nTv2clBm2L2MZOEpNANS3J
+YUVVb5W+XZAPAoIBAQCgZb+/bAWMt6l1YaueYIB0AzVaAUckBvx1wt7tiWZy+ho2
+T3Sb0nCFevkQgs2oJ7Lh4xWGbyNwyepDX7w1RPrU1rB34Hdd0PQxn+sbCxTFZsgx
+A09L4k7GKEX0ZrvQc6F9Qdq7Km2TAP1jtiFFJs94ahJ4M4H2ABwK4KLjUrhF0nJJ
+l/JVWWT4BVPR1XasxI+c4Xfd6VftdtO4yXGWJxMc03CuIO/nyzJF6uq5ewJH8HS0
+jmWa4eLicGmnzhih9ZjNHUyBT2Nbw2NtVcazc6X9wTzGmkyS0POzfPA+sJ1Oo02P
+u6yYTBrvAHaBHt5RlQpJdNhbQ50iflW9joHMIQMlAoIBAQDU/ucZjhcQPoe/wOPv
+C3hCug9nARdhMjylXdSuPHlY9Adec8YKrfIuDcjktMP4oAGbfBJIQg//cfyMk7g/
+QcXYOUx4eMPC15ymA2Az+Oo5UWuBc5Po1W/7CTJDvcU9LDq6/UHODmMZzb0V/S1W
+x+0CXisVpH0oPZR7CEnbio9YA9hoSWYRYjB+SdCiUyyU2gKgnc97n6O5sUEV46Dp
+9GP8eoy4TSGCvqa1WD/4JPyT7Gm6vwaz8ocFcWN0Lfh48VBTOCQoCwlnI30tCzc1
+JOCUtQns6bgC+XsPDgaZvLjtIaFzTU4hoR4lhUrXYpJzZBuMUkWBhgrqG0fodv7Z
+ZNL7AoIBAFiZkq/ccCajhfGw/3XJaGsT9n+X5IZFr4HwK8ucZhVsBidrV7MVT/iU
+gzmicc0vj3gktvUJt4WpwYxkneriS0Pxlf9yPny499TczgVgkqxaLVdFTUNPE4zv
+MIhvqgtyaSBo1sG9zP01hk7sdUroSnn28TOAPnLXCPgRvdK5q78NflsztokHMGnf
+48RE4kEs8x+1u1xHOOe1SwXSeGjQ2HCiEtHjcHuCkeyIMuc3g7ihHAkflKx3jdRd
+KbQNVAvuMy+9lUzUXgXWbbk3sU27WGP87pP5D+BlAEA2ZeJ+CmxV+jy+9MEVFVi0
+liKWQWNz50yAIjjVr0jSOoWfnCLxXb4=
+-----END PRIVATE KEY-----

SPR-BE/openvpn/gw-ckubu/keys/crl.pem

@@ -0,0 +1 @@
+../crl.pem

SPR-BE/openvpn/gw-ckubu/keys/dh4096.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA8AcG6srQW5kZUMnDpQ3FlcyKqlJ4qL10h72+PfKfbXeKwg3a5n0v
+kiUIFNSsPZ9Zei9mpEVvVAfy9y1WeewVzvTN+rp5W5gUfMDZHJLSMZt038iWeEhK
+x2Regp3Bb+2suBrG53YfVmKLjxyrtb5lZc25YJWnholXMaf19dCl7B301vLKS5dA
+RXhHqHWrzZ8Mr6Z1IijOZyOY9tK4zpACS/5qs+lPNam89WdTxdRfwNuxdyDWpWV2
+NL5pIJ3D81gslw68bNqVVO2GGjIJlG33CxgvkyR8/WC5YyhkGhufQzyMxmFHeaVb
+bsgF57LhjDCKz7HmmNnwhJJnfoeYis3BGHJsTO2tDh4bxJeyNqtqvAnh0DnK1KED
+QExIcnCrx7UcaoeFZTtYfRzwPejfB3lhlXckvVHcKiDZvCotCJRXyYQJVQja5mYS
+k8a4Qbxx07h94FeEXErHKsLcLqzKXa+RzX07+yzwgWsphWFtmeBroOUzVr+dCtK4
+YLzYcZYq+LBMtl7d6NXXsFS1P5Rw5iu0G1o7CuiXeez6bsoj622gghhc23d727Nx
+phmv74FINMjJsdraJShpwuYwbwVQCevfvE3FddDf/eR5WMqLx1EdpX3WT+udGQ3l
+2oVss5bY7eMFtNnT1eX7G8C9iUSWC9kJEu5ERA8JS0x6eb3pcAy+lWsCAQI=
+-----END DH PARAMETERS-----

SPR-BE/openvpn/gw-ckubu/keys/gw-ckubu.crt

@@ -0,0 +1,139 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Mar 18 22:13:06 2018 GMT
+            Not After : Mar 18 22:13:06 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR-gw-ckubu/name=VPN SPR/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:d9:a8:c0:d0:da:7f:53:f3:f8:00:92:ff:0f:03:
+                    cd:48:91:22:ee:e2:eb:27:ed:79:e5:81:9d:54:e1:
+                    e2:91:74:c2:69:9b:21:5e:ac:ab:b9:c5:5c:77:9f:
+                    20:d6:18:8e:ef:ec:cd:4e:43:8e:a9:b5:ef:9d:18:
+                    50:f2:95:98:98:bb:73:e0:8d:2a:44:2d:da:43:5a:
+                    f3:4a:8f:10:d6:99:e7:44:ee:40:05:a3:1e:02:20:
+                    54:2d:48:3e:99:23:93:ff:b6:74:89:38:ad:52:8f:
+                    c0:2d:01:da:aa:25:bc:7f:25:8f:55:57:82:de:a2:
+                    79:15:3a:0b:02:c2:b8:1e:49:b6:f2:9b:38:4c:f4:
+                    c0:24:b6:b0:22:8f:b1:cc:f4:47:ef:fd:8d:ff:bd:
+                    0c:00:7a:0a:bd:6d:e0:c9:1a:c0:9e:e1:de:69:f5:
+                    ec:dd:ed:99:f0:d4:ab:21:ab:de:17:fc:9e:f2:60:
+                    30:50:53:26:c4:4b:29:c8:1d:34:47:c3:50:66:13:
+                    d5:c2:79:f2:ba:8d:94:18:ec:b3:1d:b8:4f:62:af:
+                    fd:5e:f6:b6:f8:2f:d1:8f:3c:8c:34:0b:24:80:0e:
+                    fe:cc:2a:59:c6:1a:a8:a1:d0:02:fb:e6:83:7c:d8:
+                    7e:b8:b5:d1:5f:4c:b0:4c:4a:b3:07:c4:bc:62:e0:
+                    97:2f:b7:12:43:21:3e:e1:14:f4:9a:a2:f9:ce:66:
+                    e1:ac:0a:1b:1e:96:c3:46:20:24:99:21:80:7c:3e:
+                    0f:cf:fb:fc:48:e2:69:73:36:b1:5c:12:5a:28:d2:
+                    b5:84:66:7f:f2:e6:62:54:b6:4e:cd:fc:30:70:02:
+                    d1:68:d3:77:68:fc:88:e0:75:6b:87:63:0e:fd:a3:
+                    19:2b:f4:8a:ad:f3:a6:fe:b7:23:41:42:0e:a5:6a:
+                    4d:68:73:24:69:0c:b1:4a:30:93:80:32:5a:b9:ca:
+                    36:c3:1f:0b:86:47:1b:67:3c:0d:38:40:02:e2:96:
+                    fc:e3:ae:fa:16:a6:18:09:14:b8:d0:ba:49:83:21:
+                    19:9b:ac:fd:5a:0f:26:e7:45:e6:fa:7e:e4:09:2d:
+                    84:0a:3f:37:9c:0f:c4:89:bf:9d:62:57:57:c3:6b:
+                    f4:27:76:e1:32:1b:ed:37:97:e8:44:96:0a:46:4c:
+                    b3:f3:b7:d4:15:b1:25:9f:77:9f:93:ef:ea:e1:0f:
+                    94:1a:75:6e:1e:68:8f:af:45:da:f5:66:f6:46:a5:
+                    f1:89:a9:3b:c8:e4:bb:0c:ee:c0:98:2c:ed:fd:f4:
+                    d1:a8:86:f8:92:45:f8:fc:fa:f3:0f:f9:07:5e:f4:
+                    a6:0b:ae:c9:bc:aa:f1:44:0d:24:98:58:33:2a:3d:
+                    2f:d9:c1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                13:52:C6:BA:47:03:D1:DF:AE:FB:87:8E:FB:8A:66:74:D7:91:D3:76
+            X509v3 Authority Key Identifier: 
+                keyid:71:DD:B2:44:84:DE:FF:91:25:C8:97:E1:91:0E:58:3E:52:25:9F:AA
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+                serial:CC:E1:89:CD:8C:F7:3F:7A
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:gw-ckubu
+    Signature Algorithm: sha256WithRSAEncryption
+         40:c6:2a:2c:27:c7:69:e5:54:1e:15:a4:af:87:e1:f1:3a:29:
+         82:e3:a8:60:a9:64:b9:62:47:15:c3:d9:5f:f3:2f:05:ed:eb:
+         78:58:18:c3:d4:c5:49:aa:ab:e9:e7:40:02:33:6d:17:8e:7f:
+         8f:f7:6a:fc:2e:6a:83:1c:87:c3:c6:99:b4:dd:a1:98:9c:e5:
+         0c:6e:d0:5c:0d:ed:fd:b8:79:e9:98:b8:4b:42:f1:1e:a3:ac:
+         b5:47:7d:fb:82:98:d5:fe:9f:de:13:f4:5c:3c:76:1e:59:e0:
+         16:3d:5b:72:47:af:ad:b2:e4:29:11:13:4d:d5:4d:68:22:bb:
+         89:d1:96:e9:27:c3:22:45:60:57:23:f2:9f:21:ea:4b:7d:a8:
+         8a:12:a5:c6:8e:4d:fc:ab:85:45:20:c6:ee:27:8c:40:82:c3:
+         b6:63:65:b2:ef:69:6a:b8:93:94:9e:6b:dc:c1:2f:fe:69:f6:
+         98:49:56:f8:26:64:17:e2:a0:c5:ca:6d:8a:e0:f4:c5:2e:9d:
+         6c:4c:0c:9d:be:0d:17:4b:bd:5e:f0:5b:00:72:1e:b3:21:7d:
+         b6:7b:d4:a3:c0:78:91:7c:32:c5:d1:e9:61:da:1d:3c:dc:92:
+         a3:a1:d2:5f:0e:e4:13:f3:53:4e:c8:27:18:4a:87:61:c8:da:
+         3a:1a:65:f1:1f:e5:d7:fd:f4:04:6d:1f:bc:94:8b:da:9b:db:
+         f3:a0:a9:47:b6:b8:5f:d9:e8:c0:d4:ba:e8:a9:a0:af:79:3c:
+         00:9f:f3:2b:c6:18:4a:6b:ce:a0:04:ba:ca:12:92:f5:c9:02:
+         44:c7:05:a8:cd:3d:97:f7:33:dd:3d:5a:ac:b4:0b:ca:d1:54:
+         2d:3a:fb:2f:40:4f:54:e8:6d:ad:f2:4d:bd:b0:50:43:85:43:
+         8b:f0:24:af:88:c2:2d:dd:d7:ac:da:ea:fc:d9:02:b1:20:a6:
+         28:f6:99:ee:51:55:b9:70:56:84:83:96:a6:d3:4c:a3:7f:a1:
+         b4:ce:9b:75:6b:da:d0:57:d4:d0:9d:55:a4:2e:c3:05:93:70:
+         09:a3:ce:e3:1d:f9:b9:6e:10:e3:a7:94:17:c0:4e:e2:dd:9d:
+         17:60:64:00:34:2d:bb:50:03:13:9c:a5:d5:2c:c5:1e:8a:c7:
+         25:c5:aa:5a:3b:c0:f7:9f:c7:b1:89:29:e4:da:02:dd:14:e7:
+         42:70:ef:a8:13:03:0c:53:81:d8:32:06:ea:25:f7:df:29:66:
+         17:b2:b8:56:af:8c:7f:4a:99:66:3f:ab:53:7e:5b:23:ad:3e:
+         01:77:d1:58:db:a4:33:5f:19:71:fc:cc:58:79:e8:bc:85:b4:
+         1c:5d:a6:3b:95:49:41:23
+-----BEGIN CERTIFICATE-----
+MIIHLjCCBRagAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIx
+EDAOBgNVBCkTB1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRl
+MB4XDTE4MDMxODIyMTMwNloXDTM4MDMxODIyMTMwNlowgacxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRkwFwYDVQQDExBWUE4tU1BS
+LWd3LWNrdWJ1MRAwDgYDVQQpEwdWUE4gU1BSMR0wGwYJKoZIhvcNAQkBFg5hcmd1
+c0Bvb3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANmowNDa
+f1Pz+ACS/w8DzUiRIu7i6yfteeWBnVTh4pF0wmmbIV6sq7nFXHefINYYju/szU5D
+jqm1750YUPKVmJi7c+CNKkQt2kNa80qPENaZ50TuQAWjHgIgVC1IPpkjk/+2dIk4
+rVKPwC0B2qolvH8lj1VXgt6ieRU6CwLCuB5JtvKbOEz0wCS2sCKPscz0R+/9jf+9
+DAB6Cr1t4MkawJ7h3mn17N3tmfDUqyGr3hf8nvJgMFBTJsRLKcgdNEfDUGYT1cJ5
+8rqNlBjssx24T2Kv/V72tvgv0Y88jDQLJIAO/swqWcYaqKHQAvvmg3zYfri10V9M
+sExKswfEvGLgly+3EkMhPuEU9Jqi+c5m4awKGx6Ww0YgJJkhgHw+D8/7/EjiaXM2
+sVwSWijStYRmf/LmYlS2Ts38MHAC0WjTd2j8iOB1a4djDv2jGSv0iq3zpv63I0FC
+DqVqTWhzJGkMsUowk4AyWrnKNsMfC4ZHG2c8DThAAuKW/OOu+hamGAkUuNC6SYMh
+GZus/VoPJudF5vp+5AkthAo/N5wPxIm/nWJXV8Nr9Cd24TIb7TeX6ESWCkZMs/O3
+1BWxJZ93n5Pv6uEPlBp1bh5oj69F2vVm9kal8YmpO8jkuwzuwJgs7f300aiG+JJF
++Pz68w/5B170pguuybyq8UQNJJhYMyo9L9nBAgMBAAGjggFqMIIBZjAJBgNVHRME
+AjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNh
+dGUwHQYDVR0OBBYEFBNSxrpHA9HfrvuHjvuKZnTXkdN2MIHTBgNVHSMEgcswgciA
+FHHdskSE3v+RJciX4ZEOWD5SJZ+qoYGkpIGhMIGeMQswCQYDVQQGEwJERTEPMA0G
+A1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZ
+MBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMHVlBOLVNQUjEQMA4G
+A1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDM
+4YnNjPc/ejATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEwYDVR0R
+BAwwCoIIZ3ctY2t1YnUwDQYJKoZIhvcNAQELBQADggIBAEDGKiwnx2nlVB4VpK+H
+4fE6KYLjqGCpZLliRxXD2V/zLwXt63hYGMPUxUmqq+nnQAIzbReOf4/3avwuaoMc
+h8PGmbTdoZic5Qxu0FwN7f24eemYuEtC8R6jrLVHffuCmNX+n94T9Fw8dh5Z4BY9
+W3JHr62y5CkRE03VTWgiu4nRluknwyJFYFcj8p8h6kt9qIoSpcaOTfyrhUUgxu4n
+jECCw7ZjZbLvaWq4k5Sea9zBL/5p9phJVvgmZBfioMXKbYrg9MUunWxMDJ2+DRdL
+vV7wWwByHrMhfbZ71KPAeJF8MsXR6WHaHTzckqOh0l8O5BPzU07IJxhKh2HI2joa
+ZfEf5df99ARtH7yUi9qb2/OgqUe2uF/Z6MDUuuipoK95PACf8yvGGEprzqAEusoS
+kvXJAkTHBajNPZf3M909Wqy0C8rRVC06+y9AT1Toba3yTb2wUEOFQ4vwJK+Iwi3d
+16za6vzZArEgpij2me5RVblwVoSDlqbTTKN/obTOm3Vr2tBX1NCdVaQuwwWTcAmj
+zuMd+bluEOOnlBfATuLdnRdgZAA0LbtQAxOcpdUsxR6KxyXFqlo7wPefx7GJKeTa
+At0U50Jw76gTAwxTgdgyBuol998pZheyuFavjH9KmWY/q1N+WyOtPgF30VjbpDNf
+GXH8zFh56LyFtBxdpjuVSUEj
+-----END CERTIFICATE-----

SPR-BE/openvpn/gw-ckubu/keys/gw-ckubu.csr

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE7TCCAtUCAQAwgacxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3Jr
+IFNlcnZpY2VzMRkwFwYDVQQDExBWUE4tU1BSLWd3LWNrdWJ1MRAwDgYDVQQpEwdW
+UE4gU1BSMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTCCAiIwDQYJKoZI
+hvcNAQEBBQADggIPADCCAgoCggIBANmowNDaf1Pz+ACS/w8DzUiRIu7i6yfteeWB
+nVTh4pF0wmmbIV6sq7nFXHefINYYju/szU5Djqm1750YUPKVmJi7c+CNKkQt2kNa
+80qPENaZ50TuQAWjHgIgVC1IPpkjk/+2dIk4rVKPwC0B2qolvH8lj1VXgt6ieRU6
+CwLCuB5JtvKbOEz0wCS2sCKPscz0R+/9jf+9DAB6Cr1t4MkawJ7h3mn17N3tmfDU
+qyGr3hf8nvJgMFBTJsRLKcgdNEfDUGYT1cJ58rqNlBjssx24T2Kv/V72tvgv0Y88
+jDQLJIAO/swqWcYaqKHQAvvmg3zYfri10V9MsExKswfEvGLgly+3EkMhPuEU9Jqi
++c5m4awKGx6Ww0YgJJkhgHw+D8/7/EjiaXM2sVwSWijStYRmf/LmYlS2Ts38MHAC
+0WjTd2j8iOB1a4djDv2jGSv0iq3zpv63I0FCDqVqTWhzJGkMsUowk4AyWrnKNsMf
+C4ZHG2c8DThAAuKW/OOu+hamGAkUuNC6SYMhGZus/VoPJudF5vp+5AkthAo/N5wP
+xIm/nWJXV8Nr9Cd24TIb7TeX6ESWCkZMs/O31BWxJZ93n5Pv6uEPlBp1bh5oj69F
+2vVm9kal8YmpO8jkuwzuwJgs7f300aiG+JJF+Pz68w/5B170pguuybyq8UQNJJhY
+Myo9L9nBAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAGvhTaDqObFzTbnEdTmfM
+Oyatagcmh3GIrnyfrn1YK6eZcLCbAodoJMoQE7h0vY32wgwBb59LmjCHElE3GZLG
+8OF/cF8qWwSeQYH3rQ7+xsL1b5VF0pdM6UVFfGWUQZJEybj7Hg99ZDjb3co9NdkZ
+a1qUub+fi6K9ldcZuFfK92eb6ujj8dGCWNcPIsnqbO+hJAvyZBdJxeeEuiaEvPI0
+cv+jaqcuf1txzDwsUG4GVZFjaL2bbk9C+PWKO1lH5dtT0EYhHCGMMthp9dGR513X
+M0CLQZhBSFKVt/ZeYD6u4T5fnMylMkSw10vGFmFZTrOa0mvh8QjRzdOJvlxv1lnr
+9ZRYIBhzZ47I3N7Hm0xopXpLx22em0P1rk6cXyu5Rjt0NQuyLQHbgKV1r5Z/l9KI
+0MN3zB/NSRB/SU+60w0f5Vm4n/6radE4BSXlwMyL9AJy5UpKMePEkSI2eTe58JnH
+bIpphpJapGTKdkKyEegdZql7VuZKEoitZLcsIiY040rMYIPTr4w9QADHHFdF1TGy
+oIYwgJF0KagHLCTUAte35B9WZ+23ASnUIuYFtv2HgpVCGMrW94Psy8efFI+iM+Yk
+zJp3mTVhihoypS36XPnOSgMZJzRkdd0i1tAGSRzfuSqTCHz4CcerXl7W/d7vX5YC
+kE4SPiTbo4N2pDtRsu0leQA=
+-----END CERTIFICATE REQUEST-----

SPR-BE/openvpn/gw-ckubu/keys/gw-ckubu.key

@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJpDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIsMy/MytYtzsCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECM8bcaVcNffeBIIJUNOSqKmf153a
+NBjm25drvNrgo+bEd2kxywgcjqIyl/csUjkbx3WWANZZAdRIFgtM2mN6xiGPAzpB
+AMU+0FhbMeSC4aaoE6kbu0QREcHxgLemoA1+3c/VMfzTXJQ5xtr84pyBfj7lwYTh
+uOC8k5WYV0VCWWwj39TAAfF/eqIzfuN4L2ybSgQyHHyWQPvCgfEPMZi5lBcPtZT5
+OQgS30tFTgNOmz+wTex6uOJi0Qqo6MvH3rWv5rRwO17FZU6v+SLXcopvZfrO4WLN
+AMHzjIvvfwmO+7/ypLnVdBYCd+CpvBUwcEbPVqrddWhNgidlOkoQzVnK34wexRvm
+eDjmm8JbTHFQP8+DMEAODlMPNxMD1vCC/vM7bKMjCNYGjRwrxtL9Z8drp1wgzULJ
+8AY3J72+lL1yMQNoch0Niuda3RDBs68FeVvGaFmGCPlzDdfTlex0Pi+BFeuTao0Q
+7Y9zfcjyv+p4HxMg6YoIIQYOEogWO58GF1UL0zOJD81j4ihkT7HTWtOskw5E6Kfq
+WEWyW5Oe4xR0PZpHNrYVURNg6kIxEBwRFfskFofGac36tKJ2fJseESkuqvXLenNt
+Y0Epi/AxwEZa0E+G2ewNPNoBAIvRlOx0CBWWQKeCVaOgsOD0zyqYPsCGFWDl+2d5
+i8afGhTw/8oqhwNwr25tWhW1xKbMEGchycywGGQloGvquv7kchJb6lDADZtF1++v
+4wgRwtiBYOvkqXSLOpFiZinvmUMmqXD7PqG9yWF7XlnRV8JJ61RP2cuKCTXXCGfI
+dtzLnet/4lUV7S0Wd3g1US2iPz6LJ+ngOBQEbAqFvInBiZFyduPwQJo0yswDyJYd
+WNhmHumuFSSCdnAF6qVjuKhsNhftY5w+xww6RhAqst1idoVqYSt1LLODwKVQfIPs
+uctF108LBYPBGf5tEC5Z1KRpDQO41q3F91eTZTVEH8Su1pW7IbMGt8XTUVRJESbQ
+SYH5ELMdd+tb1ccD2fZZV3R6V7vI7ejAzOWdmjqaITtPGsFcMevc36YmJ18OQVBe
+mTZJjdx28sGrsoqCSvgc7ii0DFLWZrRs4WRrgoxQq/G0zKLuuGXhlEgVw9QhIfeo
+fMj1ebR0oElSimcqwPJYI/DDfhYZUA5Mx2Ewnfs1NS+CGoo+UcDKNHQRR3uEmP7T
+1Mhg+MQ3b6ssZ8uZQut1E6bALf9ipH5xkN6rgniJsBL3lzvkN+/5XiE5qz16bmkN
+gpF1+8G0/pjDi7a0Fw602ffdD1XAfcV6SMobDgTyMmjybgZHzf6cFy9gKrRa6WV0
+do4Oc+uv0Nmj6wrAYO4s/nuJnpeTY0wbuHJgcYnTmUX15kIw+bPJ2UIGjyS8QpkF
+evX8XeN48U9mknoQv1OfC6+kE6jgqQiDzigy9nSHFc4kIQWsihO6NKDEia11RWCn
+QN3t8sHDNZdFY3dy7nnQRIhFNEy6InjLnUbfhuzgZVaVoaqULH8EmoE78z25zi0H
+Xt6P+hkW8zZthYHsucVvyiNqZmIb50MK/5VHuORXsepWD9hX/rEyFxsv71AyBl9x
+TSHjk4cgBqVh3uRH8NxNNvWnx7Th03Zk4/2dzNUc5taj3WX2jCH1vaKBMI1BBHJD
+QWNIrwCExUOIAbYJLGkyihnTv4PCRlZrYQtMyx0laxYRdWR6lsIk83jcMWkWfhPf
+YbYd/XIIR+hOFrUIM28Y2TTPHpJhbuORP7z18o2heUV0ZD3LdMi27/JtsSZHlbOu
+nqdP9reWG8Kx6mjEdSFe5hTD0VmZ3Yks1jGp3QBcxQivAbLoXsP5VOMOPr7zXmb1
+m9uWqtC+/1L6lAg5iH0YNyvrmRL02uzMiEXBQQDx0CYqcWJY+hwaXU6MnSyUMH7F
+H7wAW2cqq1XCBVFWUIPI6P63LUlgewzmseaAGgD7tfbGSsx7BwseMXUwtdOYt+Rp
+H8/3QeLLAfgD2Kl7Mv8F8l+KsBRNpaSJVYCqYH5ogzjRiuwDwsOmRdHKRh+r825g
+fAJsI3grgZOd7poDQSisRZKOAF/ytTclreostJGfwLEE7IpUA/R7yLPCTI/mdPwT
+4zRZ2N0fovkApA6hvhIpnhaA5XXuY7gmN8E0tgokZ7NsiL0JgFUFevEwzvZhlCJI
+7edh2kPl379+bT1lgy37Z0V8ntU0S3I/g+6RsepDuWtCGsW434Z+iAAv7aKPJz0H
+UqNHS4vElG8tQKBkO+qWRdC19hmM5itQoy/nD935hyZgRBZKFTmO3kNPPyvHVTdJ
+hYTN/WAuXAMrP5HvkMv4AXZLQSk/YJCcJsPN5p8Kd40oEuwMumI8HCwXlSnpHnro
+prdZrrCCUQ2232zCw5qQ4KZl7i5LB8AkLmNXtMUscHf6Nge3GSTILFaKoFYrDPF5
+P6u21fO1R2HcA+b7xKzK6ecpPZA25ggxPMqvRwCnT/gueVSXjOIhd3f2pEs3yVWM
+W0HenWuiWcbryuzcPAJytianU1KqtrEYhqFTxcdJAYa4xvFbCtGrmVuJ8NRomSg3
+BdL8lOfdYxE5R8VYfVxw2jcLiK4o2Bqjt17kHTzzP95E8Eybkzgo5vycmMedOBsn
+rBOUJXYFSo6hONNiMR1vlIxNi2Tdo9w5wKHUerVdXhVSLgvC7SeJeArN6+To+MVR
+n73jBAA48VcA8d5miDNnfwEDguP/Fg3+vo9VAWccR3lq9tHT1GkNyz0gyYLxmwoV
+2w+QkNYM2SzbrsDJ0GEN7s8gEkeQHuwcXHsdyJnLJQJsTrZaaHDd65BMXseE9dwu
+Lgf0zuiq2DCDTJEvabd9siS7wDOxJAKzd3atP1O4ylnzSHgvi7DNQJ8Xeu8FF43L
+Sn6KmWhdtfIhL3uNAvI2/6434qWKU4WE5Ro/TjI4uMxmfkTTQPmffJTGnH9nYJjJ
+aURTTNSKQGbeyBS9KEUjSyQAAXBaDka4zP93eOi66aeUNaMcod1aKLo9r1LpjVqe
+3qLBy7cCP56qaMTJChhwhYWtwyu5AqX2fk4LRAOrm7olFNlbJ/QMYEahztZzFuiO
+hCCGNebRqk7IYmXnvoA1gJ7VJEov1QYeLX9xnZqF+qwHzs29pNZwADtvBlWn+MT4
+yCy2JxLwIwfVuMsJWRzvHcpeOzmgtDIgUkqGzpjPB5bdtbr7GFbFkpms29DmGLtT
+Ujfylfy4W1TZtS1ryCsskAiOrTpXH0G7
+-----END ENCRYPTED PRIVATE KEY-----

SPR-BE/openvpn/gw-ckubu/keys/index.txt

@@ -0,0 +1,2 @@
+V	380318155951Z		01	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR-server/name=VPN SPR/emailAddress=argus@oopen.de
+V	380318221306Z		02	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR-gw-ckubu/name=VPN SPR/emailAddress=argus@oopen.de

SPR-BE/openvpn/gw-ckubu/keys/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

SPR-BE/openvpn/gw-ckubu/keys/index.txt.attr.old

@@ -0,0 +1 @@
+unique_subject = yes

SPR-BE/openvpn/gw-ckubu/keys/index.txt.old

@@ -0,0 +1 @@
+V	380318155951Z		01	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR-server/name=VPN SPR/emailAddress=argus@oopen.de

SPR-BE/openvpn/gw-ckubu/keys/serial

@@ -0,0 +1 @@
+03

SPR-BE/openvpn/gw-ckubu/keys/serial.old

@@ -0,0 +1 @@
+02

SPR-BE/openvpn/gw-ckubu/keys/server.crt

@@ -0,0 +1,141 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Mar 18 15:59:51 2018 GMT
+            Not After : Mar 18 15:59:51 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR-server/name=VPN SPR/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:a3:49:18:ae:69:4f:5c:4a:34:b1:85:9a:4d:a5:
+                    ce:f6:2d:b5:6a:9e:40:27:02:3b:57:e0:75:ee:1c:
+                    fd:eb:20:56:eb:ed:24:f1:57:a5:cb:ad:0d:09:af:
+                    15:f3:9d:a4:67:8d:e5:a8:67:d5:1b:b8:36:f6:e6:
+                    9c:d3:e8:29:08:d6:8f:a3:5e:e1:e5:30:eb:07:bc:
+                    03:c2:95:a4:93:cc:19:86:c1:89:fb:9d:f5:38:9b:
+                    10:01:6b:74:d2:20:8e:4a:65:34:17:1a:85:39:d4:
+                    35:2b:04:f3:37:4f:f5:93:12:06:fa:c5:04:c3:73:
+                    30:30:1f:33:69:86:bc:60:cf:fb:38:ae:6f:8a:21:
+                    0e:76:35:7e:ba:0d:ad:ae:4c:6b:d0:cf:3b:73:a9:
+                    1e:58:cf:ce:bf:45:8c:52:75:ee:da:a3:f4:6c:24:
+                    8b:bd:b6:f2:db:59:fe:b7:7b:ef:8e:b8:30:ad:67:
+                    dc:bf:3d:ca:d6:e4:b3:86:bc:60:fc:f9:a5:ba:5a:
+                    0c:9d:c9:72:ec:ab:73:6d:2b:f5:9b:f0:a6:a5:c2:
+                    31:6c:5c:a6:54:47:1e:65:73:2b:47:80:bc:27:29:
+                    28:be:45:12:77:5c:44:51:cc:91:55:d3:36:5d:dd:
+                    f1:01:18:68:c5:08:de:ee:06:9b:0c:d3:a7:94:c7:
+                    99:75:c2:bb:f8:2e:19:46:db:d8:13:70:7d:a1:96:
+                    6e:21:8b:32:1b:d6:8d:74:4b:a9:1d:43:53:d2:11:
+                    3b:d9:63:b0:6a:ac:a8:e2:70:15:62:aa:c2:15:d2:
+                    1e:df:34:1e:45:3a:30:b7:54:1a:25:2f:73:c0:d8:
+                    1a:6d:8f:80:aa:7e:86:1a:84:e3:0a:c0:89:61:3f:
+                    fd:bd:19:40:b3:cb:de:2d:aa:97:af:dd:cd:a2:28:
+                    33:17:ae:50:bb:2b:00:d1:01:8a:25:32:56:d8:09:
+                    fd:58:22:fe:33:a1:f3:b5:16:cc:59:ca:d8:d3:8e:
+                    dc:62:13:25:05:c6:6a:02:fb:82:83:35:7b:e4:33:
+                    84:71:18:fa:bb:6e:48:3f:ec:be:72:a2:dd:38:bd:
+                    7a:69:89:28:6c:46:79:bf:34:30:39:5a:9f:a7:e3:
+                    9d:15:73:29:f3:24:f0:84:51:27:38:8a:20:5d:cd:
+                    d6:47:e8:2e:7c:6c:e1:8c:10:29:0a:79:96:24:fa:
+                    94:29:a1:6f:dc:d8:94:fd:d6:f7:62:24:6d:a5:cc:
+                    42:89:94:ee:8c:c4:19:31:0a:49:9d:e2:87:0a:29:
+                    cc:f0:b1:ab:8f:d8:11:71:46:de:2c:d3:a7:5b:2e:
+                    5c:f7:54:92:97:f8:1f:7b:42:23:b9:1e:47:0d:57:
+                    2a:24:bb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                BD:B0:0D:2A:D9:8E:FF:E1:91:B4:A5:26:9C:C4:D3:E8:44:B2:BB:D5
+            X509v3 Authority Key Identifier: 
+                keyid:71:DD:B2:44:84:DE:FF:91:25:C8:97:E1:91:0E:58:3E:52:25:9F:AA
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+                serial:CC:E1:89:CD:8C:F7:3F:7A
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         5a:36:4b:aa:dc:7c:3a:1d:93:f5:e3:d3:b4:cd:45:e9:ff:64:
+         9a:61:36:57:06:91:e7:39:24:cf:3c:4d:4a:3a:48:97:49:dc:
+         90:96:d4:4b:0c:35:a2:88:01:47:f6:a0:5a:74:71:cb:7d:08:
+         60:2f:4e:ba:de:99:20:e1:8e:75:d1:f6:96:69:9f:53:ed:e6:
+         7a:31:4a:e2:2a:10:10:94:1b:61:ac:e7:ee:f9:6a:37:ff:80:
+         49:12:35:f8:65:3e:1e:7d:9f:8a:31:cf:0b:31:cb:a2:37:d3:
+         7d:1c:41:cd:c9:0c:34:da:bf:5a:d5:52:da:6d:71:fa:37:10:
+         f1:73:02:5e:0d:01:34:ab:fb:88:5f:ea:ee:9e:e0:1a:e5:58:
+         e1:b7:f2:a6:01:62:bc:80:2c:42:c0:7a:b9:1d:9e:00:0a:bd:
+         87:d6:e4:a5:19:ba:65:c5:24:ba:e5:b7:a5:81:3d:34:b2:20:
+         1c:29:93:98:02:7f:1c:49:53:eb:c9:ef:73:35:cf:31:61:f8:
+         34:1f:cb:76:58:22:fe:4b:ab:93:b3:83:71:93:1a:5d:78:66:
+         29:3f:f4:f6:d5:4b:d5:ff:ff:f4:83:2d:f3:73:c3:d9:33:f2:
+         af:97:4f:f2:f3:f7:54:80:32:30:5b:b3:db:cb:a9:23:e0:df:
+         e1:d6:bd:db:3a:36:55:52:19:e7:1e:6e:72:0c:25:43:31:c3:
+         b5:01:27:af:72:85:e9:ab:ce:5a:62:8b:c0:73:be:67:52:56:
+         a2:6c:04:74:66:46:ab:fb:03:d3:3a:89:e9:7c:8a:0b:e5:d1:
+         01:52:00:41:f1:aa:fe:48:8b:ab:af:e1:4b:40:16:2e:f0:3e:
+         50:cb:6d:d9:bb:95:1f:f3:56:17:6e:67:aa:00:bd:da:9b:2c:
+         8c:b5:dc:3c:41:0d:87:7b:05:5a:6f:a5:a2:d2:cf:bb:a0:7e:
+         d5:aa:d1:cc:d8:57:9a:81:cb:ef:7f:ad:76:95:eb:65:6f:c0:
+         2e:21:61:fa:9c:6a:ee:f3:f9:d3:7a:9c:e1:5a:37:83:1d:61:
+         85:01:70:26:54:29:bf:52:50:7c:ff:5c:24:94:0a:5e:f5:37:
+         a8:36:2a:83:c8:d1:1a:ae:bb:19:b3:1b:a1:68:14:ef:33:a5:
+         7a:d1:b7:ff:74:d5:69:08:91:f7:f2:d6:e1:12:c2:17:70:e2:
+         13:f8:17:92:31:19:46:35:a9:13:79:f9:cf:2a:b9:8b:7a:2b:
+         b4:76:d0:0f:3b:75:0c:99:99:a7:dd:26:f1:da:82:7b:f7:d7:
+         67:8c:cc:c8:16:63:c9:c2:23:47:71:a1:cd:34:88:a9:8a:fa:
+         59:f3:1f:08:ab:e1:33:a6
+-----BEGIN CERTIFICATE-----
+MIIHRDCCBSygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIx
+EDAOBgNVBCkTB1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRl
+MB4XDTE4MDMxODE1NTk1MVoXDTM4MDMxODE1NTk1MVowgaUxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRcwFQYDVQQDEw5WUE4tU1BS
+LXNlcnZlcjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNA
+b29wZW4uZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCjSRiuaU9c
+SjSxhZpNpc72LbVqnkAnAjtX4HXuHP3rIFbr7STxV6XLrQ0JrxXznaRnjeWoZ9Ub
+uDb25pzT6CkI1o+jXuHlMOsHvAPClaSTzBmGwYn7nfU4mxABa3TSII5KZTQXGoU5
+1DUrBPM3T/WTEgb6xQTDczAwHzNphrxgz/s4rm+KIQ52NX66Da2uTGvQzztzqR5Y
+z86/RYxSde7ao/RsJIu9tvLbWf63e++OuDCtZ9y/PcrW5LOGvGD8+aW6WgydyXLs
+q3NtK/Wb8KalwjFsXKZURx5lcytHgLwnKSi+RRJ3XERRzJFV0zZd3fEBGGjFCN7u
+BpsM06eUx5l1wrv4LhlG29gTcH2hlm4hizIb1o10S6kdQ1PSETvZY7BqrKjicBVi
+qsIV0h7fNB5FOjC3VBolL3PA2Bptj4CqfoYahOMKwIlhP/29GUCzy94tqpev3c2i
+KDMXrlC7KwDRAYolMlbYCf1YIv4zofO1FsxZytjTjtxiEyUFxmoC+4KDNXvkM4Rx
+GPq7bkg/7L5yot04vXppiShsRnm/NDA5Wp+n450VcynzJPCEUSc4iiBdzdZH6C58
+bOGMECkKeZYk+pQpoW/c2JT91vdiJG2lzEKJlO6MxBkxCkmd4ocKKczwsauP2BFx
+Rt4s06dbLlz3VJKX+B97QiO5HkcNVyokuwIDAQABo4IBgjCCAX4wCQYDVR0TBAIw
+ADARBglghkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4QgENBCcWJUVhc3ktUlNBIEdl
+bmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFL2wDSrZjv/hkbSl
+JpzE0+hEsrvVMIHTBgNVHSMEgcswgciAFHHdskSE3v+RJciX4ZEOWD5SJZ+qoYGk
+pIGhMIGeMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZC
+ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNl
+czEQMA4GA1UEAxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3
+DQEJARYOYXJndXNAb29wZW4uZGWCCQDM4YnNjPc/ejATBgNVHSUEDDAKBggrBgEF
+BQcDATALBgNVHQ8EBAMCBaAwEQYDVR0RBAowCIIGc2VydmVyMA0GCSqGSIb3DQEB
+CwUAA4ICAQBaNkuq3Hw6HZP149O0zUXp/2SaYTZXBpHnOSTPPE1KOkiXSdyQltRL
+DDWiiAFH9qBadHHLfQhgL0663pkg4Y510faWaZ9T7eZ6MUriKhAQlBthrOfu+Wo3
+/4BJEjX4ZT4efZ+KMc8LMcuiN9N9HEHNyQw02r9a1VLabXH6NxDxcwJeDQE0q/uI
+X+runuAa5Vjht/KmAWK8gCxCwHq5HZ4ACr2H1uSlGbplxSS65belgT00siAcKZOY
+An8cSVPrye9zNc8xYfg0H8t2WCL+S6uTs4NxkxpdeGYpP/T21UvV///0gy3zc8PZ
+M/Kvl0/y8/dUgDIwW7Pby6kj4N/h1r3bOjZVUhnnHm5yDCVDMcO1ASevcoXpq85a
+YovAc75nUlaibAR0Zkar+wPTOonpfIoL5dEBUgBB8ar+SIurr+FLQBYu8D5Qy23Z
+u5Uf81YXbmeqAL3amyyMtdw8QQ2HewVab6Wi0s+7oH7VqtHM2Feagcvvf612letl
+b8AuIWH6nGru8/nTepzhWjeDHWGFAXAmVCm/UlB8/1wklApe9TeoNiqDyNEarrsZ
+sxuhaBTvM6V60bf/dNVpCJH38tbhEsIXcOIT+BeSMRlGNakTefnPKrmLeiu0dtAP
+O3UMmZmn3Sbx2oJ799dnjMzIFmPJwiNHcaHNNIipivpZ8x8Iq+Ezpg==
+-----END CERTIFICATE-----

SPR-BE/openvpn/gw-ckubu/keys/server.csr

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE6zCCAtMCAQAwgaUxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3Jr
+IFNlcnZpY2VzMRcwFQYDVQQDEw5WUE4tU1BSLXNlcnZlcjEQMA4GA1UEKRMHVlBO
+IFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGUwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQCjSRiuaU9cSjSxhZpNpc72LbVqnkAnAjtX4HXu
+HP3rIFbr7STxV6XLrQ0JrxXznaRnjeWoZ9UbuDb25pzT6CkI1o+jXuHlMOsHvAPC
+laSTzBmGwYn7nfU4mxABa3TSII5KZTQXGoU51DUrBPM3T/WTEgb6xQTDczAwHzNp
+hrxgz/s4rm+KIQ52NX66Da2uTGvQzztzqR5Yz86/RYxSde7ao/RsJIu9tvLbWf63
+e++OuDCtZ9y/PcrW5LOGvGD8+aW6WgydyXLsq3NtK/Wb8KalwjFsXKZURx5lcytH
+gLwnKSi+RRJ3XERRzJFV0zZd3fEBGGjFCN7uBpsM06eUx5l1wrv4LhlG29gTcH2h
+lm4hizIb1o10S6kdQ1PSETvZY7BqrKjicBViqsIV0h7fNB5FOjC3VBolL3PA2Bpt
+j4CqfoYahOMKwIlhP/29GUCzy94tqpev3c2iKDMXrlC7KwDRAYolMlbYCf1YIv4z
+ofO1FsxZytjTjtxiEyUFxmoC+4KDNXvkM4RxGPq7bkg/7L5yot04vXppiShsRnm/
+NDA5Wp+n450VcynzJPCEUSc4iiBdzdZH6C58bOGMECkKeZYk+pQpoW/c2JT91vdi
+JG2lzEKJlO6MxBkxCkmd4ocKKczwsauP2BFxRt4s06dbLlz3VJKX+B97QiO5HkcN
+VyokuwIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBAI6QRLHWK/ezt9t8yLbpFx4M
+mtORWMRiS1JWK3so4CHiXNihm8RIAUkigfKk8PLn25DO9ZRuv4uoB6/lOcYX448Z
+CuAW3y1ciej3uNYh3ok+rqrd2QMSiNsq1ZKSrxH3apzm7Bx2RcXUzE/1pYbWXcY5
+6VbuKjHmMcGMtRXr2DJyhZURmFs03d38b2qJ+TtbpEQJQr/J9nnC2bouFo9MiV8A
+drBS2mfFtjby7kdvHOGMuE4uoy8ANXdde1dMfpIyy+znsX8o0Byi91wWqKueaWpV
+62TxyJfXCA0BbZH0oeaVDReSYK7Q1oLOai2sGjWpK0JmZV6t+X7Ra3SqWNgQrgPw
+n/W+U/hcKFSedhaY5xu+HnonNUVDLNhHH1P4LngaCpUOGLdW/deJm3DoFGj2jSp3
+eDbLCFdj2Hi+LXYrpN7GNYnz5WdkRhsd2AWDnvxNi+LrQUbM4n0JCCVAglSTHnze
+c/zG1ssuD9AuU5RcvBd9no4EWdeygxr3MFNB85cMuKF5x/fkPcP7XM2JXlEgDusU
+UvJp9VnWNgB/zvpjetqbL5KCfUdXyRAxuQ7NK01vtZzVz3pjiV/iT21ocobIySPB
+LPI9ZpVvWwkQPM1wLmez4nLg7+Kj6fyrX/kx6fAaCQVjOrJI22IoKMg/rNxDgkQe
+Y2UEmQLAqTK8ichJa/Pi
+-----END CERTIFICATE REQUEST-----

SPR-BE/openvpn/gw-ckubu/keys/server.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCjSRiuaU9cSjSx
+hZpNpc72LbVqnkAnAjtX4HXuHP3rIFbr7STxV6XLrQ0JrxXznaRnjeWoZ9UbuDb2
+5pzT6CkI1o+jXuHlMOsHvAPClaSTzBmGwYn7nfU4mxABa3TSII5KZTQXGoU51DUr
+BPM3T/WTEgb6xQTDczAwHzNphrxgz/s4rm+KIQ52NX66Da2uTGvQzztzqR5Yz86/
+RYxSde7ao/RsJIu9tvLbWf63e++OuDCtZ9y/PcrW5LOGvGD8+aW6WgydyXLsq3Nt
+K/Wb8KalwjFsXKZURx5lcytHgLwnKSi+RRJ3XERRzJFV0zZd3fEBGGjFCN7uBpsM
+06eUx5l1wrv4LhlG29gTcH2hlm4hizIb1o10S6kdQ1PSETvZY7BqrKjicBViqsIV
+0h7fNB5FOjC3VBolL3PA2Bptj4CqfoYahOMKwIlhP/29GUCzy94tqpev3c2iKDMX
+rlC7KwDRAYolMlbYCf1YIv4zofO1FsxZytjTjtxiEyUFxmoC+4KDNXvkM4RxGPq7
+bkg/7L5yot04vXppiShsRnm/NDA5Wp+n450VcynzJPCEUSc4iiBdzdZH6C58bOGM
+ECkKeZYk+pQpoW/c2JT91vdiJG2lzEKJlO6MxBkxCkmd4ocKKczwsauP2BFxRt4s
+06dbLlz3VJKX+B97QiO5HkcNVyokuwIDAQABAoICAEX72Vk/h6UdpPIFOjpXe5nl
+w2C8DPDrMvYaHVF+GZKCHN8nl/LcxxHBzNm+siDlCwbbOXhxcFReIyi1dLgaRCQm
+mg/CZf1udv2spsvqiUxTaQlpwDMY43Zsd3K0VLCPBY17TNUuJ7W+bz9N8tRdL/rl
++hnXAZCnuRqW9Nkgx3KTEbCciu/f9SvTB8rEfBE9beRkPa336SrVfl5ad6cMJuCM
+7wC+tSoN1I8RRmvr8aPw6+QWpPVOjbaG9S8lZEho05BIcinaoqgvX9yFv9IjVbmr
+vrUcDKoIhU2kDAOseHgsWusZ/a0s3ZdVn2DyktWuf1Ih3R2+DJZmPGRF/wh0eB/i
+gbht0nQXCylbiA0BxwS3HtRg2eqU7xE07YEuo19hKl8JmWe2aFwqs9L7WvkNU1Y9
+Ega62Z83vPZdDkdWKhEj/y6lgbMj0N8OLHAjXRVfecMM3X5Rq5l6sTpwu6Np2jH4
+J0QSPGipFt1Z1WWrgxuMTh+O0vMYRzZHoBqRORT1fFClAxbBe9NA7hia+uq8c+PQ
+cE2jb8o2gsqm8x236RjgIg0jA8yjryx8KNnpYyN+IHKaXrgykNS6LPM0t7NjpXEA
+Ym98u4Vw6Wx/PjE/uFVvP7IJO0705la7He3Mokqk6Irln5JRyaJcKIPF6goP3UmT
+4cLakO3Rz0jA69T/d6HxAoIBAQDUTjJks9jGOwkOb38Kao761IUUfl2LjNV4SFUm
+S83ZO+8yqEbI2ylcR8WmGGc+y+8RtXDkDEcR/UungnqrmDFMt8DxPlYSvD6AYvnF
+OxBhrR86YF780kIaGR5HCliNyj1nbUsbmPcAZN+DtzPwJ/JcH0hVI77CkaDHaQTM
+CDmJRCW6nThvAkNG5vNEajvdTXW+2WeHtQKBET7foDoEy63E9ic+1bKUeonlsTvN
+JnPSzKzhEQ2mInUF5ujpPrJJLQrkCck0cFrsckGXpYuhtxJKfCy7UUo0JKN2oN5k
+ENXP+yx3/VTs9w8wg5/NtxXfcGTlyExEVRGb8vsAbQ6NNrFTAoIBAQDE5Cv1IoRD
+Wo9pgbQIkr9I1bbqLPN9e2abdGyclvKSr+cs978ZTijo/FEJQZYvs59Gb70hBkHF
+rRXivviLw5Y0Fzf8W9pCh98RfQMuki+eJg9tERvcoqZwYRIJ4lvkiG4WCDdNFV08
+rJTebgUXPExkBjG0iKuFe8Fex2dOSaIpBSf10Y7mEdWgtENySAymvpJrU+Z3S8o5
+c4k3qPuTBLJKCSZ6uAX6CaVsS0kdb1IrnI8h2xrW/rhP14JH/+qEvi7qNOO6X/n3
+cn8RoB8q1O7i9tPnytiQ34MuzIL9qddcK0juXkZHta61rLs+s5mMgOMr0XrYcImB
+LY6H9+O6HUn5AoIBAQCgUykFGTejgyN0rkg+wneU/fY9oqvb3Y+7VMxQrkAWQ4eA
+Nsm1lqOmV2Dv7E/TgUfZlK5a2Na2xBRkvEkM2lKof7+JrqxrW5LLe3LpOZBGYulJ
+OUuiGtnmQX+24B49fTNfro5gmeQ1fPe5zRjAzDnezZTfDq5Y2oaS8EC6H5/rg/YF
+9gKO+iN6IKAm0x7AIWXAqQbg2ZW5iB912tbVlkZ0jfrXHaPNMrh+J5hkdRxUXVJU
+aH9pLW439cd/lGQolIY77RPvsMVI94OHFHHcvpZmf118W4fw1pZG2Hb5FCmS9TgA
+qOOAS5ZB6bQ9MnynDoZzbA4EMEWrAhQAn1q000+XAoIBADXifGVKXQhR8I3fgXYX
+M2KrmrPcOYdODnbdFhyE8z5SBeK4qwQx7+BTrZnq6T+E2UJdslUncTi4dhToTv1x
+OdpnwFrAiKtMpDAVFpnYSE/v+qjO1eE8YnC/IEC0QpH5BKfi97+Q6UOBt/xn/9ys
+E/wL9e6CuO5/QBzAVfWHEWpIjvcnswQkPWMN8qeEMHIyFcBp5dkgVOgERrmE9dT2
+pBS/DFjppDkaCrvonsn/fW2SG1oYrO/KJoczY+Rwla5enlhawThwq+ic3UnlmKIQ
+RJC5HKWDTmHXyf802WSy5s3CyuLxyio1/uqZq2Utoghh/cowOn6hzgAch7WOkjSN
+b4ECggEBALCHLM/0yNro6VoT+4t7xt4qAySwgqHGVB6p6ab4gQlE6vxVc/VizUSg
+Tv+u4TRAvT6zWesaw7rk3EdK+0Rh3YEJRQdA0dPhHF6uKoM3Sm5dBQwbH/EUbpL+
+mfq25Q0ODC63967tx+/w8he5jrjcHUblVCSYbGpap3edOEpTkF+y4afJqqJtDico
+hxog9InN+dO1cQ8VstVVt0WEtBWtCF5MsE8y07UYw1fwagbbrUsX13oqF0iRP3yy
+oZOKgOBMpSMwgHEtQSOxM72GRAMbiqE+NX7TGjCH8TqarSf9d0F16tIx+ThYDrva
+tFQ3nrI6uytJXZJKQ6yzsnPZyLYxRE0=
+-----END PRIVATE KEY-----

SPR-BE/openvpn/gw-ckubu/keys/ta.key

@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+50c09d4cd2d32cbfadcc9ebff8e624d2
+f7a5730ff6b708aad8a6bb14b3a7619d
+e32764bbe875f11ce46213a35500cc2c
+fd0b6bf2e7b8cc2392a478ad7f4e7c7a
+3fbe2e50a781ea9a4fd83cfaf64725db
+98b4740b145e2d948b3b09975866c03b
+a268f82e767fa2517b469ec3e563d321
+8156f8f192f75bf8385697aeed6b9f33
+fd74e02426437c42dc7a85afd828012a
+911e7d8e837249d33a4209dbd0a2c017
+c0ee31207a0e5ba05e736fa1c9af1cbb
+0b39dab31939eb37df367d1eccf61ff3
+28135f42ba70344179186cdd0cac5058
+9cb4bac7dd08436d1efbd452b72416e8
+59bc9118c2c6aba6107faca0604d947f
+ff8569318b234e4ddbb68189b1504969
+-----END OpenVPN Static key V1-----

SPR-BE/openvpn/server-gw-ckubu.conf

@@ -0,0 +1,314 @@
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port 1195
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+topology subnet
+route 192.168.63.0 255.255.255.0 10.1.92.1
+route 192.168.64.0 255.255.255.0 10.1.92.1
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap" if you are ethernet bridging.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Enable TUN IPv6 module
+;tun-ipv6
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca /etc/openvpn/gw-ckubu/keys/ca.crt
+cert /etc/openvpn/gw-ckubu/keys/server.crt
+key /etc/openvpn/gw-ckubu/keys/server.key  # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys.
+dh /etc/openvpn/gw-ckubu/keys/dh4096.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+;server 10.8.0.0 255.255.255.0
+;server-ipv6 2a01:30:1fff:fd00::/64
+server 10.1.92.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist /etc/openvpn/gw-ckubu/ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 10.8.0.0  255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+client-config-dir /etc/openvpn/gw-ckubu/ccd/server-gw-ckubu
+
+# ---
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir /etc/openvpn/ccd
+;route 192.168.40.128 255.255.255.248
+
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+# ---
+
+# ---
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+# ---
+
+# ---
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+# ---
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# the TUN/TAP interface to the internet in
+# order for this to work properly).
+# CAVEAT: May break client's network config if
+# client's local DHCP server packets get routed
+# through the tunnel.  Solution: make sure
+# client's local DHCP server is reachable via
+# a more specific route than the default route
+# of 0.0.0.0/0.0.0.0.
+;push "redirect-gateway"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+;push "dhcp-option WINS 10.8.0.1"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth /etc/openvpn/gw-ckubu/keys/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+cipher AES-256-CBC
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+;comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+;status openvpn-status.log
+status /var/log/openvpn/status-server-gw-ckubu.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+;log-append  openvpn.log
+;log         openvpn.log
+log         /var/log/openvpn/server-gw-ckubu.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 1
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+# CRL (certificate revocation list) verification
+crl-verify /etc/openvpn/gw-ckubu/crl.pem

SPR-BE/openvpn/server-spr.conf

@@ -0,0 +1,314 @@
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port 1194
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+topology subnet
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap" if you are ethernet bridging.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Enable TUN IPv6 module
+;tun-ipv6
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca /etc/openvpn/spr/keys/ca.crt
+cert /etc/openvpn/spr/keys/server.crt
+key /etc/openvpn/spr/keys/server.key  # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys.
+dh /etc/openvpn/spr/keys/dh4096.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+;server 10.8.0.0 255.255.255.0
+;server-ipv6 2a01:30:1fff:fd00::/64
+server 10.0.92.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist /etc/openvpn/spr/ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 10.8.0.0  255.255.255.0"
+push "route 192.168.92.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+client-config-dir /etc/openvpn/spr/ccd/server-spr
+
+# ---
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir /etc/openvpn/ccd
+;route 192.168.40.128 255.255.255.248
+
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+# ---
+
+# ---
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+# ---
+
+# ---
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+# ---
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# the TUN/TAP interface to the internet in
+# order for this to work properly).
+# CAVEAT: May break client's network config if
+# client's local DHCP server packets get routed
+# through the tunnel.  Solution: make sure
+# client's local DHCP server is reachable via
+# a more specific route than the default route
+# of 0.0.0.0/0.0.0.0.
+;push "redirect-gateway"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+;push "dhcp-option WINS 10.8.0.1"
+push "dhcp-option DNS 192.168.92.1"
+push "dhcp-option DOMAIN sprachenatelier.netz"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth /etc/openvpn/spr/keys/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+;comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+;status openvpn-status.log
+status /var/log/openvpn/status-server-spr.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+;log-append  openvpn.log
+;log         openvpn.log
+log         /var/log/openvpn/server-spr.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 1
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+# CRL (certificate revocation list) verification
+crl-verify /etc/openvpn/spr/crl.pem

SPR-BE/openvpn/spr/ccd/server-spr/VPN-SPR-chris

@@ -0,0 +1,7 @@
+ifconfig-push 10.0.92.2 255.255.255.0
+push "route 172.16.92.0 255.255.255.0"
+push "route 192.168.93.0 255.255.255.0 10.0.92.1"
+
+# - Already pushed from server config
+# -
+#push "route 192.168.92.0 255.255.255.0 10.0.92.1"

SPR-BE/openvpn/spr/client-configs/chris.conf

@@ -0,0 +1,270 @@
+##############################################
+# Sample client-side OpenVPN 2.0 config file #
+# for connecting to multi-client server.     #
+#                                            #
+# This configuration can be used by multiple #
+# clients, however each client should have   #
+# its own cert and key files.                #
+#                                            #
+# On Windows, you might want to rename this  #
+# file so it has a .ovpn extension           #
+##############################################
+
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Are we connecting to a TCP or
+# UDP server?  Use the same setting as
+# on the server
+proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+remote gw-spr.oopen.de 1195
+
+topology subnet
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# Server CA
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIGzDCCBLSgAwIBAgIJAJa8ImRNIVSZMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMH
+VlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNA
+b29wZW4uZGUwIBcNMTgwMzE4MTYwMTU3WhgPMjA1MDAzMTgxNjAxNTdaMIGeMQsw
+CQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzAN
+BgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UE
+AxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJn
+dXNAb29wZW4uZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDEhmCg
+nhfyO/Z8q6/cyBTn7/K74AJRHl+8sUv/YFf0AOTgIrO93qdzDZf16IioZ/2+lg5X
+0exZGcXCIEOnWlrnDiVYYsVyYrCWOhhhLBv5Oe+OZCOwWEBY/+/M9Zp2OUgS5zJ6
+1DX4rtmb+WsAjcNJJmZV6q9M0gEZsuCfpgrNGADpuTCEa4RMk7z4mG/yjh0dkT1a
+RT2vAYD2RgUdVyR/xFQNflWh101i06kKwrJOuBT+iopBbyz3X2NkkBba+F9qoOpJ
+3NiOr4UfIMW6chUQiF1+8/PPtVIPkYFjNpUF5l1HXQBjwRCZZPYog1w701jN0G4u
+9GH6ZJjCBzvuSS8lo5jMdUillMh7EoCNdZTq+LgM8ZAro6GJh9oOXf3YL3RBMTfX
+aLFTxHzN+PCG53buZkNiM23OaackKyeOhXbDIQwiaTOcANVGpXrh63Qoj7BFbKx0
+pLTynp6IUXBbsE+ToX5y/BAtm8Q4DXLLe0h82zJIQ/ZBhTorQaMbi0VpLD0zkamM
+YWdZPVnAv+SOAt/uVVLN9aFUZO4V1ebBKVhYY56iW/OlugcSNo7vRcrvBFLI9TLU
+cS9euI4HxKldRZOejoTIbQXVEV7fZ1v1YHC7dafW/YJIJTkliTCQ05E8eiW/0zQd
+V1DWNIiPBOKm1LnMkVr+Aa1JpgpcEEN7ngMvswIDAQABo4IBBzCCAQMwHQYDVR0O
+BBYEFHSigxuV60X8ONBxrGr1ItbazicLMIHTBgNVHSMEgcswgciAFHSigxuV60X8
+ONBxrGr1ItbazicLoYGkpIGhMIGeMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVy
+bGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQ
+TmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBO
+IFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQCWvCJkTSFUmTAM
+BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBkzH3PqKEHjXZytQY7usSL
+6uAjH2jMhZb96GJpMNdpgzntACGjYl80Vxtwj0aIAYyOyIbfA9VyZsnc4dsYqJ82
+bN/K3AlEHeMBaxhrD6qOdyoXkwjx80WfvtF/FTyMHxsCIR/N2l0BM6THKOLMZWB2
+TmY/QBBsD+/nSwy/4JOeeJvtxuY0IXu0aONM+n4tDoVO9O7EyvpzcfrT/SosbtBB
+mBI1hH7/ThmXswvcrN7rCn00yaJC5Qv9HN4osKihzgigS5jh4lOYAvXhxTGU9Nzm
+kH21ONSNZql/mZCfs97RaoM7l2Uap5ex5vPA4BJvQ4WXWL89GYJGwTuOmIf77aX3
+Aoxl8ntuiE9R9oQKqcFe9uW25c1h1o6DRglc6oBEP1T40Ni8b/cTnwSeES4RiYAK
+ScSturvc/Nj2Z5nzR5iVKo/mW9SBHlbk52HvsIIhFRMoHahIcv2Z4+nyUPMlJCly
+lvp9yEFCnjwVbc3ruUqtYQHDxJf/SkBxuCLkN7W7W2voq1mOSOl3i7Aw2zf/kmG7
+BTLQVfIkUKLR6F2erz6QdEn8mST/Niz0la9mfK34ZgdG0zFZ0j5lLC3YnW91lr7B
+hlwVD/nIqjSOFLHdK2d/lefY1ZHcTbs3fUA8oKp8CdJb1NhfUWprigKHsSVHyqJ1
+CAgKxVPrsd1y2i/Xhg74YQ==
+-----END CERTIFICATE-----
+</ca>
+
+# Client Certificate
+<cert>
+-----BEGIN CERTIFICATE-----
+MIIHKDCCBRCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIx
+EDAOBgNVBCkTB1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRl
+MB4XDTE4MDMxODIyMjAzOFoXDTM4MDMxODIyMjAzOFowgaQxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRYwFAYDVQQDEw1WUE4tU1BS
+LWNocmlzMRAwDgYDVQQpEwdWUE4gU1BSMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bv
+b3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALnzXmkGe5c+
+RW0VwkXg4e6ePXjxSQzq74RDNxvKxfwf7CoRBhP6yzQ2XfmZvumesqHHPbI/YjMJ
+Dac9lYKcBMYSAS+IW6WqPdC8NYmpGyRQfvJhoKlxFkDyTD5pOT5S0wXBJf+eZsJp
+H6glWboaJdz/4JpOOPFFGOrxVQyjp0YymCZv3Zc0nsqUhKcgxXTDm09G2oVze/X0
+mju2p1SK5alCyudadE4szi4XQSSctX4YGQ71w/jv7yVnARdIAL92YJ/Xx99wGlWR
+dolMUByrLZYYphEciNZSwXAyHXi/giXteUR5/IuaZ0FAzgWYDldKb5kD4CWzp1tP
+vlV2aw5kiawHzq27TE7sXJfC6UTnp2GIfXAqZ7S9cHT1D2YDMKrlUfMnbBrwyZVg
+rWHlUN6Gf2lmaGnc1loqk19J9v5uf5sD/QiI2R23X7xIxqfRx2QX28vPGUvgb6qI
+87/kpPGeI7q6KAXTW6wDDyhvhTqboSP7xNB/W6Yqc0/QFs2PxHTTBRMZmEkRk8Vd
++qxKwZYLK/4FucQHGWem6xF/XNYwJ/i7WGC4hjCvATN8JZNRCLPoEPrwZtuGiwD+
+jwXwQyX+djjjbkpo6NJGhnaYAQMetXYuGWEvhMzEEhLw7muVxBDIt59VA5lfSy+t
+jeRzWaIJl1IA3N0GQE9YZhMyUt6AlMmvAgMBAAGjggFnMIIBYzAJBgNVHRMEAjAA
+MC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUw
+HQYDVR0OBBYEFPEa0Qzkh0IB8EoZTuIQl5h6fygPMIHTBgNVHSMEgcswgciAFHSi
+gxuV60X8ONBxrGr1ItbazicLoYGkpIGhMIGeMQswCQYDVQQGEwJERTEPMA0GA1UE
+CBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcG
+A1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMHVlBOLVNQUjEQMA4GA1UE
+KRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQCWvCJk
+TSFUmTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEAYDVR0RBAkw
+B4IFY2hyaXMwDQYJKoZIhvcNAQELBQADggIBADqIgd5cpkF8Q1hUrHhJHo0CIyio
+01zOCKQprLum4s8f1B08qUxwOlc82UCh6t/CjN/hYbQzhHth/pZyXoAJXj1AkxMt
+vmapyR3glVjxbwHC6sNj6hZDDKNXnkXLYXszTQx10pWpP51HzgkOWxUJ7qhWW/98
+RHCkvUkft7mfrHe/QuhkYXvgQjGJI3Z0Ab8ZsCh6wSdqEU0QcJOYQKNbGjRI9lfD
+TE1NNVjRtmcUaFPSlLWYuPAr4/UBW0pJifcC6jUtzmpPfs4pkrq/9JdUpO9H2y17
+7TSqU86YXkBf9apxu3l8vM+UQRdB69js+5OSNvtZwyyvmUr5JOujM6bUCN+PWco8
+pydvUNzIYC7H8One7giVV6Q20XSoMd4suR7W37jAkG02FbUHhOwFodtF8oo5UoLu
+EdB4m6ul+Qje7QsRT70BNFxyAUzXsFIW4qfk50Ay8XDlnBzGft4LDsPhmmDMdWJq
+Kt92Tfp5AdH6ga8i3LW1CxsNZFdlF1jXvRd6o5LwqEzEZwV8H/U8I3mUrCysouqw
+3bp68Tc+cQ25bZS16u5c17xh5VMvIbVTzR1IHURhovwcY98212h+J9bsx7RvjMCI
+wEQu81pjNu0Yx6NubhFJQ6pI/1NeF4I7H/Ksr4D1ng0G7xIOYx9yphVI0ZSoHH97
+16CJQbBARZ0gLeJr
+-----END CERTIFICATE-----
+</cert>
+
+# Client Key
+<key>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI3P+UTRrv91ECAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIGofT8rXdMtBIIJSMRkl94ROVWC
+v/madZNyDie+Wlec4pGWYgur/dfgeQyjMEleu642IrvRFgJwdZOhEEIDc/syOHzx
+Hiy6zxvWcnMAfzQKwHcMI4HsOcqtZKiA/UZ+mXIH8H0HW62N8WHpryqpVyZC5EZj
+0bFaulmD7rV0MtYS2z5pfGLTnKvsDIE3rMvwyZTcRSA6Zt3bOxsJN+SjD4AlmJbk
+XERauxx47EmvPle3aIna625eIQjfniLxrEq0e5E8FQdZipHzqKz3Pub2bepAbmFO
+S3t1Eqk3DkA1mG5PKog1IrTgFAJ24tk/EZuFLzGEL0Wc5hdtcIijJh0Us8w0lWJ1
+RMp2+Pr6zMZSK5L1GYubi0IfASsAmBPewLPt/cUqdNuaCFc1dUuaX2/1gtBl/G16
+s6GFwjK8BhMuYi3Z2ehwNCA2koWA9nGbWzT4CSL63Znupc0ieCBob1UqrbtiaIPn
+xMFrKvO2wdnDJiKyNVCx3jUeN7700E2BCdS/G1WLoocQZTooQGJIpWUhcjvf6wXa
+AZhz+z/uFBXslWEB4O3t8VTk2M2/dKqJOg6yg+MwpAQSOd/8ogV0VOpft5GD/t4c
+6mgBs5lwtau7GbTFj060X15znpzvtPRUrNbL5QrK9DpLw+vvYB+IwCq/CVpjjchz
+g3nkpPw0O0gzGf6AEBJLGsfGljifMc1pDd0KNNkAweZSOg5XufFJpjiFnuXS5Puo
+O+vnvy0iie1e0KzMBrWJWY1vt9JuNRI85qNcftRNnyboQBmnnBAvdA5hiYib7+lY
+akB6UNwkREl40/FsDYxJl4yLbtUC/Lr1hEmyQt4ZEI9v96nW/L0/qlOyiYNAP1r0
+/PEKfRKn7uMZnJXZ0SYf9uMfdy8M56DYEEG3X08F6MWVbEozGbbF8l46FH/9cqFp
+/crtnJZi/1W/A12wmzSgGk2zzLtr+drZ8w/rO0sI5Ptjh+G1dSqSTobCb0bOC7+t
+H+6vesuSAdEQuxasbleh1IyBKkPRwNf4FqAumFfZDKlh0+PVw/waSEIcg5Ef4whV
+EI6rUHigVoZ7AtU/XsjJ3YkRulBXgIOVNCHCJqd8tRqgc5dUeG1652L3q5sIljtE
+nT1t/CEGOd+/rjLwbYl7ZdW3E67QovB/CRIh/B23u4jsbdBkZgeRINcrwbOIXE6t
+jhzO6uGjVuu/6VxMBRSSfxvIsMVCt1rDumadckn+MMOM8E/jT7qN+5QAurdSVnPq
+d7R6M14Jlz39NXXYkdAjNpAH9XX+8y/isOD1La6J+bcxpO7BqcAlQTzhgwB56DrN
+UZ234vaAW1hNtSjNS0e3jZ6noiEjfG6qOw5+DxtXLP9Rq5DwjPrIc2dscY4//foM
+u1NvDB4SloHVy1r01sEA5OqO4KyJsxXotKMeY6k92c2SmP7E461UHLn54LTLOs3t
+iuzug6aJh9nK/NOGprJoNgI9C/46phTTfPE73eUVCpbnbd46dZ8qpMnil4YIpk1L
++mOZCDOQD0H1CmFRXu+EzZsZLDLFjLtKtiGO/ifxs+zdNpLCcJyycPy44zteoMFq
+mra1b3hFgGestzHz/2ANY6gIe5sZikZVXgTRP9oZYQ7Wm0c1PVqQ003n60hJlajx
+a+EItIYkQl16BZCBbanDuKwofXmxtGZXtU84qcRIzs6X4NSb1N+0xwBC0TM+xYnN
+ZmX6hkj/ELYbrktcML6yJyDJz2UvMRaORBnrUjfisJ8dUFSKX6J0JCQ5IMSyZjeL
+Vzv7CRKFQ3VTvWgAtY31yjpNrr6oHJQ+Wk8B987IAKIKqIBH+RYiBlf3jQVrB3vl
+kQ93LqTXw2Iiapevb0fEREwoU9qEC/lTv39nrYIpHXMlpfQqFLGMPgS1VP5fQzrU
+QET6SCxYaehYT64aWBARpYUcwc7xMA8WwLc40f1JfXvmbIZ4dC4OZeIHNyy+kDu2
+hVKL7bI6jGZVTmFKGXYF9iMjiV8m4q19WqgvBkKZFzmTAZ4gasieHtOi+TzrEH+u
+G06wcEilg6o9NS2JkNl8H+ReOasnhPs/nuWZlB7hUNXnPA6QARQGZEuk6lKAxl6V
+zjtniLdRsZwVBKb8lExcP+BQ0KovnaLOzorFdISlsuOCwt4YWUbQkN1LMDMd1bq9
+Z3ThemCCOvn4C/Ez6DzFul22jTj8s5XPPZXUKEpu8p6Spt7rCYA8+MLoYmeS1Ztu
+L4ufZler6891KMkn2mLhSb91IB/5MDomgo9H9rBJA5JWa6hG/QV/wTxR2WkKuJAv
+IX8Zkhs5pQBTh+WDf9W5ftv4fqqowEOOztN+XotNAqaSmTE8vTxjePbnDAX5+iyp
+s40aHaxj9BFZrj0/Sp0StL9OzgV8qN8rxeblSoBFU0nx3bTAp76CM6fvp0XqK0el
+Ua6PdBBHKmp0RQoguX99cz3WYNqxTWMWE8c9aoXakBGff1Uz1Qgq0Y7kFnaXxCRM
+aUbkPMBOeMJrt1fQQWSlzurYXAO8pPn63uzZGhiplYh6fJQ3m+8m+AYGwzLTXEkS
+Z88Ox1CCdtR40brDba0pvkRNfOkD8wGpe2uYcAjnhc2MF5DeZf+8syxRnTBYsud9
+dBDCjQkYUKEihmqz31SjojoxaYutFkEe5//Nov2BxxoyVHtpjmLWtEdhVTAkcYTt
+05aO30leUBQ3IX97K68s6GFA1nJCe5WrcpCgjA/718N5tGuvc53zACLzpdEaCm5g
+2nowfRP/lx/faFCC1/ePjlT+1g9BJiaqFBaWR2iQ9VR8nKNws4ULCu6uNr5xtpG9
+LIw3C6DrBWtzVHAiZvz6Ufma4u5TlFxR4IlFS2aY7QzL9+EYqrogZUZIvDH3nOHs
+qS/t+CBbItxpb25X5EI/jruhmHplgHmdqdstRtyxjObEOdm5TV4+oRTIA6YYc4Cz
+TXrdjDkOECV+U/OYzHWxKFyCarn6d81pRu79RuksIhE0uAd5rxT5uJlzf9UuQjFr
+63XCVmLnVXuF4qpdfT7lj0cvtGz/Z7itSPgR3gzu/VnR+u+kdAvRgtDg0BJqV/Om
+vJLAnlJxc0bhwVmWB6q1Tmy3ZpDMsEGz7fLsbUQp+TcjNfrFCTrRgMppUdET5fFc
+8+kUQiLjZYYYINwpeS3cU+5tOtNNsnbgt1xkvbQvJ7qEjL8wF3J4j62M36dKCo5p
+LOq4p2liZ+06x9mtaX7NIg==
+-----END ENCRYPTED PRIVATE KEY-----
+</key>
+
+# Verify server certificate by checking
+# that the certicate has the nsCertType
+# field set to "server".  This is an
+# important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the nsCertType
+# field set to "server".  The build-key-server
+# script in the easy-rsa folder will do this.
+#
+# Note!
+# The option "ns-cert-type" has been deprecated since 
+# version 2.4 and will be removed from later distributions.
+#
+# Use the modern equivalent "remote-cert-tls"
+# 
+;ns-cert-type server
+remote-cert-tls server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+#
+# Don't forget to set the 'key-direction' Parameter if using
+# Inline Key. Usualy , sever has key direction '0', while client
+# has ke direction '1'.
+#
+key-direction 1
+<tls-auth>
+-----BEGIN OpenVPN Static key V1-----
+0f871c0affde12bf4aa4c3683db554ab
+5b289badc22171c46f4fcf749b94c3b3
+fc8da02a98f067a6b624e3755ff08e28
+6c74f622bcb49a31b94bf9e9e9619fd7
+2949dddce9997bdd6b8c08bf7785baba
+54267e89eabf34f4e729d09dad95fbb4
+f254ed52de9287436f718c138f29e927
+36a77a01b8801be92da98eec772e1d9f
+eb568dc508531ca7dbb92af3098f812f
+4b7bcff4c0badbd34b6e168fc7312da1
+030559d8278ea9d2ac200da87d4b9283
+8994c85e9ef639c82214107f12d67f9a
+d71ca5d6a991bf778222f8a87eb99009
+1e1de4379406d4008daf98437ffe0e98
+0dd90d7d41239a14489e6d077740e97a
+90b30b8b8f445e78073ae1f365601bb1
+-----END OpenVPN Static key V1-----
+</tls-auth>
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+cipher none
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+;comp-lzo
+
+# Verbosity level.
+# 0 -- quiet except for fatal errors.
+# 1 -- mostly quiet, but display non-fatal network errors.
+# 3 -- medium output, good for normal operation.
+# 9 -- verbose, good for troubleshooting
+verb 1
+
+# Setting 'pull' on the client takes care to get the 'push' durectives
+# from the server
+pull

SPR-BE/openvpn/spr/crl.pem

@@ -0,0 +1,18 @@
+-----BEGIN X509 CRL-----
+MIIC5zCB0DANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUxDzANBgNVBAgT
+BkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9wZW4xGTAXBgNV
+BAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIxEDAOBgNVBCkT
+B1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRlFw0xODAzMTgx
+ODA4MTlaGA8yMDUwMDMxODE4MDgxOVowDQYJKoZIhvcNAQELBQADggIBAJCORgWK
+d6nbaAD4ZdnTMAfqRxkiSLyQ1PMTnriA0A6NxXWr905HYwcrPROpSOSF4YCluDwe
+dLmYgfzqJ/FhygXk45Ko9QNnsN6/222CBO0LThN829B3pq4oRmykXVyAp6gCyK3K
++T+GljZ67LOwOe0wz1zqrv2MbqqBeHLkOqlpKnaXSPTFGNhTzwWSUPlubV43Fi8+
+amedFAhchCIAQ8QJ2oY0wE6cnmkPZx5Gd1hmZZxVo/Xh2kBjj2oprxF3R2vMDl3J
+LSkpArUVRuRjo545oSFtEq5qlbuW8L5krgivAPqdGXcvn4fK/2pwzWwPqJxa5MYY
++dHFr29pYcWYT5p0mcZOH56RCTYIGCxNrEnofSgCeotN5q/0/SCbTUT8zUeyPl4P
+FFIeWpifGh6EDB8IW5XtHmxxMykO3g8CPE8KvTRODFj3cYk2DxMgniIX/CoIsNux
+BZ3aMf4KaU5GF3wKipdWe1RBzrO2v5o6nsOKlR8atTsg56pfKZCfqglJwHnblRm2
+DA/Nc8UcCS4DM+wtHgCyhA/ssZGpv0Wli+I004Kwn1BQjpnfwHU/6upSGVza5q37
+NZtJIoh1wSmu3weDaoSgRThSC6KrjlIt7rXeLxfa2qv5h4v1drm5CV65vp/x8nuo
+09TJ/dsYQRRsHXQiSv4Bw6Kiv5t6P+21G6lq
+-----END X509 CRL-----

SPR-BE/openvpn/spr/easy-rsa/build-ca

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-ca

SPR-BE/openvpn/spr/easy-rsa/build-dh

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-dh

SPR-BE/openvpn/spr/easy-rsa/build-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-inter

SPR-BE/openvpn/spr/easy-rsa/build-key

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key

SPR-BE/openvpn/spr/easy-rsa/build-key-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pass

SPR-BE/openvpn/spr/easy-rsa/build-key-pkcs12

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pkcs12

SPR-BE/openvpn/spr/easy-rsa/build-key-server

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-server

SPR-BE/openvpn/spr/easy-rsa/build-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req

SPR-BE/openvpn/spr/easy-rsa/build-req-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req-pass

SPR-BE/openvpn/spr/easy-rsa/clean-all

@@ -0,0 +1 @@
+/usr/share/easy-rsa/clean-all

SPR-BE/openvpn/spr/easy-rsa/inherit-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/inherit-inter

SPR-BE/openvpn/spr/easy-rsa/list-crl

@@ -0,0 +1 @@
+/usr/share/easy-rsa/list-crl

SPR-BE/openvpn/spr/easy-rsa/openssl-0.9.6.cnf

@@ -0,0 +1,268 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

SPR-BE/openvpn/spr/easy-rsa/openssl-0.9.8.cnf

@@ -0,0 +1,293 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines                 = engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

SPR-BE/openvpn/spr/easy-rsa/openssl-1.0.0.cnf

@@ -0,0 +1,290 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+#default_days	= 3650			# how long to certify for
+default_days   = 11688
+#default_crl_days= 30			# how long before next CRL
+default_crl_days   = 11688
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

SPR-BE/openvpn/spr/easy-rsa/openssl-1.0.0.cnf.ORIG

@@ -0,0 +1,288 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

SPR-BE/openvpn/spr/easy-rsa/openssl.cnf

@@ -0,0 +1 @@
+/etc/openvpn/spr/easy-rsa/openssl-1.0.0.cnf

SPR-BE/openvpn/spr/easy-rsa/pkitool

@@ -0,0 +1 @@
+/usr/share/easy-rsa/pkitool

SPR-BE/openvpn/spr/easy-rsa/revoke-full

@@ -0,0 +1 @@
+/usr/share/easy-rsa/revoke-full

SPR-BE/openvpn/spr/easy-rsa/sign-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/sign-req

SPR-BE/openvpn/spr/easy-rsa/vars

@@ -0,0 +1,96 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+##export EASY_RSA="`pwd`"
+export BASE_DIR="/etc/openvpn/spr"
+export EASY_RSA="$BASE_DIR/easy-rsa"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+##export KEY_DIR="$EASY_RSA/keys"
+export KEY_DIR="$BASE_DIR/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+##export KEY_SIZE=2048
+export KEY_SIZE=4096
+
+# In how many days should the root CA key expire?
+##export CA_EXPIRE=3650
+export CA_EXPIRE=11688
+
+# In how many days should certificates expire?
+##export KEY_EXPIRE=3650
+export KEY_EXPIRE=7305
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+##export KEY_COUNTRY="US"
+export KEY_COUNTRY="DE"
+##export KEY_PROVINCE="CA"
+export KEY_PROVINCE="Berlin"
+##export KEY_CITY="SanFrancisco"
+export KEY_CITY="Berlin"
+##export KEY_ORG="Fort-Funston"
+export KEY_ORG="o.open"
+##export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL="argus@oopen.de"
+##export KEY_OU="MyOrganizationalUnit"
+export KEY_OU="Network Services"
+
+# X509 Subject Field
+##export KEY_NAME="EasyRSA"
+export KEY_NAME="VPN SPR"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+## export KEY_CN="CommonName"
+export KEY_CN="VPN-SPR"
+
+export KEY_ALTNAMES="VPN-SPR"

SPR-BE/openvpn/spr/easy-rsa/vars.2018-03-18-1700

@@ -0,0 +1,80 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
+export KEY_OU="MyOrganizationalUnit"
+
+# X509 Subject Field
+export KEY_NAME="EasyRSA"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# export KEY_CN="CommonName"

SPR-BE/openvpn/spr/easy-rsa/whichopensslcnf

@@ -0,0 +1 @@
+/usr/share/easy-rsa/whichopensslcnf

SPR-BE/openvpn/spr/keys-created.txt

@@ -0,0 +1,4 @@
+
+key...............: chris.key
+common name.......: VPN-SPR-chris
+password..........: dbddhkpuka.&EadGl15E.

SPR-BE/openvpn/spr/keys/01.pem

@@ -0,0 +1,141 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Mar 18 18:08:15 2018 GMT
+            Not After : Mar 18 18:08:15 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR-server/name=VPN SPR/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:f5:57:0f:71:d1:a5:17:ec:2c:74:fd:16:8f:f7:
+                    8d:16:80:5f:0a:60:e9:3b:9e:65:19:fe:30:71:41:
+                    14:55:f3:f8:17:5a:10:c8:b7:16:1c:bf:21:63:bb:
+                    33:64:75:f0:3a:a9:9b:1a:27:68:33:71:fc:85:a7:
+                    f8:7f:b2:f5:31:c4:39:a2:e4:2e:53:8b:3d:20:49:
+                    0d:e7:83:83:82:54:ff:05:00:5e:5a:e5:e1:b4:9d:
+                    2e:0b:61:c2:71:19:11:10:30:2e:ed:95:62:01:70:
+                    f2:5f:77:25:71:8b:2b:b3:4d:f2:68:13:41:85:3f:
+                    03:82:88:98:89:e5:58:b4:83:e2:65:1f:5e:c1:b1:
+                    b9:80:54:35:f4:00:7e:92:fe:e5:2a:ad:c1:d1:b8:
+                    f3:33:f9:c8:de:ac:08:87:84:5c:61:65:25:a7:cc:
+                    7d:c1:b8:00:63:59:31:68:af:8e:0d:26:ef:62:7c:
+                    93:a8:94:32:18:fb:19:0e:d6:39:36:d8:89:35:eb:
+                    82:5e:cd:32:a0:b9:6b:37:83:c7:51:7e:24:38:84:
+                    d9:dd:c3:6c:f9:5e:7a:aa:c8:7e:d8:3b:ee:e3:bb:
+                    b5:9f:87:b8:c1:ce:91:a6:d5:5c:76:e0:cb:40:f8:
+                    97:4a:3d:bc:0a:d3:06:1b:08:ef:72:50:7c:b9:c5:
+                    72:3f:3a:c6:70:da:d5:4f:db:c9:a4:7a:d2:ac:56:
+                    e5:71:37:34:42:48:f8:8b:d1:ce:ae:34:2b:71:5b:
+                    9c:9d:47:5c:47:6e:f0:90:55:95:a3:81:de:f3:a9:
+                    34:c2:9e:9e:be:e3:ce:f5:46:e1:70:7a:42:d4:71:
+                    c9:78:f7:b4:a0:9e:2f:db:97:e6:e3:44:a4:55:29:
+                    1a:d5:d2:23:b8:a5:37:47:40:5d:c1:1f:67:4d:84:
+                    b6:67:2c:bc:dd:83:ea:1a:75:a7:96:f9:90:7c:29:
+                    47:32:72:fe:79:d4:b8:48:13:e1:80:a9:d2:06:20:
+                    ff:52:16:e8:7c:58:86:ab:3e:9a:ff:f4:c0:e0:7e:
+                    aa:46:eb:16:53:5c:9b:9e:b6:07:8f:a7:1d:68:0a:
+                    81:80:49:1e:45:05:78:d1:7f:0c:29:b9:06:9e:19:
+                    2d:d2:39:a1:a0:dc:d6:54:ac:da:da:20:0e:6d:a2:
+                    22:04:23:95:3b:5e:8a:6c:e9:53:b2:41:8a:86:98:
+                    89:e9:a8:60:45:f0:ba:8b:50:c3:4b:a0:a2:a5:16:
+                    ac:d3:27:bd:dc:a4:dc:b7:69:39:10:60:5e:6f:56:
+                    7a:dd:1a:e7:7d:bd:06:3d:be:b5:09:44:48:79:c7:
+                    69:f1:ea:48:60:6b:cb:eb:5a:43:7c:36:0a:a4:05:
+                    d4:ff:ef
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                AE:A8:6B:BE:2E:F3:60:22:A3:76:8F:4F:F5:26:69:83:AC:2E:19:29
+            X509v3 Authority Key Identifier: 
+                keyid:74:A2:83:1B:95:EB:45:FC:38:D0:71:AC:6A:F5:22:D6:DA:CE:27:0B
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+                serial:96:BC:22:64:4D:21:54:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         b4:51:ec:9d:ec:39:ed:c1:29:83:0e:e8:eb:c3:ec:5f:0e:1d:
+         53:d7:51:b9:d2:2e:90:09:a3:27:e8:f7:24:3f:de:15:d9:92:
+         22:80:ae:12:ab:17:5f:a1:7e:01:44:be:54:28:d8:76:42:ba:
+         60:77:7c:46:1d:42:6d:a9:25:ae:57:52:94:f7:76:44:b9:93:
+         de:a4:a7:c8:a3:4a:8d:72:bd:96:15:9a:42:37:b0:1c:e0:38:
+         7d:72:53:45:dc:11:28:62:e5:7d:0f:f9:32:21:81:8a:23:39:
+         85:05:bc:46:6a:23:34:a9:38:a3:fd:3e:a6:76:ae:82:d3:32:
+         a3:d4:6d:7e:33:0c:91:b2:04:26:99:ab:eb:43:9c:22:ab:ca:
+         ce:b1:c0:e9:10:0c:5b:cc:4e:42:8e:c9:e0:1d:59:b1:83:64:
+         57:7a:02:38:bc:b8:4b:ff:be:36:3f:a0:66:43:c6:1a:7e:17:
+         5a:d6:b8:5b:a7:08:7a:9f:e7:3c:00:0e:0b:46:f1:a1:90:73:
+         bd:b4:3e:11:a3:b6:96:4d:30:24:75:fb:fd:24:cc:63:b7:ac:
+         a5:6e:06:ba:1c:c2:6a:b2:fe:59:6e:5a:53:dc:0f:dc:e4:6f:
+         28:7d:c0:b1:cd:e9:14:95:06:ef:e9:91:7d:39:55:62:61:3c:
+         72:8f:0f:35:b4:e8:9b:49:50:41:2f:07:6d:3f:1f:92:94:ed:
+         e2:10:d3:08:75:43:cc:da:7f:00:3b:f9:d2:f1:97:21:2d:c5:
+         d0:30:2e:0e:84:1b:fd:3c:bd:ab:9d:bf:b7:18:ad:01:36:6c:
+         43:7e:04:33:29:14:b1:c7:68:64:a9:cc:85:57:67:f7:a3:3e:
+         c2:d5:a7:bf:f4:20:fb:41:91:2c:8f:6a:c5:d3:55:76:0f:79:
+         3d:12:59:d7:0e:59:f6:02:0c:31:07:39:09:55:97:40:e1:a9:
+         27:01:ad:fa:42:d7:67:14:7b:0f:e6:e3:1d:6f:28:71:17:9f:
+         de:97:2f:d1:a6:95:ba:d4:42:80:9c:0e:db:06:91:8e:bb:c4:
+         af:23:ae:85:9f:e2:57:e4:4a:87:e1:d0:64:9f:9a:15:30:c8:
+         bc:96:ea:da:98:eb:0a:5a:be:13:70:d6:35:50:0e:48:07:2b:
+         8a:19:e5:35:e6:a7:a2:ca:42:50:7b:bc:72:ea:99:4d:b8:2c:
+         06:75:e9:a6:c1:45:1e:97:42:9b:5b:a4:61:92:3c:45:88:31:
+         f4:1f:da:e4:01:72:f9:93:08:e4:66:4d:2c:4c:2f:19:10:49:
+         21:52:ca:18:59:38:76:79:ae:99:8e:ac:20:85:85:af:a8:b6:
+         ab:73:04:66:d5:56:a5:9e
+-----BEGIN CERTIFICATE-----
+MIIHRDCCBSygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIx
+EDAOBgNVBCkTB1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRl
+MB4XDTE4MDMxODE4MDgxNVoXDTM4MDMxODE4MDgxNVowgaUxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRcwFQYDVQQDEw5WUE4tU1BS
+LXNlcnZlcjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNA
+b29wZW4uZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQD1Vw9x0aUX
+7Cx0/RaP940WgF8KYOk7nmUZ/jBxQRRV8/gXWhDItxYcvyFjuzNkdfA6qZsaJ2gz
+cfyFp/h/svUxxDmi5C5Tiz0gSQ3ng4OCVP8FAF5a5eG0nS4LYcJxGREQMC7tlWIB
+cPJfdyVxiyuzTfJoE0GFPwOCiJiJ5Vi0g+JlH17BsbmAVDX0AH6S/uUqrcHRuPMz
++cjerAiHhFxhZSWnzH3BuABjWTFor44NJu9ifJOolDIY+xkO1jk22Ik164JezTKg
+uWs3g8dRfiQ4hNndw2z5XnqqyH7YO+7ju7Wfh7jBzpGm1Vx24MtA+JdKPbwK0wYb
+CO9yUHy5xXI/OsZw2tVP28mketKsVuVxNzRCSPiL0c6uNCtxW5ydR1xHbvCQVZWj
+gd7zqTTCnp6+4871RuFwekLUccl497Sgni/bl+bjRKRVKRrV0iO4pTdHQF3BH2dN
+hLZnLLzdg+oadaeW+ZB8KUcycv551LhIE+GAqdIGIP9SFuh8WIarPpr/9MDgfqpG
+6xZTXJuetgePpx1oCoGASR5FBXjRfwwpuQaeGS3SOaGg3NZUrNraIA5toiIEI5U7
+Xops6VOyQYqGmInpqGBF8LqLUMNLoKKlFqzTJ73cpNy3aTkQYF5vVnrdGud9vQY9
+vrUJREh5x2nx6khga8vrWkN8NgqkBdT/7wIDAQABo4IBgjCCAX4wCQYDVR0TBAIw
+ADARBglghkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4QgENBCcWJUVhc3ktUlNBIEdl
+bmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFK6oa74u82Aio3aP
+T/UmaYOsLhkpMIHTBgNVHSMEgcswgciAFHSigxuV60X8ONBxrGr1ItbazicLoYGk
+pIGhMIGeMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZC
+ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNl
+czEQMA4GA1UEAxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3
+DQEJARYOYXJndXNAb29wZW4uZGWCCQCWvCJkTSFUmTATBgNVHSUEDDAKBggrBgEF
+BQcDATALBgNVHQ8EBAMCBaAwEQYDVR0RBAowCIIGc2VydmVyMA0GCSqGSIb3DQEB
+CwUAA4ICAQC0Ueyd7DntwSmDDujrw+xfDh1T11G50i6QCaMn6PckP94V2ZIigK4S
+qxdfoX4BRL5UKNh2Qrpgd3xGHUJtqSWuV1KU93ZEuZPepKfIo0qNcr2WFZpCN7Ac
+4Dh9clNF3BEoYuV9D/kyIYGKIzmFBbxGaiM0qTij/T6mdq6C0zKj1G1+MwyRsgQm
+mavrQ5wiq8rOscDpEAxbzE5CjsngHVmxg2RXegI4vLhL/742P6BmQ8Yafhda1rhb
+pwh6n+c8AA4LRvGhkHO9tD4Ro7aWTTAkdfv9JMxjt6ylbga6HMJqsv5ZblpT3A/c
+5G8ofcCxzekUlQbv6ZF9OVViYTxyjw81tOibSVBBLwdtPx+SlO3iENMIdUPM2n8A
+O/nS8ZchLcXQMC4OhBv9PL2rnb+3GK0BNmxDfgQzKRSxx2hkqcyFV2f3oz7C1ae/
+9CD7QZEsj2rF01V2D3k9ElnXDln2AgwxBzkJVZdA4aknAa36QtdnFHsP5uMdbyhx
+F5/ely/RppW61EKAnA7bBpGOu8SvI66Fn+JX5EqH4dBkn5oVMMi8luramOsKWr4T
+cNY1UA5IByuKGeU15qeiykJQe7xy6plNuCwGdemmwUUel0KbW6RhkjxFiDH0H9rk
+AXL5kwjkZk0sTC8ZEEkhUsoYWTh2ea6ZjqwghYWvqLarcwRm1Valng==
+-----END CERTIFICATE-----

SPR-BE/openvpn/spr/keys/02.pem

@@ -0,0 +1,139 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Mar 18 22:20:38 2018 GMT
+            Not After : Mar 18 22:20:38 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR-chris/name=VPN SPR/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:b9:f3:5e:69:06:7b:97:3e:45:6d:15:c2:45:e0:
+                    e1:ee:9e:3d:78:f1:49:0c:ea:ef:84:43:37:1b:ca:
+                    c5:fc:1f:ec:2a:11:06:13:fa:cb:34:36:5d:f9:99:
+                    be:e9:9e:b2:a1:c7:3d:b2:3f:62:33:09:0d:a7:3d:
+                    95:82:9c:04:c6:12:01:2f:88:5b:a5:aa:3d:d0:bc:
+                    35:89:a9:1b:24:50:7e:f2:61:a0:a9:71:16:40:f2:
+                    4c:3e:69:39:3e:52:d3:05:c1:25:ff:9e:66:c2:69:
+                    1f:a8:25:59:ba:1a:25:dc:ff:e0:9a:4e:38:f1:45:
+                    18:ea:f1:55:0c:a3:a7:46:32:98:26:6f:dd:97:34:
+                    9e:ca:94:84:a7:20:c5:74:c3:9b:4f:46:da:85:73:
+                    7b:f5:f4:9a:3b:b6:a7:54:8a:e5:a9:42:ca:e7:5a:
+                    74:4e:2c:ce:2e:17:41:24:9c:b5:7e:18:19:0e:f5:
+                    c3:f8:ef:ef:25:67:01:17:48:00:bf:76:60:9f:d7:
+                    c7:df:70:1a:55:91:76:89:4c:50:1c:ab:2d:96:18:
+                    a6:11:1c:88:d6:52:c1:70:32:1d:78:bf:82:25:ed:
+                    79:44:79:fc:8b:9a:67:41:40:ce:05:98:0e:57:4a:
+                    6f:99:03:e0:25:b3:a7:5b:4f:be:55:76:6b:0e:64:
+                    89:ac:07:ce:ad:bb:4c:4e:ec:5c:97:c2:e9:44:e7:
+                    a7:61:88:7d:70:2a:67:b4:bd:70:74:f5:0f:66:03:
+                    30:aa:e5:51:f3:27:6c:1a:f0:c9:95:60:ad:61:e5:
+                    50:de:86:7f:69:66:68:69:dc:d6:5a:2a:93:5f:49:
+                    f6:fe:6e:7f:9b:03:fd:08:88:d9:1d:b7:5f:bc:48:
+                    c6:a7:d1:c7:64:17:db:cb:cf:19:4b:e0:6f:aa:88:
+                    f3:bf:e4:a4:f1:9e:23:ba:ba:28:05:d3:5b:ac:03:
+                    0f:28:6f:85:3a:9b:a1:23:fb:c4:d0:7f:5b:a6:2a:
+                    73:4f:d0:16:cd:8f:c4:74:d3:05:13:19:98:49:11:
+                    93:c5:5d:fa:ac:4a:c1:96:0b:2b:fe:05:b9:c4:07:
+                    19:67:a6:eb:11:7f:5c:d6:30:27:f8:bb:58:60:b8:
+                    86:30:af:01:33:7c:25:93:51:08:b3:e8:10:fa:f0:
+                    66:db:86:8b:00:fe:8f:05:f0:43:25:fe:76:38:e3:
+                    6e:4a:68:e8:d2:46:86:76:98:01:03:1e:b5:76:2e:
+                    19:61:2f:84:cc:c4:12:12:f0:ee:6b:95:c4:10:c8:
+                    b7:9f:55:03:99:5f:4b:2f:ad:8d:e4:73:59:a2:09:
+                    97:52:00:dc:dd:06:40:4f:58:66:13:32:52:de:80:
+                    94:c9:af
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                F1:1A:D1:0C:E4:87:42:01:F0:4A:19:4E:E2:10:97:98:7A:7F:28:0F
+            X509v3 Authority Key Identifier: 
+                keyid:74:A2:83:1B:95:EB:45:FC:38:D0:71:AC:6A:F5:22:D6:DA:CE:27:0B
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+                serial:96:BC:22:64:4D:21:54:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:chris
+    Signature Algorithm: sha256WithRSAEncryption
+         3a:88:81:de:5c:a6:41:7c:43:58:54:ac:78:49:1e:8d:02:23:
+         28:a8:d3:5c:ce:08:a4:29:ac:bb:a6:e2:cf:1f:d4:1d:3c:a9:
+         4c:70:3a:57:3c:d9:40:a1:ea:df:c2:8c:df:e1:61:b4:33:84:
+         7b:61:fe:96:72:5e:80:09:5e:3d:40:93:13:2d:be:66:a9:c9:
+         1d:e0:95:58:f1:6f:01:c2:ea:c3:63:ea:16:43:0c:a3:57:9e:
+         45:cb:61:7b:33:4d:0c:75:d2:95:a9:3f:9d:47:ce:09:0e:5b:
+         15:09:ee:a8:56:5b:ff:7c:44:70:a4:bd:49:1f:b7:b9:9f:ac:
+         77:bf:42:e8:64:61:7b:e0:42:31:89:23:76:74:01:bf:19:b0:
+         28:7a:c1:27:6a:11:4d:10:70:93:98:40:a3:5b:1a:34:48:f6:
+         57:c3:4c:4d:4d:35:58:d1:b6:67:14:68:53:d2:94:b5:98:b8:
+         f0:2b:e3:f5:01:5b:4a:49:89:f7:02:ea:35:2d:ce:6a:4f:7e:
+         ce:29:92:ba:bf:f4:97:54:a4:ef:47:db:2d:7b:ed:34:aa:53:
+         ce:98:5e:40:5f:f5:aa:71:bb:79:7c:bc:cf:94:41:17:41:eb:
+         d8:ec:fb:93:92:36:fb:59:c3:2c:af:99:4a:f9:24:eb:a3:33:
+         a6:d4:08:df:8f:59:ca:3c:a7:27:6f:50:dc:c8:60:2e:c7:f0:
+         e9:de:ee:08:95:57:a4:36:d1:74:a8:31:de:2c:b9:1e:d6:df:
+         b8:c0:90:6d:36:15:b5:07:84:ec:05:a1:db:45:f2:8a:39:52:
+         82:ee:11:d0:78:9b:ab:a5:f9:08:de:ed:0b:11:4f:bd:01:34:
+         5c:72:01:4c:d7:b0:52:16:e2:a7:e4:e7:40:32:f1:70:e5:9c:
+         1c:c6:7e:de:0b:0e:c3:e1:9a:60:cc:75:62:6a:2a:df:76:4d:
+         fa:79:01:d1:fa:81:af:22:dc:b5:b5:0b:1b:0d:64:57:65:17:
+         58:d7:bd:17:7a:a3:92:f0:a8:4c:c4:67:05:7c:1f:f5:3c:23:
+         79:94:ac:2c:ac:a2:ea:b0:dd:ba:7a:f1:37:3e:71:0d:b9:6d:
+         94:b5:ea:ee:5c:d7:bc:61:e5:53:2f:21:b5:53:cd:1d:48:1d:
+         44:61:a2:fc:1c:63:df:36:d7:68:7e:27:d6:ec:c7:b4:6f:8c:
+         c0:88:c0:44:2e:f3:5a:63:36:ed:18:c7:a3:6e:6e:11:49:43:
+         aa:48:ff:53:5e:17:82:3b:1f:f2:ac:af:80:f5:9e:0d:06:ef:
+         12:0e:63:1f:72:a6:15:48:d1:94:a8:1c:7f:7b:d7:a0:89:41:
+         b0:40:45:9d:20:2d:e2:6b
+-----BEGIN CERTIFICATE-----
+MIIHKDCCBRCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIx
+EDAOBgNVBCkTB1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRl
+MB4XDTE4MDMxODIyMjAzOFoXDTM4MDMxODIyMjAzOFowgaQxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRYwFAYDVQQDEw1WUE4tU1BS
+LWNocmlzMRAwDgYDVQQpEwdWUE4gU1BSMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bv
+b3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALnzXmkGe5c+
+RW0VwkXg4e6ePXjxSQzq74RDNxvKxfwf7CoRBhP6yzQ2XfmZvumesqHHPbI/YjMJ
+Dac9lYKcBMYSAS+IW6WqPdC8NYmpGyRQfvJhoKlxFkDyTD5pOT5S0wXBJf+eZsJp
+H6glWboaJdz/4JpOOPFFGOrxVQyjp0YymCZv3Zc0nsqUhKcgxXTDm09G2oVze/X0
+mju2p1SK5alCyudadE4szi4XQSSctX4YGQ71w/jv7yVnARdIAL92YJ/Xx99wGlWR
+dolMUByrLZYYphEciNZSwXAyHXi/giXteUR5/IuaZ0FAzgWYDldKb5kD4CWzp1tP
+vlV2aw5kiawHzq27TE7sXJfC6UTnp2GIfXAqZ7S9cHT1D2YDMKrlUfMnbBrwyZVg
+rWHlUN6Gf2lmaGnc1loqk19J9v5uf5sD/QiI2R23X7xIxqfRx2QX28vPGUvgb6qI
+87/kpPGeI7q6KAXTW6wDDyhvhTqboSP7xNB/W6Yqc0/QFs2PxHTTBRMZmEkRk8Vd
++qxKwZYLK/4FucQHGWem6xF/XNYwJ/i7WGC4hjCvATN8JZNRCLPoEPrwZtuGiwD+
+jwXwQyX+djjjbkpo6NJGhnaYAQMetXYuGWEvhMzEEhLw7muVxBDIt59VA5lfSy+t
+jeRzWaIJl1IA3N0GQE9YZhMyUt6AlMmvAgMBAAGjggFnMIIBYzAJBgNVHRMEAjAA
+MC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUw
+HQYDVR0OBBYEFPEa0Qzkh0IB8EoZTuIQl5h6fygPMIHTBgNVHSMEgcswgciAFHSi
+gxuV60X8ONBxrGr1ItbazicLoYGkpIGhMIGeMQswCQYDVQQGEwJERTEPMA0GA1UE
+CBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcG
+A1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMHVlBOLVNQUjEQMA4GA1UE
+KRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQCWvCJk
+TSFUmTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEAYDVR0RBAkw
+B4IFY2hyaXMwDQYJKoZIhvcNAQELBQADggIBADqIgd5cpkF8Q1hUrHhJHo0CIyio
+01zOCKQprLum4s8f1B08qUxwOlc82UCh6t/CjN/hYbQzhHth/pZyXoAJXj1AkxMt
+vmapyR3glVjxbwHC6sNj6hZDDKNXnkXLYXszTQx10pWpP51HzgkOWxUJ7qhWW/98
+RHCkvUkft7mfrHe/QuhkYXvgQjGJI3Z0Ab8ZsCh6wSdqEU0QcJOYQKNbGjRI9lfD
+TE1NNVjRtmcUaFPSlLWYuPAr4/UBW0pJifcC6jUtzmpPfs4pkrq/9JdUpO9H2y17
+7TSqU86YXkBf9apxu3l8vM+UQRdB69js+5OSNvtZwyyvmUr5JOujM6bUCN+PWco8
+pydvUNzIYC7H8One7giVV6Q20XSoMd4suR7W37jAkG02FbUHhOwFodtF8oo5UoLu
+EdB4m6ul+Qje7QsRT70BNFxyAUzXsFIW4qfk50Ay8XDlnBzGft4LDsPhmmDMdWJq
+Kt92Tfp5AdH6ga8i3LW1CxsNZFdlF1jXvRd6o5LwqEzEZwV8H/U8I3mUrCysouqw
+3bp68Tc+cQ25bZS16u5c17xh5VMvIbVTzR1IHURhovwcY98212h+J9bsx7RvjMCI
+wEQu81pjNu0Yx6NubhFJQ6pI/1NeF4I7H/Ksr4D1ng0G7xIOYx9yphVI0ZSoHH97
+16CJQbBARZ0gLeJr
+-----END CERTIFICATE-----

SPR-BE/openvpn/spr/keys/ca.crt

@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIGzDCCBLSgAwIBAgIJAJa8ImRNIVSZMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMH
+VlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNA
+b29wZW4uZGUwIBcNMTgwMzE4MTYwMTU3WhgPMjA1MDAzMTgxNjAxNTdaMIGeMQsw
+CQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzAN
+BgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UE
+AxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJn
+dXNAb29wZW4uZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDEhmCg
+nhfyO/Z8q6/cyBTn7/K74AJRHl+8sUv/YFf0AOTgIrO93qdzDZf16IioZ/2+lg5X
+0exZGcXCIEOnWlrnDiVYYsVyYrCWOhhhLBv5Oe+OZCOwWEBY/+/M9Zp2OUgS5zJ6
+1DX4rtmb+WsAjcNJJmZV6q9M0gEZsuCfpgrNGADpuTCEa4RMk7z4mG/yjh0dkT1a
+RT2vAYD2RgUdVyR/xFQNflWh101i06kKwrJOuBT+iopBbyz3X2NkkBba+F9qoOpJ
+3NiOr4UfIMW6chUQiF1+8/PPtVIPkYFjNpUF5l1HXQBjwRCZZPYog1w701jN0G4u
+9GH6ZJjCBzvuSS8lo5jMdUillMh7EoCNdZTq+LgM8ZAro6GJh9oOXf3YL3RBMTfX
+aLFTxHzN+PCG53buZkNiM23OaackKyeOhXbDIQwiaTOcANVGpXrh63Qoj7BFbKx0
+pLTynp6IUXBbsE+ToX5y/BAtm8Q4DXLLe0h82zJIQ/ZBhTorQaMbi0VpLD0zkamM
+YWdZPVnAv+SOAt/uVVLN9aFUZO4V1ebBKVhYY56iW/OlugcSNo7vRcrvBFLI9TLU
+cS9euI4HxKldRZOejoTIbQXVEV7fZ1v1YHC7dafW/YJIJTkliTCQ05E8eiW/0zQd
+V1DWNIiPBOKm1LnMkVr+Aa1JpgpcEEN7ngMvswIDAQABo4IBBzCCAQMwHQYDVR0O
+BBYEFHSigxuV60X8ONBxrGr1ItbazicLMIHTBgNVHSMEgcswgciAFHSigxuV60X8
+ONBxrGr1ItbazicLoYGkpIGhMIGeMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVy
+bGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQ
+TmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBO
+IFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQCWvCJkTSFUmTAM
+BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBkzH3PqKEHjXZytQY7usSL
+6uAjH2jMhZb96GJpMNdpgzntACGjYl80Vxtwj0aIAYyOyIbfA9VyZsnc4dsYqJ82
+bN/K3AlEHeMBaxhrD6qOdyoXkwjx80WfvtF/FTyMHxsCIR/N2l0BM6THKOLMZWB2
+TmY/QBBsD+/nSwy/4JOeeJvtxuY0IXu0aONM+n4tDoVO9O7EyvpzcfrT/SosbtBB
+mBI1hH7/ThmXswvcrN7rCn00yaJC5Qv9HN4osKihzgigS5jh4lOYAvXhxTGU9Nzm
+kH21ONSNZql/mZCfs97RaoM7l2Uap5ex5vPA4BJvQ4WXWL89GYJGwTuOmIf77aX3
+Aoxl8ntuiE9R9oQKqcFe9uW25c1h1o6DRglc6oBEP1T40Ni8b/cTnwSeES4RiYAK
+ScSturvc/Nj2Z5nzR5iVKo/mW9SBHlbk52HvsIIhFRMoHahIcv2Z4+nyUPMlJCly
+lvp9yEFCnjwVbc3ruUqtYQHDxJf/SkBxuCLkN7W7W2voq1mOSOl3i7Aw2zf/kmG7
+BTLQVfIkUKLR6F2erz6QdEn8mST/Niz0la9mfK34ZgdG0zFZ0j5lLC3YnW91lr7B
+hlwVD/nIqjSOFLHdK2d/lefY1ZHcTbs3fUA8oKp8CdJb1NhfUWprigKHsSVHyqJ1
+CAgKxVPrsd1y2i/Xhg74YQ==
+-----END CERTIFICATE-----

SPR-BE/openvpn/spr/keys/ca.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDEhmCgnhfyO/Z8
+q6/cyBTn7/K74AJRHl+8sUv/YFf0AOTgIrO93qdzDZf16IioZ/2+lg5X0exZGcXC
+IEOnWlrnDiVYYsVyYrCWOhhhLBv5Oe+OZCOwWEBY/+/M9Zp2OUgS5zJ61DX4rtmb
++WsAjcNJJmZV6q9M0gEZsuCfpgrNGADpuTCEa4RMk7z4mG/yjh0dkT1aRT2vAYD2
+RgUdVyR/xFQNflWh101i06kKwrJOuBT+iopBbyz3X2NkkBba+F9qoOpJ3NiOr4Uf
+IMW6chUQiF1+8/PPtVIPkYFjNpUF5l1HXQBjwRCZZPYog1w701jN0G4u9GH6ZJjC
+BzvuSS8lo5jMdUillMh7EoCNdZTq+LgM8ZAro6GJh9oOXf3YL3RBMTfXaLFTxHzN
++PCG53buZkNiM23OaackKyeOhXbDIQwiaTOcANVGpXrh63Qoj7BFbKx0pLTynp6I
+UXBbsE+ToX5y/BAtm8Q4DXLLe0h82zJIQ/ZBhTorQaMbi0VpLD0zkamMYWdZPVnA
+v+SOAt/uVVLN9aFUZO4V1ebBKVhYY56iW/OlugcSNo7vRcrvBFLI9TLUcS9euI4H
+xKldRZOejoTIbQXVEV7fZ1v1YHC7dafW/YJIJTkliTCQ05E8eiW/0zQdV1DWNIiP
+BOKm1LnMkVr+Aa1JpgpcEEN7ngMvswIDAQABAoICAARc82I9gEyZdjR4X1QogQZR
+NnNjWsnQQdHfoc9OpUU+i9ZKDvGFMvSD9b645efPPzvu+uyKNZQY1WIk8zuQ7vm4
+P64Bq16JwF/ldEsb/pb+6UmhAYXVv7/6FqnXPhGn3ejFh0Jg2b3mq+AhnnWJsC88
+kgMQTcoH04xtgz0oI49AHC0UNnaKKIrGsOhYAgxBiXXxloodhWwQPXu6PDzVhXLs
+uez+xAnuzMIH7vXVMr46qgSosL8ZJ8dqL7u40zkTUJL+dZUkOQ6Z6Puy75DfHYab
+cG/0HJKc9PBxi4zXVmGmJqYB85NDYwn0yt5FZFPTsmIHYZrbRB2aBCYyoOr+ZvSF
+/44fBymBWiCNkTSHPp6aJUKh5pUxbpV5JWQtQZMbzc4sWONRhqwLnIQITuJg4b1q
+szWH9xyzrceBNCpKvaIWA8++cAexTR648NW4KxO3Po5EYlAYkfZFBsK3SvE18noV
+hMK/Yis8yBVDCTsg45LlACxi/ErYQAGfY1s4kfBYhJgy5aWow9MnKdnA5v5menOw
+w7N4YkrBy4iRcE2NZzd6YQY6ow0+LcEQMoPyj7UKVnmb2EgMRvjEKMngSdEeHL7w
+Amp+fEzgFGIaNZCxBLwOV7waF8mF3QH5/T4sIl3JfQ1oDDv/yFUJwnROR/RDgJ3X
+PCFyWvPEOBUbd1U4TpqJAoIBAQDrmm7QAY1X9brxH2L10QunCbUcx/B9ckzfDrOW
+D/OXgvDZKS9Vkb76MqUUExbdTjRQncUoma5KiVb2DnmGbQubUmgCiD4CEOeWuJl1
+6MQuOu2qjbCbK6iQIO01Lqz6Dbm3ZebobYB+qrnK5OMIhbHhlBTRhP+j5X1Q0vzv
+jTFMFdW3xt+S0aoc0Y5gLjw6i6Q2gXNgxenrCgyuAxJng82xX25O5DyvsXatxOw5
+DbFj7/96OeWc7OFluhpHAxCsgYgG7ff8UyUzr85DoAVSfU7nqMr/M9WmiTQ7Vvwa
+Ku5KtlaGVX5Pv4PCY+ECX07/YyDOXTdg+uwCuS8ROTaIGxOVAoIBAQDVid6Cvh2Z
+9nvq4Q+tIgem3NTmVrrh9QQNdW/HzAwdUvekDgL3Jlev+aO8D3YQHtJJndTJQ46m
+3H5jE+Rzs+Ld5FlpWS2NUMVya/QuUpUPmJ4lml7jsqof52To8NXKi74drNJt6PHq
+uRFUPPHAlLu+IvinSErCCezcDh75Hkf7b43MMFhH5s8msIC2f18SQI3SNnsdyL2u
+zJI4zYPg1lJ3Cn0gt3V97kkGT+FuRgUj5u5fXkvORi0+2TMmyWqybkZA+RQyRhC+
+rAs6qlxVfEvQt1vnGehDefSlyKlrXHdhyKJJ8RZROvbwNY8XDYo/zm3a7MPnLjWr
+FdMq8uymCWQnAoIBAD/ZpYhns0eQR+6K5AXcdnz5a4T2Rp2ouV6GHHNhtVFtYhpo
+R/S3v/sMeKJ9HegyBomGiGUdaRe4KsIaYCLnMIsShS+SfsOOk0TMmIJU573jqH9d
+UOxso40T71VHZgeKardiPXbmHjm1yQ5Mg57OpMuOlynFEob3bcPWuketixukmzvo
+ALVIbwLKY/x660WujH1dDci/OkrBeXg7SuSU2szkIP/uaOfwf0pOoPpBVL7Rzvnv
+8ONbayZnjjGKih1GKXg/S8KtQdrFHXBEUMzvOtAbdZA+Gvu8GVSvmTj6Q4Qp8D8N
+smKoc2veJ5+99qnN0pk6uARnXEjMqQ3Q5I90TxUCggEAX54mtuCunJyUjG5O+LW+
+O2ezJZk8gaWXNPebIBosao0WOq3Tghv3M+NTAAjkUv+aJkC4YY8Qt4MQTQlBSNYK
+BlYT+2plTVwXrc7NPljYSm2Kk0f2qXr9Vt/kfbIp6VJ9xQf4CiM/AF3ydof7sMJo
+9xDtyupCH3UWTMs970sx7FLdactUHI4rwCVU3WNXjPK/Dpw6sPGMjlMoPqs4HFub
+/ZYCxb2grM0ggeUPCrPr5VGo96dfxnQCGpxjnUCfuFpMtxdRhdl98gNT2+chBV5t
+DH6udmNRb7WSaRHbWynCg1S15uo/lgwTOyigdDAp8bxb0KYoasJ0YbGaJycz9H1M
+DQKCAQBElhUv4LAHzwIJJN5dnhUgqraSDzn7es5zRM1MPc+cFfLuZOrHSldFZ6ss
+DrHZ7+FdBqxPHqBso/iUsKZqmPMZFwrVjiGuRvZm6XqH076Zpq7iijQh+DlT67h/
+G3IbYAcH8h6mBSxDHoDDZSDIB6kw2zczSET/XViDtEQOnZD35n9KpI5n81o3iCi3
+R7bpeJe2aDWiWSMnSTE2q6hjw9yKDe/dcHswVGR6VwPdkwAnFPf3Kaa1e4OKWgyt
+c9nDLtdNLw24XZtEHxJrCBlZGfSGVR+l7IMzIAw76sbfh5H0opOQUMYvY+i7mkiq
+iNFVi9ygF7UxmEskpH/4gFKMSJZq
+-----END PRIVATE KEY-----

SPR-BE/openvpn/spr/keys/chris.crt

@@ -0,0 +1,139 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Mar 18 22:20:38 2018 GMT
+            Not After : Mar 18 22:20:38 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR-chris/name=VPN SPR/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:b9:f3:5e:69:06:7b:97:3e:45:6d:15:c2:45:e0:
+                    e1:ee:9e:3d:78:f1:49:0c:ea:ef:84:43:37:1b:ca:
+                    c5:fc:1f:ec:2a:11:06:13:fa:cb:34:36:5d:f9:99:
+                    be:e9:9e:b2:a1:c7:3d:b2:3f:62:33:09:0d:a7:3d:
+                    95:82:9c:04:c6:12:01:2f:88:5b:a5:aa:3d:d0:bc:
+                    35:89:a9:1b:24:50:7e:f2:61:a0:a9:71:16:40:f2:
+                    4c:3e:69:39:3e:52:d3:05:c1:25:ff:9e:66:c2:69:
+                    1f:a8:25:59:ba:1a:25:dc:ff:e0:9a:4e:38:f1:45:
+                    18:ea:f1:55:0c:a3:a7:46:32:98:26:6f:dd:97:34:
+                    9e:ca:94:84:a7:20:c5:74:c3:9b:4f:46:da:85:73:
+                    7b:f5:f4:9a:3b:b6:a7:54:8a:e5:a9:42:ca:e7:5a:
+                    74:4e:2c:ce:2e:17:41:24:9c:b5:7e:18:19:0e:f5:
+                    c3:f8:ef:ef:25:67:01:17:48:00:bf:76:60:9f:d7:
+                    c7:df:70:1a:55:91:76:89:4c:50:1c:ab:2d:96:18:
+                    a6:11:1c:88:d6:52:c1:70:32:1d:78:bf:82:25:ed:
+                    79:44:79:fc:8b:9a:67:41:40:ce:05:98:0e:57:4a:
+                    6f:99:03:e0:25:b3:a7:5b:4f:be:55:76:6b:0e:64:
+                    89:ac:07:ce:ad:bb:4c:4e:ec:5c:97:c2:e9:44:e7:
+                    a7:61:88:7d:70:2a:67:b4:bd:70:74:f5:0f:66:03:
+                    30:aa:e5:51:f3:27:6c:1a:f0:c9:95:60:ad:61:e5:
+                    50:de:86:7f:69:66:68:69:dc:d6:5a:2a:93:5f:49:
+                    f6:fe:6e:7f:9b:03:fd:08:88:d9:1d:b7:5f:bc:48:
+                    c6:a7:d1:c7:64:17:db:cb:cf:19:4b:e0:6f:aa:88:
+                    f3:bf:e4:a4:f1:9e:23:ba:ba:28:05:d3:5b:ac:03:
+                    0f:28:6f:85:3a:9b:a1:23:fb:c4:d0:7f:5b:a6:2a:
+                    73:4f:d0:16:cd:8f:c4:74:d3:05:13:19:98:49:11:
+                    93:c5:5d:fa:ac:4a:c1:96:0b:2b:fe:05:b9:c4:07:
+                    19:67:a6:eb:11:7f:5c:d6:30:27:f8:bb:58:60:b8:
+                    86:30:af:01:33:7c:25:93:51:08:b3:e8:10:fa:f0:
+                    66:db:86:8b:00:fe:8f:05:f0:43:25:fe:76:38:e3:
+                    6e:4a:68:e8:d2:46:86:76:98:01:03:1e:b5:76:2e:
+                    19:61:2f:84:cc:c4:12:12:f0:ee:6b:95:c4:10:c8:
+                    b7:9f:55:03:99:5f:4b:2f:ad:8d:e4:73:59:a2:09:
+                    97:52:00:dc:dd:06:40:4f:58:66:13:32:52:de:80:
+                    94:c9:af
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                F1:1A:D1:0C:E4:87:42:01:F0:4A:19:4E:E2:10:97:98:7A:7F:28:0F
+            X509v3 Authority Key Identifier: 
+                keyid:74:A2:83:1B:95:EB:45:FC:38:D0:71:AC:6A:F5:22:D6:DA:CE:27:0B
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+                serial:96:BC:22:64:4D:21:54:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:chris
+    Signature Algorithm: sha256WithRSAEncryption
+         3a:88:81:de:5c:a6:41:7c:43:58:54:ac:78:49:1e:8d:02:23:
+         28:a8:d3:5c:ce:08:a4:29:ac:bb:a6:e2:cf:1f:d4:1d:3c:a9:
+         4c:70:3a:57:3c:d9:40:a1:ea:df:c2:8c:df:e1:61:b4:33:84:
+         7b:61:fe:96:72:5e:80:09:5e:3d:40:93:13:2d:be:66:a9:c9:
+         1d:e0:95:58:f1:6f:01:c2:ea:c3:63:ea:16:43:0c:a3:57:9e:
+         45:cb:61:7b:33:4d:0c:75:d2:95:a9:3f:9d:47:ce:09:0e:5b:
+         15:09:ee:a8:56:5b:ff:7c:44:70:a4:bd:49:1f:b7:b9:9f:ac:
+         77:bf:42:e8:64:61:7b:e0:42:31:89:23:76:74:01:bf:19:b0:
+         28:7a:c1:27:6a:11:4d:10:70:93:98:40:a3:5b:1a:34:48:f6:
+         57:c3:4c:4d:4d:35:58:d1:b6:67:14:68:53:d2:94:b5:98:b8:
+         f0:2b:e3:f5:01:5b:4a:49:89:f7:02:ea:35:2d:ce:6a:4f:7e:
+         ce:29:92:ba:bf:f4:97:54:a4:ef:47:db:2d:7b:ed:34:aa:53:
+         ce:98:5e:40:5f:f5:aa:71:bb:79:7c:bc:cf:94:41:17:41:eb:
+         d8:ec:fb:93:92:36:fb:59:c3:2c:af:99:4a:f9:24:eb:a3:33:
+         a6:d4:08:df:8f:59:ca:3c:a7:27:6f:50:dc:c8:60:2e:c7:f0:
+         e9:de:ee:08:95:57:a4:36:d1:74:a8:31:de:2c:b9:1e:d6:df:
+         b8:c0:90:6d:36:15:b5:07:84:ec:05:a1:db:45:f2:8a:39:52:
+         82:ee:11:d0:78:9b:ab:a5:f9:08:de:ed:0b:11:4f:bd:01:34:
+         5c:72:01:4c:d7:b0:52:16:e2:a7:e4:e7:40:32:f1:70:e5:9c:
+         1c:c6:7e:de:0b:0e:c3:e1:9a:60:cc:75:62:6a:2a:df:76:4d:
+         fa:79:01:d1:fa:81:af:22:dc:b5:b5:0b:1b:0d:64:57:65:17:
+         58:d7:bd:17:7a:a3:92:f0:a8:4c:c4:67:05:7c:1f:f5:3c:23:
+         79:94:ac:2c:ac:a2:ea:b0:dd:ba:7a:f1:37:3e:71:0d:b9:6d:
+         94:b5:ea:ee:5c:d7:bc:61:e5:53:2f:21:b5:53:cd:1d:48:1d:
+         44:61:a2:fc:1c:63:df:36:d7:68:7e:27:d6:ec:c7:b4:6f:8c:
+         c0:88:c0:44:2e:f3:5a:63:36:ed:18:c7:a3:6e:6e:11:49:43:
+         aa:48:ff:53:5e:17:82:3b:1f:f2:ac:af:80:f5:9e:0d:06:ef:
+         12:0e:63:1f:72:a6:15:48:d1:94:a8:1c:7f:7b:d7:a0:89:41:
+         b0:40:45:9d:20:2d:e2:6b
+-----BEGIN CERTIFICATE-----
+MIIHKDCCBRCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIx
+EDAOBgNVBCkTB1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRl
+MB4XDTE4MDMxODIyMjAzOFoXDTM4MDMxODIyMjAzOFowgaQxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRYwFAYDVQQDEw1WUE4tU1BS
+LWNocmlzMRAwDgYDVQQpEwdWUE4gU1BSMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bv
+b3Blbi5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALnzXmkGe5c+
+RW0VwkXg4e6ePXjxSQzq74RDNxvKxfwf7CoRBhP6yzQ2XfmZvumesqHHPbI/YjMJ
+Dac9lYKcBMYSAS+IW6WqPdC8NYmpGyRQfvJhoKlxFkDyTD5pOT5S0wXBJf+eZsJp
+H6glWboaJdz/4JpOOPFFGOrxVQyjp0YymCZv3Zc0nsqUhKcgxXTDm09G2oVze/X0
+mju2p1SK5alCyudadE4szi4XQSSctX4YGQ71w/jv7yVnARdIAL92YJ/Xx99wGlWR
+dolMUByrLZYYphEciNZSwXAyHXi/giXteUR5/IuaZ0FAzgWYDldKb5kD4CWzp1tP
+vlV2aw5kiawHzq27TE7sXJfC6UTnp2GIfXAqZ7S9cHT1D2YDMKrlUfMnbBrwyZVg
+rWHlUN6Gf2lmaGnc1loqk19J9v5uf5sD/QiI2R23X7xIxqfRx2QX28vPGUvgb6qI
+87/kpPGeI7q6KAXTW6wDDyhvhTqboSP7xNB/W6Yqc0/QFs2PxHTTBRMZmEkRk8Vd
++qxKwZYLK/4FucQHGWem6xF/XNYwJ/i7WGC4hjCvATN8JZNRCLPoEPrwZtuGiwD+
+jwXwQyX+djjjbkpo6NJGhnaYAQMetXYuGWEvhMzEEhLw7muVxBDIt59VA5lfSy+t
+jeRzWaIJl1IA3N0GQE9YZhMyUt6AlMmvAgMBAAGjggFnMIIBYzAJBgNVHRMEAjAA
+MC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUw
+HQYDVR0OBBYEFPEa0Qzkh0IB8EoZTuIQl5h6fygPMIHTBgNVHSMEgcswgciAFHSi
+gxuV60X8ONBxrGr1ItbazicLoYGkpIGhMIGeMQswCQYDVQQGEwJERTEPMA0GA1UE
+CBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcG
+A1UECxMQTmV0d29yayBTZXJ2aWNlczEQMA4GA1UEAxMHVlBOLVNQUjEQMA4GA1UE
+KRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQCWvCJk
+TSFUmTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEAYDVR0RBAkw
+B4IFY2hyaXMwDQYJKoZIhvcNAQELBQADggIBADqIgd5cpkF8Q1hUrHhJHo0CIyio
+01zOCKQprLum4s8f1B08qUxwOlc82UCh6t/CjN/hYbQzhHth/pZyXoAJXj1AkxMt
+vmapyR3glVjxbwHC6sNj6hZDDKNXnkXLYXszTQx10pWpP51HzgkOWxUJ7qhWW/98
+RHCkvUkft7mfrHe/QuhkYXvgQjGJI3Z0Ab8ZsCh6wSdqEU0QcJOYQKNbGjRI9lfD
+TE1NNVjRtmcUaFPSlLWYuPAr4/UBW0pJifcC6jUtzmpPfs4pkrq/9JdUpO9H2y17
+7TSqU86YXkBf9apxu3l8vM+UQRdB69js+5OSNvtZwyyvmUr5JOujM6bUCN+PWco8
+pydvUNzIYC7H8One7giVV6Q20XSoMd4suR7W37jAkG02FbUHhOwFodtF8oo5UoLu
+EdB4m6ul+Qje7QsRT70BNFxyAUzXsFIW4qfk50Ay8XDlnBzGft4LDsPhmmDMdWJq
+Kt92Tfp5AdH6ga8i3LW1CxsNZFdlF1jXvRd6o5LwqEzEZwV8H/U8I3mUrCysouqw
+3bp68Tc+cQ25bZS16u5c17xh5VMvIbVTzR1IHURhovwcY98212h+J9bsx7RvjMCI
+wEQu81pjNu0Yx6NubhFJQ6pI/1NeF4I7H/Ksr4D1ng0G7xIOYx9yphVI0ZSoHH97
+16CJQbBARZ0gLeJr
+-----END CERTIFICATE-----

SPR-BE/openvpn/spr/keys/chris.csr

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE6jCCAtICAQAwgaQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3Jr
+IFNlcnZpY2VzMRYwFAYDVQQDEw1WUE4tU1BSLWNocmlzMRAwDgYDVQQpEwdWUE4g
+U1BSMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBALnzXmkGe5c+RW0VwkXg4e6ePXjxSQzq74RDNxvK
+xfwf7CoRBhP6yzQ2XfmZvumesqHHPbI/YjMJDac9lYKcBMYSAS+IW6WqPdC8NYmp
+GyRQfvJhoKlxFkDyTD5pOT5S0wXBJf+eZsJpH6glWboaJdz/4JpOOPFFGOrxVQyj
+p0YymCZv3Zc0nsqUhKcgxXTDm09G2oVze/X0mju2p1SK5alCyudadE4szi4XQSSc
+tX4YGQ71w/jv7yVnARdIAL92YJ/Xx99wGlWRdolMUByrLZYYphEciNZSwXAyHXi/
+giXteUR5/IuaZ0FAzgWYDldKb5kD4CWzp1tPvlV2aw5kiawHzq27TE7sXJfC6UTn
+p2GIfXAqZ7S9cHT1D2YDMKrlUfMnbBrwyZVgrWHlUN6Gf2lmaGnc1loqk19J9v5u
+f5sD/QiI2R23X7xIxqfRx2QX28vPGUvgb6qI87/kpPGeI7q6KAXTW6wDDyhvhTqb
+oSP7xNB/W6Yqc0/QFs2PxHTTBRMZmEkRk8Vd+qxKwZYLK/4FucQHGWem6xF/XNYw
+J/i7WGC4hjCvATN8JZNRCLPoEPrwZtuGiwD+jwXwQyX+djjjbkpo6NJGhnaYAQMe
+tXYuGWEvhMzEEhLw7muVxBDIt59VA5lfSy+tjeRzWaIJl1IA3N0GQE9YZhMyUt6A
+lMmvAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAJngSSAfyxqID3NeeFhxtpb0I
+FE3bQs8tr6UjJusGPGpqLt42t6AZV36saj11WQqt+coexxz6rtevbIThKmi5jleY
+FBjt64cL47TeHY3aM4zIZ7n3YVcxGIbgZS5rDmYYFmydiI7PfOo9P2qUaLoB8I2l
+XL4SKv6NqKuu8k1rKiRt7WjZi3h6YG3P2DhU4BwkP7L/d9JjlLNOcsU7lCS2x/W+
+aBu0wYGZJNb0yxKdY1g0q5G4ciJGtisOt87DPyPi5uMK9zGCrOgdAFNvgYyL7HWy
+sdRPNorcnJxKl2OGTGSGMfy/H8dl7eHnFCtfYlDg1CKPFTrv6RypFE4f0/U1H7n5
+pk2rRKewgsSoex7YZrU8iVgs6/GZZwd+bfSzML0nAgp7Zg9CGV9UmGfgrTz6IdUH
+Me2iZXOSLrHBM8e9rBsDiTC7Fasd/9vm1oTJyEV29aWLodXRVOmE+pA5kloH6Mbk
+CZmKYxU2yBbuHRO7+f3aLa9sMzu5FW+X71qNczTWJ9nGY+mQ9OyPZAYXloRjgchj
+N5rIPu0zJhkWz3m84QG5y3ZCmzVkpqdfQPaY/B0xN9LytqlPcn+wvhiS+DK3PtYL
+jH1vvxaqfnIi89xnCuKEi1o8+SkpCsIKIjZlHAjM76KFnPc6f7w5Jfwh8Ax2jnQ/
++jtW4o7Fj0YKLjomVvo=
+-----END CERTIFICATE REQUEST-----

SPR-BE/openvpn/spr/keys/chris.key

@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI3P+UTRrv91ECAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIGofT8rXdMtBIIJSMRkl94ROVWC
+v/madZNyDie+Wlec4pGWYgur/dfgeQyjMEleu642IrvRFgJwdZOhEEIDc/syOHzx
+Hiy6zxvWcnMAfzQKwHcMI4HsOcqtZKiA/UZ+mXIH8H0HW62N8WHpryqpVyZC5EZj
+0bFaulmD7rV0MtYS2z5pfGLTnKvsDIE3rMvwyZTcRSA6Zt3bOxsJN+SjD4AlmJbk
+XERauxx47EmvPle3aIna625eIQjfniLxrEq0e5E8FQdZipHzqKz3Pub2bepAbmFO
+S3t1Eqk3DkA1mG5PKog1IrTgFAJ24tk/EZuFLzGEL0Wc5hdtcIijJh0Us8w0lWJ1
+RMp2+Pr6zMZSK5L1GYubi0IfASsAmBPewLPt/cUqdNuaCFc1dUuaX2/1gtBl/G16
+s6GFwjK8BhMuYi3Z2ehwNCA2koWA9nGbWzT4CSL63Znupc0ieCBob1UqrbtiaIPn
+xMFrKvO2wdnDJiKyNVCx3jUeN7700E2BCdS/G1WLoocQZTooQGJIpWUhcjvf6wXa
+AZhz+z/uFBXslWEB4O3t8VTk2M2/dKqJOg6yg+MwpAQSOd/8ogV0VOpft5GD/t4c
+6mgBs5lwtau7GbTFj060X15znpzvtPRUrNbL5QrK9DpLw+vvYB+IwCq/CVpjjchz
+g3nkpPw0O0gzGf6AEBJLGsfGljifMc1pDd0KNNkAweZSOg5XufFJpjiFnuXS5Puo
+O+vnvy0iie1e0KzMBrWJWY1vt9JuNRI85qNcftRNnyboQBmnnBAvdA5hiYib7+lY
+akB6UNwkREl40/FsDYxJl4yLbtUC/Lr1hEmyQt4ZEI9v96nW/L0/qlOyiYNAP1r0
+/PEKfRKn7uMZnJXZ0SYf9uMfdy8M56DYEEG3X08F6MWVbEozGbbF8l46FH/9cqFp
+/crtnJZi/1W/A12wmzSgGk2zzLtr+drZ8w/rO0sI5Ptjh+G1dSqSTobCb0bOC7+t
+H+6vesuSAdEQuxasbleh1IyBKkPRwNf4FqAumFfZDKlh0+PVw/waSEIcg5Ef4whV
+EI6rUHigVoZ7AtU/XsjJ3YkRulBXgIOVNCHCJqd8tRqgc5dUeG1652L3q5sIljtE
+nT1t/CEGOd+/rjLwbYl7ZdW3E67QovB/CRIh/B23u4jsbdBkZgeRINcrwbOIXE6t
+jhzO6uGjVuu/6VxMBRSSfxvIsMVCt1rDumadckn+MMOM8E/jT7qN+5QAurdSVnPq
+d7R6M14Jlz39NXXYkdAjNpAH9XX+8y/isOD1La6J+bcxpO7BqcAlQTzhgwB56DrN
+UZ234vaAW1hNtSjNS0e3jZ6noiEjfG6qOw5+DxtXLP9Rq5DwjPrIc2dscY4//foM
+u1NvDB4SloHVy1r01sEA5OqO4KyJsxXotKMeY6k92c2SmP7E461UHLn54LTLOs3t
+iuzug6aJh9nK/NOGprJoNgI9C/46phTTfPE73eUVCpbnbd46dZ8qpMnil4YIpk1L
++mOZCDOQD0H1CmFRXu+EzZsZLDLFjLtKtiGO/ifxs+zdNpLCcJyycPy44zteoMFq
+mra1b3hFgGestzHz/2ANY6gIe5sZikZVXgTRP9oZYQ7Wm0c1PVqQ003n60hJlajx
+a+EItIYkQl16BZCBbanDuKwofXmxtGZXtU84qcRIzs6X4NSb1N+0xwBC0TM+xYnN
+ZmX6hkj/ELYbrktcML6yJyDJz2UvMRaORBnrUjfisJ8dUFSKX6J0JCQ5IMSyZjeL
+Vzv7CRKFQ3VTvWgAtY31yjpNrr6oHJQ+Wk8B987IAKIKqIBH+RYiBlf3jQVrB3vl
+kQ93LqTXw2Iiapevb0fEREwoU9qEC/lTv39nrYIpHXMlpfQqFLGMPgS1VP5fQzrU
+QET6SCxYaehYT64aWBARpYUcwc7xMA8WwLc40f1JfXvmbIZ4dC4OZeIHNyy+kDu2
+hVKL7bI6jGZVTmFKGXYF9iMjiV8m4q19WqgvBkKZFzmTAZ4gasieHtOi+TzrEH+u
+G06wcEilg6o9NS2JkNl8H+ReOasnhPs/nuWZlB7hUNXnPA6QARQGZEuk6lKAxl6V
+zjtniLdRsZwVBKb8lExcP+BQ0KovnaLOzorFdISlsuOCwt4YWUbQkN1LMDMd1bq9
+Z3ThemCCOvn4C/Ez6DzFul22jTj8s5XPPZXUKEpu8p6Spt7rCYA8+MLoYmeS1Ztu
+L4ufZler6891KMkn2mLhSb91IB/5MDomgo9H9rBJA5JWa6hG/QV/wTxR2WkKuJAv
+IX8Zkhs5pQBTh+WDf9W5ftv4fqqowEOOztN+XotNAqaSmTE8vTxjePbnDAX5+iyp
+s40aHaxj9BFZrj0/Sp0StL9OzgV8qN8rxeblSoBFU0nx3bTAp76CM6fvp0XqK0el
+Ua6PdBBHKmp0RQoguX99cz3WYNqxTWMWE8c9aoXakBGff1Uz1Qgq0Y7kFnaXxCRM
+aUbkPMBOeMJrt1fQQWSlzurYXAO8pPn63uzZGhiplYh6fJQ3m+8m+AYGwzLTXEkS
+Z88Ox1CCdtR40brDba0pvkRNfOkD8wGpe2uYcAjnhc2MF5DeZf+8syxRnTBYsud9
+dBDCjQkYUKEihmqz31SjojoxaYutFkEe5//Nov2BxxoyVHtpjmLWtEdhVTAkcYTt
+05aO30leUBQ3IX97K68s6GFA1nJCe5WrcpCgjA/718N5tGuvc53zACLzpdEaCm5g
+2nowfRP/lx/faFCC1/ePjlT+1g9BJiaqFBaWR2iQ9VR8nKNws4ULCu6uNr5xtpG9
+LIw3C6DrBWtzVHAiZvz6Ufma4u5TlFxR4IlFS2aY7QzL9+EYqrogZUZIvDH3nOHs
+qS/t+CBbItxpb25X5EI/jruhmHplgHmdqdstRtyxjObEOdm5TV4+oRTIA6YYc4Cz
+TXrdjDkOECV+U/OYzHWxKFyCarn6d81pRu79RuksIhE0uAd5rxT5uJlzf9UuQjFr
+63XCVmLnVXuF4qpdfT7lj0cvtGz/Z7itSPgR3gzu/VnR+u+kdAvRgtDg0BJqV/Om
+vJLAnlJxc0bhwVmWB6q1Tmy3ZpDMsEGz7fLsbUQp+TcjNfrFCTrRgMppUdET5fFc
+8+kUQiLjZYYYINwpeS3cU+5tOtNNsnbgt1xkvbQvJ7qEjL8wF3J4j62M36dKCo5p
+LOq4p2liZ+06x9mtaX7NIg==
+-----END ENCRYPTED PRIVATE KEY-----

SPR-BE/openvpn/spr/keys/crl.pem

@@ -0,0 +1 @@
+../crl.pem

SPR-BE/openvpn/spr/keys/dh4096.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA8HMy/i1H5AJVhuI3mRhJyAW+60dvO7tHI24uyoVwvUPpyoz5VWYw
+XtqTF1a2pOQNsDORvofWgdV6zoj/pzaWUV1IT4TbTxif/G30a7cMbOKK9yQK5cWZ
+CiaDjh96gEL64qF5qk4o2m/9Yg0qQE3NhJvt9VDz/EcfFu78OJP259/6KsPozSwk
+id93JjaMtXUmoAcLclylvVfKAV0uP03PzO8XlsVQnXYy+zSpvC0nhYpPATMcMFeY
+pDxbhoBaN51VoMP+CUeCZp0/s7hZBsistMVoh/Qgkhorru0TpAhsNVUwG0GfMbE1
+jm3Rq1LMT3rFhlxXy2imiSd4Q2dGz5SBjmjwyQ3Jdoovji62q3MfjMTVi1CI4OMH
+kjDZQiLu3nD8DpgHELfDi/Olel8VnSvQ1j1OOINw2MM4h0tINWKMuKKoBFxG2lCl
+86CYZ6nZKlN99FH3dz6vQjzM03zkB+w05PC6mXSkzkoLaTD+pyU/Q9mbwUyfE4ZE
+T79sJ+tBl1uSNPAflqx8AJYkJIHY1STR9YeAk03ZUF21GZtALSJH/+Vy3BbApKEY
++YpemjqXeUoQ9rMYEJu8O26E78KbSqjt/hh+9CKnqllqbXI6EdAV23MlFimxoFSw
+NvOeD3iyUAlqC2RccNwUD8z2z1/fHozcYHE1GCBgXCsVm9HUV38BQVMCAQI=
+-----END DH PARAMETERS-----

SPR-BE/openvpn/spr/keys/index.txt

@@ -0,0 +1,2 @@
+V	380318180815Z		01	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR-server/name=VPN SPR/emailAddress=argus@oopen.de
+V	380318222038Z		02	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR-chris/name=VPN SPR/emailAddress=argus@oopen.de

SPR-BE/openvpn/spr/keys/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

SPR-BE/openvpn/spr/keys/index.txt.attr.old

@@ -0,0 +1 @@
+unique_subject = yes

SPR-BE/openvpn/spr/keys/index.txt.old

@@ -0,0 +1 @@
+V	380318180815Z		01	unknown	/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR-server/name=VPN SPR/emailAddress=argus@oopen.de

SPR-BE/openvpn/spr/keys/serial

@@ -0,0 +1 @@
+03

SPR-BE/openvpn/spr/keys/serial.old

@@ -0,0 +1 @@
+02

SPR-BE/openvpn/spr/keys/server.crt

@@ -0,0 +1,141 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+        Validity
+            Not Before: Mar 18 18:08:15 2018 GMT
+            Not After : Mar 18 18:08:15 2038 GMT
+        Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-SPR-server/name=VPN SPR/emailAddress=argus@oopen.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:f5:57:0f:71:d1:a5:17:ec:2c:74:fd:16:8f:f7:
+                    8d:16:80:5f:0a:60:e9:3b:9e:65:19:fe:30:71:41:
+                    14:55:f3:f8:17:5a:10:c8:b7:16:1c:bf:21:63:bb:
+                    33:64:75:f0:3a:a9:9b:1a:27:68:33:71:fc:85:a7:
+                    f8:7f:b2:f5:31:c4:39:a2:e4:2e:53:8b:3d:20:49:
+                    0d:e7:83:83:82:54:ff:05:00:5e:5a:e5:e1:b4:9d:
+                    2e:0b:61:c2:71:19:11:10:30:2e:ed:95:62:01:70:
+                    f2:5f:77:25:71:8b:2b:b3:4d:f2:68:13:41:85:3f:
+                    03:82:88:98:89:e5:58:b4:83:e2:65:1f:5e:c1:b1:
+                    b9:80:54:35:f4:00:7e:92:fe:e5:2a:ad:c1:d1:b8:
+                    f3:33:f9:c8:de:ac:08:87:84:5c:61:65:25:a7:cc:
+                    7d:c1:b8:00:63:59:31:68:af:8e:0d:26:ef:62:7c:
+                    93:a8:94:32:18:fb:19:0e:d6:39:36:d8:89:35:eb:
+                    82:5e:cd:32:a0:b9:6b:37:83:c7:51:7e:24:38:84:
+                    d9:dd:c3:6c:f9:5e:7a:aa:c8:7e:d8:3b:ee:e3:bb:
+                    b5:9f:87:b8:c1:ce:91:a6:d5:5c:76:e0:cb:40:f8:
+                    97:4a:3d:bc:0a:d3:06:1b:08:ef:72:50:7c:b9:c5:
+                    72:3f:3a:c6:70:da:d5:4f:db:c9:a4:7a:d2:ac:56:
+                    e5:71:37:34:42:48:f8:8b:d1:ce:ae:34:2b:71:5b:
+                    9c:9d:47:5c:47:6e:f0:90:55:95:a3:81:de:f3:a9:
+                    34:c2:9e:9e:be:e3:ce:f5:46:e1:70:7a:42:d4:71:
+                    c9:78:f7:b4:a0:9e:2f:db:97:e6:e3:44:a4:55:29:
+                    1a:d5:d2:23:b8:a5:37:47:40:5d:c1:1f:67:4d:84:
+                    b6:67:2c:bc:dd:83:ea:1a:75:a7:96:f9:90:7c:29:
+                    47:32:72:fe:79:d4:b8:48:13:e1:80:a9:d2:06:20:
+                    ff:52:16:e8:7c:58:86:ab:3e:9a:ff:f4:c0:e0:7e:
+                    aa:46:eb:16:53:5c:9b:9e:b6:07:8f:a7:1d:68:0a:
+                    81:80:49:1e:45:05:78:d1:7f:0c:29:b9:06:9e:19:
+                    2d:d2:39:a1:a0:dc:d6:54:ac:da:da:20:0e:6d:a2:
+                    22:04:23:95:3b:5e:8a:6c:e9:53:b2:41:8a:86:98:
+                    89:e9:a8:60:45:f0:ba:8b:50:c3:4b:a0:a2:a5:16:
+                    ac:d3:27:bd:dc:a4:dc:b7:69:39:10:60:5e:6f:56:
+                    7a:dd:1a:e7:7d:bd:06:3d:be:b5:09:44:48:79:c7:
+                    69:f1:ea:48:60:6b:cb:eb:5a:43:7c:36:0a:a4:05:
+                    d4:ff:ef
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                AE:A8:6B:BE:2E:F3:60:22:A3:76:8F:4F:F5:26:69:83:AC:2E:19:29
+            X509v3 Authority Key Identifier: 
+                keyid:74:A2:83:1B:95:EB:45:FC:38:D0:71:AC:6A:F5:22:D6:DA:CE:27:0B
+                DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-SPR/name=VPN SPR/emailAddress=argus@oopen.de
+                serial:96:BC:22:64:4D:21:54:99
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         b4:51:ec:9d:ec:39:ed:c1:29:83:0e:e8:eb:c3:ec:5f:0e:1d:
+         53:d7:51:b9:d2:2e:90:09:a3:27:e8:f7:24:3f:de:15:d9:92:
+         22:80:ae:12:ab:17:5f:a1:7e:01:44:be:54:28:d8:76:42:ba:
+         60:77:7c:46:1d:42:6d:a9:25:ae:57:52:94:f7:76:44:b9:93:
+         de:a4:a7:c8:a3:4a:8d:72:bd:96:15:9a:42:37:b0:1c:e0:38:
+         7d:72:53:45:dc:11:28:62:e5:7d:0f:f9:32:21:81:8a:23:39:
+         85:05:bc:46:6a:23:34:a9:38:a3:fd:3e:a6:76:ae:82:d3:32:
+         a3:d4:6d:7e:33:0c:91:b2:04:26:99:ab:eb:43:9c:22:ab:ca:
+         ce:b1:c0:e9:10:0c:5b:cc:4e:42:8e:c9:e0:1d:59:b1:83:64:
+         57:7a:02:38:bc:b8:4b:ff:be:36:3f:a0:66:43:c6:1a:7e:17:
+         5a:d6:b8:5b:a7:08:7a:9f:e7:3c:00:0e:0b:46:f1:a1:90:73:
+         bd:b4:3e:11:a3:b6:96:4d:30:24:75:fb:fd:24:cc:63:b7:ac:
+         a5:6e:06:ba:1c:c2:6a:b2:fe:59:6e:5a:53:dc:0f:dc:e4:6f:
+         28:7d:c0:b1:cd:e9:14:95:06:ef:e9:91:7d:39:55:62:61:3c:
+         72:8f:0f:35:b4:e8:9b:49:50:41:2f:07:6d:3f:1f:92:94:ed:
+         e2:10:d3:08:75:43:cc:da:7f:00:3b:f9:d2:f1:97:21:2d:c5:
+         d0:30:2e:0e:84:1b:fd:3c:bd:ab:9d:bf:b7:18:ad:01:36:6c:
+         43:7e:04:33:29:14:b1:c7:68:64:a9:cc:85:57:67:f7:a3:3e:
+         c2:d5:a7:bf:f4:20:fb:41:91:2c:8f:6a:c5:d3:55:76:0f:79:
+         3d:12:59:d7:0e:59:f6:02:0c:31:07:39:09:55:97:40:e1:a9:
+         27:01:ad:fa:42:d7:67:14:7b:0f:e6:e3:1d:6f:28:71:17:9f:
+         de:97:2f:d1:a6:95:ba:d4:42:80:9c:0e:db:06:91:8e:bb:c4:
+         af:23:ae:85:9f:e2:57:e4:4a:87:e1:d0:64:9f:9a:15:30:c8:
+         bc:96:ea:da:98:eb:0a:5a:be:13:70:d6:35:50:0e:48:07:2b:
+         8a:19:e5:35:e6:a7:a2:ca:42:50:7b:bc:72:ea:99:4d:b8:2c:
+         06:75:e9:a6:c1:45:1e:97:42:9b:5b:a4:61:92:3c:45:88:31:
+         f4:1f:da:e4:01:72:f9:93:08:e4:66:4d:2c:4c:2f:19:10:49:
+         21:52:ca:18:59:38:76:79:ae:99:8e:ac:20:85:85:af:a8:b6:
+         ab:73:04:66:d5:56:a5:9e
+-----BEGIN CERTIFICATE-----
+MIIHRDCCBSygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
+ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEDAOBgNVBAMTB1ZQTi1TUFIx
+EDAOBgNVBCkTB1ZQTiBTUFIxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9vcGVuLmRl
+MB4XDTE4MDMxODE4MDgxNVoXDTM4MDMxODE4MDgxNVowgaUxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5v
+cGVuMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRcwFQYDVQQDEw5WUE4tU1BS
+LXNlcnZlcjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNA
+b29wZW4uZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQD1Vw9x0aUX
+7Cx0/RaP940WgF8KYOk7nmUZ/jBxQRRV8/gXWhDItxYcvyFjuzNkdfA6qZsaJ2gz
+cfyFp/h/svUxxDmi5C5Tiz0gSQ3ng4OCVP8FAF5a5eG0nS4LYcJxGREQMC7tlWIB
+cPJfdyVxiyuzTfJoE0GFPwOCiJiJ5Vi0g+JlH17BsbmAVDX0AH6S/uUqrcHRuPMz
++cjerAiHhFxhZSWnzH3BuABjWTFor44NJu9ifJOolDIY+xkO1jk22Ik164JezTKg
+uWs3g8dRfiQ4hNndw2z5XnqqyH7YO+7ju7Wfh7jBzpGm1Vx24MtA+JdKPbwK0wYb
+CO9yUHy5xXI/OsZw2tVP28mketKsVuVxNzRCSPiL0c6uNCtxW5ydR1xHbvCQVZWj
+gd7zqTTCnp6+4871RuFwekLUccl497Sgni/bl+bjRKRVKRrV0iO4pTdHQF3BH2dN
+hLZnLLzdg+oadaeW+ZB8KUcycv551LhIE+GAqdIGIP9SFuh8WIarPpr/9MDgfqpG
+6xZTXJuetgePpx1oCoGASR5FBXjRfwwpuQaeGS3SOaGg3NZUrNraIA5toiIEI5U7
+Xops6VOyQYqGmInpqGBF8LqLUMNLoKKlFqzTJ73cpNy3aTkQYF5vVnrdGud9vQY9
+vrUJREh5x2nx6khga8vrWkN8NgqkBdT/7wIDAQABo4IBgjCCAX4wCQYDVR0TBAIw
+ADARBglghkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4QgENBCcWJUVhc3ktUlNBIEdl
+bmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFK6oa74u82Aio3aP
+T/UmaYOsLhkpMIHTBgNVHSMEgcswgciAFHSigxuV60X8ONBxrGr1ItbazicLoYGk
+pIGhMIGeMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZC
+ZXJsaW4xDzANBgNVBAoTBm8ub3BlbjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNl
+czEQMA4GA1UEAxMHVlBOLVNQUjEQMA4GA1UEKRMHVlBOIFNQUjEdMBsGCSqGSIb3
+DQEJARYOYXJndXNAb29wZW4uZGWCCQCWvCJkTSFUmTATBgNVHSUEDDAKBggrBgEF
+BQcDATALBgNVHQ8EBAMCBaAwEQYDVR0RBAowCIIGc2VydmVyMA0GCSqGSIb3DQEB
+CwUAA4ICAQC0Ueyd7DntwSmDDujrw+xfDh1T11G50i6QCaMn6PckP94V2ZIigK4S
+qxdfoX4BRL5UKNh2Qrpgd3xGHUJtqSWuV1KU93ZEuZPepKfIo0qNcr2WFZpCN7Ac
+4Dh9clNF3BEoYuV9D/kyIYGKIzmFBbxGaiM0qTij/T6mdq6C0zKj1G1+MwyRsgQm
+mavrQ5wiq8rOscDpEAxbzE5CjsngHVmxg2RXegI4vLhL/742P6BmQ8Yafhda1rhb
+pwh6n+c8AA4LRvGhkHO9tD4Ro7aWTTAkdfv9JMxjt6ylbga6HMJqsv5ZblpT3A/c
+5G8ofcCxzekUlQbv6ZF9OVViYTxyjw81tOibSVBBLwdtPx+SlO3iENMIdUPM2n8A
+O/nS8ZchLcXQMC4OhBv9PL2rnb+3GK0BNmxDfgQzKRSxx2hkqcyFV2f3oz7C1ae/
+9CD7QZEsj2rF01V2D3k9ElnXDln2AgwxBzkJVZdA4aknAa36QtdnFHsP5uMdbyhx
+F5/ely/RppW61EKAnA7bBpGOu8SvI66Fn+JX5EqH4dBkn5oVMMi8luramOsKWr4T
+cNY1UA5IByuKGeU15qeiykJQe7xy6plNuCwGdemmwUUel0KbW6RhkjxFiDH0H9rk
+AXL5kwjkZk0sTC8ZEEkhUsoYWTh2ea6ZjqwghYWvqLarcwRm1Valng==
+-----END CERTIFICATE-----

SPR-BE/openvpn/spr/keys/server.csr

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE6zCCAtMCAQAwgaUxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYDVQQLExBOZXR3b3Jr
+IFNlcnZpY2VzMRcwFQYDVQQDEw5WUE4tU1BSLXNlcnZlcjEQMA4GA1UEKRMHVlBO
+IFNQUjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGUwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQD1Vw9x0aUX7Cx0/RaP940WgF8KYOk7nmUZ/jBx
+QRRV8/gXWhDItxYcvyFjuzNkdfA6qZsaJ2gzcfyFp/h/svUxxDmi5C5Tiz0gSQ3n
+g4OCVP8FAF5a5eG0nS4LYcJxGREQMC7tlWIBcPJfdyVxiyuzTfJoE0GFPwOCiJiJ
+5Vi0g+JlH17BsbmAVDX0AH6S/uUqrcHRuPMz+cjerAiHhFxhZSWnzH3BuABjWTFo
+r44NJu9ifJOolDIY+xkO1jk22Ik164JezTKguWs3g8dRfiQ4hNndw2z5XnqqyH7Y
+O+7ju7Wfh7jBzpGm1Vx24MtA+JdKPbwK0wYbCO9yUHy5xXI/OsZw2tVP28mketKs
+VuVxNzRCSPiL0c6uNCtxW5ydR1xHbvCQVZWjgd7zqTTCnp6+4871RuFwekLUccl4
+97Sgni/bl+bjRKRVKRrV0iO4pTdHQF3BH2dNhLZnLLzdg+oadaeW+ZB8KUcycv55
+1LhIE+GAqdIGIP9SFuh8WIarPpr/9MDgfqpG6xZTXJuetgePpx1oCoGASR5FBXjR
+fwwpuQaeGS3SOaGg3NZUrNraIA5toiIEI5U7Xops6VOyQYqGmInpqGBF8LqLUMNL
+oKKlFqzTJ73cpNy3aTkQYF5vVnrdGud9vQY9vrUJREh5x2nx6khga8vrWkN8Ngqk
+BdT/7wIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBAA4yKihpqPJAXK45e30X9Prz
+/C/RSinDDRctSxEF1tfleUgg+WhNg0xvzee/C0oDJXEovJy0w0/RJzRTvwnFCTlq
+En8L86Gdan4SOKDV+UkXEJCtOmYOiL6AvqKcfMoVThTYSqbNkZ/rkSHAZ9g5hIq8
+sPVfbt5gdWKD7/ZVzbvqKZC7bvS4taFRJutejKgdHyXHpJr9MYfRZncxQT7XtBFe
+LrM8fqJ14fWYTg8Q/E2qL28kPK1YZf+nEawnAldG4zaOyrKGplWf830815EyrQOn
+AhjJgz5RraTHQwo6l0vDtuSnO+1r52RyUA202O04Kdj/eOhtGDdA1vEsQKmVnFzq
+dvwVGVm+SzRb8otGx8JSf+Bc0W/+zGWT9CewW+apM7tpcZ8IyWlYxObMtcXJTEPL
+8XIvkcOGal9+NEqduSEo6goeuiuYo991WeQStrM/gioa6S9x6zzQW36dFmb7Y0VC
+HYjjgG6YOOfJPd2mWIs61c/2u3NDB+9Jy88PvdbJ7ukOAHxkyGq2ctsBZYwzCfoH
+WGq0dvP4qHNqCfhpfXOZsMKfopDmcE1+M6JFKv6OYYoXgOrCumEEly/AVNcr9ExU
+WmqBp5D1DBlaDrcJe/TBAOOBbDB2Ui/kCO3mhONRDKDemF5vriR+jATU4tZ5AVT0
+37MQGB4tDI1V8Iq9ovdD
+-----END CERTIFICATE REQUEST-----

SPR-BE/openvpn/spr/keys/server.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQD1Vw9x0aUX7Cx0
+/RaP940WgF8KYOk7nmUZ/jBxQRRV8/gXWhDItxYcvyFjuzNkdfA6qZsaJ2gzcfyF
+p/h/svUxxDmi5C5Tiz0gSQ3ng4OCVP8FAF5a5eG0nS4LYcJxGREQMC7tlWIBcPJf
+dyVxiyuzTfJoE0GFPwOCiJiJ5Vi0g+JlH17BsbmAVDX0AH6S/uUqrcHRuPMz+cje
+rAiHhFxhZSWnzH3BuABjWTFor44NJu9ifJOolDIY+xkO1jk22Ik164JezTKguWs3
+g8dRfiQ4hNndw2z5XnqqyH7YO+7ju7Wfh7jBzpGm1Vx24MtA+JdKPbwK0wYbCO9y
+UHy5xXI/OsZw2tVP28mketKsVuVxNzRCSPiL0c6uNCtxW5ydR1xHbvCQVZWjgd7z
+qTTCnp6+4871RuFwekLUccl497Sgni/bl+bjRKRVKRrV0iO4pTdHQF3BH2dNhLZn
+LLzdg+oadaeW+ZB8KUcycv551LhIE+GAqdIGIP9SFuh8WIarPpr/9MDgfqpG6xZT
+XJuetgePpx1oCoGASR5FBXjRfwwpuQaeGS3SOaGg3NZUrNraIA5toiIEI5U7Xops
+6VOyQYqGmInpqGBF8LqLUMNLoKKlFqzTJ73cpNy3aTkQYF5vVnrdGud9vQY9vrUJ
+REh5x2nx6khga8vrWkN8NgqkBdT/7wIDAQABAoICAQDNJFneswyXnzxhKgqGoNjR
+Os+9buE2n7Ar9tZsrJ0jbddBN2cXXbfYm5yAttQ3KUKQ2qa9TLwdYC9lVtk7ddj+
+HvSOlruB0chvyYYd0mLRRN7kQLWkzdlXW6JXlAuw4+PXpGJo+GK1j8qqNocRlOwa
+ho+tpIRBtTnrGOprS2FLt4dDROLHlSLmAgQHHa64nPfkItwQz9RT3oWuYyzSm8Nf
+EONWlm+E3qU8bSUaQsjFiIvbzwzshdYJ+1Oti0TV7mN0uZMOUAgISmIzTjYIlzAU
+Lkm526GwNebeDL27cwnCVH9+gE7lhyNU28zv/fEWR4bBZjNo3aCaVHNbI5/W+hkW
+0Ix5cJq18cv0k5pqfdgeUyQsYCH+pWpJg8xRidlq6vrrHnYrYfZfg86WkIZHtkQy
+b81s0Pi4Hy9bd1fvJIwBHG1Q/I47H7G4BD4sRTIGpm4/eXWGk6ceUlQROLu0b0ij
+d9/1K7VeB8IQom+DhRdyJ08tU2p/7/qS+sDR77+A1TfL6pEmtvwaNO8QJmSUE6kR
+/3nQKqJIR0s5R1qHzn6yXQFODVyzi9yWtG92mhyCOIx+hZmyhAzDszx1tTDPDarD
+pxdtaMTO6V6Br7V6x8jlM2iRgh3IVVxdG1pG7ZF5633LPeXycoKaCUL/yyEtGYw1
+NpY4tevGxUueiE8hWp3DYQKCAQEA/9+nkHICSSCWHbRnkkGmJii/ZMWMqr0Yv6wa
+OyaqRswElVFSgh44dYSv2Gw6MkNSb6hytOvSYHMVvbsG54TolO4uXHjsW8KfYaR/
+R7iWsNhJ0woZzJXyjKTPH7vTkeVgwbouqmoM3sFsXdzJMEV2TAsclZYhec7FaWMX
+EYkGEVC2DH7kMrLXddm3h74G4kkm9k8LYVFnXbNeK7Rwlrx9HtdkqrcYC5oiN/cc
+z8JyYt+5WZRB1ovksTv4rhHVe6xsgJb/k/Mdhykdnawl6NnTNcaMGInxH+xt+4st
+7REuwWPGeAa6JWVvuzu618IjIPB4/g5DiYhzKnGbkE6/RpPrsQKCAQEA9XYS/758
+W1W6CdZbo59lfYlKzXJarVJr6PPJxuDEUR3zarKiVdVzcAj8geiQqVTdt5OYFyd0
+Ny4CrnQKqM2EtjUK7m+DJbiMv54jSWItiIvA+3vuoCYE6m0APPfImU3YwxSCOWWF
+f9gNmkk54xON/x/gj5WMmaYezfPPjdCtnXsXq/Eyq0hM2bZwgAfAkmWBRlrVopDr
+9Q61mYm0+lAz6ZSGADldsXIou5zTM5z5kDNk6rbEEpkP5IKeGaNNRvuM4WvfzlUZ
+u7sFCR9GDuvF4C5hNTlH6fRVvoBImcjgAZScgyIqQiDB/7HA1MzSobQOOVWu7pXC
+7+Coygi0s1+tnwKCAQEAkT4SbsLYm0v9ClWKaRIMzyJYKkqc45o9PyfhJ+x1wYQz
+odKspCGlaMftzUr56egfFjSnEB3AqHELSUytyaO/JjLhbCpT+G5MbG+ktECKgU30
+8e+M333KVZ2D2P6URP/QYYdez+ss7REcg1c9eMIlOVshWaQD0pHVq1HNGW4PXKrU
++9jXjhPIjCQOsuXiIHbnv+70hcRgiWa0sNhXBKlv2J7pjKIr6wIOJHiICULWDVvz
+aW7nxHJaWWSyb5S9+trQKFoOL5xUCZIENqkuR7PF2YOfqJo8niNl9uB1LFmRkcMi
+OKWQ6oNe3gg0sh6IND1sYMIWAi7LOK+OX2bj2ptCsQKCAQEApcgshsw5o1pf/xrm
+47jZTBM5EU8lzR/4v+o/onHWRc8Lw0mI+J3kjIuVN4xCgAtQgBdQRnsgM9CAgSDg
+vieodYOXsXhhRE3Dyftda8fCZxG0smV+wm1LLqWV3pefxWLdfsxQM8HMi475iPXi
+AesIIYJ/IZrozjFzZrg/u1FwoQcs8rVB+osnVHeyvdX+iyHBUSoyVcy5gNaBcoSe
+Vd1rYlwssOQN0rX+qs/9mUNxDqKXiysLfGAiaryJWVmA7OsiuHEqRGoXqkJi4Uld
+AODe0U2h29enKW0bqEFuR2dzW73qg2rEzcrgG/kK+u6naA16+eBT+NHvSiIa/fEp
+UmjRkwKCAQAg9Viy5Rm5aBV37X0TDZH0Iftk53N8J/CQtH3jbzUd8H49M92akBdY
+M+X7LZP16iVrIXdvFdSeIGgHNKnHGwDq/Lpnjm3CUpHRSwCXsNKlB1kY8VncSnEe
+zErz7FElHGXWZRJCRfpvMuSxjl3f9QiZrYq9B9VcSrsD5pMIdibXTZngbWyMM7kz
+KW0fasBni5evMASFnWrOsk7RaxAAnj3L+kHF7ijDh1n8X7QzpOv81LPPO+ziwmVm
+bVSoZQKSA6qdODQ6J+5bJjrnWng8JjzJw1554oBZsqj4TB613R80x9UcdoJh2eIN
+39lbdV2Gx8i/VYUZylpD0R8oBgxq4Kkr
+-----END PRIVATE KEY-----

SPR-BE/openvpn/spr/keys/ta.key

@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+0f871c0affde12bf4aa4c3683db554ab
+5b289badc22171c46f4fcf749b94c3b3
+fc8da02a98f067a6b624e3755ff08e28
+6c74f622bcb49a31b94bf9e9e9619fd7
+2949dddce9997bdd6b8c08bf7785baba
+54267e89eabf34f4e729d09dad95fbb4
+f254ed52de9287436f718c138f29e927
+36a77a01b8801be92da98eec772e1d9f
+eb568dc508531ca7dbb92af3098f812f
+4b7bcff4c0badbd34b6e168fc7312da1
+030559d8278ea9d2ac200da87d4b9283
+8994c85e9ef639c82214107f12d67f9a
+d71ca5d6a991bf778222f8a87eb99009
+1e1de4379406d4008daf98437ffe0e98
+0dd90d7d41239a14489e6d077740e97a
+90b30b8b8f445e78073ae1f365601bb1
+-----END OpenVPN Static key V1-----

SPR-BE/openvpn/update-resolv-conf

@@ -0,0 +1,58 @@
+#!/bin/bash
+# 
+# Parses DHCP options from openvpn to update resolv.conf
+# To use set as 'up' and 'down' script in your openvpn *.conf:
+# up /etc/openvpn/update-resolv-conf
+# down /etc/openvpn/update-resolv-conf
+#
+# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
+# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. 
+# 
+# Example envs set from openvpn:
+#
+#     foreign_option_1='dhcp-option DNS 193.43.27.132'
+#     foreign_option_2='dhcp-option DNS 193.43.27.133'
+#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
+#
+
+[ -x /sbin/resolvconf ] || exit 0
+[ "$script_type" ] || exit 0
+[ "$dev" ] || exit 0
+
+split_into_parts()
+{
+	part1="$1"
+	part2="$2"
+	part3="$3"
+}
+
+case "$script_type" in
+  up)
+	NMSRVRS=""
+	SRCHS=""
+	for optionvarname in ${!foreign_option_*} ; do
+		option="${!optionvarname}"
+		echo "$option"
+		split_into_parts $option
+		if [ "$part1" = "dhcp-option" ] ; then
+			if [ "$part2" = "DNS" ] ; then
+				NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
+			elif [ "$part2" = "DOMAIN" ] ; then
+				SRCHS="${SRCHS:+$SRCHS }$part3"
+			fi
+		fi
+	done
+	R=""
+	[ "$SRCHS" ] && R="search $SRCHS
+"
+	for NS in $NMSRVRS ; do
+        	R="${R}nameserver $NS
+"
+	done
+	echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
+	;;
+  down)
+	/sbin/resolvconf -d "${dev}.openvpn"
+	;;
+esac
+