Initial commit

2018-05-08 03:01:03 +02:00
commit 1c4c595cd6
3256 changed files with 417972 additions and 0 deletions

25
WF/README.txt Normal file

@ -0,0 +1,25 @@
Notice:
You have to change some configuration files becaus the because
the configuration of network interfaces must not be equal.
!! Take care, to use the right device names !!
Maybe they are called i.e. 'enp0sXX', but you can rename it.
See also : README.rename.netdevices
For the backup gateway host:
eth1 --> LAN
eth2 --> WAN or ppp0 (DSL device)
eth0 --> WLAN or second LAN or what ever
or
br0 --> WLAN or second LAN or what ever
So you have to change the following files
dsl-provider.WF: ppp0 comes over eth2
interfaces.WF: see above
default_isc-dhcp-server.WF
ipt-firewall.WF: LAN device (mostly ) = eth1
second LAN WLAN or what ever (if present) = eth0
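Review bot: the notice paragraph has a duplicated word and typos ("becaus the because the configuration of network interfaces must not be equal"); suggest "because the network interface configuration must not be identical on both hosts", and "i.e. 'enp0sXX'" should read "e.g. 'enp0sXX'" since it is an example, not a restatement. The list of files to change is missing what to change in default_isc-dhcp-server.WF (the other entries say what the device mapping is); add a line such as "default_isc-dhcp-server.WF: INTERFACESv4 = LAN device (and WLAN device if present)", since serving DHCP on the WAN device is the likely mistake.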

1
WF/bin/admin-stuff Submodule

Submodule WF/bin/admin-stuff added at 6c91fc0987

Submodule WF/bin/manage-gw-config added at 820fdbff49

1
WF/bin/monitoring Submodule

Submodule WF/bin/monitoring added at 0611d0a2ad

1
WF/bin/os-upgrade.sh Symbolic link

@ -0,0 +1 @@
admin-stuff/os-upgrade.sh

1
WF/bin/test_email.sh Symbolic link

@ -0,0 +1 @@
admin-stuff/test_email.sh

69
WF/bind/bind.keys Normal file

@ -0,0 +1,69 @@
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of Feburary 2017. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
#
# NOTE: The ISC DLV zone is being phased out as of February 2017;
# the key will remain in place but the zone will be otherwise empty.
# Configuring "dnssec-lookaside auto;" to activate this key is
# harmless, but is no longer useful and is not recommended.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
# These keys are activated by setting "dnssec-validation auto;"
# in named.conf.
#
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
# the root zone.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
# This key (20326) is to be published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
# file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained
# automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};
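Review bot: this is ISC's February 2017 copy of bind.keys and its own comments say key 19036 is being retired in favour of 20326 by RFC 5011 rollover (the root KSK roll was scheduled for October 2018, after this commit). That rollover only works if named can persist its managed-keys database, i.e. the working directory set in named.conf.options (`directory "/var/cache/bind"`) must be writable by the bind user; worth a line in the README. The DLV section is dead weight per the comments ("no longer useful and is not recommended") and named.conf.options does not enable dnssec-lookaside, so nothing here depends on it.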

12
WF/bind/db.0 Normal file

@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.

13
WF/bind/db.127 Normal file

@ -0,0 +1,13 @@
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.

18
WF/bind/db.192.168.42.0 Normal file

@ -0,0 +1,18 @@
;
; BIND data file for local wf.netz zone
;
$TTL 43600
@ IN SOA ns.wf.netz. ckubu.oopen.de. (
2013030701 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns.wf.netz.
; Gateway/Firewall
254 IN PTR gw-wf.wf-wlan.netz.

18
WF/bind/db.192.168.43.0 Normal file

@ -0,0 +1,18 @@
;
; BIND data file for local wf.netz zone
;
$TTL 43600
@ IN SOA ns.wf.netz. ckubu.oopen.de. (
2014031001 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns.wf.netz.
; Gateway/Firewall
10 IN PTR rapberry.wf.netz.
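Review bot: the PTR for .10 reads `rapberry.wf.netz.` while the forward zone (db.wf.netz) defines `raspberry IN A 192.168.43.10`; the reverse lookup will not match the forward name. The `; Gateway/Firewall` comment above it is copied from the 192.168.42.0 template and does not describe this host; change it to `; raspberry / owncloud` or similar.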

77
WF/bind/db.192.168.52.0 Normal file

@ -0,0 +1,77 @@
;
; BIND data file for local wf.netz zone
;
$TTL 43600
@ IN SOA ns.wf.netz. ckubu.oopen.de. (
2014031001 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns.wf.netz.
; Gateway/Firewall
254 IN PTR gw-wf.wf.netz.
; Ersatz Gateway
253 IN PTR gw-replacement.wf.netz.
; (Caching ) Nameserver
53 IN PTR ns-wf.wf.netz.
; File-Server
60 IN PTR anita.wf.netz.
; Development - Server (Vserver System)
20 IN PTR devel-root.wf.netz.
; NAS System
80 IN PTR wf-nas.wf.netz.
; IPMI
21 IN PTR devel-ipmi.wf.netz
61 IN PTR anita-ipmi.wf.netz
; APC - Smart UPS 3000 RM
15 IN PTR usv.wf.netz.
; Drucker
179 IN PTR brother-5890.wf.netz.
; Vserver Instanzen
22 IN PTR devel-php54.wf.netz.
23 IN PTR devel-db.wf.netz.
24 IN PTR devel-php5.wf.netz.
25 IN PTR devel-repos.wf.netz.
26 IN PTR devel-todo.wf.netz.
27 IN PTR devel-spi.wf.netz.
28 IN PTR devel-schott-be.wf.netz.
29 IN PTR devel-schott-fe.wf.netz.
30 IN PTR devel-solr.wf.netz.
31 IN PTR devel-php7.wf.netz.
; Buero PC's
78 IN PTR kaya.wf.netz.
84 IN PTR christian.wf.netz.
85 IN PTR axel-mini.wf.netz.
87 IN PTR mariettewf.netz.
; Ersatz Gatewy
253 IN PTR gw-replacement.wf.netz.
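Review bot: the two IPMI records lack the trailing dot (`21 IN PTR devel-ipmi.wf.netz` and `61 IN PTR anita-ipmi.wf.netz`), so the names are relative to the zone origin and resolve to `devel-ipmi.wf.netz.52.168.192.in-addr.arpa.`; the same applies to `87 IN PTR mariettewf.netz.`, which is also missing the dot between the host and the domain. The office PCs are swapped against the forward zone: db.wf.netz has axel at .84 and christian at .85, while this file maps 84 to christian and 85 to axel-mini. The `253 IN PTR gw-replacement.wf.netz.` record appears twice; drop the second copy. Running `named-checkzone 52.168.192.in-addr.arpa db.192.168.52.0` before committing would surface the missing-dot cases.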

12
WF/bind/db.255 Normal file

@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.

14
WF/bind/db.empty Normal file

@ -0,0 +1,14 @@
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.

14
WF/bind/db.local Normal file

@ -0,0 +1,14 @@
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1

17
WF/bind/db.local.netz Normal file

@ -0,0 +1,17 @@
;
; BIND data file for local domain local.netz
;
$TTL 43600
@ IN SOA ns.wf.netz. ckubu.oopen.de. (
2017101901 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns-wf.wf.netz.
spider IN A 192.168.63.173

90
WF/bind/db.root Normal file

@ -0,0 +1,90 @@
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: February 17, 2016
; related version of root zone: 2016021701
;
; formerly NS.INTERNIC.NET
;
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file
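Review bot: this hints file is dated February 17, 2016, and B.ROOT-SERVERS.NET moved its IPv4 address from 192.228.79.201 to 199.9.14.201 in October 2017, so the `B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201` line is stale for a May 2018 commit. It is not fatal (named primes its cache from whichever root servers still answer and then uses the addresses returned in the priming response, and recent BIND versions carry built-in hints), but the file should be refreshed from InterNIC's current named.root when it is committed as configuration.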

21
WF/bind/db.wf-wlan.netz Normal file

@ -0,0 +1,21 @@
;
; BIND data file for local wf.netz zone
;
$TTL 43600
@ IN SOA ns.wf.netz. ckubu.oopen.de. (
2013030701 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns.wf.netz.
; Gateway/Firewall
gw-wf IN A 192.168.42.254
gate IN CNAME gw-wf
gw IN CNAME gw-wf
gw-d11 IN CNAME gw-wf

199
WF/bind/db.wf.netz Normal file

@ -0,0 +1,199 @@
;
; BIND data file for local wf.netz zone
;
$TTL 43600
@ IN SOA ns.wf.netz. ckubu.oopen.de. (
2017071301 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns-wf.wf.netz.
; Gateway/Firewall
gw-wf IN A 192.168.52.254
gate IN CNAME gw-wf
gw IN CNAME gw-wf
gw-d11 IN CNAME gw-wf
; Ersatz Gateway
gw-replacement IN A 192.168.52.253
; (Caching ) Nameserver
ns-wf IN A 192.168.52.53
ns IN CNAME ns-wf
nscache IN CNAME ns-wf
resolver IN CNAME ns-wf
; File-Server
anita IN A 192.168.52.60
; Development - Server (Vserver System)
devel-root IN A 192.168.52.20
devel IN CNAME devel-root
; NAS System
wf-nas IN A 192.168.52.80
nas IN CNAME wf-nas
; IPMI
anita-ipmi IN A 192.168.52.61
devel-ipmi IN A 192.168.52.21
; APC - Smart UPS 3000 RM
usv IN A 192.168.52.15
ups IN CNAME usv
; Drucker
brother-5890 IN A 192.168.52.179
; Vserver Instanzen
devel-php54 IN A 192.168.52.22
php54 IN CNAME devel-php54
devel-db IN A 192.168.52.23
db IN CNAME devel-db
devel-php5 IN A 192.168.52.24
php5 IN CNAME devel-php5
devel-repos IN A 192.168.52.25
repos IN CNAME devel-repos
devel-todo IN A 192.168.52.26
todo IN CNAME devel-todo
todo-dev IN CNAME devel-todo
devel-spi IN A 192.168.52.27
spi IN CNAME devel-spi
devel-schott-be IN A 192.168.52.28
schott-be IN CNAME devel-schott-be
devel-schott-fe IN A 192.168.52.29
schott-fe IN CNAME devel-schott-fe
devel-solr IN A 192.168.52.30
solr IN CNAME devel-solr
devel-php7 IN A 192.168.52.31
php7 IN CNAME devel-php7
; php5 - Webserver
;
artikelbox IN A 192.168.52.24
benjamin-hoff IN A 192.168.52.24
bodyvib-shop IN A 192.168.52.24
callinus IN A 192.168.52.24
contao IN A 192.168.52.24
demasi IN A 192.168.52.24
die-linke-europa IN A 192.168.52.24
dkf IN A 192.168.52.24
egypt-at-work IN A 192.168.52.24
etherpad IN A 192.168.52.24
forum-ds IN A 192.168.52.24
gambio-shop IN A 192.168.52.24
ism IN A 192.168.52.24
hp-address IN A 192.168.52.24
helle-panke IN A 192.168.52.24
juergen-klute IN A 192.168.52.24
jewrovision-voting IN A 192.168.52.24
jugendkongress IN A 192.168.52.24
jw IN A 192.168.52.24
jw56 IN A 192.168.52.24
jw-test IN A 192.168.52.24
kaya-test IN A 192.168.52.24
kleinpetersberg IN A 192.168.52.24
kontext-chris IN A 192.168.52.24
kontext-emt IN A 192.168.52.24
kontext-felix IN A 192.168.52.24
kontext-test IN A 192.168.52.24
kontext-ml IN A 192.168.52.24
kontext-emt-zr IN A 192.168.52.24
kontext3 IN A 192.168.52.24
kontext3-mvc IN A 192.168.52.24
kontext3-sass IN A 192.168.52.24
limesurvey IN A 192.168.52.24
medientagung IN A 192.168.52.24
mitzvahday IN A 192.168.52.24
michael-leutert IN A 192.168.52.24
nd IN A 192.168.52.24
nd-2017 IN A 192.168.52.24
ndkz IN A 192.168.52.24
nd-archiv IN A 192.168.52.24
nd-2013 IN A 192.168.52.24
nd-redesign2011 IN A 192.168.52.24
parkaue IN A 192.168.52.24
php-manual IN A 192.168.52.24
php5-opcache IN A 192.168.52.24
pessach IN A 192.168.52.24
platinit IN A 192.168.52.24
prager-fruehling-magazin IN A 192.168.52.24
zrkalender IN A 192.168.52.24
zr-alt IN A 192.168.52.24
silverstripe IN A 192.168.52.24
solidarische-moderne IN A 192.168.52.24
typo3neos IN A 192.168.52.24
tvet-laos IN A 192.168.52.24
voltaire IN A 192.168.52.24
wagenknecht IN A 192.168.52.24
wiki IN A 192.168.52.24
wwl IN A 192.168.52.24
wwl-intellektuelle IN A 192.168.52.24
wwl-gewerkschafter IN A 192.168.52.24
wordpress IN A 192.168.52.24
; php54 - Webserver
devel-php54-neu IN A 192.168.52.22
nd-54 IN A 192.168.52.22
kontext3-54 IN A 192.168.52.22
kontext-emt-54 IN A 192.168.52.22
kontext-emt-zr-54 IN A 192.168.52.22
; php7 (php57) - Webserver
helle-panke-php7 IN A 192.168.52.31
kontext3-php7 IN A 192.168.52.31
jw-php7 IN A 192.168.52.31
nd-php7 IN A 192.168.52.31
; Repository Server
trac-efi IN A 192.168.52.25
trac-bdb IN A 192.168.52.25
spider-trac IN A 192.168.52.25
; spi Server
spider IN A 192.168.52.27
spider-dev IN A 192.168.52.27
spider-dev56 IN A 192.168.52.27
; Buero PC's
kaya IN A 192.168.52.78
axel IN A 192.168.52.84
*.axel IN CNAME axel
axel-mini IN CNAME axel
christian IN A 192.168.52.85
*.christian IN CNAME christian
mariette IN A 192.168.52.87
; Ersatz Gatewy
gw-replacement IN A 192.168.52.253
; raspberry (netz 192.168.43.0/24)
raspberry IN A 192.168.43.10
owncloud IN CNAME raspberry
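Review bot: `ns IN CNAME ns-wf` makes `ns.wf.netz.` an alias, yet every zone in this commit (this file's SOA MNAME, and the NS records in db.wf-wlan.netz, db.192.168.42.0, db.192.168.43.0 and db.192.168.52.0) uses `ns.wf.netz.` as name server; RFC 2181 section 10.3 forbids aliases as NS data and named-checkzone warns about it. Either point those NS/MNAME fields at `ns-wf.wf.netz.` (as the NS line in this file already does) or give `ns` its own A record. The `gw-replacement IN A 192.168.52.253` record is declared twice (under "; Ersatz Gateway" and again under "; Ersatz Gatewy"); remove the second copy and fix the spelling.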

12
WF/bind/named.conf Normal file

@ -0,0 +1,12 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
#include "/etc/bind/bind.keys";
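Review bot: `#include "/etc/bind/bind.keys";` is a comment in named.conf syntax (`#` is a valid comment leader alongside `//`), so this line does nothing. With `dnssec-validation auto;` in named.conf.options, named takes its trust anchors from its built-in keys or from the file named by `bindkeys-file`, not from this include; either delete the dead line or replace it with a comment stating where the trust anchors actually come from, so the next reader does not assume bind.keys is being loaded here.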


@ -0,0 +1,30 @@
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

43
WF/bind/named.conf.local Normal file

@ -0,0 +1,43 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// LAN
//
zone "wf.netz" {
type master;
file "/etc/bind/db.wf.netz";
};
zone "local.netz" {
type master;
file "/etc/bind/db.local.netz";
};
zone "52.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.52.0";
};
// W-LAN
//
zone "wf-wlan.netz" {
type master;
file "/etc/bind/db.wf-wlan.netz";
};
zone "42.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.42.0";
};
zone "43.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.43.0";
};


@ -0,0 +1,8 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


@ -0,0 +1,94 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 8.8.8.8;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
// Security options
listen-on port 53 {
127.0.0.1;
192.168.52.53;
};
allow-query {
127.0.0.1;
192.168.0.0/16;
172.16.0.0/12;
10.0.0.0/8;
};
// caching name services
recursion yes;
allow-recursion {
127.0.0.1;
192.168.0.0/16;
172.16.0.0/12;
10.0.0.0/16;
};
allow-transfer { none; };
listen-on-v6 { any; };
};
logging {
channel simple_log {
file "/var/log/named/bind.log" versions 3 size 5m;
//severity warning;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel queries_log {
file "/var/log/named/query.log" versions 10 size 5m;
severity debug;
//severity notice;
print-time yes;
print-severity yes;
print-category no;
};
channel log_zone_transfers {
file "/var/log/named/axfr.log" versions 5 size 2m;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category resolver {
queries_log;
};
category queries {
queries_log;
};
category xfer-in {
log_zone_transfers;
};
category xfer-out {
log_zone_transfers;
};
category notify {
log_zone_transfers;
};
category default{
simple_log;
};
};
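Review bot: `allow-recursion` lists `10.0.0.0/16` while `allow-query` lists `10.0.0.0/8`; one of the two is a typo, and clients in 10.1.0.0 to 10.255.255.255 would be allowed to query but refused recursion. `listen-on-v6 { any; };` binds every IPv6 address, including a global address on the WAN side if the gateway ever gets one, whereas IPv4 is correctly pinned to `127.0.0.1` and `192.168.52.53`; restrict it to `::1` or the specific interface addresses. On logging: the `queries` category only receives lines once query logging is turned on (`querylog yes;` in options or `rndc querylog`), `severity debug` on the `resolver` category will be very noisy, and `/var/log/named/` must exist and be writable by the bind user or named fails to start with this config.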


@ -0,0 +1,20 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};

4
WF/bind/rndc.key Normal file

@ -0,0 +1,4 @@
key "rndc-key" {
algorithm hmac-md5;
secret "pqwubRNLLzkygQbKaleFjw==";
};
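Review bot: this commits the live rndc control secret to version control, and with `algorithm hmac-md5`. Anyone with read access to the repository can now control named on this host from an address that reaches port 953, so the key should be treated as compromised: regenerate it on the host (`rndc-confgen -a -A hmac-sha256`), keep only a placeholder or .gitignore entry for rndc.key in the repo, and make sure the file stays mode 0640 root:bind.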

20
WF/bind/zones.rfc1918 Normal file

@ -0,0 +1,20 @@
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

8
WF/chap-secrets.WF Normal file

@ -0,0 +1,8 @@
# Secrets for authentication using CHAP
# client server secret IP addresses
#"feste-ip4/7TB02K2HZ4Q3@t-online-com.de" * "EadGl15E"
#"0025591824365511139967620001@t-online.de" * "EadGl15E"
"0029713004945511268028220001@t-online.de" * "86572293"
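Review bot: the DSL provider login and its CHAP secret are committed in plain text, along with two superseded accounts in the commented lines. Since they are now in repository history, the secret should be changed with the provider; in the repo keep chap-secrets.WF as a template with placeholder values, populate it on the host, and ensure it stays mode 0600 root-owned (pppd already requires this). Delete the old commented credentials rather than keeping them as history.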

49
WF/cron_root.WF Normal file

@ -0,0 +1,49 @@
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.JyiQcI/crontab installed on Fri May 4 18:28:53 2018)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
PATH=/root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow command
# check forwarding ( /proc/sys/net/ipv4/ip_forward contains "1" )
# if not set this entry to "1"
#
0-59/2 * * * * /root/bin/monitoring/check_forwarding.sh
# check if pppd is running and internet access works. if
# not restart it
#
0-59/10 * * * * /root/bin/monitoring/check_inet.sh ppp0 dsl-provider
# - reconnect to internet
# -
9 6 * * * /root/bin/admin-stuff/reconnect_inet.sh ppp0 dsl-provider
## - Copy gateway configuration
## -
09 3 * * * /root/bin/manage-gw-config/copy_gateway-config.sh WF
#02 13 * * * /etc/init.d/iptables stop
#1-59/30 * * * * /etc/init.d/iptables stop
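Review bot: the two commented entries `#02 13 * * * /etc/init.d/iptables stop` and `#1-59/30 * * * * /etc/init.d/iptables stop` are leftovers that would disable the firewall on a schedule if anyone uncomments them; remove them from the committed crontab. The header (`/tmp/crontab.JyiQcI/crontab installed on Fri May 4 18:28:53 2018`) shows this is a `crontab -l` dump, so the intended workflow is to edit this copy and reinstall it with `crontab`; the README should say so, since the header itself says "DO NOT EDIT THIS FILE".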


@ -0,0 +1,14 @@
# Defaults for dhcp initscript
# sourced by /etc/init.d/dhcp
# installed at /etc/default/isc-dhcp-server by the maintainer scripts
#
# This is a POSIX shell fragment
#
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
#INTERFACES=""
INTERFACESv4="eth1 eth2"
INTERFACESv6=""
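Review bot: `INTERFACESv4="eth1 eth2"` makes dhcpd listen on eth2, which the README maps to the WAN/DSL side, while the WLAN device (eth0 or br0) that carries the 192.168.42.0 pool from dhcpd.conf.WF is not listed. Serving DHCP towards the upstream segment is unwanted exposure, and the WLAN pool would never be offered; the value should be `"eth1 eth0"` (or `"eth1 br0"`), matching the device roles given in README.txt.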

193
WF/dhcpd.conf.WF Normal file

@ -0,0 +1,193 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.52.255;
option domain-name "wf.netz";
option domain-name-servers ns.wf.netz;
option routers 192.168.52.254;
#default-lease-time 600;
#max-lease-time 7200;
default-lease-time 86400;
max-lease-time 172800;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
## - W-LAN
## -
subnet 192.168.42.0 netmask 255.255.255.0 {
# --- 192.168.42.160/27 ---
# network address....: 192.168.42.160
# Broadcast address..: 192.168.42.191
# netmask............: 255.255.255.224
# network range......: 192.168.42.160 - 192.168.42.191
# Usable range.......: 192.168.42.161 - 192.168.42.190
range 192.168.42.161 192.168.42.190;
option domain-name "wf-wlan.netz";
option domain-name-servers 192.168.52.53;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.42.255;
option routers gw-d11.wf-wlan.netz;
default-lease-time 43200;
max-lease-time 86400;
}
## - LAN
## -
subnet 192.168.52.0 netmask 255.255.255.0 {
range 192.168.52.100 192.168.52.199;
# local-address 192.168.52.254;
option domain-name "wf.netz";
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.52.255;
# option domain-name-servers 192.168.52.53;
option domain-name-servers ns.wf.netz;
option routers 192.168.52.254;
default-lease-time 86400;
max-lease-time 172800;
}
# APC - Smart PS 3000 RM
host usv {
hardware ethernet 00:C0:B7:56:62:5D;
fixed-address ups.wf.netz;
}
# NAS
host wf-nas {
hardware ethernet 00:11:32:13:22:3D;
fixed-address wf-nas.wf.netz;
}
# File Server
host anita {
## - ALT -
## -
#hardware ethernet 00:25:90:0B:77:90;
hardware ethernet 0c:c4:7a:41:da:94;
fixed-address anita.wf.netz;
}
# Vserver System
host devel-root {
hardware ethernet 00:25:90:00:BE:6A;
fixed-address devel-root.wf.netz;
}
# Büro PCs
host axel {
hardware ethernet a8:20:66:1e:28:be;
fixed-address axel.wf.netz;
}
host christian {
hardware ethernet 74:d4:35:b9:08:f8;
fixed-address christian.wf.netz;
}
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
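Review bot: every `fixed-address` in the host blocks is a hostname (`ups.wf.netz`, `wf-nas.wf.netz`, `anita.wf.netz`, ...), and dhcpd resolves these when it reads its configuration, so dhcpd now fails to start whenever named is not yet answering at boot; use literal addresses here, or make the dhcpd unit depend on bind9. The comment block over the W-LAN pool describes a /27 (`192.168.42.160/27`, broadcast `.191`) but the declaration hands out `option subnet-mask 255.255.255.0` and `option broadcast-address 192.168.42.255`; the pool range is fine, but the comment should say it is a /24 with a 30-address pool. The stock line "No service will be given on this subnet" above the W-LAN block is now wrong and should go, and "APC - Smart PS 3000 RM" should read "Smart UPS".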

102
WF/dhcpd6.conf.WF Normal file

@ -0,0 +1,102 @@
# Server configuration file example for DHCPv6
# From the file used for TAHI tests - addresses chosen
# to match TAHI rather than example block.
# IPv6 address valid lifetime
# (at the end the address is no longer usable by the client)
# (set to 30 days, the usual IPv6 default)
default-lease-time 2592000;
# IPv6 address preferred lifetime
# (at the end the address is deprecated, i.e., the client should use
# other addresses for new connections)
# (set to 7 days, the usual IPv6 default)
preferred-lifetime 604800;
# T1, the delay before Renew
# (default is 1/2 preferred lifetime)
# (set to 1 hour)
option dhcp-renewal-time 3600;
# T2, the delay before Rebind (if Renews failed)
# (default is 3/4 preferred lifetime)
# (set to 2 hours)
option dhcp-rebinding-time 7200;
# Enable RFC 5007 support (same than for DHCPv4)
allow leasequery;
# Global definitions for name server address(es) and domain search list
option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:3f3e;
option dhcp6.domain-search "test.example.com","example.com";
# Set preference to 255 (maximum) in order to avoid waiting for
# additional servers when there is only one
##option dhcp6.preference 255;
# Server side command to enable rapid-commit (2 packet exchange)
##option dhcp6.rapid-commit;
# The delay before information-request refresh
# (minimum is 10 minutes, maximum one day, default is to not refresh)
# (set to 6 hours)
option dhcp6.info-refresh-time 21600;
# Static definition (must be global)
#host myclient {
# # The entry is looked up by this
# host-identifier option
# dhcp6.client-id 00:01:00:01:00:04:93:e0:00:00:00:00:a2:a2;
#
# # A fixed address
# fixed-address6 3ffe:501:ffff:100::1234;
#
# # A fixed prefix
# fixed-prefix6 3ffe:501:ffff:101::/64;
#
# # Override of the global definitions,
# # works only when a resource (address or prefix) is assigned
# option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:4f4e;
#
# # For debug (to see when the entry statements are executed)
# # (log "sol" when a matching Solicitation is received)
# ##if packet(0,1) = 1 { log(debug,"sol"); }
#}
#
#host otherclient {
# # This host entry is hopefully matched if the client supplies a DUID-LL
# # or DUID-LLT containing this MAC address.
# hardware ethernet 01:00:80:a2:55:67;
#
# fixed-address6 3ffe:501:ffff:100::4321;
#}
# The subnet where the server is attached
# (i.e., the server has an address in this subnet)
#subnet6 3ffe:501:ffff:100::/64 {
# # Two addresses available to clients
# # (the third client should get NoAddrsAvail)
# range6 3ffe:501:ffff:100::10 3ffe:501:ffff:100::11;
#
# # Use the whole /64 prefix for temporary addresses
# # (i.e., direct application of RFC 4941)
# range6 3ffe:501:ffff:100:: temporary;
#
# # Some /64 prefixes available for Prefix Delegation (RFC 3633)
# prefix6 3ffe:501:ffff:100:: 3ffe:501:ffff:111:: /64;
#}
# A second subnet behind a relay agent
#subnet6 3ffe:501:ffff:101::/64 {
# range6 3ffe:501:ffff:101::10 3ffe:501:ffff:101::11;
#
# # Override of the global definitions,
# # works only when a resource (address or prefix) is assigned
# option dhcp6.name-servers 3ffe:501:ffff:101:200:ff:fe00:3f3e;
#
#}
# A third subnet behind a relay agent chain
#subnet6 3ffe:501:ffff:102::/64 {
# range6 3ffe:501:ffff:102::10 3ffe:501:ffff:102::11;
#}
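Review bot: the two global options that are actually active here, `option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:3f3e;` and `option dhcp6.domain-search "test.example.com","example.com";`, are the placeholder values from the stock ISC dhcpd6.conf example (3ffe::/16 is the retired 6bone range), so any DHCPv6 client served by this gateway would be handed an unreachable resolver and a foreign search list. Either point them at the site's real resolver or comment them out like the rest of the sample, and drop the commented-out `host` and `subnet6` examples so the file only documents what this host actually serves.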

33
WF/email_notice.WF Executable file
@ -0,0 +1,33 @@
#!/bin/sh
file=/tmp/mail_ip-up$$
echo "" >> $file
echo " ********************************************************" >> $file
echo " *** This is an autogenerated mail from `hostname -f` ***" >> $file
echo "" >> $file
echo " I brought up the ppp-daemon with the following" >> $file
echo -e " parameters:\n" >> $file
echo -e "\tInterface name...............: $PPP_IFACE" >> $file
echo -e "\tThe tty......................: $PPP_TTY" >> $file
echo -e "\tThe link speed...............: $PPP_SPEED" >> $file
echo -e "\tLocal IP number..............: $PPP_LOCAL" >> $file
echo -e "\tPeer IP number..............: $PPP_REMOTE" >> $file
if [ "$USEPEERDNS" ] && [ "$DNS1" ] ; then
echo -e "\tNameserver 1.................: $DNS1" >> $file
if [ "$DNS2" ] ; then
echo -e "\tNameserver 2.................: $DNS2" >> $file
fi
fi
echo -e "\tOptional \"ipparam\" value.....: $PPP_IPPARAM" >> $file
echo "" >> $file
echo -e "\tDate.........................: `date +\"%d.%m.%Y\"`" >> $file
echo -e "\tTime.........................: `date +\"%H:%M:%S\"`" >> $file
echo "" >> $file
echo " ********************************************************" >> $file
/bin/echo -e "From:ip-up@`hostname -f`\nTo:root@`hostname -f`\nSubject: $PPP_LOCAL\n`cat $file`" | /usr/sbin/sendmail root
rm -f $file
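Review bot: `file=/tmp/mail_ip-up$$` is a predictable name in a world-writable directory and the script, which runs as root from ip-up, appends to it without checking whether something already exists at that path, so it is open to pre-creation and symlink races; use `file=$(mktemp -t mail_ip-up.XXXXXX)` instead and keep the `rm -f "$file"` in a trap so it also runs on error. Separately, under `#!/bin/sh` on Debian `echo -e` is dash's builtin, which does not know `-e` and prints it literally (escapes such as `\t` are interpreted anyway), so every `echo -e` line and the final `/bin/echo -e ... | sendmail` header will carry a stray `-e`; either change the shebang to bash or use `printf '\t%s\n'`. Quote `$file` and `$PPP_LOCAL` throughout.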

1
WF/hostname.WF Normal file
@ -0,0 +1 @@
gw-d11

11
WF/hosts.WF Normal file
@ -0,0 +1,11 @@
127.0.0.1 localhost
127.0.1.1 gw-d11.wf.netz gw-d11
192.168.43.10 wf-cloud.oopen.de
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

66
WF/interfaces.WF Normal file
@ -0,0 +1,66 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
#-----------------------------
# eth0 - WAN
#-----------------------------
auto eth0
iface eth0 inet static
address 192.168.16.254
network 192.168.16.0
netmask 255.255.255.0
broadcast 192.168.16.255
# VDSL needs vlan
post-up vconfig add eth0 7
post-down vconfig rem eth0.7
auto dsl-provider
iface dsl-provider inet ppp
pre-up /sbin/ifconfig eth0.7 up # line maintained by pppoeconf
provider dsl-provider
#-----------------------------
# eth1 - LAN + WLAN
#-----------------------------
auto eth1 eth1:0
iface eth1 inet static
#pre-up ( /sbin/modprobe -r dmfe ; /sbin/modprobe -r tulip ; modprobe tulip; )
address 192.168.52.254
network 192.168.52.0
netmask 255.255.255.0
broadcast 192.168.52.255
iface eth1:0 inet static
address 192.168.52.53
network 192.168.52.0
netmask 255.255.255.0
broadcast 192.168.52.255
## - ownloud local net
## -
auto eth1:1
iface eth1:1 inet static
address 192.168.43.254
network 192.168.43.0
netmask 255.255.255.0
broadcast 192.168.43.255
#-----------------------------
# eth2 - WLAN
#-----------------------------
auto eth2
iface eth2 inet static
address 192.168.42.254
network 192.168.42.0
netmask 255.255.255.0
broadcast 192.168.42.255
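Review bot: `post-up vconfig add eth0 7`, `post-down vconfig rem eth0.7` and `pre-up /sbin/ifconfig eth0.7 up` depend on the deprecated vconfig and ifconfig tools (vlan and net-tools packages); the iproute2 equivalents are `post-up ip link add link eth0 name eth0.7 type vlan id 7`, `pre-up ip link set eth0.7 up` and `post-down ip link del eth0.7`, or a dedicated `iface eth0.7 inet manual` stanza with `vlan-raw-device eth0` handled by the vlan hook. The `eth1:0` / `eth1:1` alias interfaces are legacy as well; a second `iface eth1 inet static` stanza or `up ip addr add 192.168.52.53/24 dev eth1` assigns the extra addresses without alias names, which the firewall settings (`local_alias_interfaces`) then no longer need to special-case. Minor: the comment reads `ownloud`, presumably `owncloud`.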

@ -0,0 +1,14 @@
[Unit]
Description=IPv4 Firewall with iptables
After=network.target
[Service]
SyslogIdentifier="ipt-gateway"
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ipt-firewall-gateway start
ExecStop=/usr/local/sbin/ipt-firewall-gateway stop
User=root
[Install]
WantedBy=multi-user.target
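Review bot: `After=network.target` loads the rule set only after the interfaces are already configured, which leaves a window at every boot (and every restart of networking) in which the gateway forwards with the kernel's default ACCEPT policies. The usual ordering for a firewall unit is `Before=network-pre.target` together with `Wants=network-pre.target`, so the rules are in place before any interface comes up; if the script needs live interface addresses at load time, at least set the default policies to DROP from an early unit and fill in the rules later. Also check the identifier that actually appears in journalctl: the quotes in `SyslogIdentifier="ipt-gateway"` are not shell-unquoted the way ExecStart= arguments are and should be dropped.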

@ -0,0 +1,22 @@
# - IPv4 addresses listet here will be completly banned by the firewall
# -
# - - Line beginning with '#' will be ignored.
# - - Blank lines will be ignored
# - - Only the first entry (until space sign or end of line) of each line will be considered.
# -
# - Valid values are:
# - complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)
# - partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24)
# - network/nn CIDR notation like 1.2.3.0/27
# - network/netmask notaions like 1.2.3.0/255.255.255.0
# - network/partial_netmask like 1.2.3.4/255
# -
# - Note:
# - - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored
# -
# - Example:
# - 79.171.81.0/24
# - 79.171.81.0/255.255.255.0
# - 79.171.81.0/255.255.255
# - 79.171.81
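Review bot: the format description says a complete address `1.2.3.4` is converted to `1.2.3.0/32`, which would ban a different host; a /32 keeps all four octets, so it should read `1.2.3.4/32`. Worth fixing because operators will copy these examples when they add entries. Typos in the header: listet, completly, adresses, notaions.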

@ -0,0 +1,44 @@
#!/usr/bin/env bash
# =============
# --- Define Ports for Services out
# =============
standard_ident_port=113
standard_silc_port=706
standard_irc_port=6667
standard_jabber_port=5222
standard_smtp_port=25
standard_ssh_port=22
standard_http_port=80
standard_https_port=443
standard_ftp_port=21
standard_tftp_udp_port=69
standard_ntp_port=123
standard_snmp_port=161
standard_snmp_trap_port=162
standard_timeserver_port=37
standard_pgp_keyserver_port=11371
standard_telnet_port=23
standard_whois_port=43
standard_cpan_wait_port=1404
standard_xymon_port=1984
standard_hbci_port=3000
standard_mysql_port=3306
standard_ipp_port=631
standard_cups_port=$standard_ipp_port
standard_print_raw_port=515
standard_print_port=9100
standard_remote_console_port=5900
# - IPsec - Internet Security Association and
# - Key Management Protocol
standard_isakmp_port=500
standard_ipsec_nat_t=4500
# - Comma separated lists
# -
standard_http_ports="80,443"
standard_mailuser_ports="587,465,110,995,143,993"
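Review bot: `standard_print_raw_port=515` and `standard_print_port=9100` have their names the wrong way round: 515 is the LPD/LPR spooler port and 9100 is raw (JetDirect) printing, so any rule built on `standard_print_raw_port` opens LPD rather than raw printing. Rename them (`standard_lpd_port=515`, `standard_print_raw_port=9100`) and fix the callers, or at least comment the lines, before the names spread further.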

@ -0,0 +1,113 @@
#!/usr/bin/env bash
# =============
# --- Some functions
# =============
# - Is this script running on terminal ?
# -
if [[ -t 1 ]] ; then
terminal=true
else
terminal=false
fi
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
echo_done() {
if $terminal ; then
echo -e "\033[75G[ \033[32mdone\033[m ]"
else
echo " [ done ]"
fi
}
echo_ok() {
if $terminal ; then
echo -e "\033[75G[ \033[32mok\033[m ]"
else
echo " [ ok ]"
fi
}
echo_warning() {
if $terminal ; then
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
else
echo " [ warning ]"
fi
}
echo_failed(){
if $terminal ; then
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
else
echo ' [ failed! ]'
fi
}
echo_skipped() {
if $terminal ; then
echo -e "\033[75G[ \033[37mskipped\033[m ]"
else
echo " [ skipped ]"
fi
}
fatal (){
echo ""
echo ""
if $terminal ; then
echo -e "\t[ \033[31m\033[1mFatal\033[m ]: \033[37m\033[1m$*\033[m"
echo ""
echo -e "\t\033[31m\033[1m Firewall Script will be interrupted..\033[m\033[m"
else
echo "fatal: $*"
echo "Firewall Script will be interrupted.."
fi
echo ""
exit 1
}
error(){
echo ""
if $terminal ; then
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
else
echo "Error: $*"
fi
echo ""
}
warn (){
echo ""
if $terminal ; then
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
else
echo "Warning: $*"
fi
echo ""
}
info (){
echo ""
if $terminal ; then
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
else
echo "Info: $*"
fi
echo ""
}
## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
local e
for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
return 1
}
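Review bot: `echononl` creates `/tmp/shprompt$$`, a predictable name in a shared directory, on every call just to probe whether `echo` honours `\c`; since the file is `#!/usr/bin/env bash`, `echo -n -e "$*" >&2` or `printf '%b' "$*" >&2` is always available and the temp file, the `wc | awk` test and the race that goes with it can all go. The `error` function prints `[ Fehler ]` in terminal mode while `warn`, `info` and `fatal` print English labels; make it `Error` so log grepping is consistent.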

@ -0,0 +1,49 @@
#!/usr/bin/env bash
# =============
# --- Define Network Interfaces / Ip-Adresses / Ports
# =============
# - Extern Interfaces DSL Lines
# - (blank separated list)
ext_if_dsl_1="ppp0"
ext_if_dsl_2=""
ext_if_dsl_3=""
ext_if_dsl_4=""
ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
# - Extern Interfaces Static Lines
# - (blank separated list)
ext_if_static_1="eth0"
ext_if_static_2=""
ext_if_static_3=""
ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
# - VPN Interfaces
# - (blank separated list)
vpn_ifs="tun+"
# - Local Interfaces
local_if_1="eth1"
local_if_2="eth2"
local_if_3=""
local_if_4=""
local_if_5=""
local_if_6=""
local_if_7=""
local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
# - Devices given in list "nat_devices" will be natted
# -
# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
# -
# - Blank separated list
# -
nat_devices=""
# - Are local alias interfaces like eth0:0 defined"
# -
local_alias_interfaces=true

@ -0,0 +1,36 @@
# =============
# - Load Kernel Modules
# =============
# - Note:!
# - Since Kernel 4.7 the automatic conntrack helper assignment
# - is disabled by default (net.netfilter.nf_conntrack_helper = 0).
# - Enable it by setting this variable in file /etc/sysctl.conf:
# -
# - net.netfilter.nf_conntrack_helper = 1
# -
# - Reboot or type "sysctl -p"
ip_tables
iptable_nat
iptable_filter
iptable_mangle
iptable_raw
# - Load base modules for tracking
# -
nf_conntrack
nf_nat
# - Load module for FTP Connection tracking and NAT
# -
nf_conntrack_ftp
nf_nat_ftp
# - Load modules for SIP VOIP
# -
nf_conntrack_sip
nf_nat_sip
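Review bot: the header tells the operator to set `net.netfilter.nf_conntrack_helper = 1`, which re-enables the automatic helper assignment the kernel disabled by default in 4.7 because a helper bound to a port then parses, and opens expectations for, every connection on that port regardless of interface or destination. Since `iptable_raw` is already loaded, the recommended alternative is to leave the sysctl at 0 and attach helpers explicitly in the raw table, e.g. `iptables -t raw -A PREROUTING -i eth1 -p tcp --dport 21 -j CT --helper ftp` (and likewise `--helper sip` for UDP 5060), restricted to the interfaces where FTP or SIP traffic is expected. `nf_conntrack_ftp`, `nf_nat_ftp`, `nf_conntrack_sip` and `nf_nat_sip` keep working that way without being applied to all traffic.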

@ -0,0 +1,9 @@
# =============
# - Load Kernel Modules
# =============
ip6_tables
ip6table_filter
ip6t_REJECT
ip6table_mangle

@ -0,0 +1,40 @@
#!/usr/bin/env bash
# =============
# --- Logging
# =============
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=false
log_ssh=false
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
# - logging messages
# -
log_prefix="IPv4:"
# ---
# - Log all traffic for givven ip address
# ---
log_ips=""
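Review bot: every `log_*` switch in this file (and in its IPv6 counterpart with `log_prefix="IPv6:"`) is `false`, so spoofed, invalid-state, blocked and rejected packets are dropped silently and nothing reaches syslog for the monitoring side to alert on. At minimum `log_spoofed`, `log_invalid_state`, `log_blocked` and `log_ssh` should default to true, and the LOG rules in the firewall script should be checked for `-m limit` rate limiting, because `log_all=true` at `log_level=debug` can fill the log on a DSL gateway. Typo in the trailing comment: givven.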

@ -0,0 +1,40 @@
#!/usr/bin/env bash
# =============
# --- Logging
# =============
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=false
log_ssh=false
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
# - logging messages
# -
log_prefix="IPv6:"
# ---
# - Log all traffic for givven ip address
# ---
log_ips=""

File diff suppressed because it is too large

@ -0,0 +1,505 @@
#!/usr/bin/env bash
# -----------
# --- Define Arrays
# -----------
# ---
# - Masquerade TCP Connections
# ---
declare -a nat_network_arr
for _net in $nat_networks ; do
nat_network_arr+=("$_net")
done
declare -a masquerade_tcp_con_arr
for _str in $masquerade_tcp_cons ; do
masquerade_tcp_con_arr+=("$_str")
done
# ---
# - Extern Network interfaces (DSL, Staic Lines, All together)
# ---
declare -a nat_device_arr
declare -a dsl_device_arr
declare -a ext_if_arr
for _dev in $ext_ifs_dsl ; do
dsl_device_arr+=("$_dev")
ext_if_arr+=("$_dev")
nat_device_arr+=("$_dev")
done
for _dev in $ext_ifs_static ; do
ext_if_arr+=("$_dev")
done
for _dev in $nat_devices ; do
if ! containsElement $_dev "${nat_device_arr[@]}" ; then
nat_device_arr+=("$_dev")
fi
done
# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs ; do
vpn_if_arr+=("$_dev")
done
# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs ; do
local_if_arr+=("$_dev")
done
# ---
# - Network Interfaces completly blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs ; do
blocked_if_arr+=("$_dev")
done
# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs ; do
unprotected_if_arr+=("$_dev")
done
# ---
# - Allow these local networks any access to the internet
# ---
declare -a any_access_to_inet_network_arr
for _net in $any_access_to_inet_networks ; do
any_access_to_inet_network_arr+=("$_net")
done
declare -a any_access_from_inet_network_arr
for _net in $any_access_from_inet_networks ; do
any_access_from_inet_network_arr+=("$_net")
done
# ---
# - Allow local services from given extern networks
# ---
declare -a allow_ext_net_to_local_service_arr
for _val in $allow_ext_net_to_local_service ; do
allow_ext_net_to_local_service_arr+=("$_val")
done
# ---
# - Allow all traffic from extern address/network to local address/network
# ---
declare -a allow_ext_net_to_local_net_arr
for _val in $allow_ext_net_to_local_net ; do
allow_ext_net_to_local_net_arr+=("$_val")
done
# ---
# - Block all extern traffic to (given) local network
# ---
declare -a block_all_ext_to_local_net_arr
for _net in $block_all_ext_to_local_net ; do
block_all_ext_to_local_net_arr+=("$_net")
done
# ---
# - Allow local services from given local networks
# ---
declare -a allow_local_net_to_local_service_arr
for _val in $allow_local_net_to_local_service ; do
allow_local_net_to_local_service_arr+=("$_val")
done
# ---
# - Allow all traffic from local network to local ip-address
# ---
declare -a allow_local_net_to_local_ip_arr
for _val in $allow_local_net_to_local_ip ; do
allow_local_net_to_local_ip_arr+=("$_val")
done
# ---
# - Allow all traffic from local ip-address to local network
# ---
declare -a allow_local_ip_to_local_net_arr
for _val in $allow_local_ip_to_local_net ; do
allow_local_ip_to_local_net_arr+=("$_val")
done
# ---
# - Allow all traffic from (one) local network to (another) local network
# ---
declare -a allow_local_net_to_local_net_arr
for _val in $allow_local_net_to_local_net ; do
allow_local_net_to_local_net_arr+=("$_val")
done
# ---
# - Allow local ip address from given local interface
# ---
declare -a allow_local_if_to_local_ip_arr
for _val in $allow_local_if_to_local_ip ; do
allow_local_if_to_local_ip_arr+=("$_val")
done
# ---
# - Separate local Networks
# ---
declare -a separate_local_network_arr
for _net in $separate_local_networks ; do
separate_local_network_arr+=("$_net")
done
# ---
# - Separate local Interfaces
# ---
declare -a separate_local_if_arr
for _net in $separate_local_ifs ; do
separate_local_if_arr+=("$_net")
done
# ---
# - Generally block ports on extern interfaces
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports ; do
block_tcp_port_arr+=("$_port")
done
declare -a block_udp_port_arr
for _port in $block_udp_ports ; do
block_udp_port_arr+=("$_port")
done
# ---
# - Not wanted on intern interfaces
# ---
declare -a not_wanted_on_gw_tcp_port_arr
for _port in $not_wanted_on_gw_tcp_ports ; do
not_wanted_on_gw_tcp_port_arr+=("$_port")
done
declare -a not_wanted_on_gw_udp_port_arr
for _port in $not_wanted_on_gw_udp_ports ; do
not_wanted_on_gw_udp_port_arr+=("$_port")
done
# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips ; do
forward_private_ip_arr+=("$_ip")
done
# ---
# - IP Addresses to log
# ---
declare -a log_ip_arr
for _ip in $log_ips ; do
log_ip_arr+=("$_ip")
done
# ---
# - Network Devices local DHCP Client
# ---
declare -a dhcp_client_interfaces_arr
for _dev in $dhcp_client_interfaces ; do
dhcp_client_interfaces_arr+=("$_dev")
done
# ---
# - IP Addresses DHCP Failover Server
# ---
declare -a dhcp_failover_server_ip_arr
for _ip in $dhcp_failover_server_ips ; do
dhcp_failover_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses DNS Server
# ---
declare -a dns_server_ip_arr
for _ip in $dns_server_ips ; do
dns_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses SSH Server only at ocal Networks
# ---
declare -a ssh_server_only_local_ip_arr
for _ip in $ssh_server_only_local_ips ; do
ssh_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Adresses HTTP Server only local Networks
# ---
declare -a http_server_only_local_ip_arr
for _ip in $http_server_only_local_ips ; do
http_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Mail Server only local Networks
# ---
declare -a mail_server_only_local_ip_arr
for _ip in $mail_server_only_local_ips ; do
mail_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses FTP Server
# ---
declare -a ftp_server_only_local_ip_arr
for _ip in $ftp_server_only_local_ips ; do
ftp_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Samba Server
# ---
declare -a samba_server_local_ip_arr
for _ip in $samba_server_local_ips ; do
samba_server_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses LDAP Server
# ---
declare -a ldap_server_local_ip_arr
for _ip in $ldap_server_local_ips ; do
ldap_server_local_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Telephone Systems
# ---
declare -a tele_sys_ip_arr
for _ip in $tele_sys_ips ; do
tele_sys_ip_arr+=("$_ip")
done
# ---
# - IP Adresses SNMP Server
# ---
declare -a snmp_server_ip_arr
for _ip in $snmp_server_ips ; do
snmp_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Munin Service
# ---
declare -a munin_local_server_ip_arr
for _ip in $munin_local_server_ips ; do
munin_local_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips ; do
xymon_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses IPMI interface
# ---
declare -a ipmi_server_ip_arr
for _ip in $ipmi_server_ips ; do
ipmi_server_ip_arr+=("$_ip")
done
# ---
# -IP Addresses Ubiquiti Unifi Accesspoints
# ---
declare -a unifi_ap_local_ip_arr
for _ip in $unifi_ap_local_ips ; do
unifi_ap_local_ip_arr+=("$_ip")
done
declare -a unifi_controller_gateway_ip_arr
for _ip in $unifi_controller_gateway_ips ; do
unifi_controller_gateway_ip_arr+=("$_ip")
done
declare -a unify_controller_local_net_ip_arr
for _ip in $unify_controller_local_net_ips ; do
unify_controller_local_net_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Printer
# -
declare -a printer_ip_arr
for _ip in $printer_ips ; do
printer_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Brother Scanner (brscan)
# ---
declare -a brother_scanner_ip_arr
for _ip in $brother_scanner_ips ; do
brother_scanner_ip_arr+=("$_ip")
done
# ---
# - IP Addresses PCNS Server
# ---
declare -a pcns_server_ip_arr
for _ip in $pcns_server_ips ; do
pcns_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses VNC Service
# ---
declare -a rm_server_ip_arr
for _ip in $rm_server_ips ; do
rm_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Rsync Out
# ---
# local
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips ; do
rsync_out_ip_arr+=("$_ip")
done
# ---
# - Other local Services
# ---
declare -a other_service_arr
for _val in $other_services ; do
other_service_arr+=("$_val")
done
# ---
# - SSH Ports
# ---
declare -a ssh_port_arr
for _port in $ssh_ports ; do
ssh_port_arr+=("$_port")
done
# ---
# - Cisco kompartible VPN Ports
# ---
declare -a cisco_vpn_out_port_arr
for _port in $cisco_vpn_out_ports ; do
cisco_vpn_out_port_arr+=("$_port")
done
# ---
# - VPN Ports
# ---
declare -a vpn_gw_port_arr
for _port in $vpn_gw_ports ; do
vpn_gw_port_arr+=("$_port")
done
declare -a vpn_local_net_port_arr
for _port in $vpn_local_net_ports ; do
vpn_local_net_port_arr+=("$_port")
done
declare -a vpn_out_port_arr
for _port in $vpn_out_ports ; do
vpn_out_port_arr+=("$_port")
done
# ---
# - Rsync Out Ports
# --
declare -a rsync_port_arr
for _port in $rsync_ports ; do
rsync_port_arr+=("$_port")
done
# ---
# - Samba Ports
# ---
declare -a samba_udp_port_arr
for _port in $samba_udp_ports ; do
samba_udp_port_arr+=("$_port")
done
declare -a samba_tcp_port_arr
for _port in $samba_tcp_ports ; do
samba_tcp_port_arr+=("$_port")
done
# ---
# - LDAP Ports
# ---
declare -a ldap_udp_port_arr
for _port in $ldap_udp_ports ; do
ldap_udp_port_arr+=("$_port")
done
declare -a ldap_tcp_port_arr
for _port in $ldap_tcp_ports ; do
ldap_tcp_port_arr+=("$_port")
done
# ---
# - IPMI
# ---
declare -a ipmi_udp_port_arr
for _port in $ipmi_udp_ports ; do
ipmi_udp_port_arr+=("$_port")
done
declare -a ipmi_tcp_port_arr
for _port in $ipmi_tcp_ports ; do
ipmi_tcp_port_arr+=("$_port")
done
# ---
# - Portforwrds TCP
# ---
declare -a portforward_tcp_arr
for _str in $portforward_tcp ; do
portforward_tcp_arr+=("$_str")
done
# ---
# - Portforwrds UDP
# ---
declare -a portforward_udp_arr
for _str in $portforward_udp ; do
portforward_udp_arr+=("$_str")
done
# ---
# - MAC Address Filtering
# ---
declare -a allow_all_mac_src_address_arr
for _mac in $allow_all_mac_src_addresses ; do
allow_all_mac_src_address_arr+=("$_mac")
done
declare -a allow_local_mac_src_address_arr
for _mac in $allow_local_mac_src_addresses ; do
allow_local_mac_src_address_arr+=("$_mac")
done
declare -a allow_remote_mac_src_address_arr
for _mac in $allow_remote_mac_src_addresses ; do
allow_remote_mac_src_address_arr+=("$_mac")
done
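Review bot: `unify_controller_local_net_ip_arr` is filled from `$unify_controller_local_net_ips`, spelled with a `y`, while the two neighbouring UniFi arrays use `unifi_`; if the settings file defines `unifi_controller_local_net_ips`, this array silently stays empty and the rules that depend on it are never created, with no error because bash expands the unset name to nothing. Pick one spelling, and consider `set -u` in the main script so that unset configuration variables fail loudly instead of producing an empty rule set. The `containsElement $_dev ...` call should quote its first argument. Style: every block here is the same four lines; `read -ra nat_network_arr <<< "$nat_networks"` does the same in one line per array and would also shrink the number of header comments that carry typos (Staic, kompartible, Portforwrds, ocal, Adresses). `separate_local_if_arr` loops over `_net` where the rest use `_dev`.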

1
WF/mailname.WF Normal file
@ -0,0 +1 @@
gw-d11.wf.netz

268
WF/main.cf.WF Normal file
@ -0,0 +1,268 @@
# ============ Basic settings ============
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
## - The Internet protocols Postfix will attempt to use when making
## - or accepting connections.
## - DEFAULT: ipv4
inet_protocols = ipv4
#inet_interfaces = all
inet_interfaces =
127.0.0.1
192.168.52.254
myhostname = gw-d11.wf.netz
mydestination =
gw-d11.wf.netz
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
192.168.52.254/32
#smtp_bind_address = 192.168.52.254
#smtp_bind_address6 =
## - The method to generate the default value for the mynetworks parameter.
## -
## - mynetworks_style = host" when Postfix should "trust" only the local machine
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - clients in the same IP subnetworks as the local machine.
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - IP class A/B/C networks as the local machine.
## -
#mynetworks_style = host
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## -
mailbox_size_limit = 0
## - The maximal size in bytes of a message, including envelope information.
## -
## - we user 50MB
## -
message_size_limit = 52480000
## - The system-wide recipient address extension delimiter
## -
recipient_delimiter = +
## - The alias databases that are used for local(8) delivery.
## -
alias_maps =
hash:/etc/aliases
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## -
alias_database =
hash:/etc/aliases
## - The maximal time a message is queued before it is sent back as
## - undeliverable. Defaults to 5d (5 days)
## - Specify 0 when mail delivery should be tried only once.
## -
maximal_queue_lifetime = 3d
bounce_queue_lifetime = $maximal_queue_lifetime
## - delay_warning_time (default: 0h)
## -
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
delay_warning_time = 1d
# ============ Relay parameters ============
#relayhost =
# ============ SASL authentication ============
# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Forwarding to the ip-adress of host b.mx.oopen.de
relayhost = [b.mx.oopen.de]
# File including login data
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Force using a (TLS) security connection
# obsulete - use smtp_tls_security_level instead
#smtp_use_tls = yes
#smtp_tls_enforce_peername = no
smtp_tls_security_level = encrypt
# Disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# ============ TLS parameters ============
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=encrypt
## - Aktiviert TLS für den Mailversand
## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - but do not require that clients use TLS encryption.
# smtp_use_tls=yes
smtpd_tls_security_level=may
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## -
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_cert_file = /etc/postfix/ssl/mailserver.crt
smtpd_tls_key_file = /etc/postfix/ssl/mailserver.key
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
## -
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
## - also possible to use 2048 key with that parameter
## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
## -
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
## -
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - necessary "hash" links with, for example, "
## - /bin/c_rehash /etc/postfix/certs".
## -
## - !! Note !!
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## -
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - queue directory (/var/spool/postfix)
## -
#smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Disable SSLv2 SSLv3 - Postfix SMTP client
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
#
#smtpd_tls_mandatory_ciphers = high
#
# opportunistic
smtpd_tls_ciphers = high
# Exclude ciphers
#smtpd_tls_exclude_ciphers =
# RC4
# aNULL
# SEED-SHA
# EXP
# MD5
smtpd_tls_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5, CBC3-SHA
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
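Review bot: `smtp_tls_security_level = encrypt` (set in the SASL block and again under TLS parameters; drop the duplicate) encrypts the session to `relayhost = [b.mx.oopen.de]` but does not verify the relay's certificate, so the credentials from `smtp_sasl_password_maps` would still be presented to any host that ends up terminating the connection. With `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` already configured, `smtp_tls_security_level = secure` (or `verify`) costs nothing and actually pins the relay. In `smtpd_tls_exclude_ciphers`, `EDH-RSA-DES-CDC3-SHA` and `KRB5-DE5, CBC3-SHA` are misspelt (`CBC3`, `KRB5-DES-CBC3-SHA`) and the comma splits the last entry into two tokens, so those exclusions do not match what was intended; since `DES` is excluded already they are redundant and can simply be removed. The German comments above `smtp_tls_security_level` and `smtpd_tls_security_level` are swapped (`Mailempfang`, reception, sits over the client setting and `Mailversand`, sending, over the server setting). Typos: we user, obsulete.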

@ -0,0 +1,5 @@
ifconfig-push 10.1.52.2 255.255.255.0
push "route 192.168.52.0 255.255.255.0 10.1.52.1"
push "route 192.168.43.0 255.255.255.0 10.1.52.1"
iroute 192.168.63.0 255.255.255.0
iroute 192.168.64.0 255.255.255.0

@ -0,0 +1,270 @@
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote wf.oopen.de 1195
topology subnet
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# Server CA
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
# Client Certificate
<cert>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
# Client Key
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
</key>
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
#
# Note!
# The option "ns-cert-type" has been deprecated since
# version 2.4 and will be removed from later distributions.
#
# Use the modern equivalent "remote-cert-tls"
#
;ns-cert-type server
remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.
#
# Don't forget to set the 'key-direction' Parameter if using
# Inline Key. Usualy , sever has key direction '0', while client
# has ke direction '1'.
#
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
3e5606d9c9b42920092f825f6a23844f
2f37246d81d815ac43de66f4ecfd7237
5c7a90624fce693c8b98330f067e3fb0
3a7e09895d73d7567f1054b54882d4c6
72b6d4b075c817d6304a2928a03af610
89090caccd14025b83683285228bb280
8255101ec75398ec183f14d3ecb45fe7
e26e6fdb81e7d5ac8a81965acd7094a5
5b99d8b392a9998f7468e553a049c539
876925b61b9fc07ebeefad3f672e6baa
538e516961f37ca0e09666cdd6f67d37
89a39089fed07e8755a410b86ca40061
cdb81e6fa11b17b2b5dd74eca1447aa8
b2611b543751b2d53fc79fddbc26f91f
4d9ded064e9ea85b882475aa965950d0
7ee0cd2ce141eb6678d23a7bfa832536
-----END OpenVPN Static key V1-----
</tls-auth>
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
cipher AES-256-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 1
# Setting 'pull' on the client takes care to get the 'push' durectives
# from the server
pull
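Review bot: the <tls-auth> block above carries a live OpenVPN static key in cleartext and the <key> block ships the client's private key, so both are now part of repository history; the tls-auth key should be treated as exposed and regenerated on the server (openvpn --genkey --secret ta.key), then redistributed, since, as the comment above says, every client must hold the same key. Keep inline key material out of the commit, e.g. by referencing files outside the repository (tls-auth ta.key 1) or by excluding this config from version control.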

@ -0,0 +1,18 @@
-----BEGIN X509 CRL-----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-----END X509 CRL-----

@ -0,0 +1 @@
/usr/share/easy-rsa/build-ca

@ -0,0 +1 @@
/usr/share/easy-rsa/build-dh

@ -0,0 +1 @@
/usr/share/easy-rsa/build-inter

@ -0,0 +1 @@
/usr/share/easy-rsa/build-key

@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-pass

@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-pkcs12

@ -0,0 +1 @@
/usr/share/easy-rsa/build-key-server

@ -0,0 +1 @@
/usr/share/easy-rsa/build-req

@ -0,0 +1 @@
/usr/share/easy-rsa/build-req-pass

@ -0,0 +1 @@
/usr/share/easy-rsa/clean-all

@ -0,0 +1 @@
/usr/share/easy-rsa/inherit-inter

@ -0,0 +1 @@
/usr/share/easy-rsa/list-crl

@ -0,0 +1,268 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

@ -0,0 +1,293 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0

@ -0,0 +1,290 @@
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
#default_days = 3650 # how long to certify for
default_days = 11688
#default_crl_days= 30 # how long before next CRL
default_crl_days = 11688
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
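Review bot: default_crl_days = 11688 in [ CA_default ] gives every CRL a nextUpdate roughly 32 years out, replacing the 30-day value commented out on the line directly above it; a relying party then has no way to tell a stale CRL from a current one, so revoking a client certificate with revoke-full works only if the new crl.pem is copied to the OpenVPN server by hand and nothing ever flags a forgotten copy. default_days = 11688 in the same section applies to every certificate signed with this config, not only the CA. Suggest restoring default_crl_days = 30 and default_days = 3650 here, as the other three openssl.cnf variants in this commit do, and giving only the CA certificate the long lifetime at the build-ca step.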

@ -0,0 +1,288 @@
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
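Review bot: in `[ v3_ca ]` the CA key usage stays commented out (`# keyUsage = cRLSign, keyCertSign`) and `basicConstraints = CA:true` is not marked critical; the comment justifies that with keeping the CA usable as a test self-signed certificate, which does not apply to a CA whose only job here is signing the VPN server and gateway certificates. Enabling `keyUsage = cRLSign, keyCertSign` limits the CA certificate to signing certificates and CRLs, so it cannot be presented as a server or client certificate by anything that honours key usage. The `[ server ]` and `[ usr_cert ]` sections are correctly split (`extendedKeyUsage=serverAuth` plus `nsCertType = server` versus `extendedKeyUsage=clientAuth`), which is what lets peers enforce OpenVPN's `remote-cert-tls` check.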


@ -0,0 +1 @@
/etc/openvpn/gw-ckubu/easy-rsa/openssl-1.0.0.cnf
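Review bot: this symlink uses the absolute target `/etc/openvpn/gw-ckubu/easy-rsa/openssl-1.0.0.cnf`, while the three sibling links below point into `/usr/share/easy-rsa/`. If this link lives in that same easy-rsa directory, a relative target (`openssl-1.0.0.cnf`) keeps it valid when the `gw-ckubu` tree is copied or checked out somewhere else, which the `vars` comment about copying the whole easy-rsa directory explicitly anticipates.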


@ -0,0 +1 @@
/usr/share/easy-rsa/pkitool


@ -0,0 +1 @@
/usr/share/easy-rsa/revoke-full


@ -0,0 +1 @@
/usr/share/easy-rsa/sign-req


@ -0,0 +1,96 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
##export EASY_RSA="`pwd`"
export BASE_DIR="/etc/openvpn/gw-ckubu"
export EASY_RSA="$BASE_DIR/easy-rsa"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
##export KEY_DIR="$EASY_RSA/keys"
export KEY_DIR="$BASE_DIR/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
##export KEY_SIZE=2048
export KEY_SIZE=4096
# In how many days should the root CA key expire?
##export CA_EXPIRE=3650
export CA_EXPIRE=11688
# In how many days should certificates expire?
##export KEY_EXPIRE=3650
export KEY_EXPIRE=7305
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
##export KEY_COUNTRY="US"
export KEY_COUNTRY="DE"
##export KEY_PROVINCE="CA"
export KEY_PROVINCE="Berlin"
##export KEY_CITY="SanFrancisco"
export KEY_CITY="Berlin"
##export KEY_ORG="Fort-Funston"
export KEY_ORG="o.open"
##export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL="argus@oopen.de"
##export KEY_OU="MyOrganizationalUnit"
export KEY_OU="Network Services"
# X509 Subject Field
##export KEY_NAME="EasyRSA"
export KEY_NAME="VPN WF"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
## export KEY_CN="CommonName"
export KEY_CN="VPN-WF"
export KEY_ALTNAMES="VPN-WF"
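Review bot: the lifetimes set here are very long: `export CA_EXPIRE=11688` is 32 years and `export KEY_EXPIRE=7305` is 20 years, and the certificates issued further down in this commit carry `Not After : May 5 ... 2038 GMT` accordingly. A 20-year end-entity lifetime makes revocation through `crl.pem` the only way to retire a compromised gateway key; a `KEY_EXPIRE` of a few years with planned renewal bounds that exposure. Two smaller points: the comment `# Increase this to 2048 if you are paranoid` is stale now that `export KEY_SIZE=4096`, and exporting `KEY_CN="VPN-WF"` and `KEY_ALTNAMES="VPN-WF"` globally gives every certificate the same CN and SAN unless each pkitool run overrides them (the certificates below show per-host CNs, so they were overridden, but the global default makes an accidental duplicate CN easy, which is exactly why the preceding comment mentions `duplicate-cn`).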


@ -0,0 +1,80 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048
# In how many days should the root CA key expire?
export CA_EXPIRE=3650
# In how many days should certificates expire?
export KEY_EXPIRE=3650
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
# X509 Subject Field
export KEY_NAME="EasyRSA"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# export KEY_CN="CommonName"
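Review bot: this is the unmodified easy-rsa `vars` template (`export EASY_RSA="`pwd`"`, `export KEY_SIZE=2048`, the US/Fort-Funston subject defaults, `KEY_CN` left unset) committed beside the customised copy that sets `KEY_SIZE=4096`, the Berlin/o.open subject fields and `KEY_DIR="$BASE_DIR/keys"`. If it is kept as a reference, give it a name that cannot be sourced by mistake (file names are not visible on this page); otherwise drop it, because sourcing this one before `build-key` silently produces 2048-bit certificates with the wrong subject and writes them under `$EASY_RSA/keys` instead of `/etc/openvpn/gw-ckubu/keys`.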


@ -0,0 +1 @@
/usr/share/easy-rsa/whichopensslcnf


@ -0,0 +1,4 @@
key...............: gw-ckubu.key
common name.......: VPN-WF-gw-ckubu
password..........: jeew4rai0bei9noo7Eixoh4aL2Aeveux
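Review bot: a cleartext key passphrase is committed in this file (`password..........:`) next to the key file and common name it belongs to (`gw-ckubu.key`, `VPN-WF-gw-ckubu`). Encrypting the private key buys nothing when its passphrase sits in the same repository, and the value stays in git history even after the file is deleted. Treat the passphrase as disclosed: re-encrypt the key with a new passphrase held outside the repository (or revoke the `gw-ckubu` certificate via `revoke-full` and issue a new one), and add such note files to `.gitignore`.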


@ -0,0 +1,141 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-WF/name=VPN WF/emailAddress=argus@oopen.de
Validity
Not Before: May 5 09:07:33 2018 GMT
Not After : May 5 09:07:33 2038 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-WF-server/name=VPN WF/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b7:55:76:2f:0a:b9:28:84:08:aa:51:dc:d3:93:
fb:e8:64:f5:7c:c6:4b:90:6d:a8:9f:51:b6:90:69:
81:30:64:6d:32:dc:59:51:f3:cf:68:96:45:11:ae:
2f:17:79:b5:c7:4b:11:ba:27:bb:94:fb:7c:5e:90:
84:c7:89:d3:a7:60:ed:cc:fc:59:b3:38:4f:67:75:
e0:2a:65:2c:54:5a:c0:98:28:f4:b4:65:4c:aa:5d:
3f:6a:a2:e2:33:a2:5e:0c:60:d5:e1:69:4c:35:9e:
aa:03:bb:01:2d:fb:2c:11:b1:43:09:96:27:f6:ca:
18:5e:6d:d1:a7:e0:5d:8d:3e:52:ae:5d:ff:9e:32:
e9:3c:11:da:35:b7:1a:b0:14:79:74:7b:57:51:15:
8c:a9:ca:1a:ba:e4:0d:53:d7:27:ce:7d:24:aa:98:
ae:2a:da:5a:cd:a5:6f:53:6c:22:f4:5a:52:53:6a:
83:52:fe:8f:e3:dc:8b:a9:99:f5:0b:61:a6:05:c2:
ad:f6:6c:cc:c4:7e:13:8c:28:88:09:98:c8:4d:be:
b1:69:6c:5a:4a:85:71:0b:50:22:b4:ee:35:71:82:
31:31:b3:a2:5f:2f:79:d3:75:68:be:37:e8:e0:7b:
77:a0:fe:62:b0:be:a4:7a:1d:a8:8b:30:d1:d4:0e:
2f:08:18:93:2f:32:b7:29:d5:e6:41:a5:e4:92:09:
d3:d4:d7:c3:f9:33:48:e6:be:f5:e0:e3:ae:35:7a:
a4:ee:40:a1:d4:e9:cf:fc:81:7d:31:e6:af:bf:f1:
e6:6d:da:1f:d0:e2:53:35:9d:b8:f4:a7:53:03:8b:
f9:e0:86:71:b9:45:9e:f9:68:2c:d8:a1:9f:04:73:
f9:8c:b2:9a:53:ea:96:63:8d:13:05:a5:fb:72:e6:
9f:92:23:f5:1b:57:ee:44:8d:75:c8:6b:b6:93:ac:
27:43:10:f0:9a:00:12:d5:95:07:22:ec:fe:01:ea:
0c:c6:0a:86:64:2a:20:98:01:b7:8a:d6:de:35:78:
ad:da:6f:93:eb:b8:29:f3:8a:99:5c:58:8f:dd:15:
ee:8e:26:21:e3:9d:df:60:c0:05:cb:83:3c:7e:9c:
f1:b7:68:bf:f0:b2:7d:c5:0f:56:d6:77:e7:5a:1a:
5c:ba:58:dd:fd:da:8b:03:ed:1e:6d:a7:55:e1:42:
3a:82:a6:17:ad:60:7d:98:bc:ae:c7:ed:a2:d7:6f:
82:a2:a3:4c:b7:79:8b:f4:a4:2e:53:51:a3:33:67:
64:ff:10:53:63:a6:ac:4f:7a:ce:22:74:e0:fc:ee:
2c:f1:a7:71:ae:f5:00:fd:52:a6:23:a0:b2:30:f6:
5a:a3:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
C0:D2:0C:48:39:41:59:DC:87:C8:23:A2:04:51:EF:F7:BF:98:7E:0C
X509v3 Authority Key Identifier:
keyid:D0:F2:74:20:2A:49:6B:48:97:BC:D1:5B:00:5B:BD:92:11:5C:FA:69
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-WF/name=VPN WF/emailAddress=argus@oopen.de
serial:D2:39:38:94:EC:D1:BC:7F
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:server
Signature Algorithm: sha256WithRSAEncryption
45:6b:87:25:2c:19:e0:ab:c8:6b:8d:bb:e8:3f:98:30:54:9d:
a0:ad:3e:b7:c5:5d:76:a0:ba:2d:1b:16:8a:87:63:9a:23:9a:
b4:94:aa:5c:bd:0f:bf:35:af:60:ef:63:14:cb:00:51:b1:c1:
0c:ef:5a:52:1a:8e:5f:a1:20:bb:42:cd:50:a5:71:87:a7:24:
80:e9:1a:9f:8d:b4:f9:60:42:e1:20:4a:12:f6:a1:a9:6a:17:
94:43:6b:2a:1c:78:02:16:aa:e8:6d:50:b0:95:b8:59:66:ae:
5f:4b:87:5c:e6:64:ef:b7:78:72:57:18:04:b4:cc:9d:4f:35:
73:ec:48:d0:79:6c:20:92:88:32:d3:59:61:57:86:b8:1a:cc:
92:69:f1:9c:82:1d:24:c3:aa:d2:27:0b:ab:c3:3b:0d:44:74:
35:35:c5:b1:ce:95:29:8e:55:9e:00:3e:66:53:61:8a:3d:cd:
99:6b:80:e5:f6:eb:0d:60:54:8a:b5:43:de:02:4c:fd:a2:22:
90:b0:ac:ef:e9:39:9a:3b:f9:0c:cd:49:a5:54:e2:27:74:f6:
d6:f7:5d:2d:ef:20:2f:d7:4c:9d:16:c6:6b:57:fc:46:ed:e0:
44:91:45:c9:d3:1b:c8:be:e6:b5:62:6a:bd:cf:35:2a:66:59:
78:ae:d4:a2:3a:c8:af:79:19:40:73:31:60:3f:5a:df:59:d0:
92:b7:e8:a5:83:c3:50:4c:76:79:f3:21:70:d9:38:de:b9:37:
ee:15:03:82:a0:bc:94:ac:ce:0d:e6:a2:fd:eb:f2:89:96:e9:
9c:e4:f2:f1:09:b7:42:ae:e1:74:fc:87:ee:56:03:c3:46:82:
2d:68:56:fd:ef:9d:ce:41:e5:b1:08:3b:ef:f2:86:16:8c:0a:
21:2f:2b:4a:35:96:dd:34:fd:d3:ef:01:8a:48:ea:4a:7c:22:
af:a8:83:73:c3:2e:0f:de:3a:95:dc:fa:c7:9b:e8:66:77:26:
9f:36:b3:98:59:c7:c4:19:4b:65:28:15:b8:4f:47:70:7c:a2:
5a:33:15:0c:db:9b:2f:c8:73:1a:10:ef:ae:0f:1e:ff:97:1d:
ea:6f:ef:bd:a5:46:3f:d5:cb:d0:7d:2c:1c:00:63:2b:7a:ff:
8b:a2:5f:27:d7:5c:ff:ab:ed:b7:a5:98:98:db:e7:43:e2:18:
97:4d:e1:df:27:d8:57:cd:0e:29:fe:45:84:ee:e4:bf:b9:c5:
dc:4a:63:85:7e:6c:c1:d8:25:c2:fe:13:4d:58:79:ae:98:e7:
4c:ad:a8:36:4d:08:06:8f:fd:5d:1c:29:5e:c3:c6:04:e6:2b:
a8:6a:41:10:cf:fe:22:8b
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
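Review bot: the validity runs from `Not Before: May 5 09:07:33 2018 GMT` to `Not After : May 5 09:07:33 2038 GMT`, twenty years for an end-entity server certificate. OpenVPN clients typically do not check a CRL (`crl-verify` is normally configured only on the server), so revoking a server certificate is rarely effective in practice; a shorter `KEY_EXPIRE` with scheduled key rollover is the realistic bound on a server key compromise. The extensions themselves are what a VPN server needs (`CA:FALSE`, `SSL Server`, `TLS Web Server Authentication`, `Digital Signature, Key Encipherment`). One caveat: `X509v3 Subject Alternative Name: DNS:server` does not match `CN=VPN-WF-server`; OpenVPN does no SAN hostname matching (it checks the CA chain, optionally the CN via `verify-x509-name` and the EKU/nsCertType via `remote-cert-tls`), so this is harmless here but would fail hostname validation if the certificate is ever reused elsewhere.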


@ -0,0 +1,139 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-WF/name=VPN WF/emailAddress=argus@oopen.de
Validity
Not Before: May 5 09:42:31 2018 GMT
Not After : May 5 09:42:31 2038 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-WF-gw-ckubu/name=VPN WF/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b2:94:ac:9d:49:b5:2d:0e:db:f1:19:1b:4d:c9:
ce:65:b9:18:e6:7a:c2:c6:e5:12:e3:c4:d3:47:9c:
65:74:0a:80:20:4e:1d:70:18:8e:b7:86:e4:e0:ec:
2a:f8:66:bf:6a:14:8f:44:4e:1b:cd:61:a0:b3:13:
0f:00:ec:2b:4d:06:c8:cd:34:d2:6b:e8:44:f3:cc:
9b:fd:87:b1:f9:a8:c5:17:79:79:3f:c5:05:0e:7b:
a1:b2:4b:58:29:33:b9:82:69:bf:b3:bc:a5:51:79:
03:db:6f:4f:55:62:52:64:f0:e4:a3:20:a4:e9:7f:
5d:78:f2:2b:d5:8e:5b:a7:d8:55:b2:ef:a4:01:b8:
2f:fa:1a:83:29:5b:36:b7:d4:84:cf:db:11:d4:3d:
db:3c:14:a8:42:af:76:d8:0f:ae:00:1f:13:b8:c3:
bb:f9:06:b9:e9:23:77:4c:d7:a9:a4:36:d9:f2:c3:
09:0c:00:a8:e2:7e:a4:b8:68:a2:c0:62:b0:42:2b:
2e:0a:55:9c:e1:9b:64:97:2c:51:ca:4e:27:5f:7b:
5a:ce:86:79:fc:78:67:58:05:48:c8:3b:4a:24:ba:
06:4e:db:89:40:f4:eb:83:ab:bb:dc:bf:1d:67:f5:
dd:ce:ce:38:26:d7:15:80:5c:97:73:fb:58:7e:96:
b4:ab:03:9a:12:36:38:78:86:5b:47:c7:e7:13:56:
83:54:a3:b1:a4:5e:be:75:3e:bc:ee:0d:9e:8d:99:
e4:ef:16:ad:ee:74:35:c4:ed:1d:3a:9b:94:9c:67:
07:a2:3e:b1:4b:fa:9e:94:97:51:12:1a:12:98:17:
0c:fa:ce:3b:01:c0:a1:bc:b4:1c:9d:8c:68:31:4b:
6d:19:ad:48:c0:c4:3e:24:b2:80:92:87:ba:4b:16:
39:3b:f4:45:73:b8:a4:16:dc:6a:4e:3a:18:84:46:
9e:38:47:69:ca:57:5d:92:5b:36:1a:06:3e:ce:1a:
f5:f5:0e:df:40:6e:06:24:0c:dc:69:7f:24:64:d5:
bd:94:2b:0b:6e:75:4d:2a:cd:0d:3e:a4:b3:94:7d:
55:f1:f4:56:f2:a6:c6:2c:16:28:e2:9b:26:bf:d6:
52:57:3e:2e:4a:f8:de:8b:3b:71:0d:76:9c:ae:7f:
e6:93:a4:1a:0a:c0:54:88:62:f9:5b:5d:12:31:5c:
dd:a0:20:e1:65:a5:cb:a5:b6:af:dd:3a:92:74:ef:
0c:70:98:0e:ad:1c:38:a2:3e:ae:6f:81:5e:44:3d:
4f:8c:b7:cb:50:93:53:e3:24:14:c5:a3:38:70:9a:
eb:39:11:1c:66:b6:7f:43:31:5b:e7:40:39:c0:f8:
f7:5e:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
0B:5A:3F:E1:53:15:BC:CD:55:77:FE:5A:67:FE:95:A2:D4:06:EF:F2
X509v3 Authority Key Identifier:
keyid:D0:F2:74:20:2A:49:6B:48:97:BC:D1:5B:00:5B:BD:92:11:5C:FA:69
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-WF/name=VPN WF/emailAddress=argus@oopen.de
serial:D2:39:38:94:EC:D1:BC:7F
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:gw-ckubu
Signature Algorithm: sha256WithRSAEncryption
5e:4b:92:be:5d:99:f9:f4:ed:fc:06:1d:b8:c1:61:07:06:6a:
9a:88:af:81:84:04:6f:44:e7:63:c5:04:be:37:d8:52:e5:68:
bc:bd:1e:ba:50:7c:88:fe:e9:a0:a9:3b:af:cc:ee:ee:46:49:
01:fd:ff:60:68:d4:23:90:0d:e9:d6:54:97:43:e2:80:24:09:
cb:81:17:06:36:c4:83:0c:17:84:64:59:72:ab:28:45:42:73:
e8:59:b2:01:e5:e7:f6:45:29:07:71:fd:76:0b:ac:97:38:b3:
e6:54:16:08:84:49:f9:97:36:93:fd:77:64:f9:90:1f:d2:bb:
1c:57:20:ff:b5:c1:57:bb:b1:b2:8c:b1:ad:95:64:34:de:d4:
a2:3b:73:5c:60:6f:96:7e:6b:31:a6:10:3d:cc:c9:f2:df:fa:
34:b6:8c:e3:e1:25:90:31:a6:21:a1:04:2f:12:bd:3c:e6:6b:
2b:06:91:a9:00:10:1c:e0:22:e3:f3:dd:ae:ab:2a:7d:e5:3c:
52:8d:a7:5c:e8:00:b1:95:44:cc:24:45:87:6e:b9:f7:68:06:
5c:06:ab:d5:6d:e9:62:a5:8a:1f:57:14:17:2e:15:b2:8b:1f:
6d:19:1b:da:0f:ac:49:4c:9e:43:1d:0e:e7:28:41:9e:a1:c7:
a5:8d:76:f5:6c:e5:33:5b:fa:46:83:69:6b:b8:75:0a:ab:e1:
5a:d8:d5:7c:7d:e9:57:2d:be:f9:1b:2d:3f:41:5b:31:41:32:
53:80:5c:98:b8:35:da:31:f8:ff:56:d3:3f:68:ab:ef:9b:39:
5a:4d:ec:7f:6a:ad:d2:06:f3:7b:4d:ec:49:78:7a:57:a6:bd:
77:b2:1d:fa:be:e2:f5:60:ac:fb:cb:27:76:e5:86:ea:19:28:
e3:5a:b9:7b:bf:d0:3d:d5:b7:79:81:d8:6b:f6:24:bd:a8:60:
53:1a:ee:b7:94:f8:86:01:67:a1:f3:47:40:0e:4e:6c:bf:f5:
e9:80:ea:1e:63:7f:6e:d6:49:66:3d:25:8c:ef:7e:5c:c8:46:
0e:a2:f5:e1:ff:82:80:ec:bc:06:23:13:17:86:f1:47:a5:6a:
1b:12:d9:78:55:86:76:33:8a:68:a0:05:f3:c4:d8:29:01:5c:
24:d7:f4:a9:c4:ba:61:7f:4e:4e:a4:6f:bb:bd:3e:ab:3b:4b:
0f:ae:c3:d7:69:09:6b:29:6b:df:87:ef:99:25:fc:8e:64:e7:
69:89:a7:18:34:b5:b1:b7:18:fe:b9:0e:9c:27:1a:d2:18:bd:
31:6c:d0:34:b2:c2:58:7f:e6:19:e8:37:91:a8:5b:0d:ba:99:
94:68:1f:01:c0:b4:01:e8
-----BEGIN CERTIFICATE-----
MIIHKDCCBRCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1XRjEP
MA0GA1UEKRMGVlBOIFdGMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
Fw0xODA1MDUwOTQyMzFaFw0zODA1MDUwOTQyMzFaMIGlMQswCQYDVQQGEwJERTEP
MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEYMBYGA1UEAxMPVlBOLVdGLWd3
LWNrdWJ1MQ8wDQYDVQQpEwZWUE4gV0YxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9v
cGVuLmRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAspSsnUm1LQ7b
8RkbTcnOZbkY5nrCxuUS48TTR5xldAqAIE4dcBiOt4bk4Owq+Ga/ahSPRE4bzWGg
sxMPAOwrTQbIzTTSa+hE88yb/Yex+ajFF3l5P8UFDnuhsktYKTO5gmm/s7ylUXkD
229PVWJSZPDkoyCk6X9dePIr1Y5bp9hVsu+kAbgv+hqDKVs2t9SEz9sR1D3bPBSo
Qq922A+uAB8TuMO7+Qa56SN3TNeppDbZ8sMJDACo4n6kuGiiwGKwQisuClWc4Ztk
lyxRyk4nX3tazoZ5/HhnWAVIyDtKJLoGTtuJQPTrg6u73L8dZ/Xdzs44JtcVgFyX
c/tYfpa0qwOaEjY4eIZbR8fnE1aDVKOxpF6+dT687g2ejZnk7xat7nQ1xO0dOpuU
nGcHoj6xS/qelJdREhoSmBcM+s47AcChvLQcnYxoMUttGa1IwMQ+JLKAkoe6SxY5
O/RFc7ikFtxqTjoYhEaeOEdpylddkls2GgY+zhr19Q7fQG4GJAzcaX8kZNW9lCsL
bnVNKs0NPqSzlH1V8fRW8qbGLBYo4psmv9ZSVz4uSvjeiztxDXacrn/mk6QaCsBU
iGL5W10SMVzdoCDhZaXLpbav3TqSdO8McJgOrRw4oj6ub4FeRD1PjLfLUJNT4yQU
xaM4cJrrOREcZrZ/QzFb50A5wPj3XmECAwEAAaOCAWgwggFkMAkGA1UdEwQCMAAw
LQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
BgNVHQ4EFgQUC1o/4VMVvM1Vd/5aZ/6VotQG7/IwgdEGA1UdIwSByTCBxoAU0PJ0
ICpJa0iXvNFbAFu9khFc+mmhgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI
EwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYD
VQQLExBOZXR3b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tV0YxDzANBgNVBCkT
BlZQTiBXRjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDSOTiU7NG8
fzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEwYDVR0RBAwwCoII
Z3ctY2t1YnUwDQYJKoZIhvcNAQELBQADggIBAF5Lkr5dmfn07fwGHbjBYQcGapqI
r4GEBG9E52PFBL432FLlaLy9HrpQfIj+6aCpO6/M7u5GSQH9/2Bo1COQDenWVJdD
4oAkCcuBFwY2xIMMF4RkWXKrKEVCc+hZsgHl5/ZFKQdx/XYLrJc4s+ZUFgiESfmX
NpP9d2T5kB/SuxxXIP+1wVe7sbKMsa2VZDTe1KI7c1xgb5Z+azGmED3MyfLf+jS2
jOPhJZAxpiGhBC8SvTzmaysGkakAEBzgIuPz3a6rKn3lPFKNp1zoALGVRMwkRYdu
ufdoBlwGq9Vt6WKlih9XFBcuFbKLH20ZG9oPrElMnkMdDucoQZ6hx6WNdvVs5TNb
+kaDaWu4dQqr4VrY1Xx96VctvvkbLT9BWzFBMlOAXJi4Ndox+P9W0z9oq++bOVpN
7H9qrdIG83tN7El4elemvXeyHfq+4vVgrPvLJ3blhuoZKONauXu/0D3Vt3mB2Gv2
JL2oYFMa7reU+IYBZ6HzR0AOTmy/9emA6h5jf27WSWY9JYzvflzIRg6i9eH/goDs
vAYjExeG8UelahsS2XhVhnYzimigBfPE2CkBXCTX9KnEumF/Tk6kb7u9Pqs7Sw+u
w9dpCWspa9+H75kl/I5k52mJpxg0tbG3GP65DpwnGtIYvTFs0DSywlh/5hnoN5Go
Ww26mZRoHwHAtAHo
-----END CERTIFICATE-----
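Review bot: the extensions are right for a VPN client: `CA:FALSE`, `TLS Web Client Authentication`, `Digital Signature` and no `Netscape Cert Type: SSL Server`, so the server can require `remote-cert-tls client`, and a stolen client key cannot be used to stand up a rogue server that clients configured with `remote-cert-tls server` would accept. The same twenty-year validity as the server certificate applies (`Not After : May 5 09:42:31 2038 GMT`); for a client certificate revocation does work, since `crl-verify` with the committed `crl.pem` runs on the server, but the CRL must be regenerated and redeployed after every `revoke-full`, so that deployment step belongs in the gateway's configuration management rather than in someone's memory.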


@ -0,0 +1,39 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCvkIPjNsLlRMRt
5gzOmmxdsMlO21XiFYG3VNy/mpXrKPCMgsMmUtyU1mn0dh8xxgSEb5psTVXobBAD
PALZMTKikhk79x4J2h8ul0jZTKpju/KwlInxbNuFMNr25268rcRBhq+2hVWosn/p
2ernPik+LCc88XOFFdwcR+mgbf4rTQq8f5j60OiQbB9VNKSafDt+VDZoD8UU1gPe
izMb7qQuCuTFgiv2TICfs2irh2NmZ9Pb5sSDhJMxmNDEkMpy2iGv1uky5Rl6Z1Ck
QK3dPfIEuiBd0zS3kxysMBDHUERILi/gtyOJvWvbghbPQFBpisfd6a0Rt/ES+063
SUxuSduuNsQUGnvzODY4z2fMojSjIjuQjOkYiDbQtzcpMJUfu+C5g89MMb8aM87D
XaWCh/XmqhO8ZkYaVz2HONaAk+0DoPJIdZNdXce2sMdXnQ/uTAZJcq9t8qYeyKeI
9mgNgnuDyoB/aeKTzQ7jCO6OgBaUGQv2Gijt9eTyL5BmyNhT75A+lgBaOqJeCj+E
LPJd3XpOnKsrObZKuRtb4etT994Z0aiDpQ42f9N4LbGSo53WPlkkfopXE2/nTyNn
WF6l/gsusWOGx1caR4OzF2A2aF7VZ4y3AuRL4sIkoagwUXh9QhQnw5ZXlo5KG75S
47wjtfUhMx1iu5QFL0rjpPlxZT8IEQIDAQABAoICABrj8a99lcB0FfoXQGLsuChp
iYvwgGkOjj28W8tlLA1GygFbjfRywKJzbOsqpICFKe/3ABoShlQBKTq1mGIX7P+F
jSPoJ8uugxQpy9isq3R3NybguXgnCkCOSRuEOyvfGa5HqOY16fba0EjLPfWJSdvh
+2iUOvNpc7tJMHmIH2QWesyAZrgUA2sLhIkSdRvMZ3hkAalSsQcN+K2/eGaQ2MjM
llnCJGWnNhQ/8IpFRG5M/OAzqmnShpEULPXOj5Oj4YEDU9idypc699kQpxC6CjW7
JHX6gZqUh9G/0vIUU0ETAfZTVrgkMT7/3+qCmU5xGUfeIMoT+HLF1zqvmWtTGLiH
WqVmOiDw6TOmEnfN0U0YeWUFKpW2uu8Y1FV4Ga/0fCHZNXbGJWH81a+IQ0U2qXeW
Vu42b6jBraVrjmnjX72dIU7NceolztwiqURM8vlafU4VG3y8MoVMGlgxgrQ4eDNd
V+vBHiIcXyxNPOxRZ8xHeqpPBAu3QDpbNU1J91xveRicgzHC1pmQ/CKwP+rxEDt0
ncO/+yQEAMwf0Lmws+E0htXnlHADDrNFin5OjFMFz1K6E0Dfr+NQQLpEv362ztrb
a2LIAwSq0tsluSAVNOqkRiXvBqk5oIQJ24nXWbBLWY1iCdFJ93Y1R4tj3stoiRUv
9eERxGBefsWotZSmZUahAoIBAQDeTVU6Y1a0U8xnL+GwOcyV+7+iFeYrtqDQlKYB
6q/OenPbsXq9cJvVGTRKwBSoDXEcuqVuYhlAyujOlnPvCXGlK1xxuPO7L+Ei0QR7
VFLJ33XWz0IdPgjt8zyZHB3wiAPm2L9aCCqKyu7ZFPmki6CsEeT6J0gxz5ihwqB8
xcAVWQB40kYyJBuaL2ooYeBCmCmqepQ3xdpQWs5k8FvSPY1mBSsmwVT+cGj863Vq
hklfz0OapJdcQVhI/DsAgKjOvfsyBCHEbC/4adTHUUgxak5C6baLgEajPvPvlPT3
LkDdAcIAsmpGeh4kq50NruS4jod8gs2l67Ic+KWhEVYdgsVNAoIBAQDKLXtFGbQn
0I6ZidY6vMqRLzNyaNOO7efi3/eeSe6fTou0ej3nRUITOni8AyDOWDUV08vnRBHI
mh7eck39CX5f+w1Nie9ucGhp3XXPencAbRk4yBmu94cSdpLBtHRPLGAs0Px6TlEe
u37CnU2yEmFcyKW20pnmQkvY/uGAipW35ox4LhI/Q77AGWShSnrTXke1657EWh+9
P6gmGFyKrmyvK1EwWqm3sLu8/vBcrZ8TOBoVX7tBCDo/iK8I0Eg1BnbRlqEPn4/T
+/rCaD9OV27IZbz0i3EeaoMCkttjLVMQ6mPVX/2+B2ptxVEdJk74zDY5gm4f+ZLo
uNzcmaznSNvVAoIBAGYaVNv1hnxaxNZcGqfLVFlLANCciFRplGFY9QqKVWdbvN0a
Hkrmbtyor+jpYlNxoRNV8ufJLNoimF1SozsWNllrmhEtptzB+AD6ybkvmLrZ5RDd
rvspZAaOorWcQXAZuNkNko3ylD+dR6jzRlo6O3js2yO+aR1fwTYC452LYlcrwti7
k7wx82+U+YhEtDFCHFkN5gfb2xLvMj8QWswss0Y5d4FcaQJYdRA9wXdE6GyWEPH1
SQP5i2gyWZM4hNA4WCi31x6Vpk7NpQpLHgJ8VifLmqlmKIuQPZA79WuWlfosdYPG
bqOiMTgcjo0bWDggVsBsf7IGmI9P8RsSkGALkT0CggEBAIwdZx/lh2hMbndUAmck
rdJefu4cXfnhQOKHy0kk/b3kJogGa95arkc7L69FD7hRg0DETrzQ/O4keZ46Y3go
2y9Tgs2o+Yl1V7d+poYK3mwqL9+dNcd/flm6WUzrbevs2h5VG5T7r9Z3pIrlj5II
kPdHiykf3U6pxXz2b3uxD7+qhNFJRJYZshnZv1bUkjjoTxRx3c9AklyKwFLecUwf
Q+1GPPcg7hwC3KlHmXbxUJx2NgV4GgMg25VqebvG9TPibfgkxyxXrcsBB7ExpCX8
DCfP8lscRGIK+Q6QjoC2Saogdt3Kr8TByO2YYPWtte9RP4ctsHpycXDdpRsxWZXU
dZ0CggEBAMD43PH9kGFG7TdyeCZqBOIGu06CnYq9Y205PH4if+I79olujnJs0iA/
tbfkVMvJxXR7TDg9G/X+oW+cBbblbqe4vRpjfaK6EUvrbEqERfUQ2/dFsp7nrD59
P6yFj442lnZkhBeK1CE00ocpxNz2Ml32xVlx/yunoDZuWFSupvyBMY6KiXMfVq1X
FY+WuQO3Wc62LbsTVOMptoKD/uCiD2b1bHrL6pvzhCAdkAU+O8NfNcoYxJjm0hLc
2Udz/kNggj3I3MRsmPlPmhvZaH1dKvlNjs2ksN47/ppbEDbKh2s//kzLMsXF+Doh
jNt0lT6X2XxBnx0HQL70xPUVieu/+GA=
-----END PRIVATE KEY-----
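Review bot: this is an unencrypted PKCS#8 private key (`-----BEGIN PRIVATE KEY-----` without the `ENCRYPTED` marker) committed in clear. Anyone who can read the repository holds the key: if it is the CA key they can issue VPN certificates every peer trusts, and if it is the server key they can impersonate the gateway. An unencrypted key is only needed where OpenVPN loads it unattended; keep it on that host with mode 0600 and out of version control, and plan a rotation regardless, because the key is already in git history.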


@ -0,0 +1 @@
../crl.pem


@ -0,0 +1,13 @@
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEAzrhrnM4U9xb0xkelwjgDcp+Q9+Fyxj6hWt2pG+X8Xa3XybIFQGWe
Thlu6db1X15hZXEelnmS6TEpBCxSKbiMFOjlCFj52UUSJjs6gidIcmNh0aZoohSn
jgn1atE05qvWSjZu87fZtG3UVZEYysMBmpJB7iID7FyZqXCmwcZRT0HRd6gJX0L9
CUrOflnBAzOGE8Jc7CwIPyqjlkaHiWGYCFKvyuClxrhPHo670wtR0xY8Gn0FcAFx
kygnUmE8g/7UpbfuqhwqxiDQSDW2hz5/hXKcM8CEStRLFH80f9PIvm1lyX+pIxMH
dUGmT1zPW9b6Z6Af5EGbdZp4TvcOGhehA8f2P97tK4GsQDNwWFj63nCWuGMvPTzw
d62aakXx+h0bzUsBQ5df7n3PopLw4Kbh2YmJrxbGVv3FeFl+Pzf0HgKtwmha4qnf
MSVda/EysuGA5uk496zCVPLFbVSWZsn24l4piEXxSQB/EwR7EfqqWnQmEYTxwr54
UtSu7uLU8BwdH1/MeQipZ8o+WA7nqUrAhv8rSnjkv5QMizd0e7bKZnkUKMK59aB+
yTGBbsXsH/JSlY/FBgwb4+Hk1VoYOuZUe8lM9ofXYmk7c5FZnhY5CptMxCkBGoUg
4WQbw+zeC5Ku3A4sU3V7xl1yXk3IlyMYO7FgJlWu7DSlwlDJVdNMOuMCAQI=
-----END DH PARAMETERS-----


@ -0,0 +1,139 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-WF/name=VPN WF/emailAddress=argus@oopen.de
Validity
Not Before: May 5 09:42:31 2018 GMT
Not After : May 5 09:42:31 2038 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-WF-gw-ckubu/name=VPN WF/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b2:94:ac:9d:49:b5:2d:0e:db:f1:19:1b:4d:c9:
ce:65:b9:18:e6:7a:c2:c6:e5:12:e3:c4:d3:47:9c:
65:74:0a:80:20:4e:1d:70:18:8e:b7:86:e4:e0:ec:
2a:f8:66:bf:6a:14:8f:44:4e:1b:cd:61:a0:b3:13:
0f:00:ec:2b:4d:06:c8:cd:34:d2:6b:e8:44:f3:cc:
9b:fd:87:b1:f9:a8:c5:17:79:79:3f:c5:05:0e:7b:
a1:b2:4b:58:29:33:b9:82:69:bf:b3:bc:a5:51:79:
03:db:6f:4f:55:62:52:64:f0:e4:a3:20:a4:e9:7f:
5d:78:f2:2b:d5:8e:5b:a7:d8:55:b2:ef:a4:01:b8:
2f:fa:1a:83:29:5b:36:b7:d4:84:cf:db:11:d4:3d:
db:3c:14:a8:42:af:76:d8:0f:ae:00:1f:13:b8:c3:
bb:f9:06:b9:e9:23:77:4c:d7:a9:a4:36:d9:f2:c3:
09:0c:00:a8:e2:7e:a4:b8:68:a2:c0:62:b0:42:2b:
2e:0a:55:9c:e1:9b:64:97:2c:51:ca:4e:27:5f:7b:
5a:ce:86:79:fc:78:67:58:05:48:c8:3b:4a:24:ba:
06:4e:db:89:40:f4:eb:83:ab:bb:dc:bf:1d:67:f5:
dd:ce:ce:38:26:d7:15:80:5c:97:73:fb:58:7e:96:
b4:ab:03:9a:12:36:38:78:86:5b:47:c7:e7:13:56:
83:54:a3:b1:a4:5e:be:75:3e:bc:ee:0d:9e:8d:99:
e4:ef:16:ad:ee:74:35:c4:ed:1d:3a:9b:94:9c:67:
07:a2:3e:b1:4b:fa:9e:94:97:51:12:1a:12:98:17:
0c:fa:ce:3b:01:c0:a1:bc:b4:1c:9d:8c:68:31:4b:
6d:19:ad:48:c0:c4:3e:24:b2:80:92:87:ba:4b:16:
39:3b:f4:45:73:b8:a4:16:dc:6a:4e:3a:18:84:46:
9e:38:47:69:ca:57:5d:92:5b:36:1a:06:3e:ce:1a:
f5:f5:0e:df:40:6e:06:24:0c:dc:69:7f:24:64:d5:
bd:94:2b:0b:6e:75:4d:2a:cd:0d:3e:a4:b3:94:7d:
55:f1:f4:56:f2:a6:c6:2c:16:28:e2:9b:26:bf:d6:
52:57:3e:2e:4a:f8:de:8b:3b:71:0d:76:9c:ae:7f:
e6:93:a4:1a:0a:c0:54:88:62:f9:5b:5d:12:31:5c:
dd:a0:20:e1:65:a5:cb:a5:b6:af:dd:3a:92:74:ef:
0c:70:98:0e:ad:1c:38:a2:3e:ae:6f:81:5e:44:3d:
4f:8c:b7:cb:50:93:53:e3:24:14:c5:a3:38:70:9a:
eb:39:11:1c:66:b6:7f:43:31:5b:e7:40:39:c0:f8:
f7:5e:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
0B:5A:3F:E1:53:15:BC:CD:55:77:FE:5A:67:FE:95:A2:D4:06:EF:F2
X509v3 Authority Key Identifier:
keyid:D0:F2:74:20:2A:49:6B:48:97:BC:D1:5B:00:5B:BD:92:11:5C:FA:69
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-WF/name=VPN WF/emailAddress=argus@oopen.de
serial:D2:39:38:94:EC:D1:BC:7F
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:gw-ckubu
Signature Algorithm: sha256WithRSAEncryption
5e:4b:92:be:5d:99:f9:f4:ed:fc:06:1d:b8:c1:61:07:06:6a:
9a:88:af:81:84:04:6f:44:e7:63:c5:04:be:37:d8:52:e5:68:
bc:bd:1e:ba:50:7c:88:fe:e9:a0:a9:3b:af:cc:ee:ee:46:49:
01:fd:ff:60:68:d4:23:90:0d:e9:d6:54:97:43:e2:80:24:09:
cb:81:17:06:36:c4:83:0c:17:84:64:59:72:ab:28:45:42:73:
e8:59:b2:01:e5:e7:f6:45:29:07:71:fd:76:0b:ac:97:38:b3:
e6:54:16:08:84:49:f9:97:36:93:fd:77:64:f9:90:1f:d2:bb:
1c:57:20:ff:b5:c1:57:bb:b1:b2:8c:b1:ad:95:64:34:de:d4:
a2:3b:73:5c:60:6f:96:7e:6b:31:a6:10:3d:cc:c9:f2:df:fa:
34:b6:8c:e3:e1:25:90:31:a6:21:a1:04:2f:12:bd:3c:e6:6b:
2b:06:91:a9:00:10:1c:e0:22:e3:f3:dd:ae:ab:2a:7d:e5:3c:
52:8d:a7:5c:e8:00:b1:95:44:cc:24:45:87:6e:b9:f7:68:06:
5c:06:ab:d5:6d:e9:62:a5:8a:1f:57:14:17:2e:15:b2:8b:1f:
6d:19:1b:da:0f:ac:49:4c:9e:43:1d:0e:e7:28:41:9e:a1:c7:
a5:8d:76:f5:6c:e5:33:5b:fa:46:83:69:6b:b8:75:0a:ab:e1:
5a:d8:d5:7c:7d:e9:57:2d:be:f9:1b:2d:3f:41:5b:31:41:32:
53:80:5c:98:b8:35:da:31:f8:ff:56:d3:3f:68:ab:ef:9b:39:
5a:4d:ec:7f:6a:ad:d2:06:f3:7b:4d:ec:49:78:7a:57:a6:bd:
77:b2:1d:fa:be:e2:f5:60:ac:fb:cb:27:76:e5:86:ea:19:28:
e3:5a:b9:7b:bf:d0:3d:d5:b7:79:81:d8:6b:f6:24:bd:a8:60:
53:1a:ee:b7:94:f8:86:01:67:a1:f3:47:40:0e:4e:6c:bf:f5:
e9:80:ea:1e:63:7f:6e:d6:49:66:3d:25:8c:ef:7e:5c:c8:46:
0e:a2:f5:e1:ff:82:80:ec:bc:06:23:13:17:86:f1:47:a5:6a:
1b:12:d9:78:55:86:76:33:8a:68:a0:05:f3:c4:d8:29:01:5c:
24:d7:f4:a9:c4:ba:61:7f:4e:4e:a4:6f:bb:bd:3e:ab:3b:4b:
0f:ae:c3:d7:69:09:6b:29:6b:df:87:ef:99:25:fc:8e:64:e7:
69:89:a7:18:34:b5:b1:b7:18:fe:b9:0e:9c:27:1a:d2:18:bd:
31:6c:d0:34:b2:c2:58:7f:e6:19:e8:37:91:a8:5b:0d:ba:99:
94:68:1f:01:c0:b4:01:e8
-----BEGIN CERTIFICATE-----
MIIHKDCCBRCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZvLm9w
ZW4xGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBlZQTi1XRjEP
MA0GA1UEKRMGVlBOIFdGMR0wGwYJKoZIhvcNAQkBFg5hcmd1c0Bvb3Blbi5kZTAe
Fw0xODA1MDUwOTQyMzFaFw0zODA1MDUwOTQyMzFaMIGlMQswCQYDVQQGEwJERTEP
MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBm8ub3Bl
bjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEYMBYGA1UEAxMPVlBOLVdGLWd3
LWNrdWJ1MQ8wDQYDVQQpEwZWUE4gV0YxHTAbBgkqhkiG9w0BCQEWDmFyZ3VzQG9v
cGVuLmRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAspSsnUm1LQ7b
8RkbTcnOZbkY5nrCxuUS48TTR5xldAqAIE4dcBiOt4bk4Owq+Ga/ahSPRE4bzWGg
sxMPAOwrTQbIzTTSa+hE88yb/Yex+ajFF3l5P8UFDnuhsktYKTO5gmm/s7ylUXkD
229PVWJSZPDkoyCk6X9dePIr1Y5bp9hVsu+kAbgv+hqDKVs2t9SEz9sR1D3bPBSo
Qq922A+uAB8TuMO7+Qa56SN3TNeppDbZ8sMJDACo4n6kuGiiwGKwQisuClWc4Ztk
lyxRyk4nX3tazoZ5/HhnWAVIyDtKJLoGTtuJQPTrg6u73L8dZ/Xdzs44JtcVgFyX
c/tYfpa0qwOaEjY4eIZbR8fnE1aDVKOxpF6+dT687g2ejZnk7xat7nQ1xO0dOpuU
nGcHoj6xS/qelJdREhoSmBcM+s47AcChvLQcnYxoMUttGa1IwMQ+JLKAkoe6SxY5
O/RFc7ikFtxqTjoYhEaeOEdpylddkls2GgY+zhr19Q7fQG4GJAzcaX8kZNW9lCsL
bnVNKs0NPqSzlH1V8fRW8qbGLBYo4psmv9ZSVz4uSvjeiztxDXacrn/mk6QaCsBU
iGL5W10SMVzdoCDhZaXLpbav3TqSdO8McJgOrRw4oj6ub4FeRD1PjLfLUJNT4yQU
xaM4cJrrOREcZrZ/QzFb50A5wPj3XmECAwEAAaOCAWgwggFkMAkGA1UdEwQCMAAw
LQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
BgNVHQ4EFgQUC1o/4VMVvM1Vd/5aZ/6VotQG7/IwgdEGA1UdIwSByTCBxoAU0PJ0
ICpJa0iXvNFbAFu9khFc+mmhgaKkgZ8wgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI
EwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEPMA0GA1UEChMGby5vcGVuMRkwFwYD
VQQLExBOZXR3b3JrIFNlcnZpY2VzMQ8wDQYDVQQDEwZWUE4tV0YxDzANBgNVBCkT
BlZQTiBXRjEdMBsGCSqGSIb3DQEJARYOYXJndXNAb29wZW4uZGWCCQDSOTiU7NG8
fzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEwYDVR0RBAwwCoII
Z3ctY2t1YnUwDQYJKoZIhvcNAQELBQADggIBAF5Lkr5dmfn07fwGHbjBYQcGapqI
r4GEBG9E52PFBL432FLlaLy9HrpQfIj+6aCpO6/M7u5GSQH9/2Bo1COQDenWVJdD
4oAkCcuBFwY2xIMMF4RkWXKrKEVCc+hZsgHl5/ZFKQdx/XYLrJc4s+ZUFgiESfmX
NpP9d2T5kB/SuxxXIP+1wVe7sbKMsa2VZDTe1KI7c1xgb5Z+azGmED3MyfLf+jS2
jOPhJZAxpiGhBC8SvTzmaysGkakAEBzgIuPz3a6rKn3lPFKNp1zoALGVRMwkRYdu
ufdoBlwGq9Vt6WKlih9XFBcuFbKLH20ZG9oPrElMnkMdDucoQZ6hx6WNdvVs5TNb
+kaDaWu4dQqr4VrY1Xx96VctvvkbLT9BWzFBMlOAXJi4Ndox+P9W0z9oq++bOVpN
7H9qrdIG83tN7El4elemvXeyHfq+4vVgrPvLJ3blhuoZKONauXu/0D3Vt3mB2Gv2
JL2oYFMa7reU+IYBZ6HzR0AOTmy/9emA6h5jf27WSWY9JYzvflzIRg6i9eH/goDs
vAYjExeG8UelahsS2XhVhnYzimigBfPE2CkBXCTX9KnEumF/Tk6kb7u9Pqs7Sw+u
w9dpCWspa9+H75kl/I5k52mJpxg0tbG3GP65DpwnGtIYvTFs0DSywlh/5hnoN5Go
Ww26mZRoHwHAtAHo
-----END CERTIFICATE-----
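Review bot: this file duplicates, byte for byte, the `CN=VPN-WF-gw-ckubu` certificate committed earlier in this commit (same serial `2`, same subject key identifier `0B:5A:3F:E1:53:15:BC:CD:55:77:FE:5A:67:FE:95:A2:D4:06:EF:F2`). Keep a single authoritative copy in the CA's keys directory and deploy it to the client from there; two committed copies diverge silently after a reissue or revocation, and the stale one keeps working until the server's CRL catches it.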


@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,54 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----


@ -0,0 +1,2 @@
V 380505090733Z 01 unknown /C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-WF-server/name=VPN WF/emailAddress=argus@oopen.de
V 380505094231Z 02 unknown /C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-WF-gw-ckubu/name=VPN WF/emailAddress=argus@oopen.de
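Review bot: both records are status `V` with the 2038 expiry (`380505090733Z`, `380505094231Z`), and with `unique_subject = yes` in the accompanying attr file the CA refuses to sign a second certificate for either subject until the first is revoked, so renewing `VPN-WF-gw-ckubu` is a revoke-then-sign sequence that needs a fresh CRL pushed to the server. `index.txt`, `serial` (currently `03`) and their `.old` copies are the CA's live state: committing them is fine, but they must then be updated from one place only, otherwise two operators will issue certificates with colliding serial numbers.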


@ -0,0 +1 @@
unique_subject = yes


@ -0,0 +1 @@
unique_subject = yes


@ -0,0 +1 @@
V 380505090733Z 01 unknown /C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-WF-server/name=VPN WF/emailAddress=argus@oopen.de


@ -0,0 +1 @@
03


@ -0,0 +1 @@
02


@ -0,0 +1,141 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-WF/name=VPN WF/emailAddress=argus@oopen.de
Validity
Not Before: May 5 09:07:33 2018 GMT
Not After : May 5 09:07:33 2038 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=Network Services, CN=VPN-WF-server/name=VPN WF/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b7:55:76:2f:0a:b9:28:84:08:aa:51:dc:d3:93:
fb:e8:64:f5:7c:c6:4b:90:6d:a8:9f:51:b6:90:69:
81:30:64:6d:32:dc:59:51:f3:cf:68:96:45:11:ae:
2f:17:79:b5:c7:4b:11:ba:27:bb:94:fb:7c:5e:90:
84:c7:89:d3:a7:60:ed:cc:fc:59:b3:38:4f:67:75:
e0:2a:65:2c:54:5a:c0:98:28:f4:b4:65:4c:aa:5d:
3f:6a:a2:e2:33:a2:5e:0c:60:d5:e1:69:4c:35:9e:
aa:03:bb:01:2d:fb:2c:11:b1:43:09:96:27:f6:ca:
18:5e:6d:d1:a7:e0:5d:8d:3e:52:ae:5d:ff:9e:32:
e9:3c:11:da:35:b7:1a:b0:14:79:74:7b:57:51:15:
8c:a9:ca:1a:ba:e4:0d:53:d7:27:ce:7d:24:aa:98:
ae:2a:da:5a:cd:a5:6f:53:6c:22:f4:5a:52:53:6a:
83:52:fe:8f:e3:dc:8b:a9:99:f5:0b:61:a6:05:c2:
ad:f6:6c:cc:c4:7e:13:8c:28:88:09:98:c8:4d:be:
b1:69:6c:5a:4a:85:71:0b:50:22:b4:ee:35:71:82:
31:31:b3:a2:5f:2f:79:d3:75:68:be:37:e8:e0:7b:
77:a0:fe:62:b0:be:a4:7a:1d:a8:8b:30:d1:d4:0e:
2f:08:18:93:2f:32:b7:29:d5:e6:41:a5:e4:92:09:
d3:d4:d7:c3:f9:33:48:e6:be:f5:e0:e3:ae:35:7a:
a4:ee:40:a1:d4:e9:cf:fc:81:7d:31:e6:af:bf:f1:
e6:6d:da:1f:d0:e2:53:35:9d:b8:f4:a7:53:03:8b:
f9:e0:86:71:b9:45:9e:f9:68:2c:d8:a1:9f:04:73:
f9:8c:b2:9a:53:ea:96:63:8d:13:05:a5:fb:72:e6:
9f:92:23:f5:1b:57:ee:44:8d:75:c8:6b:b6:93:ac:
27:43:10:f0:9a:00:12:d5:95:07:22:ec:fe:01:ea:
0c:c6:0a:86:64:2a:20:98:01:b7:8a:d6:de:35:78:
ad:da:6f:93:eb:b8:29:f3:8a:99:5c:58:8f:dd:15:
ee:8e:26:21:e3:9d:df:60:c0:05:cb:83:3c:7e:9c:
f1:b7:68:bf:f0:b2:7d:c5:0f:56:d6:77:e7:5a:1a:
5c:ba:58:dd:fd:da:8b:03:ed:1e:6d:a7:55:e1:42:
3a:82:a6:17:ad:60:7d:98:bc:ae:c7:ed:a2:d7:6f:
82:a2:a3:4c:b7:79:8b:f4:a4:2e:53:51:a3:33:67:
64:ff:10:53:63:a6:ac:4f:7a:ce:22:74:e0:fc:ee:
2c:f1:a7:71:ae:f5:00:fd:52:a6:23:a0:b2:30:f6:
5a:a3:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
C0:D2:0C:48:39:41:59:DC:87:C8:23:A2:04:51:EF:F7:BF:98:7E:0C
X509v3 Authority Key Identifier:
keyid:D0:F2:74:20:2A:49:6B:48:97:BC:D1:5B:00:5B:BD:92:11:5C:FA:69
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=Network Services/CN=VPN-WF/name=VPN WF/emailAddress=argus@oopen.de
serial:D2:39:38:94:EC:D1:BC:7F
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:server
Signature Algorithm: sha256WithRSAEncryption
45:6b:87:25:2c:19:e0:ab:c8:6b:8d:bb:e8:3f:98:30:54:9d:
a0:ad:3e:b7:c5:5d:76:a0:ba:2d:1b:16:8a:87:63:9a:23:9a:
b4:94:aa:5c:bd:0f:bf:35:af:60:ef:63:14:cb:00:51:b1:c1:
0c:ef:5a:52:1a:8e:5f:a1:20:bb:42:cd:50:a5:71:87:a7:24:
80:e9:1a:9f:8d:b4:f9:60:42:e1:20:4a:12:f6:a1:a9:6a:17:
94:43:6b:2a:1c:78:02:16:aa:e8:6d:50:b0:95:b8:59:66:ae:
5f:4b:87:5c:e6:64:ef:b7:78:72:57:18:04:b4:cc:9d:4f:35:
73:ec:48:d0:79:6c:20:92:88:32:d3:59:61:57:86:b8:1a:cc:
92:69:f1:9c:82:1d:24:c3:aa:d2:27:0b:ab:c3:3b:0d:44:74:
35:35:c5:b1:ce:95:29:8e:55:9e:00:3e:66:53:61:8a:3d:cd:
99:6b:80:e5:f6:eb:0d:60:54:8a:b5:43:de:02:4c:fd:a2:22:
90:b0:ac:ef:e9:39:9a:3b:f9:0c:cd:49:a5:54:e2:27:74:f6:
d6:f7:5d:2d:ef:20:2f:d7:4c:9d:16:c6:6b:57:fc:46:ed:e0:
44:91:45:c9:d3:1b:c8:be:e6:b5:62:6a:bd:cf:35:2a:66:59:
78:ae:d4:a2:3a:c8:af:79:19:40:73:31:60:3f:5a:df:59:d0:
92:b7:e8:a5:83:c3:50:4c:76:79:f3:21:70:d9:38:de:b9:37:
ee:15:03:82:a0:bc:94:ac:ce:0d:e6:a2:fd:eb:f2:89:96:e9:
9c:e4:f2:f1:09:b7:42:ae:e1:74:fc:87:ee:56:03:c3:46:82:
2d:68:56:fd:ef:9d:ce:41:e5:b1:08:3b:ef:f2:86:16:8c:0a:
21:2f:2b:4a:35:96:dd:34:fd:d3:ef:01:8a:48:ea:4a:7c:22:
af:a8:83:73:c3:2e:0f:de:3a:95:dc:fa:c7:9b:e8:66:77:26:
9f:36:b3:98:59:c7:c4:19:4b:65:28:15:b8:4f:47:70:7c:a2:
5a:33:15:0c:db:9b:2f:c8:73:1a:10:ef:ae:0f:1e:ff:97:1d:
ea:6f:ef:bd:a5:46:3f:d5:cb:d0:7d:2c:1c:00:63:2b:7a:ff:
8b:a2:5f:27:d7:5c:ff:ab:ed:b7:a5:98:98:db:e7:43:e2:18:
97:4d:e1:df:27:d8:57:cd:0e:29:fe:45:84:ee:e4:bf:b9:c5:
dc:4a:63:85:7e:6c:c1:d8:25:c2:fe:13:4d:58:79:ae:98:e7:
4c:ad:a8:36:4d:08:06:8f:fd:5d:1c:29:5e:c3:c6:04:e6:2b:
a8:6a:41:10:cf:fe:22:8b
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
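Review bot: the server certificate is valid for twenty years (Not Before May 5 09:07:33 2018, Not After May 5 09:07:33 2038), so the `crl-verify` file loaded by the server configs is the only way to retire it early; a shorter lifetime keeps recovery from a key leak cheaper. On the positive side it carries `X509v3 Extended Key Usage: TLS Web Server Authentication` and `Netscape Cert Type: SSL Server`, so every client config should set `remote-cert-tls server` so that a client certificate presented by a man in the middle is rejected as a server identity. Also note that the `Subject Alternative Name` is `DNS:server` while the CN is `VPN-WF-server`; clients pinning the name with `verify-x509-name` should use the CN form.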


@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
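Review bot: this hunk commits an unencrypted PKCS#8 private key, presumably the `server.key` that the server configs load with `key .../keys/server.key` next to the comment "This file should be kept secret". Once pushed to a repository the key has to be treated as exposed: revoke the matching certificate (the CN=VPN-WF-server certificate above) through the CRL the configs already check with `crl-verify`, issue a new server key pair, and keep the `keys/` directory out of version control (e.g. a `.gitignore` entry plus a 0600 file on the gateway) so that only the CA and server certificates, which are public, are tracked.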


@ -0,0 +1,21 @@
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
3e5606d9c9b42920092f825f6a23844f
2f37246d81d815ac43de66f4ecfd7237
5c7a90624fce693c8b98330f067e3fb0
3a7e09895d73d7567f1054b54882d4c6
72b6d4b075c817d6304a2928a03af610
89090caccd14025b83683285228bb280
8255101ec75398ec183f14d3ecb45fe7
e26e6fdb81e7d5ac8a81965acd7094a5
5b99d8b392a9998f7468e553a049c539
876925b61b9fc07ebeefad3f672e6baa
538e516961f37ca0e09666cdd6f67d37
89a39089fed07e8755a410b86ca40061
cdb81e6fa11b17b2b5dd74eca1447aa8
b2611b543751b2d53fc79fddbc26f91f
4d9ded064e9ea85b882475aa965950d0
7ee0cd2ce141eb6678d23a7bfa832536
-----END OpenVPN Static key V1-----
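Review bot: the `-----BEGIN OpenVPN Static key V1-----` block is the tls-auth key (`tls-auth .../keys/ta.key 0` in both server configs), i.e. the shared secret behind the "HMAC firewall" described in the config comments; committed in plaintext it no longer protects anything against anyone with read access to the repository, and the pre-authentication DoS protection it provides is gone. Regenerate it with `openvpn --genkey --secret ta.key` (the command the config comment already gives), distribute the new key to the server and all clients out of band, and exclude it from the repo.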


@ -0,0 +1,314 @@
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1195
# TCP or UDP server?
;proto tcp
proto udp
topology subnet
route 192.168.63.0 255.255.255.0 10.1.52.1
route 192.168.0.64 255.255.255.0 10.1.52.1
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap" if you are ethernet bridging.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Enable TUN IPv6 module
;tun-ipv6
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/gw-ckubu/keys/ca.crt
cert /etc/openvpn/gw-ckubu/keys/server.crt
key /etc/openvpn/gw-ckubu/keys/server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/gw-ckubu/keys/dh4096.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0
;server-ipv6 2a01:30:1fff:fd00::/64
server 10.1.52.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /etc/openvpn/gw-ckubu/ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 10.8.0.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
client-config-dir /etc/openvpn/gw-ckubu/ccd/server-gw-ckubu
# ---
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir /etc/openvpn/ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# ---
# ---
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# ---
# ---
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# ---
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option WINS 10.8.0.1"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
tls-auth /etc/openvpn/gw-ckubu/keys/ta.key 0
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
cipher AES-256-CBC
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
persist-local-ip
persist-remote-ip
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
;status openvpn-status.log
status /var/log/openvpn/status-server-gw-ckubu.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log-append openvpn.log
;log openvpn.log
log /var/log/openvpn/server-gw-ckubu.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 1
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# CRL (certificate revocation list) verification
crl-verify /etc/openvpn/gw-ckubu/crl.pem
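Review bot: `route 192.168.0.64 255.255.255.0 10.1.52.1` is not a consistent network/netmask pair (192.168.0.64 has host bits set under a /24 mask), so depending on the route tool it is either rejected or silently installed as 192.168.0.0/24; write the intended prefix explicitly, e.g. `route 192.168.0.0 255.255.255.0` or `route 192.168.0.64 255.255.255.192`. Both `route` lines describe subnets behind clients, so each also needs a matching `iroute` in that client's file under `client-config-dir /etc/openvpn/gw-ckubu/ccd/server-gw-ckubu` (as the "Thelonious" example in the comments explains), otherwise OpenVPN cannot map the packets to a client and drops them. Smaller points: `client-to-client` is enabled, so every VPN client can reach every other one unless the tun interface is firewalled; no `auth` directive is set, so the HMAC stays at the SHA1 default next to `cipher AES-256-CBC`, and `tls-version-min 1.2` is absent (both must be mirrored in the client configs); and `verb 1` is below the config's own recommendation of 4, which makes connection problems hard to diagnose from the log.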

317
WF/openvpn/server-wf.conf Normal file

@ -0,0 +1,317 @@
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
topology subnet
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap" if you are ethernet bridging.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Enable TUN IPv6 module
;tun-ipv6
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/wf/keys/ca.crt
cert /etc/openvpn/wf/keys/server.crt
key /etc/openvpn/wf/keys/server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/wf/keys/dh4096.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0
;server-ipv6 2a01:30:1fff:fd00::/64
server 10.0.52.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /etc/openvpn/wf/ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 10.8.0.0 255.255.255.0"
push "route 192.168.52.0 255.255.255.0"
push "route 192.168.42.0 255.255.255.0"
push "route 192.168.43.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
client-config-dir /etc/openvpn/wf/ccd/server-wf
# ---
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir /etc/openvpn/ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# ---
# ---
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# ---
# ---
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# ---
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option WINS 10.8.0.1"
push "dhcp-option DNS 192.168.52.53"
push "dhcp-option DOMAIN wf.netz"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
tls-auth /etc/openvpn/wf/keys/ta.key 0
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
cipher AES-256-CBC
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
persist-local-ip
persist-remote-ip
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
;status openvpn-status.log
status /var/log/openvpn/status-server-wf.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log-append openvpn.log
;log openvpn.log
log /var/log/openvpn/server-wf.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 1
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# CRL (certificate revocation list) verification
crl-verify /etc/openvpn/wf/crl.pem
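Review bot: the three `push "route 192.168.52.0 ..."`, `192.168.42.0 ...` and `192.168.43.0 ...` lines make all three LAN segments reachable from every connected client, and `client-to-client` additionally lets clients reach each other, so the access policy has to live in the firewall rules for the tun interface (as the comment above `learn-address` notes); if only some clients should see some subnets, push the routes per client from the `client-config-dir` instead of globally. As the comment above `;push "route 10.8.0.0 255.255.255.0"` says, those three LANs also need a return route for 10.0.52.0/24 pointing at this gateway, or replies never come back. The pushed `dhcp-option DNS 192.168.52.53` / `dhcp-option DOMAIN wf.netz` only take effect on Linux clients that run an up/down script such as the update-resolv-conf in this commit; elsewhere they are ignored. Same hardening gap as the gw-ckubu config: no `auth` directive (SHA1 default) and no `tls-version-min 1.2`.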

58
WF/openvpn/update-resolv-conf Executable file

@ -0,0 +1,58 @@
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#
[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0
split_into_parts()
{
part1="$1"
part2="$2"
part3="$3"
}
case "$script_type" in
up)
NMSRVRS=""
SRCHS=""
for optionvarname in ${!foreign_option_*} ; do
option="${!optionvarname}"
echo "$option"
split_into_parts $option
if [ "$part1" = "dhcp-option" ] ; then
if [ "$part2" = "DNS" ] ; then
NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
elif [ "$part2" = "DOMAIN" ] ; then
SRCHS="${SRCHS:+$SRCHS }$part3"
fi
fi
done
R=""
[ "$SRCHS" ] && R="search $SRCHS
"
for NS in $NMSRVRS ; do
R="${R}nameserver $NS
"
done
echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
;;
down)
/sbin/resolvconf -d "${dev}.openvpn"
;;
esac
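Review bot: the values pushed by the server in `foreign_option_*` go straight into resolvconf without validation (`NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"`, `SRCHS="${SRCHS:+$SRCHS }$part3"`), so whichever server the client connects to fully controls the client's resolver configuration; since the script runs as root from the `up` hook, add a sanity check before appending, e.g. accept `$part3` for DNS only when it matches `^[0-9]{1,3}(\.[0-9]{1,3}){3}$` and for DOMAIN only when it matches `^[A-Za-z0-9.-]+$`. The `echo "$option"` on every iteration is debug output that ends up in the OpenVPN log or on the terminal and can be dropped. Minor: `split_into_parts $option` deliberately relies on word splitting, which is fine here but deserves a comment because shellcheck will flag the unquoted expansion.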


@ -0,0 +1,2 @@
ifconfig-push 10.0.52.2 255.255.255.0
#push "route 192.168.52.0 255.255.255.0 10.0.52.1"

Some files were not shown because too many files have changed in this diff.