Add GA-Schloss. Renew WF.

GA-Schloss/openvpn/ccd/server-gw-ckubu/gw-ckubu

@@ -0,0 +1,21 @@
+ifconfig-push 10.1.11.2 255.255.255.0
+push "route 192.168.11.0 255.255.255.0 10.1.11.1"
+push "route 192.168.10.0 255.255.255.0 10.1.11.1"
+push "route 192.168.77.0 255.255.255.0 10.1.11.1"
+push "route 192.168.78.0 255.255.255.0 10.1.11.1"
+push "route 172.16.11.0 255.255.255.0 10.1.11.1"
+push "route 172.16.12.0 255.255.255.0 10.1.11.1"
+push "route 10.10.11.0 255.255.255.0 10.1.11.1"
+push "route 10.10.9.0 255.255.255.0 10.1.11.1"
+push "route 10.10.10.0 255.255.255.0 10.1.11.1"
+push "route 10.11.11.0 255.255.255.0 10.1.11.1"
+push "route 10.112.1.0 255.255.255.0 10.1.11.1"
+push "route 10.113.0.0 255.255.0.0 10.1.11.1"
+push "route 10.121.0.0 255.255.240.0 10.1.11.1"
+push "route 10.122.1.0 255.255.255.0 10.1.11.1"
+push "route 10.123.0.0 255.255.0.0 10.1.11.1"
+push "route 172.17.0.0 255.255.255.0 10.1.11.1"
+push "route 172.16.211.0 255.255.255.0 10.1.11.1"
+push "route 172.16.210.0 255.255.255.0 10.1.11.1"
+iroute 192.168.63.0 255.255.255.0
+iroute 192.168.64.0 255.255.255.0

GA-Schloss/openvpn/ccd/server-gw-nh/gw-nh

@@ -0,0 +1,6 @@
+ifconfig-push 10.2.11.2 255.255.255.0
+push "route 192.168.11.0 255.255.255.0 10.2.11.1"
+push "route 192.168.10.0 255.255.255.0 10.2.11.1"
+push "route 10.10.11.0 255.255.255.0 10.2.11.1"
+push "route 10.10.10.0 255.255.255.0 10.2.11.1"
+iroute 192.168.81.0 255.255.255.0

GA-Schloss/openvpn/ccd/server-home/chris

@@ -0,0 +1 @@
+ifconfig-push 10.0.11.2 255.255.255.0

GA-Schloss/openvpn/ccd/server-home/wadmin

@@ -0,0 +1,2 @@
+ifconfig-push 10.0.11.3 255.255.255.0
+push "route 10.113.0.0 255.255.0.0"

GA-Schloss/openvpn/clien-configs/gw-ckubu.conf

@@ -0,0 +1,223 @@
+##############################################
+# Sample client-side OpenVPN 2.0 config file #
+# for connecting to multi-client server.     #
+#                                            #
+# This configuration can be used by multiple #
+# clients, however each client should have   #
+# its own cert and key files.                #
+#                                            #
+# On Windows, you might want to rename this  #
+# file so it has a .ovpn extension           #
+##############################################
+
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Are we connecting to a TCP or
+# UDP server?  Use the same setting as
+# on the server
+proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+remote ga-st-gw-surf2.oopen.de 1195
+
+topology subnet
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# Server CA
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIFKjCCBBKgAwIBAgIJANXFq8sijdObMA0GCSqGSIb3DQEBCwUAMIG+MQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRQwEgYDVQQHEwtTdG9ja2hhdXNlbjEY
+MBYGA1UEChMPR0EgQWx0ZW5zY2hsaXJmMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZp
+Y2VzMRIwEAYDVQQDEwlWUE4tR0EtY2ExDzANBgNVBCkTBlZQTiBHQTEuMCwGCSqG
+SIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0LWFsdGVuc2NobGlyZi5kZTAeFw0xNTEw
+MDkxNTQwMzBaFw00NTEwMDgxNTQwMzBaMIG+MQswCQYDVQQGEwJERTEPMA0GA1UE
+CBMGSGVzc2VuMRQwEgYDVQQHEwtTdG9ja2hhdXNlbjEYMBYGA1UEChMPR0EgQWx0
+ZW5zY2hsaXJmMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRIwEAYDVQQDEwlW
+UE4tR0EtY2ExDzANBgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2Vt
+ZWluc2NoYWZ0LWFsdGVuc2NobGlyZi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKLTHSHgX6/Ibr3AlmJfQ3k3yTvaD031Ps3c+bsXgOQEPNO4x7er
+8R47osA7FHNKI8ob7jnX/xJSJcsE2B1zsYpceW7IN/Mmmz0eZyIr7B0tu2dFixxC
+t4Vi4dBTh8ZvEaTZ3YUzROBc/YnWFyq3NFZ0DLdJBX+lFXAYg7qVyD7RCB1Yrwxq
+rJFYK28qeIi4WHfHQICZ1dBlf7qpnL76MjfzjjiTTs4MZwjYRT2RJaPOhnNzPaeF
+c11kP8T+ER46TqYbmBuImpoOntca002opJxw9iXoYJRLYYfhs4XS654iApGbG0vc
+2Kd7uH+QyWElW19EDmeDRJM6Bc0LUu1rKtkCAwEAAaOCAScwggEjMB0GA1UdDgQW
+BBQ1n9sNhkD5ZQ7jRXnON5gNKFeVWTCB8wYDVR0jBIHrMIHogBQ1n9sNhkD5ZQ7j
+RXnON5gNKFeVWaGBxKSBwTCBvjELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAGA1UEAxMJVlBOLUdBLWNh
+MQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVpbnNjaGFm
+dC1hbHRlbnNjaGxpcmYuZGWCCQDVxavLIo3TmzAMBgNVHRMEBTADAQH/MA0GCSqG
+SIb3DQEBCwUAA4IBAQCXp1hi923vehUa/Gd9Ze9UobRo0kPCLxgQkPOotUPAX+Dp
+BDJOIHzoijORN4LmtQV+UNbRGsGU+Mwbejx1b4NHrFtj6KaCbCdB3bumcSmfFbaJ
+QM+qvMtQYXx1NnFnoV6PYD9ZjfsY0AaVi5FB/eHnP5xuGzmbq7gPgG5sz2RO5jcR
+1jO26hbrOINfYplu/NNQqBfRJPwyPFjHcCD/wWE63fnue3A5Oj6jUcuNLbOAHJEy
+Pu37BPHNzjnTUdOe9scXp3WMCJXOtdxoZkfHfGKXYhz//XwX6X/hJMzOZ2K+kUHC
+NfKwQ6snmDzycXtx0EqsYjzGgxbOR0qJbK/pJhii
+-----END CERTIFICATE-----
+</ca>
+
+# Client Certificate
+<cert>
+-----BEGIN CERTIFICATE-----
+MIIFhDCCBGygAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMDA5MTYwNzUz
+WhcNMzUxMDA5MTYwNzUzWjCBvTELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczERMA8GA1UEAxMIZ3ctY2t1YnUx
+DzANBgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0
+LWFsdGVuc2NobGlyZi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AK7355Rx645LFvVBtQAzVNqcEVSj4xQP9B3jMiCUSP1G2LJ2EjsjPKLy5IGa5YWr
+w904xeDK7q8REvGPeDp4pT+56k6O2j7md9XOy1Y6yr+X1qVlSRXO4Hta+cKWinAY
+vjtPIL3FubVGB/FUrXZWR/GD7nyKnelCI6Gntvt2wwWt3aj+yPoV9J86MN1NwFAz
+Cxn2UcufcFPHfIDFaXpMuwbsRuRudxh3fBRYRkmarB+mRl/3HHEzpCX0gpKWVv2v
+a8RaDu/T5mg2yOiMHHUS+D40LmTdo7yzfizoVlVbGrNG5AbXs/gZRKMOLZIPyGR2
+r+eD+2KhOpFW+kdjwsPFe0ECAwEAAaOCAYowggGGMAkGA1UdEwQCMAAwLQYJYIZI
+AYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E
+FgQUdxceVU2ZsbHErH1NiTl5R5Oj99kwgfMGA1UdIwSB6zCB6IAUNZ/bDYZA+WUO
+40V5zjeYDShXlVmhgcSkgcEwgb4xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNz
+ZW4xFDASBgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxp
+cmYxGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1HQS1j
+YTEPMA0GA1UEKRMGVlBOIEdBMS4wLAYJKoZIhvcNAQkBFh9pdEBnZW1laW5zY2hh
+ZnQtYWx0ZW5zY2hsaXJmLmRlggkA1cWryyKN05swEwYDVR0lBAwwCgYIKwYBBQUH
+AwIwCwYDVR0PBAQDAgeAMBMGA1UdEQQMMAqCCGd3LWNrdWJ1MA0GCSqGSIb3DQEB
+CwUAA4IBAQBBTSwtPN85g+0QPT8XvxYQFv9PedtEFdKf4R5JWisSI0hyvW9Sf3Vc
+4bc2GYIIG2DFSJip2lUgyvC3yOqKtT6vF32M4NS+GglDOycXWbpZNB9vtjrDvpo/
+Xhv8dSuwE9BIsoJF+peEbP6lINGi6W/p61NHWmO1ClvtZyRxb4YnqOmIEr9s3XP7
+Mm6nttX7690jwZoae/xwGOy17eUz/cGLBq2t7t7m1rhU4ErvGgJOP9PKHkgFrYjm
+jHeBXLbHsff+Tq10bhyiDb0hsAoZi1bViGpRtfaQ+eC0rXnDy/C+/nm+SzlEKeiC
+2XmTO8dbNgoOqETj7d/iDd4copvdzZYw
+-----END CERTIFICATE-----
+</cert>
+
+# Client Key
+<key>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5AUTsVDif7oCAggA
+MBQGCCqGSIb3DQMHBAg12+MbxEoyygSCBMgCrl75V6WYOCdXaXmPDePYFZnY1rms
+O7VBq16osPoJCUbnowfDlWyj73kM0kypBQPK1l9ZtXiC50BgbjPS16CeeAZNvFyr
+/1glAmHv4wKArmzF8GL98vEDsKbnBV9nFnPe1YV+Rq4QqeSiOmnWJOqoFbpYDJiO
+f2Io1g9DgoYYjMhvvjMk/mG4Oa6aOueMDYBFQ17NCNwXDj65HI685SiMEYzksQEW
+GcerSML5Q9PDwbaiH+xs1AVp3MEa65PDj3KW7jcB8LenSAzodXo6dhzJelSgv2Bo
+Q769n14ZetOK0Mv/o4blxQAPsbfknKylg/tvGIkFt38mH3PBJeXCNElyWHZJD6BR
+xZah53ajLQa6XXhV2LOj+qKjgvIH4lwb10nr+eL3VdXKPXdMrGQUHHx59Z5zGnwK
+qoRvKOtx/Lk56c+ycjCo0MJW4QddxB8rBmMEduUcI+jIk0ffF26F/uWh/gZO59hj
+Tu6cGAgZY5hxkofm+b4FdyC8dNgQUspPqs9iIqkMSjttzuihme2qdQg5cgl0F2Zp
+u7FTp/E8CsRX+MpVm/i+/0oXi9hspvEwfZcg1hpk3LdF2w3Ym+Wj/jlBiUbTC17K
+YSLQQk2WEWLbvhGLA/3Hp2auYm0h4PxyG9lp1RTkK6WJSz+Vjc/Y8V01Ml5l7pT5
+22eTksbqTeNcasCZkm7dEfAiuA222qS6OUZLzUkX9cBb6EXG/XIQ0qzY6c0UR/38
+qfU0aP1Z08mIwMhGfyn/QmYTcxMw2rov6eHt2tsemDFXNf3qj2dUvJn91nu4b0OQ
+3ddYB6mazfwCOqXeAzxv+POxuJvjUIx3MmIyQtQTvlNa0nzg89DNlAtBrRKDJVvS
+mRLEBT/mFTz6KPpdfVp+qdx+akAQ7YCpmRfBs1Am685b9azOs8+VQOl8rp4PpkU3
+T2rSCRpc7O6hW+YZYBwEMgJn0Qs5YXyiE8Js+k9QB5d20hGIJQAQ6hAyLLamHcj4
+K6KaBhycvsXvB27drkkofQOVEIV751McsgwC+cxS2DRaJf4udr20Pg/2Trc539kp
+anj/hT2auv3/rGGTfY9RLblp00eCjKazltsg3/DbQ5S34hSxnipfa7o6PACxqgAk
+qgZ0G5K/smgql5nppPpE8udS0utfDKgi7lCwlviIfKY/UjsQwRr3wh1L2NrjG1nY
+f7df0/WfVAc9+LA7QBVtKp68oh2wTCGQXdhgjwJgDMJp7xA/I1kd6tsjkXPjPNct
+tg1MZYL/jDjAEzC96ikhLCjbybLVmL3NJKC8Y5+kpxrIs7W4T+ZwTXwfgBUN58Kw
+ZHK7JSQzlBKmLlRbpYcjT+Ra5Mf78xA0ZsJ5D7yVoKYmMRfGfDAXQ4s3ri/EyC5h
+t4FeFvUdrr4fTu3FlxCAOhxV6rFG/pkjIe/o0JHEZpTvxnd9algrNCTu4D6EFJTW
+tQNfQY0mctQhtuMoqG51dB1jVRnZ+f+b7bzBnsesSzJNXKcrq8N0mgcZx0nNDn65
+Db32YOv28+JaID53Bq811tHtsybiuTCx+77oubUaH1it5xIMe7NzL9/gQAPkfn5r
+LnaDPGgPFEy6UaErrCOo10CkLq61VoCj8DgQz5fQ41OQrd0WbKYR5yqh/nTXpFus
+z3U=
+-----END ENCRYPTED PRIVATE KEY-----
+</key>
+
+# Verify server certificate by checking
+# that the certicate has the nsCertType
+# field set to "server".  This is an
+# important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the nsCertType
+# field set to "server".  The build-key-serve
+#
+# Note!
+# This option has been deprecated since version 2.4 and 
+# will be removed from later distributions.
+#
+#ns-cert-type server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+#
+# Don't forget to set the 'key-direction' Parameter if using
+# Inline Key. Usualy , sever has key direction '0', while client
+# has ke direction '1'.
+#
+key-direction 1
+<tls-auth>
+-----BEGIN OpenVPN Static key V1-----
+2e6c91c0db488d5f018432f60605fbba
+5ec1afd4522ddd28d917ade2c7515daf
+9a7a3104b523c929f10a2ccdd2197b83
+949e5644669ab0f82b62e08aa887252a
+cc20618f9f8c1b0eeded6ea92a392e79
+e477a890e2800cf0cf340ac6139cf7a6
+0cfc5c713a39e8b2c44347006bb90583
+8fe0bccf4feea50e7880ee7c7c510114
+e9613960f8af9096fc46d75886b1bdbd
+773b77d9044db17109a5615614797b98
+bdacaae155966bad69819d08f1c8cafa
+1cf102981e2188d155d26043b59538b9
+15c1d67430d6b67c9c313123fb7cb427
+29cc6972e63470c74c6bf2342fb57ba3
+50d3254df49d2158f4faf5bc38fa9d69
+1014d126eac903e30f6c97df69a3b665
+-----END OpenVPN Static key V1-----
+</tls-auth>
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+comp-lzo
+
+# Verbosity level.
+# 0 -- quiet except for fatal errors.
+# 1 -- mostly quiet, but display non-fatal network errors.
+# 3 -- medium output, good for normal operation.
+# 9 -- verbose, good for troubleshooting
+verb 1
+
+# Setting 'pull' on the client takes care to get the 'push' durectives
+# from the server
+pull

GA-Schloss/openvpn/crl.pem

@@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----
+MIICBTCB7jANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUxDzANBgNVBAgT
+Bkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVu
+c2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAGA1UEAxMJVlBO
+LUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVp
+bnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUXDTE4MDMyMjE3MjQzMVoXDTI4MDMxOTE3
+MjQzMVowDQYJKoZIhvcNAQELBQADggEBAIgttSiPDGlBMvJoxR4hMTsRI6bQs6Sm
+QE3/eF6UkBYYXNVzLJCoyR5eDYXSLCx3uQGLkFKSLHR5+WUGIWzhd47dtL9SUdcG
+tmr3F5Fz6TFbRApomoh3luUSZoALnegpvvsYIBimtihEga2rZzfHWqZR5trrZliO
+MDzqgC4xLCks1NSNGpFkz5rI7bpr+Yomg8tSY01T3KGvE23mAOShuGJB1JWu1exJ
+8wHiLGBvrspdkkUoDrCRDLy8VaXpqUYnvnDdw2dkRPWoI9GlhkU2Gvyok7pezGMu
+2l9Waen+WAfWJ+WXuUJ5XlOLaXTj04ZoL1JUwYHv39ljqzoHNQkv5lw=
+-----END X509 CRL-----

GA-Schloss/openvpn/easy-rsa/build-ca

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-ca

GA-Schloss/openvpn/easy-rsa/build-dh

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-dh

GA-Schloss/openvpn/easy-rsa/build-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-inter

GA-Schloss/openvpn/easy-rsa/build-key

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key

GA-Schloss/openvpn/easy-rsa/build-key-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pass

GA-Schloss/openvpn/easy-rsa/build-key-pkcs12

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-pkcs12

GA-Schloss/openvpn/easy-rsa/build-key-server

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-key-server

GA-Schloss/openvpn/easy-rsa/build-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req

GA-Schloss/openvpn/easy-rsa/build-req-pass

@@ -0,0 +1 @@
+/usr/share/easy-rsa/build-req-pass

GA-Schloss/openvpn/easy-rsa/clean-all

@@ -0,0 +1 @@
+/usr/share/easy-rsa/clean-all

GA-Schloss/openvpn/easy-rsa/inherit-inter

@@ -0,0 +1 @@
+/usr/share/easy-rsa/inherit-inter

GA-Schloss/openvpn/easy-rsa/list-crl

@@ -0,0 +1 @@
+/usr/share/easy-rsa/list-crl

GA-Schloss/openvpn/easy-rsa/openssl-0.9.6.cnf

@@ -0,0 +1,268 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

GA-Schloss/openvpn/easy-rsa/openssl-0.9.8.cnf

@@ -0,0 +1,293 @@
+# For use with easy-rsa version 2.0
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines                 = engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

GA-Schloss/openvpn/easy-rsa/openssl-1.0.0.cnf

@@ -0,0 +1,288 @@
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+engines			= engine_section
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 3650			# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= $ENV::KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::KEY_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::KEY_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::KEY_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::KEY_ORG
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::KEY_EMAIL
+emailAddress_max		= 40
+
+# JY -- added for batch mode
+organizationalUnitName_default = $ENV::KEY_OU
+commonName_default = $ENV::KEY_CN
+name_default = $ENV::KEY_NAME
+
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "Easy-RSA Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+# JY ADDED -- Make a cert with nsCertType set to "server"
+basicConstraints=CA:FALSE
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+#
+# If you are using PKCS#11
+# Install engine_pkcs11 of opensc (www.opensc.org)
+# And uncomment the following
+# verify that dynamic_path points to the correct location
+#
+#pkcs11 = pkcs11_section
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+PIN = $ENV::PKCS11_PIN
+init = 0

GA-Schloss/openvpn/easy-rsa/openssl.cnf

@@ -0,0 +1 @@
+openssl-1.0.0.cnf

GA-Schloss/openvpn/easy-rsa/pkitool

@@ -0,0 +1 @@
+/usr/share/easy-rsa/pkitool

GA-Schloss/openvpn/easy-rsa/revoke-full

@@ -0,0 +1 @@
+/usr/share/easy-rsa/revoke-full

GA-Schloss/openvpn/easy-rsa/sign-req

@@ -0,0 +1 @@
+/usr/share/easy-rsa/sign-req

GA-Schloss/openvpn/easy-rsa/vars

@@ -0,0 +1,95 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+##export EASY_RSA="`pwd`"
+export BASE_DIR="/etc/openvpn"
+export EASY_RSA="$BASE_DIR/easy-rsa"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+##export KEY_DIR="$EASY_RSA/keys"
+export KEY_DIR="$BASE_DIR/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+##export CA_EXPIRE=3650
+export CA_EXPIRE=10957
+
+# In how many days should certificates expire?
+##export KEY_EXPIRE=3650
+export KEY_EXPIRE=7305
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+##export KEY_COUNTRY="US"
+export KEY_COUNTRY="DE"
+##export KEY_PROVINCE="CA"
+export KEY_PROVINCE="Hessen"
+##export KEY_CITY="SanFrancisco"
+export KEY_CITY="Stockhausen"
+##export KEY_ORG="Fort-Funston"
+export KEY_ORG="GA Altenschlirf"
+##export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL="it@gemeinschaft-altenschlirf.de"
+##export KEY_OU="MyOrganizationalUnit"
+export KEY_OU="Network Services"
+
+# X509 Subject Field
+##export KEY_NAME="EasyRSA"
+export KEY_NAME="VPN GA"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+## export KEY_CN="CommonName"
+export KEY_CN="VPN-GA-ca"
+
+export KEY_ALTNAMES="VPN GA"

GA-Schloss/openvpn/easy-rsa/whichopensslcnf

@@ -0,0 +1 @@
+/usr/share/easy-rsa/whichopensslcnf

GA-Schloss/openvpn/keys/01.pem

@@ -0,0 +1,101 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Oct  9 15:46:37 2015 GMT
+            Not After : Oct  9 15:46:37 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=server/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:be:0c:c2:ab:db:2f:7f:ba:ff:65:4c:17:07:46:
+                    61:5e:56:85:8b:8f:d4:13:05:8b:be:9b:a2:d8:3a:
+                    68:b4:5f:c1:31:fa:27:4e:cd:15:8c:d5:9d:76:ca:
+                    ca:3d:4d:90:f4:16:51:4b:b2:50:12:0d:73:cc:b7:
+                    66:7c:87:39:ae:2a:20:38:80:bc:45:51:40:16:3f:
+                    1e:93:99:ad:4f:e9:6c:d7:1f:fe:be:36:2b:63:58:
+                    84:47:1a:c0:31:2f:9c:37:6d:9d:ba:10:c4:c2:4a:
+                    93:0a:d5:4e:70:00:46:13:6f:bd:1a:02:6a:11:06:
+                    69:3a:a8:ad:72:94:63:2d:c9:12:1a:1a:4b:e9:67:
+                    e9:64:8c:df:de:70:df:ac:7b:4a:1f:5a:3a:30:f7:
+                    19:51:04:73:8a:ce:7f:b1:cb:8c:ab:97:b8:15:b6:
+                    e1:5c:c1:9c:c7:91:cc:52:fe:c7:33:71:1a:b1:2a:
+                    99:c9:c4:ef:3e:dd:5d:eb:1e:5b:fc:f9:04:c2:0b:
+                    68:5e:69:24:8d:68:59:db:70:3e:b9:b8:75:69:d3:
+                    67:af:0b:b3:1d:d7:42:6c:08:24:5a:d9:18:18:b7:
+                    bb:f5:b6:f2:73:da:14:7b:3f:56:7d:79:df:da:09:
+                    1a:52:c1:2c:e1:f8:7c:5a:3b:fb:44:d2:f4:2d:43:
+                    13:d9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                6C:63:B8:00:5F:EA:CD:9C:61:19:41:5B:5A:56:AB:4A:A2:E1:C3:13
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         92:dc:23:54:f7:13:0a:b8:0f:dd:89:fc:33:4a:98:1b:de:fa:
+         4e:2e:bb:6f:e1:37:ec:75:f9:6b:40:00:cb:3f:bd:d9:52:31:
+         df:2a:29:8a:4d:15:0a:87:73:15:31:1a:4b:d5:66:d1:a0:60:
+         11:13:0f:c3:36:62:89:ed:be:5b:8d:dd:3c:f9:15:4a:a4:0f:
+         d7:9f:09:5a:ce:aa:a4:be:8a:b4:99:09:d4:16:fb:6c:23:74:
+         b4:01:57:a5:2d:18:0d:f7:b8:87:ee:3e:e8:22:5d:10:85:a6:
+         4b:e6:18:4a:de:aa:5f:0b:4c:12:ea:f8:71:c8:dd:94:21:da:
+         c5:85:8e:0a:da:bc:bc:9c:5c:13:65:b5:36:71:04:da:d5:97:
+         46:b1:19:60:17:50:eb:eb:02:1b:fe:22:dc:cf:c8:7d:4c:61:
+         27:eb:f1:5b:c5:54:78:eb:64:b9:d5:6d:cd:2d:29:21:33:7e:
+         6a:29:60:25:a0:88:94:5e:0a:a6:ed:ac:d9:c1:b7:ff:9e:1b:
+         bc:e1:8f:aa:b1:a4:b7:a7:f6:d7:e8:9e:49:f4:22:9b:bd:10:
+         30:56:55:9a:d7:c7:6f:78:e6:04:5e:5c:2e:ae:3a:3b:4b:9e:
+         92:e1:09:46:42:8c:d4:7d:dc:72:87:0a:7f:5b:70:32:2c:a5:
+         f8:0d:27:af
+-----BEGIN CERTIFICATE-----
+MIIFmjCCBIKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMDA5MTU0NjM3
+WhcNMzUxMDA5MTU0NjM3WjCBuzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEPMA0GA1UEAxMGc2VydmVyMQ8w
+DQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVpbnNjaGFmdC1h
+bHRlbnNjaGxpcmYuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+
+DMKr2y9/uv9lTBcHRmFeVoWLj9QTBYu+m6LYOmi0X8Ex+idOzRWM1Z12yso9TZD0
+FlFLslASDXPMt2Z8hzmuKiA4gLxFUUAWPx6Tma1P6WzXH/6+NitjWIRHGsAxL5w3
+bZ26EMTCSpMK1U5wAEYTb70aAmoRBmk6qK1ylGMtyRIaGkvpZ+lkjN/ecN+se0of
+Wjow9xlRBHOKzn+xy4yrl7gVtuFcwZzHkcxS/sczcRqxKpnJxO8+3V3rHlv8+QTC
+C2heaSSNaFnbcD65uHVp02evC7Md10JsCCRa2RgYt7v1tvJz2hR7P1Z9ed/aCRpS
+wSzh+HxaO/tE0vQtQxPZAgMBAAGjggGiMIIBnjAJBgNVHRMEAjAAMBEGCWCGSAGG
++EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJhdGVkIFNl
+cnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUbGO4AF/qzZxhGUFbWlarSqLhwxMw
+gfMGA1UdIwSB6zCB6IAUNZ/bDYZA+WUO40V5zjeYDShXlVmhgcSkgcEwgb4xCzAJ
+BgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDASBgNVBAcTC1N0b2NraGF1c2Vu
+MRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYxGTAXBgNVBAsTEE5ldHdvcmsgU2Vy
+dmljZXMxEjAQBgNVBAMTCVZQTi1HQS1jYTEPMA0GA1UEKRMGVlBOIEdBMS4wLAYJ
+KoZIhvcNAQkBFh9pdEBnZW1laW5zY2hhZnQtYWx0ZW5zY2hsaXJmLmRlggkA1cWr
+yyKN05swEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMBEGA1UdEQQK
+MAiCBnNlcnZlcjANBgkqhkiG9w0BAQsFAAOCAQEAktwjVPcTCrgP3Yn8M0qYG976
+Ti67b+E37HX5a0AAyz+92VIx3yopik0VCodzFTEaS9Vm0aBgERMPwzZiie2+W43d
+PPkVSqQP158JWs6qpL6KtJkJ1Bb7bCN0tAFXpS0YDfe4h+4+6CJdEIWmS+YYSt6q
+XwtMEur4ccjdlCHaxYWOCtq8vJxcE2W1NnEE2tWXRrEZYBdQ6+sCG/4i3M/IfUxh
+J+vxW8VUeOtkudVtzS0pITN+ailgJaCIlF4Kpu2s2cG3/54bvOGPqrGkt6f21+ie
+SfQim70QMFZVmtfHb3jmBF5cLq46O0uekuEJRkKM1H3ccocKf1twMiyl+A0nrw==
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/02.pem

@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Oct  9 15:48:51 2015 GMT
+            Not After : Oct  9 15:48:51 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=chris/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c2:55:cc:8d:85:d0:e6:9b:70:86:aa:59:b4:d3:
+                    a1:bd:0a:42:e8:42:4d:de:b7:4c:fc:c1:42:9c:dc:
+                    01:fd:6b:c8:5a:0f:3f:d9:29:6c:fe:4e:5c:77:9e:
+                    ad:42:ce:db:ea:55:e6:aa:c0:3b:81:90:a9:b7:0b:
+                    07:9a:0e:4e:c6:79:13:a3:f0:5e:c8:b2:b7:aa:49:
+                    16:f0:58:ed:04:fc:22:e3:e1:64:68:53:f2:ca:c0:
+                    98:24:00:83:5e:80:14:d4:02:83:21:85:e7:f4:77:
+                    a1:c7:a1:cc:3d:75:af:cd:c4:df:72:63:83:7b:f6:
+                    77:bd:4f:b5:ec:82:93:c4:c0:2f:ba:66:3b:9b:90:
+                    b9:ef:48:a7:43:77:88:32:8e:11:4c:e1:d5:91:e2:
+                    ee:fd:f6:6a:67:e9:cd:24:fb:34:70:92:4c:80:85:
+                    a5:41:34:db:22:f6:c5:18:82:30:60:53:e1:8c:84:
+                    a5:de:9d:41:5d:ac:db:d8:c1:f6:aa:84:72:ee:38:
+                    73:49:26:e3:9f:58:ff:b0:63:b6:79:92:6f:20:e2:
+                    d4:f0:96:96:8e:51:1d:bf:98:c5:38:48:c5:52:bd:
+                    dd:ae:1c:4c:c7:04:25:82:df:1d:a0:8d:05:d3:7a:
+                    31:db:46:a4:c6:1a:0c:91:e8:05:8a:d5:8b:35:02:
+                    b6:ed
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                A3:D8:CF:8D:23:44:DB:48:37:2E:C1:70:7F:80:39:59:B8:B6:42:F0
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:chris
+    Signature Algorithm: sha256WithRSAEncryption
+         73:75:c5:a6:45:7d:6e:25:7d:d0:c2:1a:cc:09:aa:55:ce:1a:
+         a4:c6:b5:34:3e:72:a6:8e:92:25:20:19:3e:4c:5b:63:db:23:
+         cb:5d:d5:30:7e:81:17:98:ec:dc:97:d9:af:8e:2b:75:80:32:
+         17:bf:50:e7:e2:09:fc:f7:22:f3:91:24:55:47:34:f2:9d:92:
+         9e:79:ae:e0:ab:a4:4f:27:32:4a:81:57:f6:5c:63:6f:45:0f:
+         dc:c9:39:b9:3a:c0:3d:9b:80:24:b8:3a:12:3f:12:03:af:51:
+         f4:68:ef:05:01:b2:c9:b9:a9:3b:8b:e6:7f:cd:dd:eb:45:96:
+         98:94:d9:3c:f6:f7:a7:5d:6a:04:78:4b:d6:14:59:68:bf:9b:
+         06:95:b8:c9:6e:de:ea:69:69:dc:81:57:fa:ed:cb:fd:50:74:
+         8f:99:16:7f:78:b7:6a:42:65:cf:2f:6b:3a:d8:56:b1:88:13:
+         05:53:49:e5:cc:b9:73:5c:21:62:1c:c7:bd:6b:10:10:9b:00:
+         19:7a:a4:11:ad:a1:21:e4:71:d6:b6:0e:9e:50:72:6e:df:43:
+         7f:c8:42:94:66:1b:1c:a5:b0:07:d1:3b:85:7f:07:e8:65:b2:
+         74:ba:c2:04:e9:fb:3e:c7:d2:c7:74:4e:0d:bc:09:89:49:0b:
+         dc:c2:af:47
+-----BEGIN CERTIFICATE-----
+MIIFfjCCBGagAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMDA5MTU0ODUx
+WhcNMzUxMDA5MTU0ODUxWjCBujELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEOMAwGA1UEAxMFY2hyaXMxDzAN
+BgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0LWFs
+dGVuc2NobGlyZi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJV
+zI2F0OabcIaqWbTTob0KQuhCTd63TPzBQpzcAf1ryFoPP9kpbP5OXHeerULO2+pV
+5qrAO4GQqbcLB5oOTsZ5E6PwXsiyt6pJFvBY7QT8IuPhZGhT8srAmCQAg16AFNQC
+gyGF5/R3ocehzD11r83E33Jjg3v2d71PteyCk8TAL7pmO5uQue9Ip0N3iDKOEUzh
+1ZHi7v32amfpzST7NHCSTICFpUE02yL2xRiCMGBT4YyEpd6dQV2s29jB9qqEcu44
+c0km459Y/7BjtnmSbyDi1PCWlo5RHb+YxThIxVK93a4cTMcEJYLfHaCNBdN6MdtG
+pMYaDJHoBYrVizUCtu0CAwEAAaOCAYcwggGDMAkGA1UdEwQCMAAwLQYJYIZIAYb4
+QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
+o9jPjSNE20g3LsFwf4A5Wbi2QvAwgfMGA1UdIwSB6zCB6IAUNZ/bDYZA+WUO40V5
+zjeYDShXlVmhgcSkgcEwgb4xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4x
+FDASBgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYx
+GTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1HQS1jYTEP
+MA0GA1UEKRMGVlBOIEdBMS4wLAYJKoZIhvcNAQkBFh9pdEBnZW1laW5zY2hhZnQt
+YWx0ZW5zY2hsaXJmLmRlggkA1cWryyKN05swEwYDVR0lBAwwCgYIKwYBBQUHAwIw
+CwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBWNocmlzMA0GCSqGSIb3DQEBCwUAA4IB
+AQBzdcWmRX1uJX3QwhrMCapVzhqkxrU0PnKmjpIlIBk+TFtj2yPLXdUwfoEXmOzc
+l9mvjit1gDIXv1Dn4gn89yLzkSRVRzTynZKeea7gq6RPJzJKgVf2XGNvRQ/cyTm5
+OsA9m4AkuDoSPxIDr1H0aO8FAbLJuak7i+Z/zd3rRZaYlNk89venXWoEeEvWFFlo
+v5sGlbjJbt7qaWncgVf67cv9UHSPmRZ/eLdqQmXPL2s62FaxiBMFU0nlzLlzXCFi
+HMe9axAQmwAZeqQRraEh5HHWtg6eUHJu30N/yEKUZhscpbAH0TuFfwfoZbJ0usIE
+6fs+x9LHdE4NvAmJSQvcwq9H
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/03.pem

@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Oct  9 15:54:15 2015 GMT
+            Not After : Oct  9 15:54:15 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=wadmin/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b6:f8:b1:f2:dd:fd:65:5f:86:7e:3f:39:d0:f2:
+                    ca:b4:f5:64:ea:5a:79:9f:cc:14:7b:ed:7a:3f:be:
+                    8d:ba:6a:d6:89:92:1a:26:c4:11:4e:86:10:8c:71:
+                    d4:f9:d1:bd:d7:65:2f:56:81:1e:38:81:61:fd:62:
+                    f4:5b:3c:c8:34:9d:00:47:ee:16:a0:52:a9:ca:df:
+                    09:d0:94:c1:7d:cd:f7:a7:0c:7a:ce:d1:4a:c5:99:
+                    56:29:32:f9:b4:fb:d3:4a:36:1d:ff:b7:9f:50:c8:
+                    ca:2d:a0:31:77:8b:09:fa:15:08:fe:42:f4:3e:dd:
+                    98:cb:bb:19:d2:d0:57:50:a9:4d:93:dd:91:39:3e:
+                    4f:38:32:6d:b8:99:f9:ea:93:47:28:82:e9:75:f5:
+                    4b:c2:55:3b:65:ae:5d:f6:4c:d2:c6:9d:18:86:eb:
+                    4d:83:36:e4:ab:c1:66:cf:77:f7:0b:fa:3d:9b:1f:
+                    40:2b:28:01:c0:88:c7:bc:18:83:26:b7:41:5e:9e:
+                    8c:d2:fe:e9:39:d4:ec:2b:be:4d:7e:fd:a0:dc:04:
+                    b4:00:e4:ca:85:59:01:55:a8:d3:48:be:41:12:7c:
+                    8e:ee:79:8d:a7:89:ad:ab:71:a8:d0:d1:a9:ce:9f:
+                    7e:a4:2a:17:26:18:90:bf:13:d9:f1:a3:be:a6:b9:
+                    09:51
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                B9:71:69:E0:F6:17:0F:A6:D3:C4:AF:28:C6:A5:B1:E9:58:2F:6C:86
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:wadmin
+    Signature Algorithm: sha256WithRSAEncryption
+         99:1d:d1:a2:eb:8c:d5:89:c3:1f:0a:8f:10:85:99:92:f6:58:
+         da:99:b3:d3:01:9a:b4:7c:b2:9b:61:9e:7f:dd:41:24:ec:75:
+         19:82:35:aa:2b:74:14:29:55:6c:74:08:d0:18:95:8f:b9:1e:
+         12:1e:80:78:58:b5:e0:b0:f5:08:17:d9:36:e9:42:a1:a6:cc:
+         7a:be:92:a7:f3:9b:6b:2f:d8:db:4b:50:ca:dd:f2:de:90:d9:
+         2a:2e:8d:81:76:7e:a0:2e:28:a0:3d:e6:fc:31:4b:d7:b4:6d:
+         7f:a0:f9:f1:6f:d8:ea:7d:a2:e0:a6:2e:db:52:96:2c:7a:b6:
+         10:5a:15:bb:07:34:88:5f:74:d2:6c:e6:7e:f1:7f:20:47:56:
+         be:78:be:1e:37:35:79:c1:a9:0d:bf:df:11:7d:09:97:c7:93:
+         9c:27:11:5b:b4:99:fe:fc:77:2b:39:52:7c:a7:d5:85:1c:71:
+         b9:4f:45:ce:48:bf:04:8e:25:87:3b:ad:55:54:ea:4c:2c:38:
+         8f:14:c2:49:d1:62:c4:d5:bc:4d:94:5f:4f:8f:bf:19:25:f0:
+         20:f9:2d:3c:ca:18:d2:7c:2f:f9:ca:a4:fd:3e:7a:67:74:d9:
+         fc:b6:74:e9:40:61:7d:5f:1e:97:a3:d4:2a:11:53:a5:e6:08:
+         b4:4c:56:bb
+-----BEGIN CERTIFICATE-----
+MIIFgDCCBGigAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMDA5MTU1NDE1
+WhcNMzUxMDA5MTU1NDE1WjCBuzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEPMA0GA1UEAxMGd2FkbWluMQ8w
+DQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVpbnNjaGFmdC1h
+bHRlbnNjaGxpcmYuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
++LHy3f1lX4Z+PznQ8sq09WTqWnmfzBR77Xo/vo26ataJkhomxBFOhhCMcdT50b3X
+ZS9WgR44gWH9YvRbPMg0nQBH7hagUqnK3wnQlMF9zfenDHrO0UrFmVYpMvm0+9NK
+Nh3/t59QyMotoDF3iwn6FQj+QvQ+3ZjLuxnS0FdQqU2T3ZE5Pk84Mm24mfnqk0co
+gul19UvCVTtlrl32TNLGnRiG602DNuSrwWbPd/cL+j2bH0ArKAHAiMe8GIMmt0Fe
+nozS/uk51Owrvk1+/aDcBLQA5MqFWQFVqNNIvkESfI7ueY2nia2rcajQ0anOn36k
+KhcmGJC/E9nxo76muQlRAgMBAAGjggGIMIIBhDAJBgNVHRMEAjAAMC0GCWCGSAGG
++EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+FLlxaeD2Fw+m08SvKMalselYL2yGMIHzBgNVHSMEgeswgeiAFDWf2w2GQPllDuNF
+ec43mA0oV5VZoYHEpIHBMIG+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2Vu
+MRQwEgYDVQQHEwtTdG9ja2hhdXNlbjEYMBYGA1UEChMPR0EgQWx0ZW5zY2hsaXJm
+MRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRIwEAYDVQQDEwlWUE4tR0EtY2Ex
+DzANBgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0
+LWFsdGVuc2NobGlyZi5kZYIJANXFq8sijdObMBMGA1UdJQQMMAoGCCsGAQUFBwMC
+MAsGA1UdDwQEAwIHgDARBgNVHREECjAIggZ3YWRtaW4wDQYJKoZIhvcNAQELBQAD
+ggEBAJkd0aLrjNWJwx8KjxCFmZL2WNqZs9MBmrR8spthnn/dQSTsdRmCNaordBQp
+VWx0CNAYlY+5HhIegHhYteCw9QgX2TbpQqGmzHq+kqfzm2sv2NtLUMrd8t6Q2Sou
+jYF2fqAuKKA95vwxS9e0bX+g+fFv2Op9ouCmLttSlix6thBaFbsHNIhfdNJs5n7x
+fyBHVr54vh43NXnBqQ2/3xF9CZfHk5wnEVu0mf78dys5Unyn1YUccblPRc5IvwSO
+JYc7rVVU6kwsOI8UwknRYsTVvE2UX0+Pvxkl8CD5LTzKGNJ8L/nKpP0+emd02fy2
+dOlAYX1fHpej1CoRU6XmCLRMVrs=
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/04.pem

@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Oct  9 16:07:53 2015 GMT
+            Not After : Oct  9 16:07:53 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=gw-ckubu/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ae:f7:e7:94:71:eb:8e:4b:16:f5:41:b5:00:33:
+                    54:da:9c:11:54:a3:e3:14:0f:f4:1d:e3:32:20:94:
+                    48:fd:46:d8:b2:76:12:3b:23:3c:a2:f2:e4:81:9a:
+                    e5:85:ab:c3:dd:38:c5:e0:ca:ee:af:11:12:f1:8f:
+                    78:3a:78:a5:3f:b9:ea:4e:8e:da:3e:e6:77:d5:ce:
+                    cb:56:3a:ca:bf:97:d6:a5:65:49:15:ce:e0:7b:5a:
+                    f9:c2:96:8a:70:18:be:3b:4f:20:bd:c5:b9:b5:46:
+                    07:f1:54:ad:76:56:47:f1:83:ee:7c:8a:9d:e9:42:
+                    23:a1:a7:b6:fb:76:c3:05:ad:dd:a8:fe:c8:fa:15:
+                    f4:9f:3a:30:dd:4d:c0:50:33:0b:19:f6:51:cb:9f:
+                    70:53:c7:7c:80:c5:69:7a:4c:bb:06:ec:46:e4:6e:
+                    77:18:77:7c:14:58:46:49:9a:ac:1f:a6:46:5f:f7:
+                    1c:71:33:a4:25:f4:82:92:96:56:fd:af:6b:c4:5a:
+                    0e:ef:d3:e6:68:36:c8:e8:8c:1c:75:12:f8:3e:34:
+                    2e:64:dd:a3:bc:b3:7e:2c:e8:56:55:5b:1a:b3:46:
+                    e4:06:d7:b3:f8:19:44:a3:0e:2d:92:0f:c8:64:76:
+                    af:e7:83:fb:62:a1:3a:91:56:fa:47:63:c2:c3:c5:
+                    7b:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                77:17:1E:55:4D:99:B1:B1:C4:AC:7D:4D:89:39:79:47:93:A3:F7:D9
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:gw-ckubu
+    Signature Algorithm: sha256WithRSAEncryption
+         41:4d:2c:2d:3c:df:39:83:ed:10:3d:3f:17:bf:16:10:16:ff:
+         4f:79:db:44:15:d2:9f:e1:1e:49:5a:2b:12:23:48:72:bd:6f:
+         52:7f:75:5c:e1:b7:36:19:82:08:1b:60:c5:48:98:a9:da:55:
+         20:ca:f0:b7:c8:ea:8a:b5:3e:af:17:7d:8c:e0:d4:be:1a:09:
+         43:3b:27:17:59:ba:59:34:1f:6f:b6:3a:c3:be:9a:3f:5e:1b:
+         fc:75:2b:b0:13:d0:48:b2:82:45:fa:97:84:6c:fe:a5:20:d1:
+         a2:e9:6f:e9:eb:53:47:5a:63:b5:0a:5b:ed:67:24:71:6f:86:
+         27:a8:e9:88:12:bf:6c:dd:73:fb:32:6e:a7:b6:d5:fb:eb:dd:
+         23:c1:9a:1a:7b:fc:70:18:ec:b5:ed:e5:33:fd:c1:8b:06:ad:
+         ad:ee:de:e6:d6:b8:54:e0:4a:ef:1a:02:4e:3f:d3:ca:1e:48:
+         05:ad:88:e6:8c:77:81:5c:b6:c7:b1:f7:fe:4e:ad:74:6e:1c:
+         a2:0d:bd:21:b0:0a:19:8b:56:d5:88:6a:51:b5:f6:90:f9:e0:
+         b4:ad:79:c3:cb:f0:be:fe:79:be:4b:39:44:29:e8:82:d9:79:
+         93:3b:c7:5b:36:0a:0e:a8:44:e3:ed:df:e2:0d:de:1c:a2:9b:
+         dd:cd:96:30
+-----BEGIN CERTIFICATE-----
+MIIFhDCCBGygAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMDA5MTYwNzUz
+WhcNMzUxMDA5MTYwNzUzWjCBvTELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczERMA8GA1UEAxMIZ3ctY2t1YnUx
+DzANBgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0
+LWFsdGVuc2NobGlyZi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AK7355Rx645LFvVBtQAzVNqcEVSj4xQP9B3jMiCUSP1G2LJ2EjsjPKLy5IGa5YWr
+w904xeDK7q8REvGPeDp4pT+56k6O2j7md9XOy1Y6yr+X1qVlSRXO4Hta+cKWinAY
+vjtPIL3FubVGB/FUrXZWR/GD7nyKnelCI6Gntvt2wwWt3aj+yPoV9J86MN1NwFAz
+Cxn2UcufcFPHfIDFaXpMuwbsRuRudxh3fBRYRkmarB+mRl/3HHEzpCX0gpKWVv2v
+a8RaDu/T5mg2yOiMHHUS+D40LmTdo7yzfizoVlVbGrNG5AbXs/gZRKMOLZIPyGR2
+r+eD+2KhOpFW+kdjwsPFe0ECAwEAAaOCAYowggGGMAkGA1UdEwQCMAAwLQYJYIZI
+AYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E
+FgQUdxceVU2ZsbHErH1NiTl5R5Oj99kwgfMGA1UdIwSB6zCB6IAUNZ/bDYZA+WUO
+40V5zjeYDShXlVmhgcSkgcEwgb4xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNz
+ZW4xFDASBgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxp
+cmYxGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1HQS1j
+YTEPMA0GA1UEKRMGVlBOIEdBMS4wLAYJKoZIhvcNAQkBFh9pdEBnZW1laW5zY2hh
+ZnQtYWx0ZW5zY2hsaXJmLmRlggkA1cWryyKN05swEwYDVR0lBAwwCgYIKwYBBQUH
+AwIwCwYDVR0PBAQDAgeAMBMGA1UdEQQMMAqCCGd3LWNrdWJ1MA0GCSqGSIb3DQEB
+CwUAA4IBAQBBTSwtPN85g+0QPT8XvxYQFv9PedtEFdKf4R5JWisSI0hyvW9Sf3Vc
+4bc2GYIIG2DFSJip2lUgyvC3yOqKtT6vF32M4NS+GglDOycXWbpZNB9vtjrDvpo/
+Xhv8dSuwE9BIsoJF+peEbP6lINGi6W/p61NHWmO1ClvtZyRxb4YnqOmIEr9s3XP7
+Mm6nttX7690jwZoae/xwGOy17eUz/cGLBq2t7t7m1rhU4ErvGgJOP9PKHkgFrYjm
+jHeBXLbHsff+Tq10bhyiDb0hsAoZi1bViGpRtfaQ+eC0rXnDy/C+/nm+SzlEKeiC
+2XmTO8dbNgoOqETj7d/iDd4copvdzZYw
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/05.pem

@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 5 (0x5)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Oct  9 16:27:27 2015 GMT
+            Not After : Oct  9 16:27:27 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=gw-nh/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:be:07:2f:b4:84:d8:b2:81:07:71:2f:e2:03:49:
+                    36:37:7c:1e:c0:25:7d:56:ca:e8:cc:22:d3:8d:f3:
+                    04:87:7d:2b:7c:ad:e3:28:ce:69:45:d9:5e:c1:bd:
+                    eb:72:a5:66:b0:73:30:d0:62:c4:44:54:e1:16:cf:
+                    82:82:d4:c1:87:ae:ff:f2:c3:0a:c8:cc:cf:c3:9f:
+                    c0:b7:0f:32:38:61:53:76:3e:24:b9:0e:37:85:68:
+                    ff:1c:fd:d8:39:c0:f8:da:23:cf:3c:30:c1:3d:68:
+                    5c:6b:f6:31:04:7d:11:67:bd:de:33:ee:b5:8a:69:
+                    92:10:46:eb:1b:52:1f:7b:8f:e7:46:7a:9d:70:39:
+                    ce:cf:2f:26:1b:fb:f5:1b:2b:af:6b:c1:18:64:21:
+                    6e:3d:b0:de:28:e9:30:e2:3b:a5:fd:d5:c0:80:8e:
+                    4c:08:80:53:0a:04:93:6e:b8:e7:66:8d:f3:19:df:
+                    0d:8c:da:40:ce:3f:23:a7:8e:18:8e:9a:76:fb:2e:
+                    52:b3:da:14:da:69:c2:07:09:2a:db:70:37:1b:f5:
+                    fa:c5:31:3f:0e:d6:07:30:63:da:1c:0a:fb:2e:45:
+                    3c:58:6b:48:9b:fb:f1:50:70:7a:3a:3d:bd:a7:31:
+                    8b:04:22:97:27:ff:cd:20:2a:e6:58:7b:57:14:bf:
+                    7d:3b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                4A:3F:A6:14:BC:62:49:79:F5:0C:48:73:5C:C9:5A:1E:A0:36:BB:E8
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:gw-nh
+    Signature Algorithm: sha256WithRSAEncryption
+         75:a5:dd:59:e4:3d:33:1c:ca:6f:8b:7f:97:cb:cf:4e:12:af:
+         cf:c7:7d:a8:f4:d4:95:38:30:e5:1b:ff:f5:20:0e:ef:b7:25:
+         75:c7:44:3e:9a:78:e4:fe:6d:9a:5b:a1:cc:6e:4d:7e:cb:a7:
+         c7:95:fa:7f:e7:c2:38:e1:9c:2e:79:7b:61:b0:d9:6e:2c:dd:
+         28:4e:31:d5:66:45:c8:74:06:fc:c9:4d:a8:96:25:04:a5:2f:
+         45:f1:64:13:50:41:e1:86:d7:4e:4e:38:69:d6:00:e4:24:d6:
+         65:38:17:50:ee:d5:d8:f8:bd:80:07:e2:d1:b4:ed:d9:d3:a5:
+         a4:ba:37:50:6e:bb:48:30:9e:e7:93:1d:2e:89:da:b6:b0:04:
+         f6:1b:48:38:e2:66:3a:c0:82:e0:a2:00:60:cb:05:93:13:85:
+         cc:aa:e1:a1:c7:a3:7f:d9:96:46:e9:d8:da:c8:0d:c9:da:19:
+         12:98:56:46:ff:9f:ae:ec:82:fb:df:67:ae:72:63:68:76:e0:
+         d3:00:2c:8c:ee:26:c8:31:ad:b7:c7:44:4d:00:6d:c9:dc:e3:
+         73:74:9f:24:be:5a:1c:9f:5d:3f:34:ce:b5:af:8b:00:63:0f:
+         26:d2:42:2a:7e:13:f6:2c:33:6c:8c:0d:e7:3b:87:aa:f7:ec:
+         fa:da:2c:d4
+-----BEGIN CERTIFICATE-----
+MIIFfjCCBGagAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMDA5MTYyNzI3
+WhcNMzUxMDA5MTYyNzI3WjCBujELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEOMAwGA1UEAxMFZ3ctbmgxDzAN
+BgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0LWFs
+dGVuc2NobGlyZi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4H
+L7SE2LKBB3Ev4gNJNjd8HsAlfVbK6Mwi043zBId9K3yt4yjOaUXZXsG963KlZrBz
+MNBixERU4RbPgoLUwYeu//LDCsjMz8OfwLcPMjhhU3Y+JLkON4Vo/xz92DnA+Noj
+zzwwwT1oXGv2MQR9EWe93jPutYppkhBG6xtSH3uP50Z6nXA5zs8vJhv79Rsrr2vB
+GGQhbj2w3ijpMOI7pf3VwICOTAiAUwoEk26452aN8xnfDYzaQM4/I6eOGI6advsu
+UrPaFNppwgcJKttwNxv1+sUxPw7WBzBj2hwK+y5FPFhrSJv78VBwejo9vacxiwQi
+lyf/zSAq5lh7VxS/fTsCAwEAAaOCAYcwggGDMAkGA1UdEwQCMAAwLQYJYIZIAYb4
+QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
+Sj+mFLxiSXn1DEhzXMlaHqA2u+gwgfMGA1UdIwSB6zCB6IAUNZ/bDYZA+WUO40V5
+zjeYDShXlVmhgcSkgcEwgb4xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4x
+FDASBgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYx
+GTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1HQS1jYTEP
+MA0GA1UEKRMGVlBOIEdBMS4wLAYJKoZIhvcNAQkBFh9pdEBnZW1laW5zY2hhZnQt
+YWx0ZW5zY2hsaXJmLmRlggkA1cWryyKN05swEwYDVR0lBAwwCgYIKwYBBQUHAwIw
+CwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBWd3LW5oMA0GCSqGSIb3DQEBCwUAA4IB
+AQB1pd1Z5D0zHMpvi3+Xy89OEq/Px32o9NSVODDlG//1IA7vtyV1x0Q+mnjk/m2a
+W6HMbk1+y6fHlfp/58I44ZwueXthsNluLN0oTjHVZkXIdAb8yU2oliUEpS9F8WQT
+UEHhhtdOTjhp1gDkJNZlOBdQ7tXY+L2AB+LRtO3Z06WkujdQbrtIMJ7nkx0uidq2
+sAT2G0g44mY6wILgogBgywWTE4XMquGhx6N/2ZZG6djayA3J2hkSmFZG/5+u7IL7
+32eucmNoduDTACyM7ibIMa23x0RNAG3J3ONzdJ8kvlocn10/NM61r4sAYw8m0kIq
+fhP2LDNsjA3nO4eq9+z62izU
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/06.pem

@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 6 (0x6)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Nov 26 19:57:11 2015 GMT
+            Not After : Nov 26 19:57:11 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=madmin/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d9:35:1c:5e:da:a9:31:86:bb:22:31:76:a9:51:
+                    18:4a:ed:5a:9e:e8:fd:16:85:32:a8:0b:91:87:e3:
+                    92:12:12:a7:06:da:c5:c9:48:9b:fa:94:81:36:63:
+                    d3:11:25:0b:3d:3d:fc:94:3b:e3:91:1a:e1:cf:d0:
+                    53:88:0e:9e:79:5d:6e:18:6d:a0:71:8e:ec:f3:3e:
+                    50:08:4d:73:7c:23:d0:af:ff:ae:c1:ad:5b:99:cd:
+                    bf:f2:04:43:09:79:83:f2:ac:10:0e:0c:0d:ec:b6:
+                    81:f9:65:75:3c:ea:c2:52:2a:32:1b:a8:d1:af:c7:
+                    85:66:a7:73:af:14:dd:95:41:a0:ed:52:79:44:ce:
+                    b7:0b:3e:19:80:ef:71:b2:15:6e:7a:96:0f:10:2f:
+                    50:8a:f8:90:f6:8f:6a:fe:b5:21:ef:78:95:0e:94:
+                    2f:aa:f7:16:b4:73:f2:62:32:8a:8c:c7:e6:d5:bf:
+                    fc:78:e1:fc:43:d4:d0:93:08:26:8e:f6:a8:31:2b:
+                    4f:6e:cd:88:ae:14:e7:0d:c5:ec:49:09:7a:16:6e:
+                    10:d5:83:04:a3:e3:1f:b0:c4:1e:55:65:10:60:5a:
+                    c8:72:e0:9b:c6:b4:26:39:5d:69:55:0e:de:5c:75:
+                    f9:ea:2f:be:9e:61:b1:59:f4:b0:47:03:a4:43:99:
+                    c1:99
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                E9:A6:ED:67:0C:62:23:7A:B3:23:F4:D7:93:5B:63:76:C9:4A:94:A7
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:madmin
+    Signature Algorithm: sha256WithRSAEncryption
+         1b:67:ed:5b:7b:f6:b5:bf:83:3b:7e:22:4f:0c:82:c2:07:94:
+         2a:78:50:f8:85:a5:8f:83:d7:88:8c:99:fe:8a:2d:00:9c:93:
+         f6:9a:96:67:ca:ed:4d:81:06:4a:c3:5f:85:5c:b6:31:c4:5c:
+         78:28:fd:72:07:72:5b:84:ac:6e:58:b6:98:57:04:cd:5d:d5:
+         f1:36:f7:39:d2:79:bf:b8:66:48:25:e5:37:27:77:af:0f:e2:
+         0c:9d:53:e3:eb:1f:62:a2:ea:17:16:6e:75:25:28:c0:d3:b0:
+         fd:8d:79:b8:9a:1a:1e:c0:7f:b7:d6:70:ce:b0:6a:8e:30:2b:
+         a5:c8:70:bd:a5:df:f7:b8:a3:8a:b7:96:da:b0:6a:03:a3:31:
+         02:cf:7d:1d:49:39:88:26:dc:39:f3:2c:f9:c5:4a:13:f8:28:
+         d0:a0:1f:59:2d:ea:62:22:ef:cd:6d:95:c8:a9:11:55:da:30:
+         da:38:d5:92:d5:94:60:12:9e:a8:d9:cb:3e:c6:90:21:04:a3:
+         97:b7:5a:1f:77:d5:4f:95:ab:4f:b6:3d:bc:6a:6c:5c:1e:5e:
+         16:9b:28:2e:1c:6a:20:64:8d:f3:42:e5:b0:a4:0d:59:b5:5d:
+         e8:4f:31:04:78:1c:86:f9:8d:38:0c:28:ab:94:c1:bd:bd:be:
+         84:f4:2d:d6
+-----BEGIN CERTIFICATE-----
+MIIFgDCCBGigAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMTI2MTk1NzEx
+WhcNMzUxMTI2MTk1NzExWjCBuzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEPMA0GA1UEAxMGbWFkbWluMQ8w
+DQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVpbnNjaGFmdC1h
+bHRlbnNjaGxpcmYuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ
+NRxe2qkxhrsiMXapURhK7Vqe6P0WhTKoC5GH45ISEqcG2sXJSJv6lIE2Y9MRJQs9
+PfyUO+ORGuHP0FOIDp55XW4YbaBxjuzzPlAITXN8I9Cv/67BrVuZzb/yBEMJeYPy
+rBAODA3stoH5ZXU86sJSKjIbqNGvx4Vmp3OvFN2VQaDtUnlEzrcLPhmA73GyFW56
+lg8QL1CK+JD2j2r+tSHveJUOlC+q9xa0c/JiMoqMx+bVv/x44fxD1NCTCCaO9qgx
+K09uzYiuFOcNxexJCXoWbhDVgwSj4x+wxB5VZRBgWshy4JvGtCY5XWlVDt5cdfnq
+L76eYbFZ9LBHA6RDmcGZAgMBAAGjggGIMIIBhDAJBgNVHRMEAjAAMC0GCWCGSAGG
++EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+FOmm7WcMYiN6syP015NbY3bJSpSnMIHzBgNVHSMEgeswgeiAFDWf2w2GQPllDuNF
+ec43mA0oV5VZoYHEpIHBMIG+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2Vu
+MRQwEgYDVQQHEwtTdG9ja2hhdXNlbjEYMBYGA1UEChMPR0EgQWx0ZW5zY2hsaXJm
+MRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRIwEAYDVQQDEwlWUE4tR0EtY2Ex
+DzANBgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0
+LWFsdGVuc2NobGlyZi5kZYIJANXFq8sijdObMBMGA1UdJQQMMAoGCCsGAQUFBwMC
+MAsGA1UdDwQEAwIHgDARBgNVHREECjAIggZtYWRtaW4wDQYJKoZIhvcNAQELBQAD
+ggEBABtn7Vt79rW/gzt+Ik8MgsIHlCp4UPiFpY+D14iMmf6KLQCck/aalmfK7U2B
+BkrDX4VctjHEXHgo/XIHcluErG5YtphXBM1d1fE29znSeb+4Zkgl5Tcnd68P4gyd
+U+PrH2Ki6hcWbnUlKMDTsP2NebiaGh7Af7fWcM6wao4wK6XIcL2l3/e4o4q3ltqw
+agOjMQLPfR1JOYgm3DnzLPnFShP4KNCgH1kt6mIi781tlcipEVXaMNo41ZLVlGAS
+nqjZyz7GkCEEo5e3Wh931U+Vq0+2PbxqbFweXhabKC4caiBkjfNC5bCkDVm1XehP
+MQR4HIb5jTgMKKuUwb29voT0LdY=
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/ca.crt

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFKjCCBBKgAwIBAgIJANXFq8sijdObMA0GCSqGSIb3DQEBCwUAMIG+MQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRQwEgYDVQQHEwtTdG9ja2hhdXNlbjEY
+MBYGA1UEChMPR0EgQWx0ZW5zY2hsaXJmMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZp
+Y2VzMRIwEAYDVQQDEwlWUE4tR0EtY2ExDzANBgNVBCkTBlZQTiBHQTEuMCwGCSqG
+SIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0LWFsdGVuc2NobGlyZi5kZTAeFw0xNTEw
+MDkxNTQwMzBaFw00NTEwMDgxNTQwMzBaMIG+MQswCQYDVQQGEwJERTEPMA0GA1UE
+CBMGSGVzc2VuMRQwEgYDVQQHEwtTdG9ja2hhdXNlbjEYMBYGA1UEChMPR0EgQWx0
+ZW5zY2hsaXJmMRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRIwEAYDVQQDEwlW
+UE4tR0EtY2ExDzANBgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2Vt
+ZWluc2NoYWZ0LWFsdGVuc2NobGlyZi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKLTHSHgX6/Ibr3AlmJfQ3k3yTvaD031Ps3c+bsXgOQEPNO4x7er
+8R47osA7FHNKI8ob7jnX/xJSJcsE2B1zsYpceW7IN/Mmmz0eZyIr7B0tu2dFixxC
+t4Vi4dBTh8ZvEaTZ3YUzROBc/YnWFyq3NFZ0DLdJBX+lFXAYg7qVyD7RCB1Yrwxq
+rJFYK28qeIi4WHfHQICZ1dBlf7qpnL76MjfzjjiTTs4MZwjYRT2RJaPOhnNzPaeF
+c11kP8T+ER46TqYbmBuImpoOntca002opJxw9iXoYJRLYYfhs4XS654iApGbG0vc
+2Kd7uH+QyWElW19EDmeDRJM6Bc0LUu1rKtkCAwEAAaOCAScwggEjMB0GA1UdDgQW
+BBQ1n9sNhkD5ZQ7jRXnON5gNKFeVWTCB8wYDVR0jBIHrMIHogBQ1n9sNhkD5ZQ7j
+RXnON5gNKFeVWaGBxKSBwTCBvjELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAGA1UEAxMJVlBOLUdBLWNh
+MQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVpbnNjaGFm
+dC1hbHRlbnNjaGxpcmYuZGWCCQDVxavLIo3TmzAMBgNVHRMEBTADAQH/MA0GCSqG
+SIb3DQEBCwUAA4IBAQCXp1hi923vehUa/Gd9Ze9UobRo0kPCLxgQkPOotUPAX+Dp
+BDJOIHzoijORN4LmtQV+UNbRGsGU+Mwbejx1b4NHrFtj6KaCbCdB3bumcSmfFbaJ
+QM+qvMtQYXx1NnFnoV6PYD9ZjfsY0AaVi5FB/eHnP5xuGzmbq7gPgG5sz2RO5jcR
+1jO26hbrOINfYplu/NNQqBfRJPwyPFjHcCD/wWE63fnue3A5Oj6jUcuNLbOAHJEy
+Pu37BPHNzjnTUdOe9scXp3WMCJXOtdxoZkfHfGKXYhz//XwX6X/hJMzOZ2K+kUHC
+NfKwQ6snmDzycXtx0EqsYjzGgxbOR0qJbK/pJhii
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCi0x0h4F+vyG69
+wJZiX0N5N8k72g9N9T7N3Pm7F4DkBDzTuMe3q/EeO6LAOxRzSiPKG+451/8SUiXL
+BNgdc7GKXHluyDfzJps9HmciK+wdLbtnRYscQreFYuHQU4fGbxGk2d2FM0TgXP2J
+1hcqtzRWdAy3SQV/pRVwGIO6lcg+0QgdWK8MaqyRWCtvKniIuFh3x0CAmdXQZX+6
+qZy++jI38444k07ODGcI2EU9kSWjzoZzcz2nhXNdZD/E/hEeOk6mG5gbiJqaDp7X
+GtNNqKSccPYl6GCUS2GH4bOF0uueIgKRmxtL3Nine7h/kMlhJVtfRA5ng0STOgXN
+C1LtayrZAgMBAAECggEAXi+szGnUMATLOmxrEWB10WrZtwt+iuPwfnjy5KzF3CAv
+Z3Gd5btKcOiiTnxeagpbBZB+j2tImzp1riiRMwg3jQfNHq4m3zpX1lT956BsprxL
+iYOK4sAdFMWMRkvrYHfjRu7X2zM7BmYEK3VyVT1AwznCGUveKGZALmWf3ZDDEsI/
+saDKiIfMPL5E/4oYLW52Y5W/u7elkp6iTbRAFUatm/a3HsKIMmlk/BVfdWePgAU9
+/jYM0IN2ujG+d5zGE0EH46a4+tBHV6ciuDv7eMz/ok9DeLRcZp+AEFXs5RoNYTLV
+mbfLGOn1wLKneRC9sPETfLiyDg6Jt+eGefL0vr7lmQKBgQDMWXWNy2YzLLw4CFag
+UR/5jNiLlfRSinku4N/1fxpA3wNdF/YPZirlGmM5XsWxRxzaiFBZUPh2ScE4FjeF
+68Lv3haswxVJ9Bxi9NxXoLaW1MYocbsqIWg4ewXbvmdPpwtGUdxEhq6IvWSLoUAd
+Z9nCD0W0zCY8Q36b3CH5QZl2YwKBgQDL+sVgNV+UCTn0k/TChEoiNZq4M7rbRjgF
+utshj2ClVUoebPNd7Bc1zbQbgS4YBtHo1TB1Td1dr2GMz/264q5KQviA2z6PklUv
+/VF150KEhsenMwlZAM48RRiw7gNehPpawuczrzogCElVjKUXMo3eSYzUYcH5sgEk
+G1YwE2IQkwKBgQCMxZfYrWTjHg8vXncmi5xGUkOerReZgPEIXTuLKBsS007C483L
+P+uO1gXCsMnpXP7AgKUxUjlHa3mixJNNO2OX0Fu4ec+BmZuwg9QCvaDq+PrlQ6vW
+0xqzxfP8NAeBdKass5nUzx8O7cGE+vlrCG6XY+P2L6irXSesARKaXhl01wKBgQCy
+rOy91KLvapGQsxXgWb8SbkAkAHQ6ZSznoAEZSZ2P1cECG8+mQwslvxV4TlTRCRBQ
+UoaLCnTQ/rKFhR+t16hyNm21edc4LidezRfRHoz+x40V4bfbdcAxvRjeyu66meMv
+I7EgbeqNapTKUlO+mTL6NxUcaLFghtNHDIcXv7LT7wKBgAY6qGB42RFmlZBhCzBO
+FAjLF3oxyf32bcAPLx7bHFQFyZcnuEOVK9ZVThSIkW9uidrd+QJ1mixBIw8HVbI+
+7TVX9KnFXx8FIlqTS+foKaOUmeazrB3bTF/xeQhvKFveRZnpgWvxur6Jueh/9D3p
+iGGxP0SeYuAWBX6AjMcFZ2OK
+-----END PRIVATE KEY-----

GA-Schloss/openvpn/keys/chris.crt

@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Oct  9 15:48:51 2015 GMT
+            Not After : Oct  9 15:48:51 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=chris/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c2:55:cc:8d:85:d0:e6:9b:70:86:aa:59:b4:d3:
+                    a1:bd:0a:42:e8:42:4d:de:b7:4c:fc:c1:42:9c:dc:
+                    01:fd:6b:c8:5a:0f:3f:d9:29:6c:fe:4e:5c:77:9e:
+                    ad:42:ce:db:ea:55:e6:aa:c0:3b:81:90:a9:b7:0b:
+                    07:9a:0e:4e:c6:79:13:a3:f0:5e:c8:b2:b7:aa:49:
+                    16:f0:58:ed:04:fc:22:e3:e1:64:68:53:f2:ca:c0:
+                    98:24:00:83:5e:80:14:d4:02:83:21:85:e7:f4:77:
+                    a1:c7:a1:cc:3d:75:af:cd:c4:df:72:63:83:7b:f6:
+                    77:bd:4f:b5:ec:82:93:c4:c0:2f:ba:66:3b:9b:90:
+                    b9:ef:48:a7:43:77:88:32:8e:11:4c:e1:d5:91:e2:
+                    ee:fd:f6:6a:67:e9:cd:24:fb:34:70:92:4c:80:85:
+                    a5:41:34:db:22:f6:c5:18:82:30:60:53:e1:8c:84:
+                    a5:de:9d:41:5d:ac:db:d8:c1:f6:aa:84:72:ee:38:
+                    73:49:26:e3:9f:58:ff:b0:63:b6:79:92:6f:20:e2:
+                    d4:f0:96:96:8e:51:1d:bf:98:c5:38:48:c5:52:bd:
+                    dd:ae:1c:4c:c7:04:25:82:df:1d:a0:8d:05:d3:7a:
+                    31:db:46:a4:c6:1a:0c:91:e8:05:8a:d5:8b:35:02:
+                    b6:ed
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                A3:D8:CF:8D:23:44:DB:48:37:2E:C1:70:7F:80:39:59:B8:B6:42:F0
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:chris
+    Signature Algorithm: sha256WithRSAEncryption
+         73:75:c5:a6:45:7d:6e:25:7d:d0:c2:1a:cc:09:aa:55:ce:1a:
+         a4:c6:b5:34:3e:72:a6:8e:92:25:20:19:3e:4c:5b:63:db:23:
+         cb:5d:d5:30:7e:81:17:98:ec:dc:97:d9:af:8e:2b:75:80:32:
+         17:bf:50:e7:e2:09:fc:f7:22:f3:91:24:55:47:34:f2:9d:92:
+         9e:79:ae:e0:ab:a4:4f:27:32:4a:81:57:f6:5c:63:6f:45:0f:
+         dc:c9:39:b9:3a:c0:3d:9b:80:24:b8:3a:12:3f:12:03:af:51:
+         f4:68:ef:05:01:b2:c9:b9:a9:3b:8b:e6:7f:cd:dd:eb:45:96:
+         98:94:d9:3c:f6:f7:a7:5d:6a:04:78:4b:d6:14:59:68:bf:9b:
+         06:95:b8:c9:6e:de:ea:69:69:dc:81:57:fa:ed:cb:fd:50:74:
+         8f:99:16:7f:78:b7:6a:42:65:cf:2f:6b:3a:d8:56:b1:88:13:
+         05:53:49:e5:cc:b9:73:5c:21:62:1c:c7:bd:6b:10:10:9b:00:
+         19:7a:a4:11:ad:a1:21:e4:71:d6:b6:0e:9e:50:72:6e:df:43:
+         7f:c8:42:94:66:1b:1c:a5:b0:07:d1:3b:85:7f:07:e8:65:b2:
+         74:ba:c2:04:e9:fb:3e:c7:d2:c7:74:4e:0d:bc:09:89:49:0b:
+         dc:c2:af:47
+-----BEGIN CERTIFICATE-----
+MIIFfjCCBGagAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMDA5MTU0ODUx
+WhcNMzUxMDA5MTU0ODUxWjCBujELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEOMAwGA1UEAxMFY2hyaXMxDzAN
+BgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0LWFs
+dGVuc2NobGlyZi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJV
+zI2F0OabcIaqWbTTob0KQuhCTd63TPzBQpzcAf1ryFoPP9kpbP5OXHeerULO2+pV
+5qrAO4GQqbcLB5oOTsZ5E6PwXsiyt6pJFvBY7QT8IuPhZGhT8srAmCQAg16AFNQC
+gyGF5/R3ocehzD11r83E33Jjg3v2d71PteyCk8TAL7pmO5uQue9Ip0N3iDKOEUzh
+1ZHi7v32amfpzST7NHCSTICFpUE02yL2xRiCMGBT4YyEpd6dQV2s29jB9qqEcu44
+c0km459Y/7BjtnmSbyDi1PCWlo5RHb+YxThIxVK93a4cTMcEJYLfHaCNBdN6MdtG
+pMYaDJHoBYrVizUCtu0CAwEAAaOCAYcwggGDMAkGA1UdEwQCMAAwLQYJYIZIAYb4
+QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
+o9jPjSNE20g3LsFwf4A5Wbi2QvAwgfMGA1UdIwSB6zCB6IAUNZ/bDYZA+WUO40V5
+zjeYDShXlVmhgcSkgcEwgb4xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4x
+FDASBgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYx
+GTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1HQS1jYTEP
+MA0GA1UEKRMGVlBOIEdBMS4wLAYJKoZIhvcNAQkBFh9pdEBnZW1laW5zY2hhZnQt
+YWx0ZW5zY2hsaXJmLmRlggkA1cWryyKN05swEwYDVR0lBAwwCgYIKwYBBQUHAwIw
+CwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBWNocmlzMA0GCSqGSIb3DQEBCwUAA4IB
+AQBzdcWmRX1uJX3QwhrMCapVzhqkxrU0PnKmjpIlIBk+TFtj2yPLXdUwfoEXmOzc
+l9mvjit1gDIXv1Dn4gn89yLzkSRVRzTynZKeea7gq6RPJzJKgVf2XGNvRQ/cyTm5
+OsA9m4AkuDoSPxIDr1H0aO8FAbLJuak7i+Z/zd3rRZaYlNk89venXWoEeEvWFFlo
+v5sGlbjJbt7qaWncgVf67cv9UHSPmRZ/eLdqQmXPL2s62FaxiBMFU0nlzLlzXCFi
+HMe9axAQmwAZeqQRraEh5HHWtg6eUHJu30N/yEKUZhscpbAH0TuFfwfoZbJ0usIE
+6fs+x9LHdE4NvAmJSQvcwq9H
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/chris.csr

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDADCCAegCAQAwgboxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDAS
+BgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYxGTAX
+BgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDjAMBgNVBAMTBWNocmlzMQ8wDQYDVQQp
+EwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNj
+aGxpcmYuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCVcyNhdDm
+m3CGqlm006G9CkLoQk3et0z8wUKc3AH9a8haDz/ZKWz+Tlx3nq1CztvqVeaqwDuB
+kKm3CweaDk7GeROj8F7IsreqSRbwWO0E/CLj4WRoU/LKwJgkAINegBTUAoMhhef0
+d6HHocw9da/NxN9yY4N79ne9T7XsgpPEwC+6ZjubkLnvSKdDd4gyjhFM4dWR4u79
+9mpn6c0k+zRwkkyAhaVBNNsi9sUYgjBgU+GMhKXenUFdrNvYwfaqhHLuOHNJJuOf
+WP+wY7Z5km8g4tTwlpaOUR2/mMU4SMVSvd2uHEzHBCWC3x2gjQXTejHbRqTGGgyR
+6AWK1Ys1ArbtAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEALQQyO03pfqcxjaL6
+bti4kEDOqIfTtFvfEYGEl+PIRfdAbBvwCC8678FjW3UmZfIVd6RAWPjaecpb0eBL
+XSOmINJ2kPAMX1nuSUO54GlTfqhbjjpM4moyU9izd5rEg7sjH8M/HhRQcMtI7hWo
+kfiuRrthvnTb1rJBPrpVGpY/RvtNMszDj4RW8DibdJ6P7WpSsapT2DgmjZRsLOcA
+ibdd0fwUkD/qDsAaufPA64CEXCy+RM4fRbIVuqLzn2tbeRFlgZQHCrDtE6SMZatQ
+L+Mlh5WmkRTvPXdoFG1puWUqIBexEucDq4/WzVLqyOdMFvnVZe/aLsBSl4Wpl6yK
+pXsrWw==
+-----END CERTIFICATE REQUEST-----

GA-Schloss/openvpn/keys/chris.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI+jIr9p0kDOwCAggA
+MBQGCCqGSIb3DQMHBAioBIsOmRuGwQSCBMhBAGgoiZwsFZ/DnpLs6FB/yLIXK4Fg
+3ui9yocjEvIYIQpXzQkl/imfk7Kh0Q30MCr+c4y3djQDVgNIGo6lWWWCDoIBbaSq
+gki2iacoHOdQyZn6/1e5yAcFzqBXfGZRw4gUGa45ohAo9y1Tjn1cfdoNXvHzh4mp
+hv/k5sTPsr7WmUBfSHnxKch9tL4lN6KLCYHn9s4aDpJgu5O3aYG7bPxEvtRKvNjX
+RyXoiGMeiNAnWC0qR1cL9Jld7RyudB4TDAvNzzKaZqKR/DX16b7WYr9gISUWJ4mH
+rZ+YGwW0oaTjFQUL2gKSR9273nERV3sOwDDDLLpzBgkT8J/yoivT2yYcmQ7dniqP
+pUvWbbOAOsXnfmzzail12PrEQ8sgfJQH/4VyzbpAGg+vc/4B+tz7V/DBxrkbJgHN
+AwVpkPfLhBbrhM4x4Jt5mKhMnOrmq2ZeWpfOYVgRMNcohOd78RxGT4TYTIviYwYQ
+emi2huIjDfRcUS+pa+WPtj+9PKg8uv7E0b+TgIuP9/1q437SIzMllyFycBChegrp
+6XNoNXn75wLl37gtiFLpMAGJlIqiL3nCdiOtxe+zmPgF0zBHhJZgwb1tGLZqkErU
+FNKljcu9OHRK89+8En9YscLh2KBD64sUvNJMIOmnqo+H5yZEJ+lSHpRIdjC+uLZI
+sDqdz+MEG8Yb5yfkspy8sZB1mOSYUs5t35H6OtHK4KBoYKfll8nwOpUKRFDfBHgg
+v+sI2RC+vmSPbl4XRdjCG1lr6d68v44PWIxEwKvrXxLDs3oKxAr3RyrB8XW/5qzx
+shOxX+xrzJjqSsxpAwhIhDK1gmn0/mm2qLz01hDswX1eVZI9kF2Bc32SlqIlBh+V
+DPAEsODiwLwtWNzNtFn0Nh1gAOF4Urj8CKqDzYBnBssG5S8rZ0mgjea7k83uY+5G
+Qa+EW90/G37QguN1iQI51otBuwNCkv3IPGx6tCRcND4V3vK19IjCNv1yMJxx1p5z
+/ZalztyXgBYmfBYkdolrqs6XdTADHH6kCtyVj0CK89ZBQMdRa3O/b/eSXQE+xGJG
+QzzfFk5GSmWt5qllNd7SeyHMc7Hl3y+u/zCZXl7UkO8QRSC8lS/b6fR2bVqW6QQ0
+Bg9pZA8luVqkHH6dNbaqZuoF3ZI8uL/cMQ6YPi8cg3ypXX4BdJK2XvSvnbhRye6t
+f3W160SO4HnW7hZzN4KC1vh3dmF+9St5gkVHYa8UauHXsevH+T1HiLH3g+BwqP7X
+GAexij7qZilsd4o0ntgbdmGeIJr4QcHJFRcjhg1rRM9r528GhoJKJeB1BznCSWB0
+E2q12IknYLeB+h8j6vqNvGgkY8jkFtwmuSJ/KWui3wLEggTTuVE4niAYGkSiXtQZ
+qaamSD3Yrfttg+WJDdnSs6Akn4PUTBB6uyPmv3j0Bzcb1LC9rsFYGK+urtSze9Lm
+qWVlsbo/r3Mj9+ennAlfTcXQkqLw8qOGwEyVMGMjw8NR3FPfKyorRBuUZ1l23mta
+PAl/oud5ALVYoGTqx3QLb2/54wqG29yi9nhKaImn2SyFKQ3fNbwwOzt8RS2PVEed
+NYJnbR2stA0Bwk5W3jXBDt1WmJu7bEcpmDJ8a8a6m8xtTDnGSAL+Yfe0x/InMNxQ
+ubI=
+-----END ENCRYPTED PRIVATE KEY-----

GA-Schloss/openvpn/keys/crl.pem

@@ -0,0 +1 @@
+../crl.pem

GA-Schloss/openvpn/keys/dh2048.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAmEpXz6H2VOdJJfAGOqCpVkxgbcXG/FIjSbfIRMllYCdwTh5HiDxR
+kAaQCELrknCs1RbdBORzBYVhX6ESJkCqpJGkvroTSRHMUFspOntrW1ag4PwV1RRP
+g6V9Rqbq8tTxdbQQA1IkCjCTdlzyNA2TRlEUb0fLqnAnnt1W8zPpfWJTQUl1pxVh
+HoCDhFZdKgVZ81IY3B8CFHLI22T7dRy/5CzAG0A+8R20PeSQDwxnmKK5byIuhjCU
+wgghYThhyPZ6fCpHX1DLryQSvXV63wIY8Nz9vnqcacYK1E+LN/jNbGYC6nAC0Z2s
+eRpvGNoI2KCVAzvxCJJhuTadqmEW3fhvwwIBAg==
+-----END DH PARAMETERS-----

GA-Schloss/openvpn/keys/gw-ckubu.crt

@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Oct  9 16:07:53 2015 GMT
+            Not After : Oct  9 16:07:53 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=gw-ckubu/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ae:f7:e7:94:71:eb:8e:4b:16:f5:41:b5:00:33:
+                    54:da:9c:11:54:a3:e3:14:0f:f4:1d:e3:32:20:94:
+                    48:fd:46:d8:b2:76:12:3b:23:3c:a2:f2:e4:81:9a:
+                    e5:85:ab:c3:dd:38:c5:e0:ca:ee:af:11:12:f1:8f:
+                    78:3a:78:a5:3f:b9:ea:4e:8e:da:3e:e6:77:d5:ce:
+                    cb:56:3a:ca:bf:97:d6:a5:65:49:15:ce:e0:7b:5a:
+                    f9:c2:96:8a:70:18:be:3b:4f:20:bd:c5:b9:b5:46:
+                    07:f1:54:ad:76:56:47:f1:83:ee:7c:8a:9d:e9:42:
+                    23:a1:a7:b6:fb:76:c3:05:ad:dd:a8:fe:c8:fa:15:
+                    f4:9f:3a:30:dd:4d:c0:50:33:0b:19:f6:51:cb:9f:
+                    70:53:c7:7c:80:c5:69:7a:4c:bb:06:ec:46:e4:6e:
+                    77:18:77:7c:14:58:46:49:9a:ac:1f:a6:46:5f:f7:
+                    1c:71:33:a4:25:f4:82:92:96:56:fd:af:6b:c4:5a:
+                    0e:ef:d3:e6:68:36:c8:e8:8c:1c:75:12:f8:3e:34:
+                    2e:64:dd:a3:bc:b3:7e:2c:e8:56:55:5b:1a:b3:46:
+                    e4:06:d7:b3:f8:19:44:a3:0e:2d:92:0f:c8:64:76:
+                    af:e7:83:fb:62:a1:3a:91:56:fa:47:63:c2:c3:c5:
+                    7b:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                77:17:1E:55:4D:99:B1:B1:C4:AC:7D:4D:89:39:79:47:93:A3:F7:D9
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:gw-ckubu
+    Signature Algorithm: sha256WithRSAEncryption
+         41:4d:2c:2d:3c:df:39:83:ed:10:3d:3f:17:bf:16:10:16:ff:
+         4f:79:db:44:15:d2:9f:e1:1e:49:5a:2b:12:23:48:72:bd:6f:
+         52:7f:75:5c:e1:b7:36:19:82:08:1b:60:c5:48:98:a9:da:55:
+         20:ca:f0:b7:c8:ea:8a:b5:3e:af:17:7d:8c:e0:d4:be:1a:09:
+         43:3b:27:17:59:ba:59:34:1f:6f:b6:3a:c3:be:9a:3f:5e:1b:
+         fc:75:2b:b0:13:d0:48:b2:82:45:fa:97:84:6c:fe:a5:20:d1:
+         a2:e9:6f:e9:eb:53:47:5a:63:b5:0a:5b:ed:67:24:71:6f:86:
+         27:a8:e9:88:12:bf:6c:dd:73:fb:32:6e:a7:b6:d5:fb:eb:dd:
+         23:c1:9a:1a:7b:fc:70:18:ec:b5:ed:e5:33:fd:c1:8b:06:ad:
+         ad:ee:de:e6:d6:b8:54:e0:4a:ef:1a:02:4e:3f:d3:ca:1e:48:
+         05:ad:88:e6:8c:77:81:5c:b6:c7:b1:f7:fe:4e:ad:74:6e:1c:
+         a2:0d:bd:21:b0:0a:19:8b:56:d5:88:6a:51:b5:f6:90:f9:e0:
+         b4:ad:79:c3:cb:f0:be:fe:79:be:4b:39:44:29:e8:82:d9:79:
+         93:3b:c7:5b:36:0a:0e:a8:44:e3:ed:df:e2:0d:de:1c:a2:9b:
+         dd:cd:96:30
+-----BEGIN CERTIFICATE-----
+MIIFhDCCBGygAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMDA5MTYwNzUz
+WhcNMzUxMDA5MTYwNzUzWjCBvTELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczERMA8GA1UEAxMIZ3ctY2t1YnUx
+DzANBgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0
+LWFsdGVuc2NobGlyZi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AK7355Rx645LFvVBtQAzVNqcEVSj4xQP9B3jMiCUSP1G2LJ2EjsjPKLy5IGa5YWr
+w904xeDK7q8REvGPeDp4pT+56k6O2j7md9XOy1Y6yr+X1qVlSRXO4Hta+cKWinAY
+vjtPIL3FubVGB/FUrXZWR/GD7nyKnelCI6Gntvt2wwWt3aj+yPoV9J86MN1NwFAz
+Cxn2UcufcFPHfIDFaXpMuwbsRuRudxh3fBRYRkmarB+mRl/3HHEzpCX0gpKWVv2v
+a8RaDu/T5mg2yOiMHHUS+D40LmTdo7yzfizoVlVbGrNG5AbXs/gZRKMOLZIPyGR2
+r+eD+2KhOpFW+kdjwsPFe0ECAwEAAaOCAYowggGGMAkGA1UdEwQCMAAwLQYJYIZI
+AYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E
+FgQUdxceVU2ZsbHErH1NiTl5R5Oj99kwgfMGA1UdIwSB6zCB6IAUNZ/bDYZA+WUO
+40V5zjeYDShXlVmhgcSkgcEwgb4xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNz
+ZW4xFDASBgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxp
+cmYxGTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1HQS1j
+YTEPMA0GA1UEKRMGVlBOIEdBMS4wLAYJKoZIhvcNAQkBFh9pdEBnZW1laW5zY2hh
+ZnQtYWx0ZW5zY2hsaXJmLmRlggkA1cWryyKN05swEwYDVR0lBAwwCgYIKwYBBQUH
+AwIwCwYDVR0PBAQDAgeAMBMGA1UdEQQMMAqCCGd3LWNrdWJ1MA0GCSqGSIb3DQEB
+CwUAA4IBAQBBTSwtPN85g+0QPT8XvxYQFv9PedtEFdKf4R5JWisSI0hyvW9Sf3Vc
+4bc2GYIIG2DFSJip2lUgyvC3yOqKtT6vF32M4NS+GglDOycXWbpZNB9vtjrDvpo/
+Xhv8dSuwE9BIsoJF+peEbP6lINGi6W/p61NHWmO1ClvtZyRxb4YnqOmIEr9s3XP7
+Mm6nttX7690jwZoae/xwGOy17eUz/cGLBq2t7t7m1rhU4ErvGgJOP9PKHkgFrYjm
+jHeBXLbHsff+Tq10bhyiDb0hsAoZi1bViGpRtfaQ+eC0rXnDy/C+/nm+SzlEKeiC
+2XmTO8dbNgoOqETj7d/iDd4copvdzZYw
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/gw-ckubu.csr

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDAzCCAesCAQAwgb0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDAS
+BgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYxGTAX
+BgNVBAsTEE5ldHdvcmsgU2VydmljZXMxETAPBgNVBAMTCGd3LWNrdWJ1MQ8wDQYD
+VQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVpbnNjaGFmdC1hbHRl
+bnNjaGxpcmYuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCu9+eU
+ceuOSxb1QbUAM1TanBFUo+MUD/Qd4zIglEj9RtiydhI7Izyi8uSBmuWFq8PdOMXg
+yu6vERLxj3g6eKU/uepOjto+5nfVzstWOsq/l9alZUkVzuB7WvnClopwGL47TyC9
+xbm1RgfxVK12Vkfxg+58ip3pQiOhp7b7dsMFrd2o/sj6FfSfOjDdTcBQMwsZ9lHL
+n3BTx3yAxWl6TLsG7EbkbncYd3wUWEZJmqwfpkZf9xxxM6Ql9IKSllb9r2vEWg7v
+0+ZoNsjojBx1Evg+NC5k3aO8s34s6FZVWxqzRuQG17P4GUSjDi2SD8hkdq/ng/ti
+oTqRVvpHY8LDxXtBAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEABTwNV3bioK+L
+xQPEZiKN82VZn6E/ChjvF9triY7aS8wckX0sFzkKNGUl7pxlv12hm13Bq97DUtJW
+n4es+x5XJbIdg45FBwtlM9eX1N54lOp3tTWOF+YQD2Wfdz1tpUOnizulNZIhRVp+
+HF/ikbl+VDDyEC6x0mr8MA1l5zISxzIwwroOUbA9+hb+1Uf3IDJwfwdvRANaQhYv
+7YrqsRjbACs03ST/bwn70f0Lhq4lwBXxdPTVVd9UzyCPYZLIw07Bznd54nhR6dwQ
+pnYM93xDIT6yVQjnCU91Nqd4iLxOWdMIJUyrtjrAg7crWTLlcFIUCOrrU8qhrJze
+5iYIZBGXWg==
+-----END CERTIFICATE REQUEST-----

GA-Schloss/openvpn/keys/gw-ckubu.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5AUTsVDif7oCAggA
+MBQGCCqGSIb3DQMHBAg12+MbxEoyygSCBMgCrl75V6WYOCdXaXmPDePYFZnY1rms
+O7VBq16osPoJCUbnowfDlWyj73kM0kypBQPK1l9ZtXiC50BgbjPS16CeeAZNvFyr
+/1glAmHv4wKArmzF8GL98vEDsKbnBV9nFnPe1YV+Rq4QqeSiOmnWJOqoFbpYDJiO
+f2Io1g9DgoYYjMhvvjMk/mG4Oa6aOueMDYBFQ17NCNwXDj65HI685SiMEYzksQEW
+GcerSML5Q9PDwbaiH+xs1AVp3MEa65PDj3KW7jcB8LenSAzodXo6dhzJelSgv2Bo
+Q769n14ZetOK0Mv/o4blxQAPsbfknKylg/tvGIkFt38mH3PBJeXCNElyWHZJD6BR
+xZah53ajLQa6XXhV2LOj+qKjgvIH4lwb10nr+eL3VdXKPXdMrGQUHHx59Z5zGnwK
+qoRvKOtx/Lk56c+ycjCo0MJW4QddxB8rBmMEduUcI+jIk0ffF26F/uWh/gZO59hj
+Tu6cGAgZY5hxkofm+b4FdyC8dNgQUspPqs9iIqkMSjttzuihme2qdQg5cgl0F2Zp
+u7FTp/E8CsRX+MpVm/i+/0oXi9hspvEwfZcg1hpk3LdF2w3Ym+Wj/jlBiUbTC17K
+YSLQQk2WEWLbvhGLA/3Hp2auYm0h4PxyG9lp1RTkK6WJSz+Vjc/Y8V01Ml5l7pT5
+22eTksbqTeNcasCZkm7dEfAiuA222qS6OUZLzUkX9cBb6EXG/XIQ0qzY6c0UR/38
+qfU0aP1Z08mIwMhGfyn/QmYTcxMw2rov6eHt2tsemDFXNf3qj2dUvJn91nu4b0OQ
+3ddYB6mazfwCOqXeAzxv+POxuJvjUIx3MmIyQtQTvlNa0nzg89DNlAtBrRKDJVvS
+mRLEBT/mFTz6KPpdfVp+qdx+akAQ7YCpmRfBs1Am685b9azOs8+VQOl8rp4PpkU3
+T2rSCRpc7O6hW+YZYBwEMgJn0Qs5YXyiE8Js+k9QB5d20hGIJQAQ6hAyLLamHcj4
+K6KaBhycvsXvB27drkkofQOVEIV751McsgwC+cxS2DRaJf4udr20Pg/2Trc539kp
+anj/hT2auv3/rGGTfY9RLblp00eCjKazltsg3/DbQ5S34hSxnipfa7o6PACxqgAk
+qgZ0G5K/smgql5nppPpE8udS0utfDKgi7lCwlviIfKY/UjsQwRr3wh1L2NrjG1nY
+f7df0/WfVAc9+LA7QBVtKp68oh2wTCGQXdhgjwJgDMJp7xA/I1kd6tsjkXPjPNct
+tg1MZYL/jDjAEzC96ikhLCjbybLVmL3NJKC8Y5+kpxrIs7W4T+ZwTXwfgBUN58Kw
+ZHK7JSQzlBKmLlRbpYcjT+Ra5Mf78xA0ZsJ5D7yVoKYmMRfGfDAXQ4s3ri/EyC5h
+t4FeFvUdrr4fTu3FlxCAOhxV6rFG/pkjIe/o0JHEZpTvxnd9algrNCTu4D6EFJTW
+tQNfQY0mctQhtuMoqG51dB1jVRnZ+f+b7bzBnsesSzJNXKcrq8N0mgcZx0nNDn65
+Db32YOv28+JaID53Bq811tHtsybiuTCx+77oubUaH1it5xIMe7NzL9/gQAPkfn5r
+LnaDPGgPFEy6UaErrCOo10CkLq61VoCj8DgQz5fQ41OQrd0WbKYR5yqh/nTXpFus
+z3U=
+-----END ENCRYPTED PRIVATE KEY-----

GA-Schloss/openvpn/keys/gw-nh.crt

@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 5 (0x5)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Oct  9 16:27:27 2015 GMT
+            Not After : Oct  9 16:27:27 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=gw-nh/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:be:07:2f:b4:84:d8:b2:81:07:71:2f:e2:03:49:
+                    36:37:7c:1e:c0:25:7d:56:ca:e8:cc:22:d3:8d:f3:
+                    04:87:7d:2b:7c:ad:e3:28:ce:69:45:d9:5e:c1:bd:
+                    eb:72:a5:66:b0:73:30:d0:62:c4:44:54:e1:16:cf:
+                    82:82:d4:c1:87:ae:ff:f2:c3:0a:c8:cc:cf:c3:9f:
+                    c0:b7:0f:32:38:61:53:76:3e:24:b9:0e:37:85:68:
+                    ff:1c:fd:d8:39:c0:f8:da:23:cf:3c:30:c1:3d:68:
+                    5c:6b:f6:31:04:7d:11:67:bd:de:33:ee:b5:8a:69:
+                    92:10:46:eb:1b:52:1f:7b:8f:e7:46:7a:9d:70:39:
+                    ce:cf:2f:26:1b:fb:f5:1b:2b:af:6b:c1:18:64:21:
+                    6e:3d:b0:de:28:e9:30:e2:3b:a5:fd:d5:c0:80:8e:
+                    4c:08:80:53:0a:04:93:6e:b8:e7:66:8d:f3:19:df:
+                    0d:8c:da:40:ce:3f:23:a7:8e:18:8e:9a:76:fb:2e:
+                    52:b3:da:14:da:69:c2:07:09:2a:db:70:37:1b:f5:
+                    fa:c5:31:3f:0e:d6:07:30:63:da:1c:0a:fb:2e:45:
+                    3c:58:6b:48:9b:fb:f1:50:70:7a:3a:3d:bd:a7:31:
+                    8b:04:22:97:27:ff:cd:20:2a:e6:58:7b:57:14:bf:
+                    7d:3b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                4A:3F:A6:14:BC:62:49:79:F5:0C:48:73:5C:C9:5A:1E:A0:36:BB:E8
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:gw-nh
+    Signature Algorithm: sha256WithRSAEncryption
+         75:a5:dd:59:e4:3d:33:1c:ca:6f:8b:7f:97:cb:cf:4e:12:af:
+         cf:c7:7d:a8:f4:d4:95:38:30:e5:1b:ff:f5:20:0e:ef:b7:25:
+         75:c7:44:3e:9a:78:e4:fe:6d:9a:5b:a1:cc:6e:4d:7e:cb:a7:
+         c7:95:fa:7f:e7:c2:38:e1:9c:2e:79:7b:61:b0:d9:6e:2c:dd:
+         28:4e:31:d5:66:45:c8:74:06:fc:c9:4d:a8:96:25:04:a5:2f:
+         45:f1:64:13:50:41:e1:86:d7:4e:4e:38:69:d6:00:e4:24:d6:
+         65:38:17:50:ee:d5:d8:f8:bd:80:07:e2:d1:b4:ed:d9:d3:a5:
+         a4:ba:37:50:6e:bb:48:30:9e:e7:93:1d:2e:89:da:b6:b0:04:
+         f6:1b:48:38:e2:66:3a:c0:82:e0:a2:00:60:cb:05:93:13:85:
+         cc:aa:e1:a1:c7:a3:7f:d9:96:46:e9:d8:da:c8:0d:c9:da:19:
+         12:98:56:46:ff:9f:ae:ec:82:fb:df:67:ae:72:63:68:76:e0:
+         d3:00:2c:8c:ee:26:c8:31:ad:b7:c7:44:4d:00:6d:c9:dc:e3:
+         73:74:9f:24:be:5a:1c:9f:5d:3f:34:ce:b5:af:8b:00:63:0f:
+         26:d2:42:2a:7e:13:f6:2c:33:6c:8c:0d:e7:3b:87:aa:f7:ec:
+         fa:da:2c:d4
+-----BEGIN CERTIFICATE-----
+MIIFfjCCBGagAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMDA5MTYyNzI3
+WhcNMzUxMDA5MTYyNzI3WjCBujELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEOMAwGA1UEAxMFZ3ctbmgxDzAN
+BgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0LWFs
+dGVuc2NobGlyZi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4H
+L7SE2LKBB3Ev4gNJNjd8HsAlfVbK6Mwi043zBId9K3yt4yjOaUXZXsG963KlZrBz
+MNBixERU4RbPgoLUwYeu//LDCsjMz8OfwLcPMjhhU3Y+JLkON4Vo/xz92DnA+Noj
+zzwwwT1oXGv2MQR9EWe93jPutYppkhBG6xtSH3uP50Z6nXA5zs8vJhv79Rsrr2vB
+GGQhbj2w3ijpMOI7pf3VwICOTAiAUwoEk26452aN8xnfDYzaQM4/I6eOGI6advsu
+UrPaFNppwgcJKttwNxv1+sUxPw7WBzBj2hwK+y5FPFhrSJv78VBwejo9vacxiwQi
+lyf/zSAq5lh7VxS/fTsCAwEAAaOCAYcwggGDMAkGA1UdEwQCMAAwLQYJYIZIAYb4
+QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
+Sj+mFLxiSXn1DEhzXMlaHqA2u+gwgfMGA1UdIwSB6zCB6IAUNZ/bDYZA+WUO40V5
+zjeYDShXlVmhgcSkgcEwgb4xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4x
+FDASBgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYx
+GTAXBgNVBAsTEE5ldHdvcmsgU2VydmljZXMxEjAQBgNVBAMTCVZQTi1HQS1jYTEP
+MA0GA1UEKRMGVlBOIEdBMS4wLAYJKoZIhvcNAQkBFh9pdEBnZW1laW5zY2hhZnQt
+YWx0ZW5zY2hsaXJmLmRlggkA1cWryyKN05swEwYDVR0lBAwwCgYIKwYBBQUHAwIw
+CwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBWd3LW5oMA0GCSqGSIb3DQEBCwUAA4IB
+AQB1pd1Z5D0zHMpvi3+Xy89OEq/Px32o9NSVODDlG//1IA7vtyV1x0Q+mnjk/m2a
+W6HMbk1+y6fHlfp/58I44ZwueXthsNluLN0oTjHVZkXIdAb8yU2oliUEpS9F8WQT
+UEHhhtdOTjhp1gDkJNZlOBdQ7tXY+L2AB+LRtO3Z06WkujdQbrtIMJ7nkx0uidq2
+sAT2G0g44mY6wILgogBgywWTE4XMquGhx6N/2ZZG6djayA3J2hkSmFZG/5+u7IL7
+32eucmNoduDTACyM7ibIMa23x0RNAG3J3ONzdJ8kvlocn10/NM61r4sAYw8m0kIq
+fhP2LDNsjA3nO4eq9+z62izU
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/gw-nh.csr

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDADCCAegCAQAwgboxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDAS
+BgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYxGTAX
+BgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDjAMBgNVBAMTBWd3LW5oMQ8wDQYDVQQp
+EwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNj
+aGxpcmYuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+By+0hNiy
+gQdxL+IDSTY3fB7AJX1WyujMItON8wSHfSt8reMozmlF2V7BvetypWawczDQYsRE
+VOEWz4KC1MGHrv/ywwrIzM/Dn8C3DzI4YVN2PiS5DjeFaP8c/dg5wPjaI888MME9
+aFxr9jEEfRFnvd4z7rWKaZIQRusbUh97j+dGep1wOc7PLyYb+/UbK69rwRhkIW49
+sN4o6TDiO6X91cCAjkwIgFMKBJNuuOdmjfMZ3w2M2kDOPyOnjhiOmnb7LlKz2hTa
+acIHCSrbcDcb9frFMT8O1gcwY9ocCvsuRTxYa0ib+/FQcHo6Pb2nMYsEIpcn/80g
+KuZYe1cUv307AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAe4iSoHDP3XIYoKQS
+XqGBRcSZfZDfGvT03SKa8gMJKasntjqMN8YncQLoWMbRptsFTX7SW4Nfy5G8Qs3B
+fLa5fI1wDOLn6sGknL1di/kAVZMrBZKeEQosKSOXIGIxw2RPqgMkZgjIv2Zkn6jD
+Vj7Bwi9Et9X/QYE5YUbtFBy9YkH88low1ptyveSuUwH5taUNZGrmdSn7ERTzdCk7
+uwJipg09g+jHsLwnO1nEc5ndLk+cnKQ1wpuInh7ASWF0cxV6/73BW6pfTWuvIiGz
+C9xMImTW/FQ3YChGLP/LSNx1q4YMLe7GiKjO0CMpNkzQjv1xqL7BkLuAGFl8G1bR
+68kU2Q==
+-----END CERTIFICATE REQUEST-----

GA-Schloss/openvpn/keys/gw-nh.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIfFEEBI5TU4wCAggA
+MBQGCCqGSIb3DQMHBAhOg8WplS3B4QSCBMjncG99GrUpu5n9rRr6cYp05VeUieib
+tSzfHncSSq91g5Fpi6+iGSp49FCtCVP9g6KnNy8EukBe2msGHKdQz1sWBvn2ElZs
+Qm06cMWwPx4s1sgeGYOWRc/rHEKyKHn1Y8DjjqvThsg11LfajeQsd7G0MxKQKTt7
+x9kTB5JudITa/ADSRGvV9tiCPiFgLu6Nriva4spVP3lh9LmCbJIY52915PpZtTD5
+wNYA1x7J3w74tubhykNGH1dz5SQwt8vatYXEGkhSHGUnGCrPkW1QlACo7MkgEXe/
+tUf2FqSrOcnOtOtD2srlUZbZO/k2N3pIlzKjM2UXtxVS4iBrEHNalIfxCRnIFuVx
+MhR8y5uQdiNwPPDOZfpiYsSGJpjJx57yi9Ii2Bs7oEXfTPTum5Y5cRyH5lN//3ek
+AN4zsCmTUPwHc2GVlcte9gpiWQvZ0hO4tl50kjtSzMFRHEARE7Ne0yrRE2YYxXQ1
+FQkbXiLPHnRkFsvNsiu0hFtX9BvXRFgC7jeYj+EHyaxbFPn4HqRaLO63A+BrA0xX
+GXiVLP12WcHmAKFcHRC1bCAzCKFlroXyohyhEneSnF92wVqq048QkRqBUyYy9sw7
+IBxVMpFrKsn2F8L/4G6wK203Z4pXyxS36PnbuQcO7HhAA/ddpObvlR0APrSiOUO0
+wjwE6sUe6cL9HAC7qK5G8ueEcaNOSfi0AMiJXAl3viLoPsdcnb2f6QYaq3DSc91r
+cWbzuHWLQodfT4+4Ua3G861MLjy2a3O2yikZqfZUiXMKUKwYXM5HyfD8SxMQP+E4
+b0CYLRrMattgJErgU/kOtRMeyZM9WxY+vzOyRnKP8IKHdcGZl0q7WYWVlG4jsEuj
+OQPKHFlNb/0+Z7x0Na8x9YzQvdpGB4/sDica2f3iSyA+khnmM75k1Pz1KbFwHfe7
+Bwmz0HvOeXepydmru/UDMR0mHWVYDrxUzOEE7fdM2pr0/xO+9pwVlTIugAg9wben
+MBMYtxZiPKIAvGu42IpmXZC+Z9BcuVMDoAhKv5IGxE1wWhashhMR3eOKGgEsRQ8V
+BKNSYzBVen9XlKb32xB74xgcokv1suczERUfn5JyDt7xltSTPRola0HjwvLzXYiz
+ncgGlOmhcuHCRqIH03GlPXPIonqYcAZoCcp0YBhoWQHWRBqTwIIRRRVLewIs+zUZ
+/B5shBdQfVoFC+6BL39qDuF9hlk9JSzUek8agVP2Lrpf5jRbo4S7/joxPj/he4N8
+LLkeqvrqBJ9BkIpXUIca90a5bp5PR5KLjlLvQFljZQ0pW90l0jGH3LxvTRAxYnGe
+rK3J9fnJkj3jOxCnJ6INQPNi1RBORO4JFZzLpVEmM4dVM5OcmraYV9HieUGTQAF0
+qM++6cCWKlF3NbIHYfuRZMxLXLB2mhn++XTchHnbQeAFw8k/KwEx9Ajo5C548I38
+Ja5KnEKXhQ5D5Q9MHANyq6oJPKkVhN2alv/pEFoupngbr3NiNgIKdUKJC9JLDFnA
+5QkKgpwt9S7RKnp1HWiAbwCFbG5/acN/kyQtL9vCdiDuUrJ6Po+FIfbgollZRn46
+xQ/U3NdiQvdM51JAvwgXNJhgzgSOMvGghj65neh2m4HZl1dTq6qGI1vnLEC5Cag8
+a1s=
+-----END ENCRYPTED PRIVATE KEY-----

GA-Schloss/openvpn/keys/index.txt

@@ -0,0 +1,6 @@
+V	351009154637Z		01	unknown	/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=server/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+V	351009154851Z		02	unknown	/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=chris/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+V	351009155415Z		03	unknown	/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=wadmin/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+V	351009160753Z		04	unknown	/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=gw-ckubu/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+V	351009162727Z		05	unknown	/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=gw-nh/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+V	351126195711Z		06	unknown	/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=madmin/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de

GA-Schloss/openvpn/keys/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

GA-Schloss/openvpn/keys/index.txt.attr.old

@@ -0,0 +1 @@
+unique_subject = yes

GA-Schloss/openvpn/keys/index.txt.old

@@ -0,0 +1,5 @@
+V	351009154637Z		01	unknown	/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=server/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+V	351009154851Z		02	unknown	/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=chris/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+V	351009155415Z		03	unknown	/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=wadmin/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+V	351009160753Z		04	unknown	/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=gw-ckubu/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+V	351009162727Z		05	unknown	/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=gw-nh/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de

GA-Schloss/openvpn/keys/madmin.crt

@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 6 (0x6)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Nov 26 19:57:11 2015 GMT
+            Not After : Nov 26 19:57:11 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=madmin/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d9:35:1c:5e:da:a9:31:86:bb:22:31:76:a9:51:
+                    18:4a:ed:5a:9e:e8:fd:16:85:32:a8:0b:91:87:e3:
+                    92:12:12:a7:06:da:c5:c9:48:9b:fa:94:81:36:63:
+                    d3:11:25:0b:3d:3d:fc:94:3b:e3:91:1a:e1:cf:d0:
+                    53:88:0e:9e:79:5d:6e:18:6d:a0:71:8e:ec:f3:3e:
+                    50:08:4d:73:7c:23:d0:af:ff:ae:c1:ad:5b:99:cd:
+                    bf:f2:04:43:09:79:83:f2:ac:10:0e:0c:0d:ec:b6:
+                    81:f9:65:75:3c:ea:c2:52:2a:32:1b:a8:d1:af:c7:
+                    85:66:a7:73:af:14:dd:95:41:a0:ed:52:79:44:ce:
+                    b7:0b:3e:19:80:ef:71:b2:15:6e:7a:96:0f:10:2f:
+                    50:8a:f8:90:f6:8f:6a:fe:b5:21:ef:78:95:0e:94:
+                    2f:aa:f7:16:b4:73:f2:62:32:8a:8c:c7:e6:d5:bf:
+                    fc:78:e1:fc:43:d4:d0:93:08:26:8e:f6:a8:31:2b:
+                    4f:6e:cd:88:ae:14:e7:0d:c5:ec:49:09:7a:16:6e:
+                    10:d5:83:04:a3:e3:1f:b0:c4:1e:55:65:10:60:5a:
+                    c8:72:e0:9b:c6:b4:26:39:5d:69:55:0e:de:5c:75:
+                    f9:ea:2f:be:9e:61:b1:59:f4:b0:47:03:a4:43:99:
+                    c1:99
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                E9:A6:ED:67:0C:62:23:7A:B3:23:F4:D7:93:5B:63:76:C9:4A:94:A7
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:madmin
+    Signature Algorithm: sha256WithRSAEncryption
+         1b:67:ed:5b:7b:f6:b5:bf:83:3b:7e:22:4f:0c:82:c2:07:94:
+         2a:78:50:f8:85:a5:8f:83:d7:88:8c:99:fe:8a:2d:00:9c:93:
+         f6:9a:96:67:ca:ed:4d:81:06:4a:c3:5f:85:5c:b6:31:c4:5c:
+         78:28:fd:72:07:72:5b:84:ac:6e:58:b6:98:57:04:cd:5d:d5:
+         f1:36:f7:39:d2:79:bf:b8:66:48:25:e5:37:27:77:af:0f:e2:
+         0c:9d:53:e3:eb:1f:62:a2:ea:17:16:6e:75:25:28:c0:d3:b0:
+         fd:8d:79:b8:9a:1a:1e:c0:7f:b7:d6:70:ce:b0:6a:8e:30:2b:
+         a5:c8:70:bd:a5:df:f7:b8:a3:8a:b7:96:da:b0:6a:03:a3:31:
+         02:cf:7d:1d:49:39:88:26:dc:39:f3:2c:f9:c5:4a:13:f8:28:
+         d0:a0:1f:59:2d:ea:62:22:ef:cd:6d:95:c8:a9:11:55:da:30:
+         da:38:d5:92:d5:94:60:12:9e:a8:d9:cb:3e:c6:90:21:04:a3:
+         97:b7:5a:1f:77:d5:4f:95:ab:4f:b6:3d:bc:6a:6c:5c:1e:5e:
+         16:9b:28:2e:1c:6a:20:64:8d:f3:42:e5:b0:a4:0d:59:b5:5d:
+         e8:4f:31:04:78:1c:86:f9:8d:38:0c:28:ab:94:c1:bd:bd:be:
+         84:f4:2d:d6
+-----BEGIN CERTIFICATE-----
+MIIFgDCCBGigAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMTI2MTk1NzEx
+WhcNMzUxMTI2MTk1NzExWjCBuzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEPMA0GA1UEAxMGbWFkbWluMQ8w
+DQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVpbnNjaGFmdC1h
+bHRlbnNjaGxpcmYuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ
+NRxe2qkxhrsiMXapURhK7Vqe6P0WhTKoC5GH45ISEqcG2sXJSJv6lIE2Y9MRJQs9
+PfyUO+ORGuHP0FOIDp55XW4YbaBxjuzzPlAITXN8I9Cv/67BrVuZzb/yBEMJeYPy
+rBAODA3stoH5ZXU86sJSKjIbqNGvx4Vmp3OvFN2VQaDtUnlEzrcLPhmA73GyFW56
+lg8QL1CK+JD2j2r+tSHveJUOlC+q9xa0c/JiMoqMx+bVv/x44fxD1NCTCCaO9qgx
+K09uzYiuFOcNxexJCXoWbhDVgwSj4x+wxB5VZRBgWshy4JvGtCY5XWlVDt5cdfnq
+L76eYbFZ9LBHA6RDmcGZAgMBAAGjggGIMIIBhDAJBgNVHRMEAjAAMC0GCWCGSAGG
++EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+FOmm7WcMYiN6syP015NbY3bJSpSnMIHzBgNVHSMEgeswgeiAFDWf2w2GQPllDuNF
+ec43mA0oV5VZoYHEpIHBMIG+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2Vu
+MRQwEgYDVQQHEwtTdG9ja2hhdXNlbjEYMBYGA1UEChMPR0EgQWx0ZW5zY2hsaXJm
+MRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRIwEAYDVQQDEwlWUE4tR0EtY2Ex
+DzANBgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0
+LWFsdGVuc2NobGlyZi5kZYIJANXFq8sijdObMBMGA1UdJQQMMAoGCCsGAQUFBwMC
+MAsGA1UdDwQEAwIHgDARBgNVHREECjAIggZtYWRtaW4wDQYJKoZIhvcNAQELBQAD
+ggEBABtn7Vt79rW/gzt+Ik8MgsIHlCp4UPiFpY+D14iMmf6KLQCck/aalmfK7U2B
+BkrDX4VctjHEXHgo/XIHcluErG5YtphXBM1d1fE29znSeb+4Zkgl5Tcnd68P4gyd
+U+PrH2Ki6hcWbnUlKMDTsP2NebiaGh7Af7fWcM6wao4wK6XIcL2l3/e4o4q3ltqw
+agOjMQLPfR1JOYgm3DnzLPnFShP4KNCgH1kt6mIi781tlcipEVXaMNo41ZLVlGAS
+nqjZyz7GkCEEo5e3Wh931U+Vq0+2PbxqbFweXhabKC4caiBkjfNC5bCkDVm1XehP
+MQR4HIb5jTgMKKuUwb29voT0LdY=
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/madmin.csr

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDATCCAekCAQAwgbsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDAS
+BgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYxGTAX
+BgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBm1hZG1pbjEPMA0GA1UE
+KRMGVlBOIEdBMS4wLAYJKoZIhvcNAQkBFh9pdEBnZW1laW5zY2hhZnQtYWx0ZW5z
+Y2hsaXJmLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2TUcXtqp
+MYa7IjF2qVEYSu1anuj9FoUyqAuRh+OSEhKnBtrFyUib+pSBNmPTESULPT38lDvj
+kRrhz9BTiA6eeV1uGG2gcY7s8z5QCE1zfCPQr/+uwa1bmc2/8gRDCXmD8qwQDgwN
+7LaB+WV1POrCUioyG6jRr8eFZqdzrxTdlUGg7VJ5RM63Cz4ZgO9xshVuepYPEC9Q
+iviQ9o9q/rUh73iVDpQvqvcWtHPyYjKKjMfm1b/8eOH8Q9TQkwgmjvaoMStPbs2I
+rhTnDcXsSQl6Fm4Q1YMEo+MfsMQeVWUQYFrIcuCbxrQmOV1pVQ7eXHX56i++nmGx
+WfSwRwOkQ5nBmQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAHRLYmGOPJ95FLAh
+oaA71mlotuX2B7N49V3OQmIXr4oMPMZwGLTPA7tKEA8falp2riTaz7kS2pAY1pG0
+v84Suy8J1P34Po5FOsxL92lmumnPfttGBjOE5djVhXw5ES/MnJIR9aZq2dGJvOF8
+Bi4Ys4nurGdCvHLwBQdO/4WL7lf34lM01z3+DaNwhKkD5eQMgACVO0ALIZ7WKbh/
+UaRnB9RlTd8oerkohivVWyaiNryIWLZDL7lUCu9QIfc4eVPbROsYGoiQ9GUnS4It
+zLBXelPWQi9odlwe8fZ1F+GxETzZuFtcP+ecigqX9OwnaBf15yZ/gxZiAj7cRMBm
+LrCUjSA=
+-----END CERTIFICATE REQUEST-----

GA-Schloss/openvpn/keys/madmin.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIVWFb2HHiFsoCAggA
+MBQGCCqGSIb3DQMHBAg/ZPMf/AEB0QSCBMivNQy6fm7MNypg5I1upqmCZpEkDaP8
+lxPZWWDfv+quEGgEWWCxgfsEAIgHLRFtQtjBzpGMA0VK6IR1Anvlab+HcapXeYEb
+fmUlc9JSpuJNPQdFruBP+QzE2W/X4Fz3pOUSjMjBIEA/p2XAdd1NcYKifdDRX7xR
+AYsiH7JSqyVA5b1h8urSwb63Cqb/dQE+GEWJvvBd7bxdbcVlSzATaM3C3zQQMR6Z
+Xx7W6jhAR/1yvpLSMpZixBi7F1Ox7zUUS8Ppu6m5y3GJGQ9eduz/gWLzWeOov/cV
+LoS3Dny8CmDX9c6NIgZPmupDOTfMEaDSa0EqRDRXjJJRo5gGxCvFs0CCZxEY90CR
+s+g8ULFWwWndYmFDn2bHEPA8uPgvrddVh/I2k2A5WROjoIbmq51waA++V4S2/ZDX
++6vf2SvMg7uFbhVex4eAoqyxC7hRH8BCTrDuV/p99w/opbHi062LE4qF/QH3Agl0
+O4kNwzk6XBwIMp57kAagGV6UUwFWJYUSHwY1IOULQ/EUk8lkBz5GlDy2RO7LJYGi
+snCUm/JYHW+HlflguAN+Jafo1MTjGOH1As88bt1qOBhYDBhYKmAQdMzJN4zfhw6l
+ykXtderJYaBVc8BedRDbibMGjMif7/mSZzZi/c/xBFhg8YPoqrvz9yUI+Us4WSgx
+Rk6GBN2s1sBn2JMDF7ofjD6oE96eWC60eTOD6qEyQTcCjLMO0GRL/71JDOw9Q/aE
+ssR5mRxKfBhy/vApT8QR2RfQ/7LUuoNbedv+xCoy20p6vBBt9a4+qvX5YhkdVt2S
+MY5ebZgeVSTWECwXB2w+TFDO00L6Kxe25DBMGw+sogefzk3pC8I9vhGJ48glWQVx
+9sV0ILpVjnpuPveK7OgYQMj88hzpl1/GWqGjf9ZD7NcOhCKpOIuxMPeKXTZmG9HS
+qmjvC/G4pVpUh8s3zxTMtmckzEkd1uK1MlEh+V59O6zNeEO291cqwnoSiojkbeHi
+smU/9IddaBUbsLyDNCYSbP9aDQdQocAPis3TTDMsp7WnUopBUcefgd3f+spe/QAW
+1DM5ezQb2Fqc/t+Gzxq3ZF+2rQ+3sgWuO9+Qr9rNNjWTA3/h4UCAGzE0nBM+xacl
+r1effXLK/+i32PNcyDK37inS/Ysi25CItkKVJeWCLFDo4HYtbI3vrE+LJrEGoG/z
+91rpeojEAh2MM43h6AzAV/BK7TuOXGHM/AqMDFqCOnGk27GNcsvAHrZ1ZprdCwdP
+HzuDyt3IEKuOmWWiUM4VWlctq5ydg0nkDEl3AnqigjeYzCD2tb8iHE95E1COo3Xi
+Kt8OBCSKhgu5i2HbgQEUTvB5B5IouBW+gHK1fxNGZErcU1feBNwheU3UbJHVAB0G
+4nzgC43Uy5IE6Bb8y3s9fWYlaQ8gVAfSeDKAWE65meO2hz2FjbY3NwA8UJ1k6PMY
+sE6+a/VBAvKw5B7/oZNRAdZd5SVN6WQiX65FyBXVlvTCpd7jNNrh9ExTBPbqi7Nx
+4Kh2YoWsJBpFKNcUNIrdryewqJQO+rN26by9S/b8I5q+y61TMygyeKXccFGj8Rfh
+Jj7f+bcO8PXQFRGVzhVMBCOJ2RBP1hHBQSZ3sl9R+BCyf3MYD+SpgpY1e7BIUr0b
+Lb8=
+-----END ENCRYPTED PRIVATE KEY-----

GA-Schloss/openvpn/keys/serial

@@ -0,0 +1 @@
+07

GA-Schloss/openvpn/keys/serial.old

@@ -0,0 +1 @@
+06

GA-Schloss/openvpn/keys/server.crt

@@ -0,0 +1,101 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Oct  9 15:46:37 2015 GMT
+            Not After : Oct  9 15:46:37 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=server/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:be:0c:c2:ab:db:2f:7f:ba:ff:65:4c:17:07:46:
+                    61:5e:56:85:8b:8f:d4:13:05:8b:be:9b:a2:d8:3a:
+                    68:b4:5f:c1:31:fa:27:4e:cd:15:8c:d5:9d:76:ca:
+                    ca:3d:4d:90:f4:16:51:4b:b2:50:12:0d:73:cc:b7:
+                    66:7c:87:39:ae:2a:20:38:80:bc:45:51:40:16:3f:
+                    1e:93:99:ad:4f:e9:6c:d7:1f:fe:be:36:2b:63:58:
+                    84:47:1a:c0:31:2f:9c:37:6d:9d:ba:10:c4:c2:4a:
+                    93:0a:d5:4e:70:00:46:13:6f:bd:1a:02:6a:11:06:
+                    69:3a:a8:ad:72:94:63:2d:c9:12:1a:1a:4b:e9:67:
+                    e9:64:8c:df:de:70:df:ac:7b:4a:1f:5a:3a:30:f7:
+                    19:51:04:73:8a:ce:7f:b1:cb:8c:ab:97:b8:15:b6:
+                    e1:5c:c1:9c:c7:91:cc:52:fe:c7:33:71:1a:b1:2a:
+                    99:c9:c4:ef:3e:dd:5d:eb:1e:5b:fc:f9:04:c2:0b:
+                    68:5e:69:24:8d:68:59:db:70:3e:b9:b8:75:69:d3:
+                    67:af:0b:b3:1d:d7:42:6c:08:24:5a:d9:18:18:b7:
+                    bb:f5:b6:f2:73:da:14:7b:3f:56:7d:79:df:da:09:
+                    1a:52:c1:2c:e1:f8:7c:5a:3b:fb:44:d2:f4:2d:43:
+                    13:d9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                6C:63:B8:00:5F:EA:CD:9C:61:19:41:5B:5A:56:AB:4A:A2:E1:C3:13
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         92:dc:23:54:f7:13:0a:b8:0f:dd:89:fc:33:4a:98:1b:de:fa:
+         4e:2e:bb:6f:e1:37:ec:75:f9:6b:40:00:cb:3f:bd:d9:52:31:
+         df:2a:29:8a:4d:15:0a:87:73:15:31:1a:4b:d5:66:d1:a0:60:
+         11:13:0f:c3:36:62:89:ed:be:5b:8d:dd:3c:f9:15:4a:a4:0f:
+         d7:9f:09:5a:ce:aa:a4:be:8a:b4:99:09:d4:16:fb:6c:23:74:
+         b4:01:57:a5:2d:18:0d:f7:b8:87:ee:3e:e8:22:5d:10:85:a6:
+         4b:e6:18:4a:de:aa:5f:0b:4c:12:ea:f8:71:c8:dd:94:21:da:
+         c5:85:8e:0a:da:bc:bc:9c:5c:13:65:b5:36:71:04:da:d5:97:
+         46:b1:19:60:17:50:eb:eb:02:1b:fe:22:dc:cf:c8:7d:4c:61:
+         27:eb:f1:5b:c5:54:78:eb:64:b9:d5:6d:cd:2d:29:21:33:7e:
+         6a:29:60:25:a0:88:94:5e:0a:a6:ed:ac:d9:c1:b7:ff:9e:1b:
+         bc:e1:8f:aa:b1:a4:b7:a7:f6:d7:e8:9e:49:f4:22:9b:bd:10:
+         30:56:55:9a:d7:c7:6f:78:e6:04:5e:5c:2e:ae:3a:3b:4b:9e:
+         92:e1:09:46:42:8c:d4:7d:dc:72:87:0a:7f:5b:70:32:2c:a5:
+         f8:0d:27:af
+-----BEGIN CERTIFICATE-----
+MIIFmjCCBIKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMDA5MTU0NjM3
+WhcNMzUxMDA5MTU0NjM3WjCBuzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEPMA0GA1UEAxMGc2VydmVyMQ8w
+DQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVpbnNjaGFmdC1h
+bHRlbnNjaGxpcmYuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+
+DMKr2y9/uv9lTBcHRmFeVoWLj9QTBYu+m6LYOmi0X8Ex+idOzRWM1Z12yso9TZD0
+FlFLslASDXPMt2Z8hzmuKiA4gLxFUUAWPx6Tma1P6WzXH/6+NitjWIRHGsAxL5w3
+bZ26EMTCSpMK1U5wAEYTb70aAmoRBmk6qK1ylGMtyRIaGkvpZ+lkjN/ecN+se0of
+Wjow9xlRBHOKzn+xy4yrl7gVtuFcwZzHkcxS/sczcRqxKpnJxO8+3V3rHlv8+QTC
+C2heaSSNaFnbcD65uHVp02evC7Md10JsCCRa2RgYt7v1tvJz2hR7P1Z9ed/aCRpS
+wSzh+HxaO/tE0vQtQxPZAgMBAAGjggGiMIIBnjAJBgNVHRMEAjAAMBEGCWCGSAGG
++EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJhdGVkIFNl
+cnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUbGO4AF/qzZxhGUFbWlarSqLhwxMw
+gfMGA1UdIwSB6zCB6IAUNZ/bDYZA+WUO40V5zjeYDShXlVmhgcSkgcEwgb4xCzAJ
+BgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDASBgNVBAcTC1N0b2NraGF1c2Vu
+MRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYxGTAXBgNVBAsTEE5ldHdvcmsgU2Vy
+dmljZXMxEjAQBgNVBAMTCVZQTi1HQS1jYTEPMA0GA1UEKRMGVlBOIEdBMS4wLAYJ
+KoZIhvcNAQkBFh9pdEBnZW1laW5zY2hhZnQtYWx0ZW5zY2hsaXJmLmRlggkA1cWr
+yyKN05swEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMBEGA1UdEQQK
+MAiCBnNlcnZlcjANBgkqhkiG9w0BAQsFAAOCAQEAktwjVPcTCrgP3Yn8M0qYG976
+Ti67b+E37HX5a0AAyz+92VIx3yopik0VCodzFTEaS9Vm0aBgERMPwzZiie2+W43d
+PPkVSqQP158JWs6qpL6KtJkJ1Bb7bCN0tAFXpS0YDfe4h+4+6CJdEIWmS+YYSt6q
+XwtMEur4ccjdlCHaxYWOCtq8vJxcE2W1NnEE2tWXRrEZYBdQ6+sCG/4i3M/IfUxh
+J+vxW8VUeOtkudVtzS0pITN+ailgJaCIlF4Kpu2s2cG3/54bvOGPqrGkt6f21+ie
+SfQim70QMFZVmtfHb3jmBF5cLq46O0uekuEJRkKM1H3ccocKf1twMiyl+A0nrw==
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/server.csr

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDATCCAekCAQAwgbsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDAS
+BgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYxGTAX
+BgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBnNlcnZlcjEPMA0GA1UE
+KRMGVlBOIEdBMS4wLAYJKoZIhvcNAQkBFh9pdEBnZW1laW5zY2hhZnQtYWx0ZW5z
+Y2hsaXJmLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvgzCq9sv
+f7r/ZUwXB0ZhXlaFi4/UEwWLvpui2DpotF/BMfonTs0VjNWddsrKPU2Q9BZRS7JQ
+Eg1zzLdmfIc5riogOIC8RVFAFj8ek5mtT+ls1x/+vjYrY1iERxrAMS+cN22duhDE
+wkqTCtVOcABGE2+9GgJqEQZpOqitcpRjLckSGhpL6WfpZIzf3nDfrHtKH1o6MPcZ
+UQRzis5/scuMq5e4FbbhXMGcx5HMUv7HM3EasSqZycTvPt1d6x5b/PkEwgtoXmkk
+jWhZ23A+ubh1adNnrwuzHddCbAgkWtkYGLe79bbyc9oUez9WfXnf2gkaUsEs4fh8
+Wjv7RNL0LUMT2QIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAA8po3xtTV2ncixm
+RYLsqAVziil/1PyPZxep9OXZK22gac+rpWh8BG/tfApMcnAArSxAx6cIyU3cADqt
+7NYCrvAT1NHsPiL1AbQwfuhxBRdYRax668kSMeUtTuzafuULLNwtdtIvsamW7hBu
+73BeQxSG1pyIv0rlkShvsIcXr4AbnpO3tt/LV3Cf+LpRcy3HvRywkqWQB/7ET/c8
+R53XLnLpe+f8uq9eQSOZOEyntG7J3Pbwmy1iBd6I8o3EUyGzKcjTsealBui4QZ/T
+DY/FM/BcRP+jkvuW3M9p0cdDJyKb/YOM6e0aNAFZidwchRHucbk8U81XMX/Lp4eb
+SCAFcc4=
+-----END CERTIFICATE REQUEST-----

GA-Schloss/openvpn/keys/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+DMKr2y9/uv9l
+TBcHRmFeVoWLj9QTBYu+m6LYOmi0X8Ex+idOzRWM1Z12yso9TZD0FlFLslASDXPM
+t2Z8hzmuKiA4gLxFUUAWPx6Tma1P6WzXH/6+NitjWIRHGsAxL5w3bZ26EMTCSpMK
+1U5wAEYTb70aAmoRBmk6qK1ylGMtyRIaGkvpZ+lkjN/ecN+se0ofWjow9xlRBHOK
+zn+xy4yrl7gVtuFcwZzHkcxS/sczcRqxKpnJxO8+3V3rHlv8+QTCC2heaSSNaFnb
+cD65uHVp02evC7Md10JsCCRa2RgYt7v1tvJz2hR7P1Z9ed/aCRpSwSzh+HxaO/tE
+0vQtQxPZAgMBAAECggEBAIhxStXtH9XZIADOtv2/FqqO/YOr9/rMEX7/59LLZF6T
+HHXP/aaCcIVS26DsiHOom3fSCf2JgBjl1YxU41xmDRAwKD/IlOJDKfqOyFn5i8cC
+c+SikNZot4+0fgs6dl8ZqlLU/NcXsNs4hQbTC2Q3nhfYMfBZaWLdsnCtpxDK3cWB
+BVu6kD5/535WUdSrOWm5Cn8pnqZDKHGp92hzkiF8tL+HChuihgxgGBZulHFv2our
+SyEOuG72guAnRB8YKbYsS/CidJH3t8rpHf8RkkmWMybLeuzxReEZk+bmLZwC7wCg
+Gx0atAyB1uj0RZyr+5izWXnY+zOkRnKM1e+PiwDHFwECgYEA++8fnEhBMlISOrhB
+J4GbV7tov2X9x3YCHeuAd3/50pucrWQVbAkL2F9kYLjLP4HMQKqC33OinOuJfrkU
+KBmfi+6xPShRxpIjzVkvdWUgkbpJeMtfWOJ+meMAHTRdO+vqGZgmBSelYeO9PYVU
+OFfOuiZbvbcz900rHoIWrsEStWECgYEAwR31p0LTr9yWgzQTpNYTaUG5jFXBkB3i
+8Kc0gtDijeLuXGsD5DUuKp3uD8l4YoIIDojFEWiy4Fy0/C1dVHM3xTjB9VgS13I/
+/Wl428TQlGEM4YTMkxDDaKw7y51rRq7g3SMSa212FYqOz1JQ4uR4I842MMtpyAH8
+lNn+IVkA+XkCgYBOLq0OoNWquhFyK4/8pJoCpeQh0ZLp/VM22ciqTQrIMwZyQKbt
+Ofl1ElViNrbMZIlwX/nxQj9qlyW6L9FziFAc6twR8JtAFkYKCe1SbymmT7tRQzu5
+p8BGHU4BwihU2idx/ed+ngkS0cv+dYvnWEiNOC4sN9hmnIoPE6vaW4xkwQKBgCRB
+i60rTrLlpxxa2pVH270XKc6/CugTtFeaDLHCpcYdpMKVFNXzZgd6PweXu5JC92BD
+LTxne63DufbeTXddaksMrN1y+5aXTIw3EQmxmbdBwTlVxVKXAxjTvSYtF8bdbjoW
+K48frdu9d7JUsfrnCecu/92JUwLJ3LHVe3CnVReBAoGBAOA2oIXTin1nl7gHDaTO
+S/oWzZGaDNXhC3Jbx58wTTtm0l7WgIWRoQN0sxjHMcwjM9WWRyN+D2RG8eANXSsZ
+O4w42OE1bCY9AXWsV24t0wfRZogRmjmIMIQdMrFogBdDHT+qL05bkLLqZ501npEy
+HvQbWGaqr5d/BS1tWF6WO10K
+-----END PRIVATE KEY-----

GA-Schloss/openvpn/keys/ta.key

@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+2e6c91c0db488d5f018432f60605fbba
+5ec1afd4522ddd28d917ade2c7515daf
+9a7a3104b523c929f10a2ccdd2197b83
+949e5644669ab0f82b62e08aa887252a
+cc20618f9f8c1b0eeded6ea92a392e79
+e477a890e2800cf0cf340ac6139cf7a6
+0cfc5c713a39e8b2c44347006bb90583
+8fe0bccf4feea50e7880ee7c7c510114
+e9613960f8af9096fc46d75886b1bdbd
+773b77d9044db17109a5615614797b98
+bdacaae155966bad69819d08f1c8cafa
+1cf102981e2188d155d26043b59538b9
+15c1d67430d6b67c9c313123fb7cb427
+29cc6972e63470c74c6bf2342fb57ba3
+50d3254df49d2158f4faf5bc38fa9d69
+1014d126eac903e30f6c97df69a3b665
+-----END OpenVPN Static key V1-----

GA-Schloss/openvpn/keys/wadmin.crt

@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Validity
+            Not Before: Oct  9 15:54:15 2015 GMT
+            Not After : Oct  9 15:54:15 2035 GMT
+        Subject: C=DE, ST=Hessen, L=Stockhausen, O=GA Altenschlirf, OU=Network Services, CN=wadmin/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b6:f8:b1:f2:dd:fd:65:5f:86:7e:3f:39:d0:f2:
+                    ca:b4:f5:64:ea:5a:79:9f:cc:14:7b:ed:7a:3f:be:
+                    8d:ba:6a:d6:89:92:1a:26:c4:11:4e:86:10:8c:71:
+                    d4:f9:d1:bd:d7:65:2f:56:81:1e:38:81:61:fd:62:
+                    f4:5b:3c:c8:34:9d:00:47:ee:16:a0:52:a9:ca:df:
+                    09:d0:94:c1:7d:cd:f7:a7:0c:7a:ce:d1:4a:c5:99:
+                    56:29:32:f9:b4:fb:d3:4a:36:1d:ff:b7:9f:50:c8:
+                    ca:2d:a0:31:77:8b:09:fa:15:08:fe:42:f4:3e:dd:
+                    98:cb:bb:19:d2:d0:57:50:a9:4d:93:dd:91:39:3e:
+                    4f:38:32:6d:b8:99:f9:ea:93:47:28:82:e9:75:f5:
+                    4b:c2:55:3b:65:ae:5d:f6:4c:d2:c6:9d:18:86:eb:
+                    4d:83:36:e4:ab:c1:66:cf:77:f7:0b:fa:3d:9b:1f:
+                    40:2b:28:01:c0:88:c7:bc:18:83:26:b7:41:5e:9e:
+                    8c:d2:fe:e9:39:d4:ec:2b:be:4d:7e:fd:a0:dc:04:
+                    b4:00:e4:ca:85:59:01:55:a8:d3:48:be:41:12:7c:
+                    8e:ee:79:8d:a7:89:ad:ab:71:a8:d0:d1:a9:ce:9f:
+                    7e:a4:2a:17:26:18:90:bf:13:d9:f1:a3:be:a6:b9:
+                    09:51
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                B9:71:69:E0:F6:17:0F:A6:D3:C4:AF:28:C6:A5:B1:E9:58:2F:6C:86
+            X509v3 Authority Key Identifier: 
+                keyid:35:9F:DB:0D:86:40:F9:65:0E:E3:45:79:CE:37:98:0D:28:57:95:59
+                DirName:/C=DE/ST=Hessen/L=Stockhausen/O=GA Altenschlirf/OU=Network Services/CN=VPN-GA-ca/name=VPN GA/emailAddress=it@gemeinschaft-altenschlirf.de
+                serial:D5:C5:AB:CB:22:8D:D3:9B
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:wadmin
+    Signature Algorithm: sha256WithRSAEncryption
+         99:1d:d1:a2:eb:8c:d5:89:c3:1f:0a:8f:10:85:99:92:f6:58:
+         da:99:b3:d3:01:9a:b4:7c:b2:9b:61:9e:7f:dd:41:24:ec:75:
+         19:82:35:aa:2b:74:14:29:55:6c:74:08:d0:18:95:8f:b9:1e:
+         12:1e:80:78:58:b5:e0:b0:f5:08:17:d9:36:e9:42:a1:a6:cc:
+         7a:be:92:a7:f3:9b:6b:2f:d8:db:4b:50:ca:dd:f2:de:90:d9:
+         2a:2e:8d:81:76:7e:a0:2e:28:a0:3d:e6:fc:31:4b:d7:b4:6d:
+         7f:a0:f9:f1:6f:d8:ea:7d:a2:e0:a6:2e:db:52:96:2c:7a:b6:
+         10:5a:15:bb:07:34:88:5f:74:d2:6c:e6:7e:f1:7f:20:47:56:
+         be:78:be:1e:37:35:79:c1:a9:0d:bf:df:11:7d:09:97:c7:93:
+         9c:27:11:5b:b4:99:fe:fc:77:2b:39:52:7c:a7:d5:85:1c:71:
+         b9:4f:45:ce:48:bf:04:8e:25:87:3b:ad:55:54:ea:4c:2c:38:
+         8f:14:c2:49:d1:62:c4:d5:bc:4d:94:5f:4f:8f:bf:19:25:f0:
+         20:f9:2d:3c:ca:18:d2:7c:2f:f9:ca:a4:fd:3e:7a:67:74:d9:
+         fc:b6:74:e9:40:61:7d:5f:1e:97:a3:d4:2a:11:53:a5:e6:08:
+         b4:4c:56:bb
+-----BEGIN CERTIFICATE-----
+MIIFgDCCBGigAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkhlc3NlbjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoT
+D0dBIEFsdGVuc2NobGlyZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczESMBAG
+A1UEAxMJVlBOLUdBLWNhMQ8wDQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEW
+H2l0QGdlbWVpbnNjaGFmdC1hbHRlbnNjaGxpcmYuZGUwHhcNMTUxMDA5MTU1NDE1
+WhcNMzUxMDA5MTU1NDE1WjCBuzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3Nl
+bjEUMBIGA1UEBxMLU3RvY2toYXVzZW4xGDAWBgNVBAoTD0dBIEFsdGVuc2NobGly
+ZjEZMBcGA1UECxMQTmV0d29yayBTZXJ2aWNlczEPMA0GA1UEAxMGd2FkbWluMQ8w
+DQYDVQQpEwZWUE4gR0ExLjAsBgkqhkiG9w0BCQEWH2l0QGdlbWVpbnNjaGFmdC1h
+bHRlbnNjaGxpcmYuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
++LHy3f1lX4Z+PznQ8sq09WTqWnmfzBR77Xo/vo26ataJkhomxBFOhhCMcdT50b3X
+ZS9WgR44gWH9YvRbPMg0nQBH7hagUqnK3wnQlMF9zfenDHrO0UrFmVYpMvm0+9NK
+Nh3/t59QyMotoDF3iwn6FQj+QvQ+3ZjLuxnS0FdQqU2T3ZE5Pk84Mm24mfnqk0co
+gul19UvCVTtlrl32TNLGnRiG602DNuSrwWbPd/cL+j2bH0ArKAHAiMe8GIMmt0Fe
+nozS/uk51Owrvk1+/aDcBLQA5MqFWQFVqNNIvkESfI7ueY2nia2rcajQ0anOn36k
+KhcmGJC/E9nxo76muQlRAgMBAAGjggGIMIIBhDAJBgNVHRMEAjAAMC0GCWCGSAGG
++EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+FLlxaeD2Fw+m08SvKMalselYL2yGMIHzBgNVHSMEgeswgeiAFDWf2w2GQPllDuNF
+ec43mA0oV5VZoYHEpIHBMIG+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2Vu
+MRQwEgYDVQQHEwtTdG9ja2hhdXNlbjEYMBYGA1UEChMPR0EgQWx0ZW5zY2hsaXJm
+MRkwFwYDVQQLExBOZXR3b3JrIFNlcnZpY2VzMRIwEAYDVQQDEwlWUE4tR0EtY2Ex
+DzANBgNVBCkTBlZQTiBHQTEuMCwGCSqGSIb3DQEJARYfaXRAZ2VtZWluc2NoYWZ0
+LWFsdGVuc2NobGlyZi5kZYIJANXFq8sijdObMBMGA1UdJQQMMAoGCCsGAQUFBwMC
+MAsGA1UdDwQEAwIHgDARBgNVHREECjAIggZ3YWRtaW4wDQYJKoZIhvcNAQELBQAD
+ggEBAJkd0aLrjNWJwx8KjxCFmZL2WNqZs9MBmrR8spthnn/dQSTsdRmCNaordBQp
+VWx0CNAYlY+5HhIegHhYteCw9QgX2TbpQqGmzHq+kqfzm2sv2NtLUMrd8t6Q2Sou
+jYF2fqAuKKA95vwxS9e0bX+g+fFv2Op9ouCmLttSlix6thBaFbsHNIhfdNJs5n7x
+fyBHVr54vh43NXnBqQ2/3xF9CZfHk5wnEVu0mf78dys5Unyn1YUccblPRc5IvwSO
+JYc7rVVU6kwsOI8UwknRYsTVvE2UX0+Pvxkl8CD5LTzKGNJ8L/nKpP0+emd02fy2
+dOlAYX1fHpej1CoRU6XmCLRMVrs=
+-----END CERTIFICATE-----

GA-Schloss/openvpn/keys/wadmin.csr

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDATCCAekCAQAwgbsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDAS
+BgNVBAcTC1N0b2NraGF1c2VuMRgwFgYDVQQKEw9HQSBBbHRlbnNjaGxpcmYxGTAX
+BgNVBAsTEE5ldHdvcmsgU2VydmljZXMxDzANBgNVBAMTBndhZG1pbjEPMA0GA1UE
+KRMGVlBOIEdBMS4wLAYJKoZIhvcNAQkBFh9pdEBnZW1laW5zY2hhZnQtYWx0ZW5z
+Y2hsaXJmLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtvix8t39
+ZV+Gfj850PLKtPVk6lp5n8wUe+16P76NumrWiZIaJsQRToYQjHHU+dG912UvVoEe
+OIFh/WL0WzzINJ0AR+4WoFKpyt8J0JTBfc33pwx6ztFKxZlWKTL5tPvTSjYd/7ef
+UMjKLaAxd4sJ+hUI/kL0Pt2Yy7sZ0tBXUKlNk92ROT5PODJtuJn56pNHKILpdfVL
+wlU7Za5d9kzSxp0YhutNgzbkq8Fmz3f3C/o9mx9AKygBwIjHvBiDJrdBXp6M0v7p
+OdTsK75Nfv2g3AS0AOTKhVkBVajTSL5BEnyO7nmNp4mtq3Go0NGpzp9+pCoXJhiQ
+vxPZ8aO+prkJUQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBALEFfyQawpvGPUqd
+/8l/cvrmgTplTcoHOG+GR6VIeY8nMuOXtX28lQRyORStukZLAxqYgd4xBETYfFIX
+FNMtHeouUD716OLaiVrGX3Vi5gY86fL1Uw5Rssu4Chc3EF2bbbkhZDQSBSKldMwU
+xU2IIstX4HRy1a0IyXhQviU53NZinnAAw7w30mc5M8HRZxN3VI/cU0vObCCnly45
+u98I/e1ETpu2pUFtylKDo7TkmCI5dZIXlNzB5CqSupWXN4cDcpjwg1pdL2Xbp2Vv
+APev0quH5IJDrbcEoMHNLnELAnWvWFEni+VPzzLPwdhMCB960RkRV2PcmqwPVp2p
+8j3GLQE=
+-----END CERTIFICATE REQUEST-----

GA-Schloss/openvpn/keys/wadmin.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIzVaR+NyEkEkCAggA
+MBQGCCqGSIb3DQMHBAiFw7KoOWsYqgSCBMiuQLtxLOKWhpBuVPz4uoFiEen3XBj6
+vKSobxJ59Nam63+KYVJ9JmSY5kbvNQ6fUzLyui/UviG2yK+asxokiTQd7w+86ZAZ
+XtAw13gbdT5yodm3/Lja1IMBDszX+L+E54lTXUkr/xLKfb2A+y/dE/vq4YaWoGya
+AKMwZOqxD1JKTW2S+gLnP/9qaaavNCYoBqwve0T/VnphFyS6UlqvWtS2KHCncI7y
+YOHj+QiPbunqQilWoft3ZGQlBHwqUMCIVHr5xaJ/bYpKprSmnfFb2a7LZ9lsLFgL
+Bzi0EBrvAWILMbNE3h67scHMGNdGDm8XfAH90l2YyumEG3OyNbmN+ci4F1+dDElk
+GMeOjw4jw0ni12P2R9RfnB/CyxxdJw+SuFSf49wqcPfJFWll50sdrPGGPhcAGxbL
+SGfJhXqZ4V97Uh6lBZoYxiz0jeL5LzluUHvDHe1NcibZ/yDeAxW5wkCZ1FslPzXX
+NW+fEDFU0cTdOPdP1IerN5JNHc333XkpdGNfnRiMmB3c+1vOzTd56SblIS0C/kKO
+WzyZzesjSoI1xeKEEB74LPPexr++dIYGyyuaxC7t5o9QygRBOuWJ1AOr9dIJ7wsN
+lSNVlLPltkkKtirrpYt4XpHEOLWpI09zYeP7aPhHrxYT8OMQ/lIo+pEFRp+K4Fi2
+pMo5syDbLa53WRMdP7aSd79IvRxFPYjAcnTNjcXFsSsi8HeGQ5QBSL/DhbUUnM6R
+DUbFAJFBFQoYeEoPHtyJdWBsq0AKsIht61LcqRxWx+Dd6rVLf/1jaEUdFY51/N7Z
+KpCpE2Tbv2M5+FemApmlZy/LHMARuus+mwwfnUT9x2kZR9+O6ay5ArHpFBuZBca5
+ro4H3xOIVEU2fc+4ve0OEEZ5mQkizJIo71Dmi7xN1uTu+Cj8XjcW4l2ZHgONv25f
+5qqriu4SBwUyJ16rH3s3g9P+RN8XXaxvlqft6NT4vjwFWyB65qWiMAuLfsWjnlBZ
+D4xqrpk5SnWKbwcjxv2Yzuuhme3fAJ8fzHSEXbucgaNiU2DwdE6dDgX5VrYaGGHa
+aKm4wY/dSsk7a2E5DXb6W6ersf9e67DNZOnjDTMD/Iz6hnWMwH4G0Z78ipB2wKSB
+JhFoAMFnjnteGE33ti0LiGanmPzctF9g5kKlqUQoedvYKHbTop0/8X2EJKp6PRyk
+IVX2seHV2nNTc5CWXLuY4jhRl42NHtwWz/ZI0R8uF0Ue0rENB1EnQy+zC5Ytwu9E
+wq1q7mHJHoZvO0qsCO4C+WMq6Nl9lHrrZznAfAV2uPYlQ9ZfOe1s68ETVDugqs3n
+PG+HH8D/TpzSDXaoeoNfYiWkmwdpizVANmLHWF4bra/4WNOh4HEC7kZ7zZqA+m1T
+pAG0hceOe1DrMH2xemgtOee4/yuX7Jwf4dQA5aAqTAs5ZWMK6CGCAZohsMCODq+b
+0LUhFT/oBQlrtWq5YRq3NMZVIDhcJc2w6kPS8Gg2HT2JgchcixYnm8PiBR7QtOC1
+6YpBUxwDBAt/gBgZzVgEo0fl4A+FLj41GPv1MODhZ90G9jo9hi26c+v4He4pNEGw
+l5+27/bONC4cQAYLXSafYpXgphe3Pug9LFi1bFGdIAbl8zrJyxEl7SCOjrvpdK6v
+B1o=
+-----END ENCRYPTED PRIVATE KEY-----

GA-Schloss/openvpn/server-gw-ckubu.conf

@@ -0,0 +1,300 @@
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port 1195
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+
+topology subnet
+route 192.168.63.0 255.255.255.0 10.1.11.1
+route 192.168.64.0 255.255.255.0 10.1.11.1
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap" if you are ethernet bridging.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca keys/ca.crt
+cert keys/server.crt
+key keys/server.key  # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys. 
+dh keys/dh2048.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.1.11.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist /etc/openvpn/ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 192.168.23.0 255.255.255.0"
+;push "route 192.168.81.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+client-config-dir /etc/openvpn/ccd/server-gw-ckubu
+;route 192.168.40.128 255.255.255.248
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# the TUN/TAP interface to the internet in
+# order for this to work properly).
+# CAVEAT: May break client's network config if
+# client's local DHCP server packets get routed
+# through the tunnel.  Solution: make sure
+# client's local DHCP server is reachable via
+# a more specific route than the default route
+# of 0.0.0.0/0.0.0.0.
+;push "redirect-gateway"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+;push "dhcp-option DNS 10.8.0.1"
+;push "dhcp-option WINS 10.8.0.1"
+;push "dhcp-option DNS 192.168.11.1"
+;push "dhcp-option DOMAIN ga.intra"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth keys/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status /var/log/openvpn/status-server-gw-ckubu.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+log         /var/log/openvpn/server-gw-ckubu.log
+;log-append  openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 4
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+#crl-verify /etc/openvpn/keys/crl.pem

GA-Schloss/openvpn/server-gw-nh.conf

@@ -0,0 +1,299 @@
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port 1196
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+
+topology subnet
+route 192.168.81.0 255.255.255.0 10.2.11.1
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap" if you are ethernet bridging.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca keys/ca.crt
+cert keys/server.crt
+key keys/server.key  # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys. 
+dh keys/dh2048.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.2.11.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist /etc/openvpn/ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 192.168.23.0 255.255.255.0"
+;push "route 192.168.81.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+client-config-dir /etc/openvpn/ccd/server-gw-nh
+;route 192.168.40.128 255.255.255.248
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# the TUN/TAP interface to the internet in
+# order for this to work properly).
+# CAVEAT: May break client's network config if
+# client's local DHCP server packets get routed
+# through the tunnel.  Solution: make sure
+# client's local DHCP server is reachable via
+# a more specific route than the default route
+# of 0.0.0.0/0.0.0.0.
+;push "redirect-gateway"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+;push "dhcp-option DNS 10.8.0.1"
+;push "dhcp-option WINS 10.8.0.1"
+push "dhcp-option DNS 192.168.11.1"
+push "dhcp-option DOMAIN ga.intra"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth keys/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status /var/log/openvpn/status-server-gw-nh.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+log         /var/log/openvpn/server-gw-nh.log
+;log-append  openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 0
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+#crl-verify /etc/openvpn/keys/crl.pem

GA-Schloss/openvpn/server-home.conf

@@ -0,0 +1,315 @@
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port 1194
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+
+topology subnet
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca  keys/ca.crt
+cert keys/server.crt
+key keys/server.key  # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys. 
+dh  keys/dh2048.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.0.11.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Configure server mode for ethernet bridging
+# using a DHCP-proxy, where clients talk
+# to the OpenVPN server-side DHCP server
+# to receive their IP address allocation
+# and DNS server addresses.  You must first use
+# your OS's bridging capability to bridge the TAP
+# interface with the ethernet NIC interface.
+# Note: this mode only works on clients (such as
+# Windows), where the client-side TAP adapter is
+# bound to a DHCP client.
+;server-bridge
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 192.168.10.0 255.255.255.0"
+push "route 192.168.11.0 255.255.255.0"
+push "route 192.168.10.0 255.255.255.0"
+push "route 10.10.11.0 255.255.255.0"
+
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+client-config-dir /etc/openvpn/ccd/server-home
+;route 192.168.40.128 255.255.255.248
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# or bridge the TUN/TAP interface to the internet
+# in order for this to work properly).
+;push "redirect-gateway def1 bypass-dhcp"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+# The addresses below refer to the public
+# DNS servers provided by opendns.com.
+;push "dhcp-option DNS 208.67.222.222"
+;push "dhcp-option DNS 208.67.220.220"
+push "dhcp-option DNS 192.168.11.1"
+push "dhcp-option DOMAIN ga.intra"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth keys/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status /var/log/openvpn/status-server-home.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+;log         openvpn.log
+;log-append  openvpn.log
+log         /var/log/openvpn/server-home.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 4
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+
+# CRL (certificate revocation list) verification
+crl-verify /etc/openvpn/crl.pem

GA-Schloss/openvpn/update-resolv-conf

@@ -0,0 +1,58 @@
+#!/bin/bash
+# 
+# Parses DHCP options from openvpn to update resolv.conf
+# To use set as 'up' and 'down' script in your openvpn *.conf:
+# up /etc/openvpn/update-resolv-conf
+# down /etc/openvpn/update-resolv-conf
+#
+# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
+# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. 
+# 
+# Example envs set from openvpn:
+#
+#     foreign_option_1='dhcp-option DNS 193.43.27.132'
+#     foreign_option_2='dhcp-option DNS 193.43.27.133'
+#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
+#
+
+[ -x /sbin/resolvconf ] || exit 0
+[ "$script_type" ] || exit 0
+[ "$dev" ] || exit 0
+
+split_into_parts()
+{
+	part1="$1"
+	part2="$2"
+	part3="$3"
+}
+
+case "$script_type" in
+  up)
+	NMSRVRS=""
+	SRCHS=""
+	for optionvarname in ${!foreign_option_*} ; do
+		option="${!optionvarname}"
+		echo "$option"
+		split_into_parts $option
+		if [ "$part1" = "dhcp-option" ] ; then
+			if [ "$part2" = "DNS" ] ; then
+				NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
+			elif [ "$part2" = "DOMAIN" ] ; then
+				SRCHS="${SRCHS:+$SRCHS }$part3"
+			fi
+		fi
+	done
+	R=""
+	[ "$SRCHS" ] && R="search $SRCHS
+"
+	for NS in $NMSRVRS ; do
+        	R="${R}nameserver $NS
+"
+	done
+	echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
+	;;
+  down)
+	/sbin/resolvconf -d "${dev}.openvpn"
+	;;
+esac
+