summaryrefslogtreecommitdiff
path: root/app/openvpn/sample
diff options
context:
space:
mode:
authorParménides GV <parmegv@sdf.org>2014-04-09 16:03:55 +0200
committerParménides GV <parmegv@sdf.org>2014-04-09 16:07:34 +0200
commit1684c8f398922065a97e7da4dac4ac6a33cc5218 (patch)
tree76a4b11ae0d7b217c088f3c2b8fc7e69a7b8ae0d /app/openvpn/sample
parentb9a2b085a8f508cd09e2639c70be845c992c4a3e (diff)
Back to the standard "app" module.
This return to "app" instead of "bitmask_android" is due to this reading: https://developer.android.com/sdk/installing/studio-build.html#projectStructure I'll have to tweak the final apk name in build.gradle.
Diffstat (limited to 'app/openvpn/sample')
-rw-r--r--app/openvpn/sample/Makefile.am34
-rw-r--r--app/openvpn/sample/sample-config-files/README6
-rw-r--r--app/openvpn/sample/sample-config-files/client.conf123
-rwxr-xr-xapp/openvpn/sample/sample-config-files/firewall.sh108
-rwxr-xr-xapp/openvpn/sample/sample-config-files/home.up2
-rw-r--r--app/openvpn/sample/sample-config-files/loopback-client25
-rw-r--r--app/openvpn/sample/sample-config-files/loopback-server26
-rwxr-xr-xapp/openvpn/sample/sample-config-files/office.up2
-rwxr-xr-xapp/openvpn/sample/sample-config-files/openvpn-shutdown.sh5
-rwxr-xr-xapp/openvpn/sample/sample-config-files/openvpn-startup.sh34
-rw-r--r--app/openvpn/sample/sample-config-files/server.conf299
-rw-r--r--app/openvpn/sample/sample-config-files/static-home.conf72
-rw-r--r--app/openvpn/sample/sample-config-files/static-office.conf69
-rw-r--r--app/openvpn/sample/sample-config-files/tls-home.conf83
-rw-r--r--app/openvpn/sample/sample-config-files/tls-office.conf83
-rw-r--r--app/openvpn/sample/sample-config-files/xinetd-client-config11
-rw-r--r--app/openvpn/sample/sample-config-files/xinetd-server-config25
-rw-r--r--app/openvpn/sample/sample-keys/README14
-rw-r--r--app/openvpn/sample/sample-keys/ca.crt19
-rw-r--r--app/openvpn/sample/sample-keys/ca.key15
-rw-r--r--app/openvpn/sample/sample-keys/client.crt65
-rw-r--r--app/openvpn/sample/sample-keys/client.key15
-rw-r--r--app/openvpn/sample/sample-keys/dh1024.pem5
-rw-r--r--app/openvpn/sample/sample-keys/pass.crt65
-rw-r--r--app/openvpn/sample/sample-keys/pass.key18
-rw-r--r--app/openvpn/sample/sample-keys/pkcs12.p12bin0 -> 2685 bytes
-rw-r--r--app/openvpn/sample/sample-keys/server.crt67
-rw-r--r--app/openvpn/sample/sample-keys/server.key15
-rw-r--r--app/openvpn/sample/sample-plugins/defer/README16
-rw-r--r--app/openvpn/sample/sample-plugins/defer/simple.c305
-rwxr-xr-xapp/openvpn/sample/sample-plugins/defer/simple.def6
-rwxr-xr-xapp/openvpn/sample/sample-plugins/defer/winbuild18
-rw-r--r--app/openvpn/sample/sample-plugins/log/log.c184
-rw-r--r--app/openvpn/sample/sample-plugins/log/log_v3.c247
-rwxr-xr-xapp/openvpn/sample/sample-plugins/log/winbuild18
-rw-r--r--app/openvpn/sample/sample-plugins/simple/README16
-rw-r--r--app/openvpn/sample/sample-plugins/simple/simple.c120
-rwxr-xr-xapp/openvpn/sample/sample-plugins/simple/simple.def6
-rwxr-xr-xapp/openvpn/sample/sample-plugins/simple/winbuild18
-rwxr-xr-xapp/openvpn/sample/sample-scripts/auth-pam.pl97
-rwxr-xr-xapp/openvpn/sample/sample-scripts/bridge-start39
-rwxr-xr-xapp/openvpn/sample/sample-scripts/bridge-stop18
-rwxr-xr-xapp/openvpn/sample/sample-scripts/ucn.pl11
-rwxr-xr-xapp/openvpn/sample/sample-scripts/verify-cn64
-rwxr-xr-xapp/openvpn/sample/sample-windows/sample.ovpn103
45 files changed, 2591 insertions, 0 deletions
diff --git a/app/openvpn/sample/Makefile.am b/app/openvpn/sample/Makefile.am
new file mode 100644
index 00000000..be30c88a
--- /dev/null
+++ b/app/openvpn/sample/Makefile.am
@@ -0,0 +1,34 @@
+#
+# OpenVPN -- An application to securely tunnel IP networks
+# over a single UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
+#
+
+MAINTAINERCLEANFILES = \
+ $(srcdir)/Makefile.in
+
+EXTRA_DIST = \
+ sample-plugins \
+ sample-config-files \
+ sample-windows \
+ sample-keys \
+ sample-scripts
+
+if WIN32
+sample_DATA = \
+ client.ovpn \
+ server.ovpn \
+ sample-windows/sample.ovpn
+
+client.ovpn: sample-config-files/client.conf
+ -rm -f client.ovpn
+ cp "$(srcdir)/sample-config-files/client.conf" client.ovpn
+server.ovpn: sample-config-files/server.conf
+ -rm -f server.ovpn
+ cp "$(srcdir)/sample-config-files/server.conf" server.ovpn
+endif
diff --git a/app/openvpn/sample/sample-config-files/README b/app/openvpn/sample/sample-config-files/README
new file mode 100644
index 00000000..d53ac79a
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/README
@@ -0,0 +1,6 @@
+Sample OpenVPN Configuration Files.
+
+These files are part of the OpenVPN HOWTO
+which is located at:
+
+http://openvpn.net/howto.html
diff --git a/app/openvpn/sample/sample-config-files/client.conf b/app/openvpn/sample/sample-config-files/client.conf
new file mode 100644
index 00000000..58b2038b
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/client.conf
@@ -0,0 +1,123 @@
+##############################################
+# Sample client-side OpenVPN 2.0 config file #
+# for connecting to multi-client server. #
+# #
+# This configuration can be used by multiple #
+# clients, however each client should have #
+# its own cert and key files. #
+# #
+# On Windows, you might want to rename this #
+# file so it has a .ovpn extension #
+##############################################
+
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel
+# if you have more than one. On XP SP2,
+# you may need to disable the firewall
+# for the TAP adapter.
+;dev-node MyTap
+
+# Are we connecting to a TCP or
+# UDP server? Use the same setting as
+# on the server.
+;proto tcp
+proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+remote my-server-1 1194
+;remote my-server-2 1194
+
+# Choose a random host from the remote
+# list for load-balancing. Otherwise
+# try hosts in the order specified.
+;remote-random
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server. Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Downgrade privileges after initialization (non-Windows only)
+;user nobody
+;group nobody
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# If you are connecting through an
+# HTTP proxy to reach the actual OpenVPN
+# server, put the proxy server/IP and
+# port number here. See the man page
+# if your proxy server requires
+# authentication.
+;http-proxy-retry # retry on connection failures
+;http-proxy [proxy server] [proxy port #]
+
+# Wireless networks often produce a lot
+# of duplicate packets. Set this flag
+# to silence duplicate packet warnings.
+;mute-replay-warnings
+
+# SSL/TLS parms.
+# See the server config file for more
+# description. It's best to use
+# a separate .crt/.key file pair
+# for each client. A single ca
+# file can be used for all clients.
+ca ca.crt
+cert client.crt
+key client.key
+
+# Verify server certificate by checking
+# that the certicate has the nsCertType
+# field set to "server". This is an
+# important precaution to protect against
+# a potential attack discussed here:
+# http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the nsCertType
+# field set to "server". The build-key-server
+# script in the easy-rsa folder will do this.
+ns-cert-type server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+;tls-auth ta.key 1
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+;cipher x
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+comp-lzo
+
+# Set log file verbosity.
+verb 3
+
+# Silence repeating messages
+;mute 20
diff --git a/app/openvpn/sample/sample-config-files/firewall.sh b/app/openvpn/sample/sample-config-files/firewall.sh
new file mode 100755
index 00000000..19d75ee9
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/firewall.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+
+# A Sample OpenVPN-aware firewall.
+
+# eth0 is connected to the internet.
+# eth1 is connected to a private subnet.
+
+# Change this subnet to correspond to your private
+# ethernet subnet. Home will use HOME_NET/24 and
+# Office will use OFFICE_NET/24.
+PRIVATE=10.0.0.0/24
+
+# Loopback address
+LOOP=127.0.0.1
+
+# Delete old iptables rules
+# and temporarily block all traffic.
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -F
+
+# Set default policies
+iptables -P OUTPUT ACCEPT
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+
+# Prevent external packets from using loopback addr
+iptables -A INPUT -i eth0 -s $LOOP -j DROP
+iptables -A FORWARD -i eth0 -s $LOOP -j DROP
+iptables -A INPUT -i eth0 -d $LOOP -j DROP
+iptables -A FORWARD -i eth0 -d $LOOP -j DROP
+
+# Anything coming from the Internet should have a real Internet address
+iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
+iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
+iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
+iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
+iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
+iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
+
+# Block outgoing NetBios (if you have windows machines running
+# on the private subnet). This will not affect any NetBios
+# traffic that flows over the VPN tunnel, but it will stop
+# local windows machines from broadcasting themselves to
+# the internet.
+iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
+iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
+iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
+iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
+
+# Check source address validity on packets going out to internet
+iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
+
+# Allow local loopback
+iptables -A INPUT -s $LOOP -j ACCEPT
+iptables -A INPUT -d $LOOP -j ACCEPT
+
+# Allow incoming pings (can be disabled)
+iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+# Allow services such as www and ssh (can be disabled)
+iptables -A INPUT -p tcp --dport http -j ACCEPT
+iptables -A INPUT -p tcp --dport ssh -j ACCEPT
+
+# Allow incoming OpenVPN packets
+# Duplicate the line below for each
+# OpenVPN tunnel, changing --dport n
+# to match the OpenVPN UDP port.
+#
+# In OpenVPN, the port number is
+# controlled by the --port n option.
+# If you put this option in the config
+# file, you can remove the leading '--'
+#
+# If you taking the stateful firewall
+# approach (see the OpenVPN HOWTO),
+# then comment out the line below.
+
+iptables -A INPUT -p udp --dport 1194 -j ACCEPT
+
+# Allow packets from TUN/TAP devices.
+# When OpenVPN is run in a secure mode,
+# it will authenticate packets prior
+# to their arriving on a tun or tap
+# interface. Therefore, it is not
+# necessary to add any filters here,
+# unless you want to restrict the
+# type of packets which can flow over
+# the tunnel.
+
+iptables -A INPUT -i tun+ -j ACCEPT
+iptables -A FORWARD -i tun+ -j ACCEPT
+iptables -A INPUT -i tap+ -j ACCEPT
+iptables -A FORWARD -i tap+ -j ACCEPT
+
+# Allow packets from private subnets
+iptables -A INPUT -i eth1 -j ACCEPT
+iptables -A FORWARD -i eth1 -j ACCEPT
+
+# Keep state of connections from local machine and private subnets
+iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Masquerade local subnet
+iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
diff --git a/app/openvpn/sample/sample-config-files/home.up b/app/openvpn/sample/sample-config-files/home.up
new file mode 100755
index 00000000..9c347cc5
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/home.up
@@ -0,0 +1,2 @@
+#!/bin/sh
+route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
diff --git a/app/openvpn/sample/sample-config-files/loopback-client b/app/openvpn/sample/sample-config-files/loopback-client
new file mode 100644
index 00000000..d7f59e69
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/loopback-client
@@ -0,0 +1,25 @@
+# Perform a TLS loopback test -- client side.
+#
+# This test performs a TLS negotiation once every 10 seconds,
+# and will terminate after 2 minutes.
+#
+# From the root directory of the OpenVPN distribution,
+# after openvpn has been built, run:
+#
+# ./openvpn --config sample-config-files/loopback-client (In one window)
+# ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
+
+rport 16000
+lport 16001
+remote localhost
+local localhost
+dev null
+verb 3
+reneg-sec 10
+tls-client
+ca sample-keys/ca.crt
+key sample-keys/client.key
+cert sample-keys/client.crt
+cipher DES-EDE3-CBC
+ping 1
+inactive 120 10000000
diff --git a/app/openvpn/sample/sample-config-files/loopback-server b/app/openvpn/sample/sample-config-files/loopback-server
new file mode 100644
index 00000000..9d21bcec
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/loopback-server
@@ -0,0 +1,26 @@
+# Perform a TLS loopback test -- server side.
+#
+# This test performs a TLS negotiation once every 10 seconds,
+# and will terminate after 2 minutes.
+#
+# From the root directory of the OpenVPN distribution,
+# after openvpn has been built, run:
+#
+# ./openvpn --config sample-config-files/loopback-client (In one window)
+# ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
+
+rport 16001
+lport 16000
+remote localhost
+local localhost
+dev null
+verb 3
+reneg-sec 10
+tls-server
+dh sample-keys/dh1024.pem
+ca sample-keys/ca.crt
+key sample-keys/server.key
+cert sample-keys/server.crt
+cipher DES-EDE3-CBC
+ping 1
+inactive 120 10000000
diff --git a/app/openvpn/sample/sample-config-files/office.up b/app/openvpn/sample/sample-config-files/office.up
new file mode 100755
index 00000000..74a71a33
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/office.up
@@ -0,0 +1,2 @@
+#!/bin/sh
+route add -net 10.0.1.0 netmask 255.255.255.0 gw $5
diff --git a/app/openvpn/sample/sample-config-files/openvpn-shutdown.sh b/app/openvpn/sample/sample-config-files/openvpn-shutdown.sh
new file mode 100755
index 00000000..8ed2d1d5
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/openvpn-shutdown.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# stop all openvpn processes
+
+killall -TERM openvpn
diff --git a/app/openvpn/sample/sample-config-files/openvpn-startup.sh b/app/openvpn/sample/sample-config-files/openvpn-startup.sh
new file mode 100755
index 00000000..0ee006bc
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/openvpn-startup.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# A sample OpenVPN startup script
+# for Linux.
+
+# openvpn config file directory
+dir=/etc/openvpn
+
+# load the firewall
+$dir/firewall.sh
+
+# load TUN/TAP kernel module
+modprobe tun
+
+# enable IP forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# Invoke openvpn for each VPN tunnel
+# in daemon mode. Alternatively,
+# you could remove "--daemon" from
+# the command line and add "daemon"
+# to the config file.
+#
+# Each tunnel should run on a separate
+# UDP port. Use the "port" option
+# to control this. Like all of
+# OpenVPN's options, you can
+# specify "--port 8000" on the command
+# line or "port 8000" in the config
+# file.
+
+openvpn --cd $dir --daemon --config vpn1.conf
+openvpn --cd $dir --daemon --config vpn2.conf
+openvpn --cd $dir --daemon --config vpn2.conf
diff --git a/app/openvpn/sample/sample-config-files/server.conf b/app/openvpn/sample/sample-config-files/server.conf
new file mode 100644
index 00000000..f483b6bb
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/server.conf
@@ -0,0 +1,299 @@
+#################################################
+# Sample OpenVPN 2.0 config file for #
+# multi-client server. #
+# #
+# This file is for the server side #
+# of a many-clients <-> one-server #
+# OpenVPN configuration. #
+# #
+# OpenVPN also supports #
+# single-machine <-> single-machine #
+# configurations (See the Examples page #
+# on the web site for more info). #
+# #
+# This config should work on Windows #
+# or Linux/BSD systems. Remember on #
+# Windows to quote pathnames and use #
+# double backslashes, e.g.: #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+# #
+# Comments are preceded with '#' or ';' #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one. You will need to
+# open up this port on your firewall.
+port 1194
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one. On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key). Each client
+# and the server must have their own cert and
+# key file. The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys. Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca ca.crt
+cert server.crt
+key server.key # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+# openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys.
+dh dh1024.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.8.0.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file. If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface. Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0. Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients. Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Configure server mode for ethernet bridging
+# using a DHCP-proxy, where clients talk
+# to the OpenVPN server-side DHCP server
+# to receive their IP address allocation
+# and DNS server addresses. You must first use
+# your OS's bridging capability to bridge the TAP
+# interface with the ethernet NIC interface.
+# Note: this mode only works on clients (such as
+# Windows), where the client-side TAP adapter is
+# bound to a DHCP client.
+;server-bridge
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server. Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 192.168.10.0 255.255.255.0"
+;push "route 192.168.20.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir ccd
+;route 192.168.40.128 255.255.255.248
+# Then create a file ccd/Thelonious with this line:
+# iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN. This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+# Then add this line to ccd/Thelonious:
+# ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients. There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+# group, and firewall the TUN/TAP interface
+# for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+# modify the firewall in response to access
+# from different clients. See man
+# page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# or bridge the TUN/TAP interface to the internet
+# in order for this to work properly).
+;push "redirect-gateway def1 bypass-dhcp"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses. CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+# The addresses below refer to the public
+# DNS servers provided by opendns.com.
+;push "dhcp-option DNS 208.67.222.222"
+;push "dhcp-option DNS 208.67.220.220"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+;client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names. This is recommended
+# only for testing purposes. For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+# openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC # Blowfish (default)
+;cipher AES-128-CBC # AES
+;cipher DES-EDE3-CBC # Triple-DES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+;user nobody
+;group nobody
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status openvpn-status.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it. Use one
+# or the other (but not both).
+;log openvpn.log
+;log-append openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 3
+
+# Silence repeating messages. At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
diff --git a/app/openvpn/sample/sample-config-files/static-home.conf b/app/openvpn/sample/sample-config-files/static-home.conf
new file mode 100644
index 00000000..c9666874
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/static-home.conf
@@ -0,0 +1,72 @@
+#
+# Sample OpenVPN configuration file for
+# home using a pre-shared static key.
+#
+# '#' or ';' may be used to delimit comments.
+
+# Use a dynamic tun device.
+# For Linux 2.2 or non-Linux OSes,
+# you may want to use an explicit
+# unit number such as "tun1".
+# OpenVPN also supports virtual
+# ethernet "tap" devices.
+dev tun
+
+# Our OpenVPN peer is the office gateway.
+remote 1.2.3.4
+
+# 10.1.0.2 is our local VPN endpoint (home).
+# 10.1.0.1 is our remote VPN endpoint (office).
+ifconfig 10.1.0.2 10.1.0.1
+
+# Our up script will establish routes
+# once the VPN is alive.
+up ./home.up
+
+# Our pre-shared static key
+secret static.key
+
+# OpenVPN 2.0 uses UDP port 1194 by default
+# (official port assignment by iana.org 11/04).
+# OpenVPN 1.x uses UDP port 5000 by default.
+# Each OpenVPN tunnel must use
+# a different port number.
+# lport or rport can be used
+# to denote different ports
+# for local and remote.
+; port 1194
+
+# Downgrade UID and GID to
+# "nobody" after initialization
+# for extra security.
+; user nobody
+; group nobody
+
+# If you built OpenVPN with
+# LZO compression, uncomment
+# out the following line.
+; comp-lzo
+
+# Send a UDP ping to remote once
+# every 15 seconds to keep
+# stateful firewall connection
+# alive. Uncomment this
+# out if you are using a stateful
+# firewall.
+; ping 15
+
+# Uncomment this section for a more reliable detection when a system
+# loses its connection. For example, dial-ups or laptops that
+# travel to other locations.
+; ping 15
+; ping-restart 45
+; ping-timer-rem
+; persist-tun
+; persist-key
+
+# Verbosity level.
+# 0 -- quiet except for fatal errors.
+# 1 -- mostly quiet, but display non-fatal network errors.
+# 3 -- medium output, good for normal operation.
+# 9 -- verbose, good for troubleshooting
+verb 3
diff --git a/app/openvpn/sample/sample-config-files/static-office.conf b/app/openvpn/sample/sample-config-files/static-office.conf
new file mode 100644
index 00000000..68030cc9
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/static-office.conf
@@ -0,0 +1,69 @@
+#
+# Sample OpenVPN configuration file for
+# office using a pre-shared static key.
+#
+# '#' or ';' may be used to delimit comments.
+
+# Use a dynamic tun device.
+# For Linux 2.2 or non-Linux OSes,
+# you may want to use an explicit
+# unit number such as "tun1".
+# OpenVPN also supports virtual
+# ethernet "tap" devices.
+dev tun
+
+# 10.1.0.1 is our local VPN endpoint (office).
+# 10.1.0.2 is our remote VPN endpoint (home).
+ifconfig 10.1.0.1 10.1.0.2
+
+# Our up script will establish routes
+# once the VPN is alive.
+up ./office.up
+
+# Our pre-shared static key
+secret static.key
+
+# OpenVPN 2.0 uses UDP port 1194 by default
+# (official port assignment by iana.org 11/04).
+# OpenVPN 1.x uses UDP port 5000 by default.
+# Each OpenVPN tunnel must use
+# a different port number.
+# lport or rport can be used
+# to denote different ports
+# for local and remote.
+; port 1194
+
+# Downgrade UID and GID to
+# "nobody" after initialization
+# for extra security.
+; user nobody
+; group nobody
+
+# If you built OpenVPN with
+# LZO compression, uncomment
+# out the following line.
+; comp-lzo
+
+# Send a UDP ping to remote once
+# every 15 seconds to keep
+# stateful firewall connection
+# alive. Uncomment this
+# out if you are using a stateful
+# firewall.
+; ping 15
+
+# Uncomment this section for a more reliable detection when a system
+# loses its connection. For example, dial-ups or laptops that
+# travel to other locations.
+; ping 15
+; ping-restart 45
+; ping-timer-rem
+; persist-tun
+; persist-key
+
+# Verbosity level.
+# 0 -- quiet except for fatal errors.
+# 1 -- mostly quiet, but display non-fatal network errors.
+# 3 -- medium output, good for normal operation.
+# 9 -- verbose, good for troubleshooting
+verb 3
diff --git a/app/openvpn/sample/sample-config-files/tls-home.conf b/app/openvpn/sample/sample-config-files/tls-home.conf
new file mode 100644
index 00000000..daa4ea1e
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/tls-home.conf
@@ -0,0 +1,83 @@
+#
+# Sample OpenVPN configuration file for
+# home using SSL/TLS mode and RSA certificates/keys.
+#
+# '#' or ';' may be used to delimit comments.
+
+# Use a dynamic tun device.
+# For Linux 2.2 or non-Linux OSes,
+# you may want to use an explicit
+# unit number such as "tun1".
+# OpenVPN also supports virtual
+# ethernet "tap" devices.
+dev tun
+
+# Our OpenVPN peer is the office gateway.
+remote 1.2.3.4
+
+# 10.1.0.2 is our local VPN endpoint (home).
+# 10.1.0.1 is our remote VPN endpoint (office).
+ifconfig 10.1.0.2 10.1.0.1
+
+# Our up script will establish routes
+# once the VPN is alive.
+up ./home.up
+
+# In SSL/TLS key exchange, Office will
+# assume server role and Home
+# will assume client role.
+tls-client
+
+# Certificate Authority file
+ca my-ca.crt
+
+# Our certificate/public key
+cert home.crt
+
+# Our private key
+key home.key
+
+# OpenVPN 2.0 uses UDP port 1194 by default
+# (official port assignment by iana.org 11/04).
+# OpenVPN 1.x uses UDP port 5000 by default.
+# Each OpenVPN tunnel must use
+# a different port number.
+# lport or rport can be used
+# to denote different ports
+# for local and remote.
+; port 1194
+
+# Downgrade UID and GID to
+# "nobody" after initialization
+# for extra security.
+; user nobody
+; group nobody
+
+# If you built OpenVPN with
+# LZO compression, uncomment
+# out the following line.
+; comp-lzo
+
+# Send a UDP ping to remote once
+# every 15 seconds to keep
+# stateful firewall connection
+# alive. Uncomment this
+# out if you are using a stateful
+# firewall.
+; ping 15
+
+# Uncomment this section for a more reliable detection when a system
+# loses its connection. For example, dial-ups or laptops that
+# travel to other locations.
+; ping 15
+; ping-restart 45
+; ping-timer-rem
+; persist-tun
+; persist-key
+
+# Verbosity level.
+# 0 -- quiet except for fatal errors.
+# 1 -- mostly quiet, but display non-fatal network errors.
+# 3 -- medium output, good for normal operation.
+# 9 -- verbose, good for troubleshooting
+verb 3
diff --git a/app/openvpn/sample/sample-config-files/tls-office.conf b/app/openvpn/sample/sample-config-files/tls-office.conf
new file mode 100644
index 00000000..f790f469
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/tls-office.conf
@@ -0,0 +1,83 @@
+#
+# Sample OpenVPN configuration file for
+# office using SSL/TLS mode and RSA certificates/keys.
+#
+# '#' or ';' may be used to delimit comments.
+
+# Use a dynamic tun device.
+# For Linux 2.2 or non-Linux OSes,
+# you may want to use an explicit
+# unit number such as "tun1".
+# OpenVPN also supports virtual
+# ethernet "tap" devices.
+dev tun
+
+# 10.1.0.1 is our local VPN endpoint (office).
+# 10.1.0.2 is our remote VPN endpoint (home).
+ifconfig 10.1.0.1 10.1.0.2
+
+# Our up script will establish routes
+# once the VPN is alive.
+up ./office.up
+
+# In SSL/TLS key exchange, Office will
+# assume server role and Home
+# will assume client role.
+tls-server
+
+# Diffie-Hellman Parameters (tls-server only)
+dh dh1024.pem
+
+# Certificate Authority file
+ca my-ca.crt
+
+# Our certificate/public key
+cert office.crt
+
+# Our private key
+key office.key
+
+# OpenVPN 2.0 uses UDP port 1194 by default
+# (official port assignment by iana.org 11/04).
+# OpenVPN 1.x uses UDP port 5000 by default.
+# Each OpenVPN tunnel must use
+# a different port number.
+# lport or rport can be used
+# to denote different ports
+# for local and remote.
+; port 1194
+
+# Downgrade UID and GID to
+# "nobody" after initialization
+# for extra security.
+; user nobody
+; group nobody
+
+# If you built OpenVPN with
+# LZO compression, uncomment
+# out the following line.
+; comp-lzo
+
+# Send a UDP ping to remote once
+# every 15 seconds to keep
+# stateful firewall connection
+# alive. Uncomment this
+# out if you are using a stateful
+# firewall.
+; ping 15
+
+# Uncomment this section for a more reliable detection when a system
+# loses its connection. For example, dial-ups or laptops that
+# travel to other locations.
+; ping 15
+; ping-restart 45
+; ping-timer-rem
+; persist-tun
+; persist-key
+
+# Verbosity level.
+# 0 -- quiet except for fatal errors.
+# 1 -- mostly quiet, but display non-fatal network errors.
+# 3 -- medium output, good for normal operation.
+# 9 -- verbose, good for troubleshooting
+verb 3
diff --git a/app/openvpn/sample/sample-config-files/xinetd-client-config b/app/openvpn/sample/sample-config-files/xinetd-client-config
new file mode 100644
index 00000000..03c5c1fa
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/xinetd-client-config
@@ -0,0 +1,11 @@
+# This OpenVPN config file
+# is the client side counterpart
+# of xinetd-server-config
+
+dev tun
+ifconfig 10.4.0.1 10.4.0.2
+remote my-server
+port 1194
+user nobody
+secret /root/openvpn/key
+inactive 600
diff --git a/app/openvpn/sample/sample-config-files/xinetd-server-config b/app/openvpn/sample/sample-config-files/xinetd-server-config
new file mode 100644
index 00000000..803a6f8f
--- /dev/null
+++ b/app/openvpn/sample/sample-config-files/xinetd-server-config
@@ -0,0 +1,25 @@
+# An xinetd configuration file for OpenVPN.
+#
+# This file should be renamed to openvpn or something suitably
+# descriptive and copied to the /etc/xinetd.d directory.
+# xinetd can then be made aware of this file by restarting
+# it or sending it a SIGHUP signal.
+#
+# For each potential incoming client, create a separate version
+# of this configuration file on a unique port number. Also note
+# that the key file and ifconfig endpoints should be unique for
+# each client. This configuration assumes that the OpenVPN
+# executable and key live in /root/openvpn. Change this to fit
+# your environment.
+
+service openvpn_1
+{
+ type = UNLISTED
+ port = 1194
+ socket_type = dgram
+ protocol = udp
+ wait = yes
+ user = root
+ server = /root/openvpn/openvpn
+ server_args = --inetd --dev tun --ifconfig 10.4.0.2 10.4.0.1 --secret /root/openvpn/key --inactive 600 --user nobody
+}
diff --git a/app/openvpn/sample/sample-keys/README b/app/openvpn/sample/sample-keys/README
new file mode 100644
index 00000000..1cd473a1
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/README
@@ -0,0 +1,14 @@
+Sample RSA keys.
+
+See the examples section of the man page
+for usage examples.
+
+NOTE: THESE KEYS ARE FOR TESTING PURPOSES ONLY.
+ DON'T USE THEM FOR ANY REAL WORK BECAUSE
+ THEY ARE TOTALLY INSECURE!
+
+ca.{crt,key} -- sample CA key/cert
+client.{crt,key} -- sample client key/cert
+server.{crt,key} -- sample server key/cert (nsCertType=server)
+pass.{crt,key} -- sample client key/cert with password-encrypted key
+ password = "password"
diff --git a/app/openvpn/sample/sample-keys/ca.crt b/app/openvpn/sample/sample-keys/ca.crt
new file mode 100644
index 00000000..e063ccce
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/ca.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBjCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL
+MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
+VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy
+NTE0NDA1NVoXDTE0MTEyMzE0NDA1NVowZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
+Ak5BMRAwDgYDVQQHEwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxITAf
+BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEAqPjWJnesPu6bR/iec4FMz3opVaPdBHxg+ORKNmrnVZPh0t8/
+ZT34KXkYoI9B82scurp8UlZVXG8JdUsz+yai8ti9+g7vcuyKUtcCIjn0HLgmdPu5
+gFX25lB0pXw+XIU031dOfPvtROdG5YZN5yCErgCy7TE7zntLnkEDuRmyU6cCAwEA
+AaOBwzCBwDAdBgNVHQ4EFgQUiaZg47rqPq/8ZH9MvYzSSI3gzEYwgZAGA1UdIwSB
+iDCBhYAUiaZg47rqPq/8ZH9MvYzSSI3gzEahaqRoMGYxCzAJBgNVBAYTAktHMQsw
+CQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3BlblZQTi1U
+RVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CAQAwDAYDVR0T
+BAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBfJoiWYrYdjM0mKPEzUQk0nLYTovBP
+I0es/2rfGrin1zbcFY+4dhVBd1E/StebnG+CP8r7QeEIwu7x8gYDdOLLsZn+2vBL
+e4jNU1ClI6Q0L7jrzhhunQ5mAaZztVyYwFB15odYcdN2iO0tP7jtEsvrRqxICNy3
+8itzViPTf5W4sA==
+-----END CERTIFICATE-----
diff --git a/app/openvpn/sample/sample-keys/ca.key b/app/openvpn/sample/sample-keys/ca.key
new file mode 100644
index 00000000..b4bf792a
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/ca.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCo+NYmd6w+7ptH+J5zgUzPeilVo90EfGD45Eo2audVk+HS3z9l
+PfgpeRigj0Hzaxy6unxSVlVcbwl1SzP7JqLy2L36Du9y7IpS1wIiOfQcuCZ0+7mA
+VfbmUHSlfD5chTTfV058++1E50blhk3nIISuALLtMTvOe0ueQQO5GbJTpwIDAQAB
+AoGAQuVREyWp4bhhbZr2UFBOco2ws6EOLWp4kdD/uI+WSoEjlHKiDJj+GJ1CrL5K
+o+4yD5MpCQf4/4FOQ0ukprfjJpDwDinTG6vzuWSLTHNiTgvksW3vy7IsNMJx97hT
+4D2QOOl9HhA50Qqg70teMPYXOgLRMVsdCIV7p7zDNy4nM+ECQQDX8m5ZcQmPtUDA
+38dPTfpL4U7kMB94FItJYH/Lk5kMW1/J33xymNhL+BHaG064ol9n2ubGW4XEO5t2
+qE1IOsVpAkEAyE/x/OBVSI1s75aYGlEwMd87p3qaDdtXT7WzujjRY7r8Y1ynkMU6
+GtMeneBX/lk4BY/6I+5bhAzce+hqhaXejwJBAL5Wg+c4GApf41xdogqHm7doNyYw
+OHyZ9w9NDDc+uGbI30xLPSCxEe0cEXgiG6foDpm2uzRZFTWaqHPU8pFYpAkCQGNX
+cpWM0/7VVK9Fqk1y8knpgfY/UWOJ4jU/0dCLGR0ywLSuYNPlXDmtdkOp3TnhGW14
+x/9F2NEWZ8pzq1B4wHUCQQC5ztD4m/rpiIpinoewUJODoeBJXYBKqx1+mdrALCq6
+ESvK1WRiusMaY3xmsdv4J2TB5iUPryELbn3jU12WGcQc
+-----END RSA PRIVATE KEY-----
diff --git a/app/openvpn/sample/sample-keys/client.crt b/app/openvpn/sample/sample-keys/client.crt
new file mode 100644
index 00000000..c0474461
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/client.crt
@@ -0,0 +1,65 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2 (0x2)
+ Signature Algorithm: md5WithRSAEncryption
+ Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
+ Validity
+ Not Before: Nov 25 14:46:49 2004 GMT
+ Not After : Nov 23 14:46:49 2014 GMT
+ Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client/emailAddress=me@myhost.mydomain
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:d2:12:5c:c6:4d:13:34:ae:cf:fa:ab:fe:cb:de:
+ 8c:f1:4b:4a:95:28:60:87:82:2c:b8:c1:e5:8e:c6:
+ 5d:11:58:61:a4:a5:f1:42:d7:86:74:6c:9d:9c:7a:
+ f0:3a:5c:29:e6:53:3b:5e:6d:d8:f0:45:06:2c:23:
+ ee:09:bc:02:8f:0e:b8:d5:33:1f:c3:4a:11:02:48:
+ 0b:cc:4b:ad:6e:74:e0:a2:53:b1:d6:cc:89:b9:e2:
+ 6f:db:15:b3:19:1e:57:04:79:48:3a:da:76:31:fc:
+ bf:d3:34:21:e7:32:d8:9e:06:4e:be:f3:e3:79:b0:
+ 54:fd:d1:42:32:aa:3e:7a:c1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Comment:
+ OpenSSL Generated Certificate
+ X509v3 Subject Key Identifier:
+ 17:B7:3F:C7:62:A0:A9:FD:A4:31:0E:58:D7:D9:94:7B:4B:3F:CB:56
+ X509v3 Authority Key Identifier:
+ keyid:89:A6:60:E3:BA:EA:3E:AF:FC:64:7F:4C:BD:8C:D2:48:8D:E0:CC:46
+ DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
+ serial:00
+
+ Signature Algorithm: md5WithRSAEncryption
+ 61:c6:d1:fa:24:0f:c7:be:09:3b:d8:04:17:63:31:17:07:f9:
+ 56:99:af:4c:67:fa:db:cb:94:cf:55:a5:7b:16:20:8b:42:64:
+ 13:23:62:45:28:93:5e:36:f7:db:02:95:a1:e9:fd:e3:0f:8d:
+ 73:a1:7b:0e:55:78:4d:a5:c4:b7:22:12:a0:ee:55:e0:b8:0e:
+ c9:9b:12:e3:b0:ef:9b:68:93:57:6e:6c:ad:16:68:8e:8d:30:
+ 33:fe:2a:1b:c3:03:8f:b6:0a:2d:0c:b1:3c:bb:f9:58:3f:8c:
+ 81:59:6b:14:dd:62:b5:c2:93:ed:5d:c6:19:0f:9b:4b:52:b3:
+ 7c:78
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAp6gAwIBAgIBAjANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL
+MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
+VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy
+NTE0NDY0OVoXDTE0MTEyMzE0NDY0OVowajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
+Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtQ2xpZW50
+MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBANISXMZNEzSuz/qr/svejPFLSpUoYIeCLLjB5Y7GXRFY
+YaSl8ULXhnRsnZx68DpcKeZTO15t2PBFBiwj7gm8Ao8OuNUzH8NKEQJIC8xLrW50
+4KJTsdbMibnib9sVsxkeVwR5SDradjH8v9M0Iecy2J4GTr7z43mwVP3RQjKqPnrB
+AgMBAAGjge4wgeswCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH
+ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBe3P8dioKn9pDEOWNfZlHtL
+P8tWMIGQBgNVHSMEgYgwgYWAFImmYOO66j6v/GR/TL2M0kiN4MxGoWqkaDBmMQsw
+CQYDVQQGEwJLRzELMAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNV
+BAoTDE9wZW5WUE4tVEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9t
+YWluggEAMA0GCSqGSIb3DQEBBAUAA4GBAGHG0fokD8e+CTvYBBdjMRcH+VaZr0xn
++tvLlM9VpXsWIItCZBMjYkUok14299sClaHp/eMPjXOhew5VeE2lxLciEqDuVeC4
+DsmbEuOw75tok1dubK0WaI6NMDP+KhvDA4+2Ci0MsTy7+Vg/jIFZaxTdYrXCk+1d
+xhkPm0tSs3x4
+-----END CERTIFICATE-----
diff --git a/app/openvpn/sample/sample-keys/client.key b/app/openvpn/sample/sample-keys/client.key
new file mode 100644
index 00000000..17b95091
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/client.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDSElzGTRM0rs/6q/7L3ozxS0qVKGCHgiy4weWOxl0RWGGkpfFC
+14Z0bJ2cevA6XCnmUztebdjwRQYsI+4JvAKPDrjVMx/DShECSAvMS61udOCiU7HW
+zIm54m/bFbMZHlcEeUg62nYx/L/TNCHnMtieBk6+8+N5sFT90UIyqj56wQIDAQAB
+AoGBAK8RoIGekCfym99DYYfTg9A/t/tQeAnWYaDj7oSrKbqf1lgZ91OGPEZgkoVr
+KzLnxf9uU+bhUs8CJx+4HdO8/L9rAJA+oD9QNuMp0elN4AKuEGE1Eq3a0e3cmgPI
++VIoXM6WVAGgK9I03Zu/UerYQ/DdXWGOIsKhFe8qyQoG9pKxAkEA9ld6O9MHQt3d
+JAjJkgCNn4psozxjrfLWy2huXd3H3CRqGMjLITDGzdkVSgXjHokBYroi0+TZTu4M
+ulJSJaWwBQJBANpO2DAexH2zRHw5Z6QyeEVxz7B3/FzU4GgJx9BH+FSBh+F0G5Ln
+ir5Vst8vZ/LGcgpYjHQLNAvZVgUjiQ4Y6I0CQGvwMJL+CHR4GmmroAblTyjU0n1D
+/Lk/anZ+L73Za7U+D28ErFzCrpmLwRRKOBYtGfpUbOZDpCQ9kj4hy/TLALECQCcL
+9ysUNbzt9Y/qjJkX1d9F7gn4TBEmmkTBixW76bTjvjQbGlt6Qpyso2O8DPGlgPxM
+vkJ7RoHgC7y7kGYPGnkCQBVxSNGIjLx4NQBgN4HD0y4+fars1PTUGnckBcS4npb9
+onLNyerBlWdBwbARyBS7WPIbyyf5VCrn3yIqWxaARO0=
+-----END RSA PRIVATE KEY-----
diff --git a/app/openvpn/sample/sample-keys/dh1024.pem b/app/openvpn/sample/sample-keys/dh1024.pem
new file mode 100644
index 00000000..7ce05f0c
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/dh1024.pem
@@ -0,0 +1,5 @@
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh
+1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32
+9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC
+-----END DH PARAMETERS-----
diff --git a/app/openvpn/sample/sample-keys/pass.crt b/app/openvpn/sample/sample-keys/pass.crt
new file mode 100644
index 00000000..8bb7b17a
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/pass.crt
@@ -0,0 +1,65 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: md5WithRSAEncryption
+ Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
+ Validity
+ Not Before: Nov 25 14:48:55 2004 GMT
+ Not After : Nov 23 14:48:55 2014 GMT
+ Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client-Password/emailAddress=me@myhost.mydomain
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:ca:b4:05:67:7b:51:c1:d2:fe:21:57:b1:a5:57:
+ 5c:c0:86:38:05:a8:91:cf:e7:a4:bd:7a:76:d8:3b:
+ cf:fe:f3:78:65:24:d6:72:7d:1b:6d:b6:da:04:f2:
+ a8:f6:b4:04:78:d2:24:a7:21:2f:ca:29:46:96:0f:
+ 0b:91:31:66:1e:4d:22:9a:5d:05:17:99:9c:a0:7e:
+ e0:2a:be:78:0c:a1:b9:d4:04:c4:ec:f8:61:79:62:
+ b5:52:2d:f5:41:af:db:9f:8c:ab:08:1b:b7:95:b8:
+ c1:f0:29:d3:da:fb:00:3f:8e:5c:27:e3:8d:fa:ee:
+ dc:b4:3b:0b:8b:e0:ab:c1:c1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Comment:
+ OpenSSL Generated Certificate
+ X509v3 Subject Key Identifier:
+ 40:57:F1:8C:9C:86:B2:DA:E0:3F:A7:B8:D7:85:43:45:07:8A:40:73
+ X509v3 Authority Key Identifier:
+ keyid:89:A6:60:E3:BA:EA:3E:AF:FC:64:7F:4C:BD:8C:D2:48:8D:E0:CC:46
+ DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
+ serial:00
+
+ Signature Algorithm: md5WithRSAEncryption
+ a5:79:72:7f:a2:08:28:8e:66:da:e1:d0:be:bb:97:3d:65:9f:
+ ab:1e:19:ac:f1:66:44:14:8f:4e:7c:eb:ea:1e:2f:57:ea:44:
+ 46:4c:b9:56:5b:c0:0c:58:d2:45:87:26:6d:82:de:8c:64:b8:
+ 8b:22:61:61:c6:68:36:08:9d:5a:fd:2f:e5:21:e1:a2:0c:7f:
+ 3e:ca:e1:06:ea:9f:81:62:3d:a0:ce:f1:1e:0d:ab:86:89:ed:
+ 9a:89:34:32:c9:e9:6d:7d:f5:11:c3:5d:7e:a5:f7:f1:a6:83:
+ 77:1b:94:67:d9:0f:5c:ac:0e:08:4a:88:98:65:49:eb:66:9e:
+ 2d:28
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAqegAwIBAgIBAzANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL
+MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
+VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy
+NTE0NDg1NVoXDTE0MTEyMzE0NDg1NVowczELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
+Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxHTAbBgNVBAMTFFRlc3QtQ2xpZW50
+LVBhc3N3b3JkMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMq0BWd7UcHS/iFXsaVXXMCGOAWokc/n
+pL16dtg7z/7zeGUk1nJ9G2222gTyqPa0BHjSJKchL8opRpYPC5ExZh5NIppdBReZ
+nKB+4Cq+eAyhudQExOz4YXlitVIt9UGv25+Mqwgbt5W4wfAp09r7AD+OXCfjjfru
+3LQ7C4vgq8HBAgMBAAGjge4wgeswCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
+T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFEBX8YychrLa
+4D+nuNeFQ0UHikBzMIGQBgNVHSMEgYgwgYWAFImmYOO66j6v/GR/TL2M0kiN4MxG
+oWqkaDBmMQswCQYDVQQGEwJLRzELMAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hL
+RUsxFTATBgNVBAoTDE9wZW5WUE4tVEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlo
+b3N0Lm15ZG9tYWluggEAMA0GCSqGSIb3DQEBBAUAA4GBAKV5cn+iCCiOZtrh0L67
+lz1ln6seGazxZkQUj0586+oeL1fqREZMuVZbwAxY0kWHJm2C3oxkuIsiYWHGaDYI
+nVr9L+Uh4aIMfz7K4Qbqn4FiPaDO8R4Nq4aJ7ZqJNDLJ6W199RHDXX6l9/Gmg3cb
+lGfZD1ysDghKiJhlSetmni0o
+-----END CERTIFICATE-----
diff --git a/app/openvpn/sample/sample-keys/pass.key b/app/openvpn/sample/sample-keys/pass.key
new file mode 100644
index 00000000..4916364c
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/pass.key
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,959F7365DBBFDB77
+
+nGm57l+rR/8dAZOHL/1x/6dt11zUca7rphjsgw6XRnSf3M/CWmHvHVjApWcNLEs5
+SWNMp1xfUogtGzsKoMBbnlZLDA7RVHUYD6dVMyCpc64UjzT08LmdZhtQYLAKmlUC
+PT1VXS4Ae+SrqCPUqJkw1xP3kr0F1EVCXNu0nhOBAuuTGOS7PPEyW2N+k4nRHtsR
+IaPp8GCuIeoR6CdymTFTq6d/GeCiEcyrUM4BNrG4GtRRrURxxOrzQFEOS5sjBPSg
+Km1lwa6zBQFRLg9dKjRBL4teKuPY5Z2Nmpcml/aN4CkdkVEso4lW6/UHLE/joOMQ
+0MdpdYtu8wnt1WI/Z4immQfl3MF+QcPMkqXXzCEhGG/5SbAo89KC46UXvu1Z5OhS
+8XFHhvYBivOYWgZ3XUQqyZ0ulF60mFX7aE1Ph/eEbhWBHmU39hGjxzop1UoPwqLx
+ahvtfvCkR3ZeqlWO9SHzCA3MlrKwQ1p1UL6nG6AJhNN9jSevH6by+8wr07NBZOqX
+fJx+J/8EdVsUCFG2UJxPwM83ZSwAsvKRqph6CuWEl9ndUb7rw6khmRIoY0Iz3LbU
+1MlcDoJNcJas6lYDr1UeFSk86g0SiGCHXZIqsjyUgq6HIy4YrAYiQUthnlF8tp2Q
+nNQBPLo1GsHf0dC2MqKfDFASu7ST+Bl+yajHcIiUXvUJPxWbjkWYG9Q2p2ZBLzZD
+uqeRr66OKxTzUS4go/QbHDNsAulXl61gQIEOdZw5uy/Jl11kyAI6EQbzmehagKdH
+EshTgKp8ks62y0bBHgy3FMKyidJ5Hm58ZDhBxrwN0w+vhRoTGOepTA==
+-----END RSA PRIVATE KEY-----
diff --git a/app/openvpn/sample/sample-keys/pkcs12.p12 b/app/openvpn/sample/sample-keys/pkcs12.p12
new file mode 100644
index 00000000..253d4081
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/pkcs12.p12
Binary files differ
diff --git a/app/openvpn/sample/sample-keys/server.crt b/app/openvpn/sample/sample-keys/server.crt
new file mode 100644
index 00000000..28bb4d94
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/server.crt
@@ -0,0 +1,67 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: md5WithRSAEncryption
+ Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
+ Validity
+ Not Before: Nov 25 14:42:22 2004 GMT
+ Not After : Nov 23 14:42:22 2014 GMT
+ Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server/emailAddress=me@myhost.mydomain
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:cb:4e:ac:f9:83:57:f6:69:d2:32:29:b4:bc:ad:
+ e6:f7:26:21:89:33:30:43:40:a3:35:d9:de:26:01:
+ d6:b4:f0:bc:0a:19:55:99:3b:f1:4c:91:60:b6:fd:
+ 74:34:8d:5a:c7:62:ec:ce:f2:d6:02:ce:57:32:f4:
+ 35:8c:71:a0:6d:65:2a:e7:80:ae:29:59:cf:36:73:
+ f8:7c:4a:73:90:fc:30:28:d5:46:7d:35:a4:4e:c9:
+ 9f:90:7b:e2:09:21:36:c5:a8:ec:85:82:9a:32:b4:
+ 91:3b:c1:d6:4f:9f:d1:f8:6f:68:f4:1d:d2:06:91:
+ 32:cc:9a:48:fd:cd:98:7f:2f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Cert Type:
+ SSL Server
+ Netscape Comment:
+ OpenSSL Generated Server Certificate
+ X509v3 Subject Key Identifier:
+ 69:11:FE:E7:9F:89:7B:71:34:69:C0:DC:82:F8:D0:5D:4D:FB:78:DF
+ X509v3 Authority Key Identifier:
+ keyid:89:A6:60:E3:BA:EA:3E:AF:FC:64:7F:4C:BD:8C:D2:48:8D:E0:CC:46
+ DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
+ serial:00
+
+ Signature Algorithm: md5WithRSAEncryption
+ 35:5c:75:da:57:ef:b5:79:f2:a2:db:36:e4:75:e8:c7:bc:73:
+ 26:cf:30:36:4b:2e:51:46:37:60:2f:4e:2b:f6:71:a2:23:db:
+ 8e:d8:5c:d5:af:2e:22:28:dd:30:a8:89:66:3a:cc:5b:3c:0f:
+ 96:12:20:de:5e:41:52:74:35:ed:4c:26:40:19:ca:73:df:54:
+ b1:30:96:9c:a5:14:d0:38:28:3f:ab:30:07:d7:de:98:d2:7f:
+ 7f:90:b2:52:1d:e5:95:88:ed:ba:8a:6a:14:85:66:76:ec:75:
+ 30:e8:ae:94:f4:e1:76:fa:4b:0e:f1:53:d7:95:be:fb:69:fa:
+ 3d:32
+-----BEGIN CERTIFICATE-----
+MIIDUTCCArqgAwIBAgIBATANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL
+MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
+VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy
+NTE0NDIyMloXDTE0MTEyMzE0NDIyMlowajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
+Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtU2VydmVy
+MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAMtOrPmDV/Zp0jIptLyt5vcmIYkzMENAozXZ3iYB1rTw
+vAoZVZk78UyRYLb9dDSNWsdi7M7y1gLOVzL0NYxxoG1lKueArilZzzZz+HxKc5D8
+MCjVRn01pE7Jn5B74gkhNsWo7IWCmjK0kTvB1k+f0fhvaPQd0gaRMsyaSP3NmH8v
+AgMBAAGjggEJMIIBBTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglg
+hkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRl
+MB0GA1UdDgQWBBRpEf7nn4l7cTRpwNyC+NBdTft43zCBkAYDVR0jBIGIMIGFgBSJ
+pmDjuuo+r/xkf0y9jNJIjeDMRqFqpGgwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
+Ak5BMRAwDgYDVQQHEwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxITAf
+BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpboIBADANBgkqhkiG9w0BAQQF
+AAOBgQA1XHXaV++1efKi2zbkdejHvHMmzzA2Sy5RRjdgL04r9nGiI9uO2FzVry4i
+KN0wqIlmOsxbPA+WEiDeXkFSdDXtTCZAGcpz31SxMJacpRTQOCg/qzAH196Y0n9/
+kLJSHeWViO26imoUhWZ27HUw6K6U9OF2+ksO8VPXlb77afo9Mg==
+-----END CERTIFICATE-----
diff --git a/app/openvpn/sample/sample-keys/server.key b/app/openvpn/sample/sample-keys/server.key
new file mode 100644
index 00000000..976acabf
--- /dev/null
+++ b/app/openvpn/sample/sample-keys/server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDLTqz5g1f2adIyKbS8reb3JiGJMzBDQKM12d4mAda08LwKGVWZ
+O/FMkWC2/XQ0jVrHYuzO8tYCzlcy9DWMcaBtZSrngK4pWc82c/h8SnOQ/DAo1UZ9
+NaROyZ+Qe+IJITbFqOyFgpoytJE7wdZPn9H4b2j0HdIGkTLMmkj9zZh/LwIDAQAB
+AoGBAKP1ljA/iY/zNY447kZ/5NWKzd7tBk4mcbl7M9no/7O6tZtbZRoIKoi6cYoC
+C1ZabUyBbkNTud5XdCFmq0zRUjOWvoFMZ9VZfd2kRPvl4TGczBtJAq65b+EYMGui
+q6T9p61xPdtzu0vM+Ecj127pAMk5XcJyxu8XQK7lZWmG5UoJAkEA8CxXNZN+A3qD
+bMBPI3VdwKCNSjNVEQEnygMbNgw7VLdxPpspzZziqJEGdzsM4dsnOBwKxIWFLN2h
+lbGBOquAswJBANi0atGWM8VUxDjvqqHCTS9RUXWgnvYhee4/xraJBQPBSivjC9P0
+vKT7PjBHU6djtKSLKGaHn1vHqmyY7PCMjZUCQQCNVSqExqSzG1dXmdt4PErNXi2G
+6qo2dX2arTVIGu6XLdQgSWLSMm5XT/CEHWW5SyPLKwVTHFeATXQXCPvJML9tAkEA
+k0yXax0g1ZoXwufN4SQUmPw6Va03P/BjU/nP1ZVvbiz9gLVU/d7WN4J7tA9XomkY
+idv5OzAmtxkSE70jGSNAvQJAWhCf9+iHkzOHRyKKOYlh1DHUwDfSEp+hlZYg9H03
+P2sraQzUxgWDY/DIY63KvW78ny863baFz7onz21MYGgJXg==
+-----END RSA PRIVATE KEY-----
diff --git a/app/openvpn/sample/sample-plugins/defer/README b/app/openvpn/sample/sample-plugins/defer/README
new file mode 100644
index 00000000..d8990f8b
--- /dev/null
+++ b/app/openvpn/sample/sample-plugins/defer/README
@@ -0,0 +1,16 @@
+OpenVPN plugin examples.
+
+Examples provided:
+
+simple.c -- using the --auth-user-pass-verify callback,
+ test deferred authentication.
+
+To build:
+
+ ./build simple (Linux/BSD/etc.)
+ ./winbuild simple (MinGW on Windows)
+
+To use in OpenVPN, add to config file:
+
+ plugin simple.so (Linux/BSD/etc.)
+ plugin simple.dll (MinGW on Windows)
diff --git a/app/openvpn/sample/sample-plugins/defer/simple.c b/app/openvpn/sample/sample-plugins/defer/simple.c
new file mode 100644
index 00000000..65398657
--- /dev/null
+++ b/app/openvpn/sample/sample-plugins/defer/simple.c
@@ -0,0 +1,305 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This file implements a simple OpenVPN plugin module which
+ * will test deferred authentication and packet filtering.
+ *
+ * Will run on Windows or *nix.
+ *
+ * Sample usage:
+ *
+ * setenv test_deferred_auth 20
+ * setenv test_packet_filter 10
+ * plugin plugin/defer/simple.so
+ *
+ * This will enable deferred authentication to occur 20
+ * seconds after the normal TLS authentication process,
+ * and will cause a packet filter file to be generated 10
+ * seconds after the initial TLS negotiation, using
+ * {common-name}.pf as the source.
+ *
+ * Sample packet filter configuration:
+ *
+ * [CLIENTS DROP]
+ * +otherclient
+ * [SUBNETS DROP]
+ * +10.0.0.0/8
+ * -10.10.0.8
+ * [END]
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "openvpn-plugin.h"
+
+/* bool definitions */
+#define bool int
+#define true 1
+#define false 0
+
+/*
+ * Our context, where we keep our state.
+ */
+
+struct plugin_context {
+ int test_deferred_auth;
+ int test_packet_filter;
+};
+
+struct plugin_per_client_context {
+ int n_calls;
+ bool generated_pf_file;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+ {
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+ return cp + 1;
+ }
+ }
+ }
+ return NULL;
+}
+
+/* used for safe printf of possible NULL strings */
+static const char *
+np (const char *str)
+{
+ if (str)
+ return str;
+ else
+ return "[NULL]";
+}
+
+static int
+atoi_null0 (const char *str)
+{
+ if (str)
+ return atoi (str);
+ else
+ return 0;
+}
+
+OPENVPN_EXPORT openvpn_plugin_handle_t
+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context;
+
+ printf ("FUNC: openvpn_plugin_open_v1\n");
+
+ /*
+ * Allocate our context
+ */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ context->test_deferred_auth = atoi_null0 (get_env ("test_deferred_auth", envp));
+ printf ("TEST_DEFERRED_AUTH %d\n", context->test_deferred_auth);
+
+ context->test_packet_filter = atoi_null0 (get_env ("test_packet_filter", envp));
+ printf ("TEST_PACKET_FILTER %d\n", context->test_packet_filter);
+
+ /*
+ * Which callbacks to intercept.
+ */
+ *type_mask =
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ENABLE_PF);
+
+ return (openvpn_plugin_handle_t) context;
+}
+
+static int
+auth_user_pass_verify (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])
+{
+ if (context->test_deferred_auth)
+ {
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+
+ /* get auth_control_file filename from envp string array*/
+ const char *auth_control_file = get_env ("auth_control_file", envp);
+
+ printf ("DEFER u='%s' p='%s' acf='%s'\n",
+ np(username),
+ np(password),
+ np(auth_control_file));
+
+ /* Authenticate asynchronously in n seconds */
+ if (auth_control_file)
+ {
+ char buf[256];
+ int auth = 2;
+ sscanf (username, "%d", &auth);
+ snprintf (buf, sizeof(buf), "( sleep %d ; echo AUTH %s %d ; echo %d >%s ) &",
+ context->test_deferred_auth,
+ auth_control_file,
+ auth,
+ pcc->n_calls < auth,
+ auth_control_file);
+ printf ("%s\n", buf);
+ system (buf);
+ pcc->n_calls++;
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+static int
+tls_final (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])
+{
+ if (context->test_packet_filter)
+ {
+ if (!pcc->generated_pf_file)
+ {
+ const char *pff = get_env ("pf_file", envp);
+ const char *cn = get_env ("username", envp);
+ if (pff && cn)
+ {
+ char buf[256];
+ snprintf (buf, sizeof(buf), "( sleep %d ; echo PF %s/%s ; cp \"%s.pf\" \"%s\" ) &",
+ context->test_packet_filter, cn, pff, cn, pff);
+ printf ("%s\n", buf);
+ system (buf);
+ pcc->generated_pf_file = true;
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle,
+ const int type,
+ const char *argv[],
+ const char *envp[],
+ void *per_client_context,
+ struct openvpn_plugin_string_list **return_list)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context;
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_UP:
+ printf ("OPENVPN_PLUGIN_UP\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_DOWN:
+ printf ("OPENVPN_PLUGIN_DOWN\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_ROUTE_UP:
+ printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_IPCHANGE:
+ printf ("OPENVPN_PLUGIN_IPCHANGE\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_TLS_VERIFY:
+ printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ return auth_user_pass_verify (context, pcc, argv, envp);
+ case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
+ printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+ printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_LEARN_ADDRESS:
+ printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
+ return tls_final (context, pcc, argv, envp);
+ case OPENVPN_PLUGIN_ENABLE_PF:
+ printf ("OPENVPN_PLUGIN_ENABLE_PF\n");
+ if (context->test_packet_filter)
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ default:
+ printf ("OPENVPN_PLUGIN_?\n");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+}
+
+OPENVPN_EXPORT void *
+openvpn_plugin_client_constructor_v1 (openvpn_plugin_handle_t handle)
+{
+ printf ("FUNC: openvpn_plugin_client_constructor_v1\n");
+ return calloc (1, sizeof (struct plugin_per_client_context));
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_client_destructor_v1 (openvpn_plugin_handle_t handle, void *per_client_context)
+{
+ printf ("FUNC: openvpn_plugin_client_destructor_v1\n");
+ free (per_client_context);
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ printf ("FUNC: openvpn_plugin_close_v1\n");
+ free (context);
+}
diff --git a/app/openvpn/sample/sample-plugins/defer/simple.def b/app/openvpn/sample/sample-plugins/defer/simple.def
new file mode 100755
index 00000000..a87507d1
--- /dev/null
+++ b/app/openvpn/sample/sample-plugins/defer/simple.def
@@ -0,0 +1,6 @@
+LIBRARY OpenVPN_PLUGIN_SAMPLE
+DESCRIPTION "Sample OpenVPN plug-in module."
+EXPORTS
+ openvpn_plugin_open_v1 @1
+ openvpn_plugin_func_v1 @2
+ openvpn_plugin_close_v1 @3
diff --git a/app/openvpn/sample/sample-plugins/defer/winbuild b/app/openvpn/sample/sample-plugins/defer/winbuild
new file mode 100755
index 00000000..82927d96
--- /dev/null
+++ b/app/openvpn/sample/sample-plugins/defer/winbuild
@@ -0,0 +1,18 @@
+#
+# Build an OpenVPN plugin module on Windows/MinGW.
+# The argument should be the base name of the C source file
+# (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+INCLUDE="-I../../../build"
+
+CC_FLAGS="-O2 -Wall"
+
+gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c
+gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o
+rm junk.tmp
+dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def
+rm base.tmp
+gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp
+rm temp.exp
diff --git a/app/openvpn/sample/sample-plugins/log/log.c b/app/openvpn/sample/sample-plugins/log/log.c
new file mode 100644
index 00000000..1cc4650e
--- /dev/null
+++ b/app/openvpn/sample/sample-plugins/log/log.c
@@ -0,0 +1,184 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This plugin is similar to simple.c, except it also logs extra information
+ * to stdout for every plugin method called by OpenVPN.
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "openvpn-plugin.h"
+
+/*
+ * Our context, where we keep our state.
+ */
+struct plugin_context {
+ const char *username;
+ const char *password;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+ {
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+ return cp + 1;
+ }
+ }
+ }
+ return NULL;
+}
+
+OPENVPN_EXPORT openvpn_plugin_handle_t
+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context;
+
+ /*
+ * Allocate our context
+ */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ /*
+ * Set the username/password we will require.
+ */
+ context->username = "foo";
+ context->password = "bar";
+
+ /*
+ * Which callbacks to intercept.
+ */
+ *type_mask =
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL);
+
+ return (openvpn_plugin_handle_t) context;
+}
+
+void
+show (const int type, const char *argv[], const char *envp[])
+{
+ size_t i;
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_UP:
+ printf ("OPENVPN_PLUGIN_UP\n");
+ break;
+ case OPENVPN_PLUGIN_DOWN:
+ printf ("OPENVPN_PLUGIN_DOWN\n");
+ break;
+ case OPENVPN_PLUGIN_ROUTE_UP:
+ printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
+ break;
+ case OPENVPN_PLUGIN_IPCHANGE:
+ printf ("OPENVPN_PLUGIN_IPCHANGE\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_VERIFY:
+ printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
+ printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+ printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
+ break;
+ case OPENVPN_PLUGIN_LEARN_ADDRESS:
+ printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
+ break;
+ default:
+ printf ("OPENVPN_PLUGIN_?\n");
+ break;
+ }
+
+ printf ("ARGV\n");
+ for (i = 0; argv[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, argv[i]);
+
+ printf ("ENVP\n");
+ for (i = 0; envp[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, envp[i]);
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+
+ show (type, argv, envp);
+
+ /* check entered username/password against what we require */
+ if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ {
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+
+ if (username && !strcmp (username, context->username)
+ && password && !strcmp (password, context->password))
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ free (context);
+}
diff --git a/app/openvpn/sample/sample-plugins/log/log_v3.c b/app/openvpn/sample/sample-plugins/log/log_v3.c
new file mode 100644
index 00000000..742c7568
--- /dev/null
+++ b/app/openvpn/sample/sample-plugins/log/log_v3.c
@@ -0,0 +1,247 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2010 David Sommerseth <dazo@users.sourceforge.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This plugin is similar to simple.c, except it also logs extra information
+ * to stdout for every plugin method called by OpenVPN. The only difference
+ * between this (log_v3.c) and log.c is that this module uses the v3 plug-in
+ * API.
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#define ENABLE_SSL
+
+#include "openvpn-plugin.h"
+
+/*
+ * Our context, where we keep our state.
+ */
+struct plugin_context {
+ const char *username;
+ const char *password;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+ {
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+ return cp + 1;
+ }
+ }
+ }
+ return NULL;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_open_v3 (const int v3structver,
+ struct openvpn_plugin_args_open_in const *args,
+ struct openvpn_plugin_args_open_return *ret)
+{
+ struct plugin_context *context = NULL;
+
+ /* Check that we are API compatible */
+ if( v3structver != OPENVPN_PLUGINv3_STRUCTVER ) {
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
+ /* Which callbacks to intercept. */
+ ret->type_mask =
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL);
+
+
+ /* Allocate our context */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ /* Set the username/password we will require. */
+ context->username = "foo";
+ context->password = "bar";
+
+ /* Point the global context handle to our newly created context */
+ ret->handle = (void *) context;
+
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+void
+show (const int type, const char *argv[], const char *envp[])
+{
+ size_t i;
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_UP:
+ printf ("OPENVPN_PLUGIN_UP\n");
+ break;
+ case OPENVPN_PLUGIN_DOWN:
+ printf ("OPENVPN_PLUGIN_DOWN\n");
+ break;
+ case OPENVPN_PLUGIN_ROUTE_UP:
+ printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
+ break;
+ case OPENVPN_PLUGIN_IPCHANGE:
+ printf ("OPENVPN_PLUGIN_IPCHANGE\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_VERIFY:
+ printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
+ printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+ printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
+ break;
+ case OPENVPN_PLUGIN_LEARN_ADDRESS:
+ printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
+ break;
+ default:
+ printf ("OPENVPN_PLUGIN_?\n");
+ break;
+ }
+
+ printf ("ARGV\n");
+ for (i = 0; argv[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, argv[i]);
+
+ printf ("ENVP\n");
+ for (i = 0; envp[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, envp[i]);
+}
+
+static void
+x509_print_info (X509 *x509crt)
+{
+ int i, n;
+ int fn_nid;
+ ASN1_OBJECT *fn;
+ ASN1_STRING *val;
+ X509_NAME *x509_name;
+ X509_NAME_ENTRY *ent;
+ const char *objbuf;
+ unsigned char *buf;
+
+ x509_name = X509_get_subject_name (x509crt);
+ n = X509_NAME_entry_count (x509_name);
+ for (i = 0; i < n; ++i)
+ {
+ ent = X509_NAME_get_entry (x509_name, i);
+ if (!ent)
+ continue;
+ fn = X509_NAME_ENTRY_get_object (ent);
+ if (!fn)
+ continue;
+ val = X509_NAME_ENTRY_get_data (ent);
+ if (!val)
+ continue;
+ fn_nid = OBJ_obj2nid (fn);
+ if (fn_nid == NID_undef)
+ continue;
+ objbuf = OBJ_nid2sn (fn_nid);
+ if (!objbuf)
+ continue;
+ buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+ if (ASN1_STRING_to_UTF8 (&buf, val) <= 0)
+ continue;
+
+ printf("X509 %s: %s\n", objbuf, (char *)buf);
+ OPENSSL_free (buf);
+ }
+}
+
+
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v3 (const int version,
+ struct openvpn_plugin_args_func_in const *args,
+ struct openvpn_plugin_args_func_return *retptr)
+{
+ struct plugin_context *context = (struct plugin_context *) args->handle;
+
+ printf("\nopenvpn_plugin_func_v3() :::::>> ");
+ show (args->type, args->argv, args->envp);
+
+ /* Dump some X509 information if we're in the TLS_VERIFY phase */
+ if ((args->type == OPENVPN_PLUGIN_TLS_VERIFY) && args->current_cert ) {
+ printf("---- X509 Subject information ----\n");
+ printf("Certificate depth: %i\n", args->current_cert_depth);
+ x509_print_info(args->current_cert);
+ printf("----------------------------------\n");
+ }
+
+ /* check entered username/password against what we require */
+ if (args->type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ {
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", args->envp);
+ const char *password = get_env ("password", args->envp);
+
+ if (username && !strcmp (username, context->username)
+ && password && !strcmp (password, context->password))
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ free (context);
+}
diff --git a/app/openvpn/sample/sample-plugins/log/winbuild b/app/openvpn/sample/sample-plugins/log/winbuild
new file mode 100755
index 00000000..decf05f8
--- /dev/null
+++ b/app/openvpn/sample/sample-plugins/log/winbuild
@@ -0,0 +1,18 @@
+#
+# Build an OpenVPN plugin module on Windows/MinGW.
+# The argument should be the base name of the C source file
+# (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+INCLUDE="-I../../../include"
+
+CC_FLAGS="-O2 -Wall"
+
+gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c
+gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o
+rm junk.tmp
+dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def
+rm base.tmp
+gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp
+rm temp.exp
diff --git a/app/openvpn/sample/sample-plugins/simple/README b/app/openvpn/sample/sample-plugins/simple/README
new file mode 100644
index 00000000..4400cd30
--- /dev/null
+++ b/app/openvpn/sample/sample-plugins/simple/README
@@ -0,0 +1,16 @@
+OpenVPN plugin examples.
+
+Examples provided:
+
+simple.c -- using the --auth-user-pass-verify callback, verify
+ that the username/password is "foo"/"bar".
+
+To build:
+
+ ./build simple (Linux/BSD/etc.)
+ ./winbuild simple (MinGW on Windows)
+
+To use in OpenVPN, add to config file:
+
+ plugin simple.so (Linux/BSD/etc.)
+ plugin simple.dll (MinGW on Windows)
diff --git a/app/openvpn/sample/sample-plugins/simple/simple.c b/app/openvpn/sample/sample-plugins/simple/simple.c
new file mode 100644
index 00000000..f26d89f6
--- /dev/null
+++ b/app/openvpn/sample/sample-plugins/simple/simple.c
@@ -0,0 +1,120 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This file implements a simple OpenVPN plugin module which
+ * will examine the username/password provided by a client,
+ * and make an accept/deny determination. Will run
+ * on Windows or *nix.
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "openvpn-plugin.h"
+
+/*
+ * Our context, where we keep our state.
+ */
+struct plugin_context {
+ const char *username;
+ const char *password;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+ {
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+ return cp + 1;
+ }
+ }
+ }
+ return NULL;
+}
+
+OPENVPN_EXPORT openvpn_plugin_handle_t
+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context;
+
+ /*
+ * Allocate our context
+ */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ /*
+ * Set the username/password we will require.
+ */
+ context->username = "foo";
+ context->password = "bar";
+
+ /*
+ * We are only interested in intercepting the
+ * --auth-user-pass-verify callback.
+ */
+ *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
+
+ return (openvpn_plugin_handle_t) context;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+
+ /* check entered username/password against what we require */
+ if (username && !strcmp (username, context->username)
+ && password && !strcmp (password, context->password))
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ free (context);
+}
diff --git a/app/openvpn/sample/sample-plugins/simple/simple.def b/app/openvpn/sample/sample-plugins/simple/simple.def
new file mode 100755
index 00000000..a87507d1
--- /dev/null
+++ b/app/openvpn/sample/sample-plugins/simple/simple.def
@@ -0,0 +1,6 @@
+LIBRARY OpenVPN_PLUGIN_SAMPLE
+DESCRIPTION "Sample OpenVPN plug-in module."
+EXPORTS
+ openvpn_plugin_open_v1 @1
+ openvpn_plugin_func_v1 @2
+ openvpn_plugin_close_v1 @3
diff --git a/app/openvpn/sample/sample-plugins/simple/winbuild b/app/openvpn/sample/sample-plugins/simple/winbuild
new file mode 100755
index 00000000..decf05f8
--- /dev/null
+++ b/app/openvpn/sample/sample-plugins/simple/winbuild
@@ -0,0 +1,18 @@
+#
+# Build an OpenVPN plugin module on Windows/MinGW.
+# The argument should be the base name of the C source file
+# (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+INCLUDE="-I../../../include"
+
+CC_FLAGS="-O2 -Wall"
+
+gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c
+gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o
+rm junk.tmp
+dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def
+rm base.tmp
+gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp
+rm temp.exp
diff --git a/app/openvpn/sample/sample-scripts/auth-pam.pl b/app/openvpn/sample/sample-scripts/auth-pam.pl
new file mode 100755
index 00000000..5333badc
--- /dev/null
+++ b/app/openvpn/sample/sample-scripts/auth-pam.pl
@@ -0,0 +1,97 @@
+#!/usr/bin/perl -t
+
+# OpenVPN PAM AUTHENTICATON
+# This script can be used to add PAM-based authentication
+# to OpenVPN 2.0. The OpenVPN client must provide
+# a username/password, using the --auth-user-pass directive.
+# The OpenVPN server should specify --auth-user-pass-verify
+# with this script as the argument and the 'via-file' method
+# specified. The server can also optionally specify
+# --client-cert-not-required and/or --username-as-common-name.
+
+# SCRIPT OPERATION
+# Return success or failure status based on whether or not a
+# given username/password authenticates using PAM.
+# Caller should write username/password as two lines in a file
+# which is passed to this script as a command line argument.
+
+# CAVEATS
+# * Requires Authen::PAM module, which may also
+# require the pam-devel package.
+# * May need to be run as root in order to
+# access username/password file.
+
+# NOTES
+# * This script is provided mostly as a demonstration of the
+# --auth-user-pass-verify script capability in OpenVPN.
+# For real world usage, see the auth-pam module in the plugin
+# folder.
+
+use Authen::PAM;
+use POSIX;
+
+# This "conversation function" will pass
+# $password to PAM when it asks for it.
+
+sub my_conv_func {
+ my @res;
+ while ( @_ ) {
+ my $code = shift;
+ my $msg = shift;
+ my $ans = "";
+
+ $ans = $password if $msg =~ /[Pp]assword/;
+
+ push @res, (PAM_SUCCESS(),$ans);
+ }
+ push @res, PAM_SUCCESS();
+ return @res;
+}
+
+# Identify service type to PAM
+$service = "login";
+
+# Get username/password from file
+
+if ($ARG = shift @ARGV) {
+ if (!open (UPFILE, "<$ARG")) {
+ print "Could not open username/password file: $ARG\n";
+ exit 1;
+ }
+} else {
+ print "No username/password file specified on command line\n";
+ exit 1;
+}
+
+$username = <UPFILE>;
+$password = <UPFILE>;
+
+if (!$username || !$password) {
+ print "Username/password not found in file: $ARG\n";
+ exit 1;
+}
+
+chomp $username;
+chomp $password;
+
+close (UPFILE);
+
+# Initialize PAM object
+
+if (!ref($pamh = new Authen::PAM($service, $username, \&my_conv_func))) {
+ print "Authen::PAM init failed\n";
+ exit 1;
+}
+
+# Authenticate with PAM
+
+$res = $pamh->pam_authenticate;
+
+# Return success or failure
+
+if ($res == PAM_SUCCESS()) {
+ exit 0;
+} else {
+ print "Auth '$username' failed, PAM said: ", $pamh->pam_strerror($res), "\n";
+ exit 1;
+}
diff --git a/app/openvpn/sample/sample-scripts/bridge-start b/app/openvpn/sample/sample-scripts/bridge-start
new file mode 100755
index 00000000..d20a2603
--- /dev/null
+++ b/app/openvpn/sample/sample-scripts/bridge-start
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+#################################
+# Set up Ethernet bridge on Linux
+# Requires: bridge-utils
+#################################
+
+# Define Bridge Interface
+br="br0"
+
+# Define list of TAP interfaces to be bridged,
+# for example tap="tap0 tap1 tap2".
+tap="tap0"
+
+# Define physical ethernet interface to be bridged
+# with TAP interface(s) above.
+eth="eth0"
+eth_ip="192.168.8.4"
+eth_netmask="255.255.255.0"
+eth_broadcast="192.168.8.255"
+
+for t in $tap; do
+ openvpn --mktun --dev $t
+done
+
+brctl addbr $br
+brctl addif $br $eth
+
+for t in $tap; do
+ brctl addif $br $t
+done
+
+for t in $tap; do
+ ifconfig $t 0.0.0.0 promisc up
+done
+
+ifconfig $eth 0.0.0.0 promisc up
+
+ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
diff --git a/app/openvpn/sample/sample-scripts/bridge-stop b/app/openvpn/sample/sample-scripts/bridge-stop
new file mode 100755
index 00000000..81927794
--- /dev/null
+++ b/app/openvpn/sample/sample-scripts/bridge-stop
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+####################################
+# Tear Down Ethernet bridge on Linux
+####################################
+
+# Define Bridge Interface
+br="br0"
+
+# Define list of TAP interfaces to be bridged together
+tap="tap0"
+
+ifconfig $br down
+brctl delbr $br
+
+for t in $tap; do
+ openvpn --rmtun --dev $t
+done
diff --git a/app/openvpn/sample/sample-scripts/ucn.pl b/app/openvpn/sample/sample-scripts/ucn.pl
new file mode 100755
index 00000000..6d708f82
--- /dev/null
+++ b/app/openvpn/sample/sample-scripts/ucn.pl
@@ -0,0 +1,11 @@
+#!/usr/bin/perl -t
+
+# OpenVPN --auth-user-pass-verify script.
+# Only authenticate if username equals common_name.
+# In OpenVPN config file:
+# auth-user-pass-verify ./ucn.pl via-env
+
+$username = $ENV{'username'};
+$common_name = $ENV{'common_name'};
+
+exit !(length($username) > 0 && length($common_name) > 0 && $username eq $common_name);
diff --git a/app/openvpn/sample/sample-scripts/verify-cn b/app/openvpn/sample/sample-scripts/verify-cn
new file mode 100755
index 00000000..6e747ef1
--- /dev/null
+++ b/app/openvpn/sample/sample-scripts/verify-cn
@@ -0,0 +1,64 @@
+#!/usr/bin/perl
+
+# verify-cn -- a sample OpenVPN tls-verify script
+#
+# Return 0 if cn matches the common name component of
+# subject, 1 otherwise.
+#
+# For example in OpenVPN, you could use the directive:
+#
+# tls-verify "./verify-cn /etc/openvpn/allowed_clients"
+#
+# This would cause the connection to be dropped unless
+# the client common name is listed on a line in the
+# allowed_clients file.
+
+die "usage: verify-cn cnfile certificate_depth subject" if (@ARGV != 3);
+
+# Parse out arguments:
+# cnfile -- The file containing the list of common names, one per
+# line, which the client is required to have,
+# taken from the argument to the tls-verify directive
+# in the OpenVPN config file.
+# The file can have blank lines and comment lines that begin
+# with the # character.
+# depth -- The current certificate chain depth. In a typical
+# bi-level chain, the root certificate will be at level
+# 1 and the client certificate will be at level 0.
+# This script will be called separately for each level.
+# x509 -- the X509 subject string as extracted by OpenVPN from
+# the client's provided certificate.
+($cnfile, $depth, $x509) = @ARGV;
+
+if ($depth == 0) {
+ # If depth is zero, we know that this is the final
+ # certificate in the chain (i.e. the client certificate),
+ # and the one we are interested in examining.
+ # If so, parse out the common name substring in
+ # the X509 subject string.
+
+ if ($x509 =~ / CN=([^,]+)/) {
+ $cn = $1;
+ # Accept the connection if the X509 common name
+ # string matches the passed cn argument.
+ open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
+ while (defined($line = <FH>)) {
+ if ($line !~ /^[[:space:]]*(#|$)/o) {
+ chop($line);
+ if ($line eq $cn) {
+ exit 0;
+ }
+ }
+ }
+ close(FH);
+ }
+
+ # Authentication failed -- Either we could not parse
+ # the X509 subject string, or the common name in the
+ # subject string didn't match the passed cn argument.
+ exit 1;
+}
+
+# If depth is nonzero, tell OpenVPN to continue processing
+# the certificate chain.
+exit 0;
diff --git a/app/openvpn/sample/sample-windows/sample.ovpn b/app/openvpn/sample/sample-windows/sample.ovpn
new file mode 100755
index 00000000..5accd573
--- /dev/null
+++ b/app/openvpn/sample/sample-windows/sample.ovpn
@@ -0,0 +1,103 @@
+# Edit this file, and save to a .ovpn extension
+# so that OpenVPN will activate it when run
+# as a service.
+
+# Change 'myremote' to be your remote host,
+# or comment out to enter a listening
+# server mode.
+remote myremote
+
+# Uncomment this line to use a different
+# port number than the default of 1194.
+; port 1194
+
+# Choose one of three protocols supported by
+# OpenVPN. If left commented out, defaults
+# to udp.
+; proto [tcp-server | tcp-client | udp]
+
+# You must specify one of two possible network
+# protocols, 'dev tap' or 'dev tun' to be used
+# on both sides of the connection. 'tap' creates
+# a VPN using the ethernet protocol while 'tun'
+# uses the IP protocol. You must use 'tap'
+# if you are ethernet bridging or want to route
+# broadcasts. 'tun' is somewhat more efficient
+# but requires configuration of client software
+# to not depend on broadcasts. Some platforms
+# such as Solaris, OpenBSD, and Mac OS X only
+# support 'tun' interfaces, so if you are
+# connecting to such a platform, you must also
+# use a 'tun' interface on the Windows side.
+
+# Enable 'dev tap' or 'dev tun' but not both!
+dev tap
+
+# This is a 'dev tap' ifconfig that creates
+# a virtual ethernet subnet.
+# 10.3.0.1 is the local VPN IP address
+# and 255.255.255.0 is the VPN subnet.
+# Only define this option for 'dev tap'.
+ifconfig 10.3.0.1 255.255.255.0
+
+# This is a 'dev tun' ifconfig that creates
+# a point-to-point IP link.
+# 10.3.0.1 is the local VPN IP address and
+# 10.3.0.2 is the remote VPN IP address.
+# Only define this option for 'dev tun'.
+# Make sure to include the "tun-mtu" option
+# on the remote machine, but swap the order
+# of the ifconfig addresses.
+;tun-mtu 1500
+;ifconfig 10.3.0.1 10.3.0.2
+
+# If you have fragmentation issues or misconfigured
+# routers in the path which block Path MTU discovery,
+# lower the TCP MSS and internally fragment non-TCP
+# protocols.
+;fragment 1300
+;mssfix
+
+# If you have set up more than one TAP-Win32 adapter
+# on your system, you must refer to it by name.
+;dev-node my-tap
+
+# You can generate a static OpenVPN key
+# by selecting the Generate Key option
+# in the start menu.
+#
+# You can also generate key.txt manually
+# with the following command:
+# openvpn --genkey --secret key.txt
+#
+# key must match on both ends of the connection,
+# so you should generate it on one machine and
+# copy it to the other over a secure medium.
+# Place key.txt in the same directory as this
+# config file.
+secret key.txt
+
+# Uncomment this section for a more reliable
+# detection when a system loses its connection.
+# For example, dial-ups or laptops that travel
+# to other locations.
+#
+# If this section is enabled and "myremote"
+# above is a dynamic DNS name (i.e. dyndns.org),
+# OpenVPN will dynamically "follow" the IP
+# address of "myremote" if it changes.
+; ping-restart 60
+; ping-timer-rem
+; persist-tun
+; persist-key
+; resolv-retry 86400
+
+# keep-alive ping
+ping 10
+
+# enable LZO compression
+comp-lzo
+
+# moderate verbosity
+verb 4
+mute 10