{
  "service_type": "user_service",
  "x509": {
    "use": true,
    "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
    "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap cert dh`'"
  },
  "location": null,
  "openvpn": {
    "gateway_address": "REQUIRED",
    "second_gateway_address": "= openvpn.allow_limited && openvpn.allow_unlimited ? 'REQUIRED' : nil",
    "ports": ["80", "443", "53", "1194"],
    "protocols": ["tcp", "udp"],
    "filter_dns": false,
    "adblock": false,
    "user_ips": false,
    "allow_limited": "= provider.service.allow_limited_bandwidth",
    "allow_unlimited": "= provider.service.allow_unlimited_bandwidth",
    "limited_prefix": "= provider.ca.client_certificates.limited_prefix",
    "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix",
    "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil",
    "configuration": {
      "tls-cipher": "DHE-RSA-AES128-SHA",
      "auth": "SHA1",
      "cipher": "AES-128-CBC",
      "keepalive": "10 30",
      "tun-ipv6": true,
      "fragment": 1500
    }
  },
  "obfsproxy": {
    "scramblesuit": {
      "password": "= base32_secret('scramblesuit_password_'+name)",
      "port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)"
    },
    "gateway_address": "= openvpn.gateway_address"
  },
  "firewall": {
    "vpn": {
      "from": "*",
      "to": "= openvpn.gateway_address",
      "port": "= openvpn.ports + [obfsproxy.scramblesuit.port]"
    }
  }
}