author Patrick J Volkerding <volkerdi@slackware.com>2018-05-25 23:29:36 +0000
committer Eric Hameleers <alien@slackware.com>2018-06-01 00:36:01 +0200
commit39366733c3fe943363566756e2e152c45a1b3cb2 (patch)
tree228b0735896af90ca78151c9a69aa3efd12c8cae /patches/source/openvpn
parentd31c50870d0bee042ce660e445c9294a59a3a65b (diff)
Fri May 25 23:29:36 UTC 201814.2
patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.2.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific.
Diffstat (limited to 'patches/source/openvpn')
-rw-r--r--patches/source/openvpn/README26
-rw-r--r--patches/source/openvpn/doinst.sh25
-rwxr-xr-xpatches/source/openvpn/openvpn.SlackBuild169
-rw-r--r--patches/source/openvpn/openvpn.url2
-rw-r--r--patches/source/openvpn/rc.openvpn111
-rw-r--r--patches/source/openvpn/slack-desc19
-rw-r--r--patches/source/openvpn/slackware.conf178
7 files changed, 530 insertions, 0 deletions
diff --git a/patches/source/openvpn/README b/patches/source/openvpn/README
new file mode 100644
index 000000000..cf2c6602f
--- /dev/null
+++ b/patches/source/openvpn/README
@@ -0,0 +1,26 @@
+OpenVPN is a full-featured SSL VPN which can accomodate a wide
+range of configurations, including remote access, site-to-site VPNs,
+WiFi security, and enterprise-scale remote access with load
+balancing, failover, and fine-grained access-controls.
+
+OpenVPN implements OSI layer 2 or 3 secure network extension using the
+industry standard SSL/TLS protocol, supports flexible client
+authentication methods based on certificates, smart cards, and/or
+2-factor authentication, and allows user or group-specific access
+control policies using firewall rules applied to the VPN virtual
+interface.
+
+This build of OpenVPN depends upon having openssl (not just
+openssl-solibs) and lzo installed on your computer.
+
+Please note that there is no default config file for OpenVPN. This is
+by design. OpenVPN can technically use any config file in any location.
+However, this script does create an /etc/openvpn/ directory with certs/
+and keys/ subdirectories. Feel free to place config files, keys, and
+certificates in these directories. certs/ and keys/ are owned by user
+root and group nobody and are not world readable nor writable.
+Additionally, they are not writable by group nobody. It is recommended
+that you run openvpn nobody:nobody, but you may use another
+non-privilaged user and group at your option. Just change the
+permissions on these permissions to reflect that if you do.
+
diff --git a/patches/source/openvpn/doinst.sh b/patches/source/openvpn/doinst.sh
new file mode 100644
index 000000000..4b9b133a9
--- /dev/null
+++ b/patches/source/openvpn/doinst.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname ${NEW})/$(basename ${NEW} .new)"
+ if [ -e ${OLD} ]; then
+ cp -a ${OLD} ${NEW}.incoming
+ cat ${NEW} > ${NEW}.incoming
+ mv ${NEW}.incoming ${NEW}
+ fi
+ config ${NEW}
+}
+
+preserve_perms etc/rc.d/rc.openvpn.new
+
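Review bot: `config()` and `preserve_perms()` are written in two different dialects — the first uses backticks and unquoted `$OLD`/`$NEW`, the second `$(...)` and `${...}`. The paths here are fixed package paths, so this is style rather than a live bug, but bringing `config()` in line (`OLD="$(dirname "$NEW")/$(basename "$NEW" .new)"`, `if [ ! -r "$OLD" ]; then`, `rm "$NEW"`) keeps the file consistent and ShellCheck-clean. A one-line comment above the `preserve_perms etc/rc.d/rc.openvpn.new` call noting that the script presumably runs from the install root, which is why the path is relative, would help readers unfamiliar with installpkg.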
diff --git a/patches/source/openvpn/openvpn.SlackBuild b/patches/source/openvpn/openvpn.SlackBuild
new file mode 100755
index 000000000..91e67fd77
--- /dev/null
+++ b/patches/source/openvpn/openvpn.SlackBuild
@@ -0,0 +1,169 @@
+#!/bin/bash
+
+# Copyright 2006, Alan Hicks, Lizella, GA
+# Copyright 2008, 2009, 2010, 2011, 2013, 2016, 2018 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+PKGNAM=openvpn
+VERSION=${VERSION:-$(echo $PKGNAM-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-1_slack14.2}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i586 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+ exit 0
+fi
+
+NUMJOBS=${NUMJOBS:-" -j7 "}
+
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-$PKGNAM
+
+rm -rf $PKG
+mkdir -p $TMP $PKG
+cd $TMP
+rm -rf $PKGNAM-$VERSION
+tar xvf $CWD/$PKGNAM-$VERSION.tar.xz || exit 1
+cd $PKGNAM-$VERSION || exit 1
+
+# Fix ownership and permissions inside the source tarball.
+# It's appalling how many projects have 777 permissions or
+# even suid, sgid, and sticky bits set on things.
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc/openvpn \
+ --localstatedir=/var \
+ --mandir=/usr/man \
+ --docdir=/usr/doc/openvpn-${VERSION} \
+ --enable-lzo \
+ --enable-iproute2 \
+ --disable-plugin-auth-pam \
+ --build=$ARCH-slackware-linux || exit 1
+
+make $NUMJOBS || make || exit 1
+make install-strip DESTDIR=$PKG || exit 1
+
+# Create a decent config directory. openvpn doesn't have one by
+# default, nor does it have a single config file.
+mkdir -p $PKG/etc/openvpn/{certs,keys}
+chown root:nobody $PKG/etc/openvpn/{certs,keys}
+chmod 750 $PKG/etc/openvpn/{certs,keys}
+
+# Install a startup script:
+mkdir -p $PKG/etc/rc.d
+cp -a $CWD/rc.openvpn $PKG/etc/rc.d/rc.openvpn.new
+chmod 644 $PKG/etc/rc.d/rc.openvpn.new
+chown root:root $PKG/etc/rc.d/rc.openvpn.new
+
+# Let folks know about the other configs, if they haven't found them.
+# They might even find the documentation there useful. ;-)
+cat << EOF > $PKG/etc/openvpn/README.TXT
+One or more OpenVPN config files should be installed in this directory
+as files ending in ".conf" (i.e. client.conf, server.conf, etc.).
+
+Have a look in sample-config-files for some more examples of how to
+configure OpenVPN.
+
+To start OpenVPN, use this command as root:
+sh /etc/rc.d/rc.openvpn start
+
+To make OpenVPN start automatically at boot, change the script permissions:
+chmod 755 /etc/rc.d/rc.openvpn
+
+See "man openvpn" and the other docs for more information.
+EOF
+
+# Add a link, too:
+( cd $PKG/etc/openvpn
+ ln -sf /usr/doc/$PKGNAM-$VERSION/sample-config-files .
+)
+
+if [ -d $PKG/usr/man ]; then
+( cd $PKG/usr/man
+ find . -type f -exec gzip -9 {} \;
+ for i in $(find . -type l) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+)
+fi
+
+mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
+cp -a AUTHORS COPYING* COPYRIGHT* INSTALL* \
+ NEWS PORTS README* sample/sample-config-files sample/sample-keys sample/sample-scripts \
+ $PKG/usr/doc/$PKGNAM-$VERSION
+
+# Install a reasonably generic sample config file:
+# (put this in with the other samples)
+mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION/sample-config-files
+cp -a $CWD/slackware.conf $PKG/usr/doc/$PKGNAM-$VERSION/sample-config-files
+chown root:root $PKG/usr/doc/$PKGNAM-$VERSION/sample-config-files/slackware.conf
+chmod 644 $PKG/usr/doc/$PKGNAM-$VERSION/sample-config-files/slackware.conf
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
+ cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+ touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+mkdir -p $PKG/install
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD.txz
+
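Review bot: The source is unpacked at `tar xvf $CWD/$PKGNAM-$VERSION.tar.xz || exit 1` with no check against the detached signature that openvpn.url fetches next to it (`openvpn-2.4.6.tar.xz.asc`), so a swapped archive in $CWD would build without complaint. If the signature is verified by hand before running the script, a comment saying so above the tar line would make that explicit; otherwise add `gpg --verify $CWD/$PKGNAM-$VERSION.tar.xz.asc $CWD/$PKGNAM-$VERSION.tar.xz || exit 1` ahead of the extraction, which needs the OpenVPN release key in the builder's keyring. `--disable-plugin-auth-pam` also deserves a one-line comment, since it presumably drops the PAM username/password plugin that some deployments rely on.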
diff --git a/patches/source/openvpn/openvpn.url b/patches/source/openvpn/openvpn.url
new file mode 100644
index 000000000..4c476d874
--- /dev/null
+++ b/patches/source/openvpn/openvpn.url
@@ -0,0 +1,2 @@
+https://swupdate.openvpn.org/community/releases/openvpn-2.4.6.tar.xz
+https://swupdate.openvpn.org/community/releases/openvpn-2.4.6.tar.xz.asc
diff --git a/patches/source/openvpn/rc.openvpn b/patches/source/openvpn/rc.openvpn
new file mode 100644
index 000000000..86f319225
--- /dev/null
+++ b/patches/source/openvpn/rc.openvpn
@@ -0,0 +1,111 @@
+#!/bin/sh
+#
+# /etc/rc.d/rc.openvpn
+#
+# Start/stop/restart the openvpn daemon.
+#
+# By default, this script will start/stop/restart a daemon for every *.conf
+# file found in /etc/openvpn.
+#
+# To work with a single connection, add the name of the config file:
+# /etc/rc.d/rc.openvpn start configfile.conf
+#
+# You may also use a config file not found in /etc/openvpn by providing a
+# complete path:
+# /etc/rc.d/rc.openvpn start /path/to/some/other/configfile.conf
+#
+# The name of a config file provided with a complete path should not match
+# the name of any config file present in the /etc/openvpn directory.
+
+ovpn_start() {
+ if [ -x /usr/sbin/openvpn ]; then
+ if [ -z "$1" ]; then # start OpenVPN for all config files:
+ if /bin/ls /etc/openvpn/*.conf 1> /dev/null 2> /dev/null ; then
+ for config in /etc/openvpn/*.conf ; do
+ echo "Starting OpenVPN: /usr/sbin/openvpn --daemon --writepid /run/openvpn/$(basename $config).pid --user nobody --group nobody --config $config"
+ /usr/sbin/openvpn --daemon --writepid /run/openvpn/$(basename $config).pid --user nobody --group nobody --config $config
+ done
+ else
+ echo "Unable to start OpenVPN - no .conf files found in /etc/openvpn/."
+ fi
+ else # start OpenVPN for one config file:
+ if [ -r "$1" ]; then
+ echo "Starting OpenVPN: /usr/sbin/openvpn --daemon --writepid /run/openvpn/$(basename $1).pid --user nobody --group nobody --config $1"
+ /usr/sbin/openvpn --daemon --writepid /run/openvpn/$(basename $1).pid --user nobody --group nobody --config $1
+ else # config file is missing:
+ echo "Error starting OpenVPN: config file $1 is missing."
+ fi
+ fi
+ fi
+}
+
+ovpn_stop() {
+ # Note: OpenVPN has a bad habit of leaving stale pid files around when exiting.
+ # Maybe it would be better to just use killall unless called for one config?
+ if [ -z "$1" ]; then # stop OpenVPN for all pid files:
+ if /bin/ls /run/openvpn/*.pid 1> /dev/null 2> /dev/null ; then
+ for pid in /run/openvpn/*.pid ; do
+ echo "Stopping OpenVPN for pid file $pid..."
+ kill $(cat $pid)
+ rm -f $pid
+ done
+ else
+ echo "Warning: no pid files found in /run/openvpn/. Using killall to stop any OpenVPN processes."
+ killall openvpn
+ fi
+ else # stop OpenVPN for one config file:
+ if [ -r /run/openvpn/$(basename ${1}).pid ]; then
+ echo "Stopping OpenVPN for config file ${1}..."
+ kill $(cat /run/openvpn/$(basename ${1}).pid)
+ rm -f /run/openvpn/$(basename ${1}).pid
+ else
+ echo "Error stopping OpenVPN: no such pid file /run/openvpn/$(basename ${1}).pid"
+ fi
+ fi
+}
+
+ovpn_restart() {
+ if [ ! -z "$1" ]; then # restart for all config files:
+ ovpn_stop
+ sleep 2
+ ovpn_start
+ else # restart for one config file only:
+ ovpn_stop $1
+ sleep 2
+ ovpn_start $1
+ fi
+}
+
+ovpn_status() {
+ if /bin/ls /run/openvpn/*.pid 1> /dev/null 2> /dev/null ; then
+ echo "Currently running OpenVPN processes according to .pid files in /run/openvpn:"
+ for pid in /run/openvpn/*.pid ; do
+ echo " $(basename $pid) ($(cat $pid))"
+ done
+ else
+ echo "No .pid files found in /run/openvpn."
+ fi
+}
+
+# Create PID directory if it doesn't exist:
+if [ ! -d /run/openvpn ]; then
+ mkdir -p /run/openvpn
+fi
+
+case "$1" in
+'start')
+ ovpn_start $2
+ ;;
+'stop')
+ ovpn_stop $2
+ ;;
+'restart')
+ ovpn_restart $2
+ ;;
+'status')
+ ovpn_status
+ ;;
+*)
+ echo "Usage: $0 {start|stop|restart}"
+esac
+
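Review bot: `ovpn_restart` has its condition inverted: `if [ ! -z "$1" ]` takes the "restart for all config files" branch exactly when a config name was given, so `rc.openvpn restart foo.conf` stops and restarts every tunnel and then calls `ovpn_start` with no argument. It should read `if [ -z "$1" ]; then # restart for all config files:` so the other branch handles the single-config case as the comments intend. Separately, `kill $(cat $pid)` trusts whatever number is in the pid file; given the comment above about stale pid files, a `kill -0` check or a look at `/proc/<pid>/comm` before signalling would avoid hitting an unrelated process that reused the PID. The usage line at the end also omits `status`, which the case statement accepts.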
diff --git a/patches/source/openvpn/slack-desc b/patches/source/openvpn/slack-desc
new file mode 100644
index 000000000..7ffd6167d
--- /dev/null
+++ b/patches/source/openvpn/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+openvpn: openvpn (secure IP tunnel daemon)
+openvpn:
+openvpn: OpenVPN is a full-featured SSL VPN which can accommodate a wide range
+openvpn: of configurations, including remote access, site-to-site VPNs, WiFi
+openvpn: security, and enterprise-scale remote access with load balancing,
+openvpn: failover, and fine-grained access-controls.
+openvpn:
+openvpn: OpenVPN's home on the net is: http://openvpn.net
+openvpn:
+openvpn:
+openvpn:
diff --git a/patches/source/openvpn/slackware.conf b/patches/source/openvpn/slackware.conf
new file mode 100644
index 000000000..4314b5441
--- /dev/null
+++ b/patches/source/openvpn/slackware.conf
@@ -0,0 +1,178 @@
+# openvpn.conf.sample
+#
+# This is a sample configuration file for OpenVPN.
+# Not all options are listed here; you can find good documentation
+# about all of the options in OpenVPN's manual page - openvpn(8).
+#
+# You can make a P-t-P connection by creating a shared key,
+# copying this key to other hosts in your network, and changing
+# the IP addresses in this file.
+#
+# Commented options are provided for some typical configurations
+
+# Change the "search" path to /etc/openvpn
+# All files referenced in this configuration will be relative to
+# whatever directory is specified here - we default to /etc/openvpn
+cd /etc/openvpn
+
+# If running as a server, which local IP address should OpenVPN
+# listen on? Specify this as either a hostname or IP address. If
+# this is left blank, OpenVPN will default to listening on all
+# interfaces.
+#local a.b.c.d
+
+# This option defines the IP or DNS name of the other side of your VPN
+# connection. This option is needed if you are making client or P-t-P
+# connections. If you are the server, use "local" instead. This may
+# be specified as a domain name or IP address.
+#remote vpn.server.org
+
+# This option defins the protocol to use. Valid options are:
+# udp, tcp-server, or tcp-client. Default is udp, and generally
+# speaking, tcp is a bad idea.
+proto udp
+
+# This option defines the port on which your server will be listening
+# or trying to connect. The default is 1194
+port 1194
+
+# This option defines whether to use LZO compression.
+# If enabled, it must be enabled at both ends of the VPN connection.
+#comp-lzo
+
+# Debug level (default 1)
+#verb 3
+
+# VPN logfile location
+# If you don't specify a location here, logging will be done through
+# syslogd and write to /var/log/messages
+log-append /var/log/openvpn.log
+
+# If you want to use OpenVPN as a daemon, uncomment this line.
+# Generally speaking, servers should run OpenVPN as a daemon
+# and clients should not.
+#daemon
+
+# Device type to use, you can choose between tun or tap.
+# TUN is the most common option. If you have multiple connections,
+# it is a good idea to bind each connection to a separate TUN/TAP
+# interface using tunX/tapX, where X is the number of each interface.
+dev tun
+
+# This option prevents OpenVPN from closing and re-opening the tun/tap
+# device every time it receives a SIGUSR1 signal
+#persist-tun
+
+# This is similar to the previous option, but it prevents OpenVPN from
+# re-reading the key files every time
+#persist-key
+
+# If you are using a client-server architecture, you need to specify the
+# role of your computer in your VPN network. To use one of these options,
+# you need to configure TLS options too.
+#
+# To use the "server" option, you must specify a network subnet such
+# as 172.16.1.0 255.255.255.0. The first number is the network, the
+# second is the netmask. OpenVPN will take the first available IP
+# for itself (in our example, 172.16.1.1) and the rest will be
+# given to connecting clients dynamically.
+#
+# Leave these commented out if you are using OpenVPN in bridging mode.
+#
+#server 10.1.2.0 255.255.255.0
+#client
+
+# This option defines a file with IP address to client mapping.
+# This is useful in general, and necessary if clients use persist-tun.
+#ifconfig-pool-persist ips.txt
+
+# Enable this option if you want clients connected to this VPN to be
+# able to talk directly to each other
+#client-to-client
+
+# This option defines the directory in which configuration files for clients
+# will reside. With individual files you can make each client get different
+# options using "push" parameters
+#client-config-dir ccd
+
+# If you are using P-t-P, you need to specify the IP addresses at both ends
+# of your VPN connection. The IP addresses are reversed at the other side.
+#
+# You can use this to specify client IP addresses in ccd files (on server)
+# or directly in client configuration
+#ifconfig 10.1.2.1 10.1.2.2
+
+# You can set routes to specific networks. In the sample below, "vpn_gateway"
+# is an internal OpenVPN alias to your VPN gateway - leave it as is.
+# This will enable you to talk with the networks behind your VPN server.
+# Multiple routes can be specified.
+#
+# +------------+ <eth>-<tun> <tun>-<eth> +------------+
+# | Network1 |---| VPN1 |--[10.1.2.0/24]--| VPN2 |---| Network2 |
+# +------------+ +------+ +------+ +------------+
+# 192.168.0.0/24 192.168.2.0/24
+#
+# The sample below shows how VPN1 server can reach Network2
+#route 192.168.2.0 255.255.255.0 vpn_gateway
+
+# You can send clients many network configuration options using the
+# "push" directive and sending commands.
+# Multiple "push" directives can be used. You should only put global
+# "push" directives here. You can "push" different options to
+# different clients in per-client configuration files. See
+# "client-config-dir" above.
+#
+# Using the same network configuration that you see above, the route statment
+# here allows VPN2 to reach Network1
+#push "route-delay 2 600"
+#push "route 192.168.2.0 255.255.255.0 vpn_gateway"
+#push "persist-key"
+
+# This option sets the encryption algorithm to use in the VPN connection.
+# Available options are:
+# DES-CBC, RC2-CBC, DES-EDE-CBC, DES-EDE3-CBC,
+# DESX-CBC, BF-CBC, RC2-40-CBC, CAST5-CBC,
+# RC2-64-CBC, AES-128-CBC, AES-192-CBC and AES-256-CBC
+cipher BF-CBC
+
+# Shared Key Connection
+# ---------------------
+# Secret is one shared key between the hosts that want to connect through VPNs.
+# Without secret or TLS options, your data will not be encrypted.
+#
+# To generate an encryption key do:
+# openvpn --genkey --secret /etc/openvpn/keys/shared.key
+#
+# Do the above on one host and copy it to the others
+secret keys/shared.key
+
+# TLS Connections
+# ---------------
+# TLS must be used if you use option "server" or "client"
+# The basic idea there is: You have one Certificate Authority, and all
+# machines in your VPN network need to have individual certificates and
+# keys signed by Certificate Authority. This means each client can
+# have its own key, making it easier to revoke a key without copying
+# a shared secret key to every client.
+#
+# Inside the /usr/doc/openvpn-$VERSION documentation directory, you can
+# find "easy-rsa" scripts to make certificate and key management easier.
+
+# Certificate Authority file
+# This file must be identical on all hosts that connect to your VPN
+#ca certs/ca.crt
+
+# If you are the server, you need to specify some Diffie Hellman parameters.
+# OpenVPN provides some sample .pem files in documentation directory
+#dh my-dh.pem
+
+# Certificate and Key signed by Certificate Authority
+# Each machine needs to have their own unique certificate
+#cert certs/machine.cert
+#key keys/machine.key
+
+# To prevent some DoS attacks we can add another authentication layer in the
+# TLS control channel. This needs to be enabled at both ends to work
+# client uses the value 1; server uses the value 0
+#tls-auth keys/shared.key 0
+
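Review bot: `cipher BF-CBC` selects a 64-bit-block cipher that is weak for long-lived tunnels (SWEET32-style attacks), and the cipher list in the comment (DES, RC2, CAST5, ...) predates the AES-GCM modes and cipher negotiation available as of the 2.4 series this build packages; the sample should read `cipher AES-256-CBC` with a note that 2.4 TLS-mode peers negotiate AES-GCM via `ncp-ciphers` by default. The TLS section points `tls-auth keys/shared.key 0` at the same file used by `secret keys/shared.key`, which presumably should be a separate key (e.g. `keys/ta.key`) so the static-key and TLS-auth roles are not conflated. Since rc.openvpn starts the daemon with `--user nobody --group nobody`, leaving `persist-key` and `persist-tun` commented out may leave a `ping-restart`/SIGUSR1 restart unable to reopen the tun device or re-read keys after the privilege drop; the comments on those two options should mention that interaction.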