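===== Simple configuration =====

=== Server side ===

port 1011
proto udp
dev tun1
daemon
writepid /var/run/openvpn.pid
ca /etc/openvpn/certs/ca.pem
cert /etc/openvpn/certs/cert.pem
key /etc/openvpn/certs/.key
dh /etc/openvpn/certs/dh1024.pem
server 192.168.240.8 255.255.255.248
client-config-dir /etc/openvpn/ccd
ccd-exclusive
push "route 10.10.50.32 255.255.255.224"
client-to-client
keepalive 10 120
comp-lzo
tls-auth /etc/openvpn/certs/ta.key 0 # This file is secret
cipher AES-256-CBC
max-clients 5
user nobody
group nogroup
persist-key
persist-tun
log /var/log/openvpn/vpn.log
status /var/log/openvpn/vpn.status
verb 4
mute 10

# To create the dh512.pem or dh1024.pem:
# (512- and 1024-bit DH parameters are considered too weak today;
#  prefer 2048 bits or more and adjust the "dh" line above accordingly.)
% # openssl gendh -rand rand.dat -out dh1024.pem
% openssl dhparam -check -text -5 512 -out dh512.pem
% openssl dhparam -check -text -5 1024 -out dh1024.pem

===== authenticate OpenVPN users against a plain text file =====

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
# Lines starting with ';' or '#' are ignored.
#
# The credentials are read from the environment variables
# "username" and "password"; this script does not set them
# itself, so confirm that the OpenVPN side exports them.
#
# NOTE: the passwords are stored in clear text, so restrict
# the permissions of PASSFILE to the account that runs this script.
#
# Exit status: 0 when the password matches, 1 otherwise.
# Every decision is appended to LOG_FILE; the submitted password
# is never written there.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# Hand the username to awk with -v instead of splicing it into the
# program text, so a name containing quotes cannot change the program.
CORRECT_PASSWORD=$(awk -v user="${username}" '!/^;/&&!/^#/&&$1==user{print $2;exit}' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Log only the username: the submitted password is a secret.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1

===== OpenSSL / SSL stuff =====

**Generate individual certs out of a .p12 cert**

openssl pkcs12 -nocerts -in default.p12 -out userkey.pem
openssl pkcs12 -nokeys -clcerts -in default.p12 -out usercert.pem
openssl pkcs12 -nokeys -cacerts -in default.p12 -out userca.pem

==== change PKCS12 password using OpenSSL ====

FIXME - **not tested!**

openssl pkcs12 -in old.p12 | openssl pkcs12 -export -out new.p12

Then, you should type in:
- Old import password
- PEM password
- PEM password again
- PEM password again twice
- New export password

FIXME - alternative way

#!/bin/bash
# Split a PKCS#12 file ($1) into key / cert / CA PEM files in the
# current directory and repack them into a new PKCS#12 file ($2).
# userkey.pem holds the private key material, so run this in a
# private directory and remove the intermediate PEM files afterwards.
set -e

if [ "$#" -ne 2 ]; then
  echo "Usage: ${0##*/} old.p12 new.p12" >&2
  exit 2
fi

echo Exporting private KEY
openssl pkcs12 -nocerts -in "$1" -out userkey.pem
echo Exporting public cert
openssl pkcs12 -nokeys -clcerts -in "$1" -out usercert.pem
echo Exporting CA Cert
openssl pkcs12 -nokeys -cacerts -in "$1" -out userca.pem
echo Creating new PKCS12 cert
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -certfile userca.pem -name "FOOBAR" -out "$2"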