Basic setup

Debian 5.0.4 (Lenny) is used as the server operating system (i386 DVD image: http://cdimage.debian.org/debian-cd/5.0.4/i386/iso-dvd/).
The server sits behind a router and is reachable from the Internet via DynDNS; the router forwards SSH (12345/TCP) and OpenVPN (1194/UDP) to it.

A minimal installation from DVD is performed; server name: gruppe1.test.xa

ip:

vi /etc/network/interfaces
  auto eth0
  iface eth0 inet static
    address 192.168.63.100
    netmask 255.255.255.0
    network 192.168.63.0
    broadcast 192.168.63.255
    gateway 192.168.63.5
/etc/init.d/networking restart

hostname:

vi /etc/hosts
  192.168.63.100	gruppe1.test.xa gruppe1
echo gruppe1.test.xa > /etc/hostname
/etc/init.d/hostname.sh start

ntp:

apt-get install ntp ntpdate

user:

useradd -m rudolf
useradd -m claussen
useradd -m pump
passwd rudolf
passwd claussen
passwd pump

SSH access:

apt-get install ssh openssh-server
vi /etc/ssh/sshd_config
  Port 12345
  PermitRootLogin no
/etc/init.d/ssh restart

SSH keys (per user):

ssh-keygen -t dsa
ssh-keygen -t rsa
cat ~/.ssh/id*.pub >~/.ssh/authorized_keys
The key pairs are generated on the server and the private key is then downloaded with pscp (below). Note that this leaves a copy of each private key on the server and sends it over the initial, password-authenticated session; the usual practice is to generate the pair on the client (PuTTYgen can do this) and copy only the public key into ~/.ssh/authorized_keys. The cat above overwrites authorized_keys rather than appending to it.

SSH clients:

PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

pscp.exe (download of the private key):
  pscp.exe -P 12345 claussen@kurs1599-gruppe1.dyndns.org:/home/claussen/.ssh/id_rsa C:\Daten_priv\id_rsa
PuTTYgen.exe (convert from OpenSSH format to PuTTY format):
  Load: C:\Daten_priv\id_rsa
  Save private key: C:\Daten_priv\id_rsa.ppk
PuTTY (set up the connection):
  Session - Host Name: kurs1599-gruppe1.dyndns.org
  Session - Port: 12345
  Connection - Data - Auto-login username: %username% (rudolf/claussen/pump)
  Connection - SSH - Auth - Private key file for authentication - Browse: C:\Daten_priv\id_rsa.ppk
  Session - Saved Sessions: OpenVPNServer
  Session - Save
  Open

Hardening the SSH service

vi /etc/ssh/sshd_config
  PermitRootLogin no
  AllowGroups rudolf claussen pump
  AllowUsers rudolf claussen pump
  ClientAliveInterval 15
  LoginGraceTime 10
  PubkeyAuthentication yes
  MaxAuthTries 3
  MaxStartups 1
  PrintLastLog yes
  TCPKeepAlive no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  RSAAuthentication no
  UsePAM no
/etc/init.d/ssh restart
Notes: TCPKeepAlive is the current name of the option (the deprecated spelling KeepAlive is still accepted). AllowGroups works with user names here only because useradd on Debian gives every user a private group of the same name. MaxStartups 1 allows a single unauthenticated connection at a time, so a second login attempt during another one's LoginGraceTime is refused. RSAAuthentication only concerns protocol 1, which Lenny's sshd does not enable by default. With password authentication off, keep the current session open after the restart and confirm a fresh key login from a second window before closing it.
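Before closing the session in which sshd was restarted, it is worth checking that the file really contains what was intended. The following is an added example, not part of the original page: a small sh/awk audit that reads an sshd_config and reports every setting that deviates from the hardened values above. It knows that KeepAlive and UsePam are accepted spellings of TCPKeepAlive and UsePAM. The two sample configs are constructed here (the "weak" one approximates the settings Debian ships); Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config against
# the hardened values used in the section above. Pure sh + awk, offline.
# Simplification: Match blocks are ignored; the first occurrence of a
# keyword wins, as in sshd.

# Option and required value, one per line. Canonical OpenSSH keyword names;
# the page's "KeepAlive"/"UsePam" are deprecated/case variants of these.
EXPECTED='
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
UsePAM no
TCPKeepAlive no
'

# sshd_get FILE KEYWORD: print the first value set for KEYWORD (keyword match
# is case-insensitive, "Key value" and "Key=value" both accepted). Prints
# nothing when the keyword is not set, i.e. the compiled-in default applies.
sshd_get() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || /^$/ { next }
        {
            split($0, f, "[ \t=]+")
            k = tolower(f[1])
            if (k == "keepalive") k = "tcpkeepalive"   # deprecated alias
            if (k == key) { print f[2]; exit }
        }' "$1"
}

# sshd_audit FILE: print one line per deviation from EXPECTED; return 0 only
# when the file matches every expected value.
sshd_audit() {
    cfg=$1
    bad=0
    while read -r opt want; do
        [ -n "$opt" ] || continue
        got=$(sshd_get "$cfg" "$opt" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            printf '%s: want %s, got %s\n' "$opt" "$want" "${got:-<unset, default applies>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$bad" -eq 0 ]
}

# Constructed samples. WEAK approximates the sshd_config Debian ships
# (root and password login allowed, PAM on); HARD is the section above.
WEAK=$(mktemp)
HARD=$(mktemp)
cat >"$WEAK" <<'EOF'
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
cat >"$HARD" <<'EOF'
Port 12345
PermitRootLogin no
AllowUsers rudolf claussen pump
ClientAliveInterval 15
LoginGraceTime 10
PubkeyAuthentication yes
MaxAuthTries 3
MaxStartups 1
PrintLastLog yes
KeepAlive no
PasswordAuthentication no
ChallengeResponseAuthentication no
RSAAuthentication no
UsePam no
EOF

echo "audit of $HARD:"
sshd_audit "$HARD" && echo "  hardened"
echo "audit of $WEAK:"
sshd_audit "$WEAK" || echo "  NOT hardened"
```

On the server, run sshd_audit /etc/ssh/sshd_config; a non-zero exit and the printed lines say what to fix. sshd -t still has the last word on syntax, and a key login from a second window has the last word on whether you can still get in.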

OpenVPN

OpenVPN server:

apt-get install openvpn
cp -av /usr/share/doc/openvpn/examples/ /etc/openvpn/
Create the master certificate and key (CA):
  vi /etc/openvpn/examples/easy-rsa/2.0/vars
  - export KEY_COUNTRY="DE"
  - export KEY_PROVINCE="HH"
  - export KEY_CITY="Hamburg"
  - export KEY_ORG="gruppe1"
  - export KEY_EMAIL="sven.claussen@fernuni-hagen.de"
  cd /etc/openvpn/examples/easy-rsa/2.0/
  source ./vars
  ./clean-all
  ./build-ca
Create the server certificate and key:
  ./build-key-server gruppe1
Create the client keys:
  ./build-key client11
  ./build-key client12
  ./build-key client13
Create the Diffie-Hellman parameters:
  ./build-dh
Note: vars leaves KEY_SIZE at its default of 1024, which is why the transcripts at the end show 1024-bit RSA keys and why the DH file is called dh1024.pem. For anything beyond a lab, set export KEY_SIZE=2048 in vars before ./build-ca; build-dh then writes dh2048.pem and the cp and dh lines below change accordingly. Every client gets its own certificate with a unique common name (client11, client12, client13), as the duplicate-cn comment in server.conf also points out. The CA key ca.key stays in the keys directory and is not copied anywhere else.
mkdir /etc/openvpn/keys
cp ./ca.crt /etc/openvpn/keys/ca.crt
cp ./gruppe1.crt /etc/openvpn/keys/gruppe1.crt
cp ./gruppe1.key /etc/openvpn/keys/gruppe1.key
cp ./dh1024.pem /etc/openvpn/keys/dh1024.pem
cp ./ca.crt /home/claussen/.ssh/ca.crt
cp ./client11.crt /home/claussen/.ssh/client11.crt
cp ./client11.key /home/claussen/.ssh/client11.key
chown claussen:claussen /home/claussen/.ssh/ca.crt
chown claussen:claussen /home/claussen/.ssh/client11.crt
chown claussen:claussen /home/claussen/.ssh/client11.key
cd /etc/openvpn/examples/sample-config-files
gunzip server.conf.gz
cp ./server.conf /etc/openvpn/server.conf
vi /etc/openvpn/server.conf (the paths point at the /etc/openvpn/keys/ directory filled above):
  - ca /etc/openvpn/keys/ca.crt
  - cert /etc/openvpn/keys/gruppe1.crt
  - key /etc/openvpn/keys/gruppe1.key
  - dh /etc/openvpn/keys/dh1024.pem
  - server 10.1.0.0 255.255.255.0
  - push "ping 110"
  - push "ping-restart 120"
  - client-to-client
  - user nobody
  - group nogroup
/etc/init.d/openvpn restart
Note: push takes a single, quoted argument; written as push ping 110 only the bare word ping is pushed. The sample file also keeps keepalive 10 120, which already pushes ping and ping-restart to every client, so the two push lines are redundant. The key files belong to root; with user nobody they are read once before the privilege drop, which is why persist-key and persist-tun must stay in the file.

OpenVPN-Clients:

OpenVPN client software (http://openvpn.net/index.php/open-source/downloads.html)

Configuration:
  Client11 (Sven Claussen; Windows XP):
    pscp.exe -P 12345 -i C:\Daten_priv\id_rsa.ppk claussen@kurs1599-gruppe1.dyndns.org:/home/claussen/.ssh/ca.crt C:\Daten_priv\ca.crt
    pscp.exe -P 12345 -i C:\Daten_priv\id_rsa.ppk claussen@kurs1599-gruppe1.dyndns.org:/home/claussen/.ssh/client11.crt C:\Daten_priv\client11.crt
    pscp.exe -P 12345 -i C:\Daten_priv\id_rsa.ppk claussen@kurs1599-gruppe1.dyndns.org:/home/claussen/.ssh/client11.key C:\Daten_priv\client11.key
    copy C:\Daten_priv\ca-bundle.txt + C:\Daten_priv\ca.crt C:\Daten_priv\ca-bundle.txt
    (appends the gruppe1 CA to the bundle of trusted CA certificates referenced by the ca line below; with only this one CA, ca C:\\Daten_priv\\ca.crt would do)
    config.ovpn:
      client
      dev tun
      proto udp
      remote kurs1599-gruppe1.dyndns.org 1194
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      mute-replay-warnings
      comp-lzo
      ca C:\\Daten_priv\\ca-bundle.txt
      cert C:\\Daten_priv\\client11.crt
      key C:\\Daten_priv\\client11.key
      ;log openvpn.txt
  Client12 (Thomas Rudolf):
    pscp.exe -P 12345 -i C:\Daten_priv\id_rsa.ppk rudolf@kurs1599-gruppe1.dyndns.org:/home/rudolf/.ssh/ca.crt C:\Daten_priv\ca.crt
    ca.crt, client12.crt, client12.key
  Client13 (Matthias Pump):
    ca.crt, client13.crt, client13.key
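The three client configurations differ only in the certificate and key names, and all of them omit one directive the OpenVPN HOWTO recommends. The following added example (not from the original page) generates the three .ovpn files from one template and lints them. It adds ns-cert-type server: easy-rsa's build-key-server signs the server certificate with nsCertType=server, and with this line the client refuses to treat any other certificate from the same CA, for instance a fellow client's, as the server end of the tunnel. Paths follow the page's C:\Daten_priv layout; server name, port and the file name ca-bundle.txt are taken from the client11 config above.

```shell
#!/bin/sh
# Added example (not part of the original page): build the per-client .ovpn
# files for the three clients from one template and check that each has the
# directives a client should have.

SERVER=kurs1599-gruppe1.dyndns.org
PORT=1194
# OpenVPN on Windows wants doubled backslashes in paths, as in the page's
# config; kept in a variable so the here-document below stays readable.
KEYDIR='C:\\Daten_priv\\'

# gen_client_conf NAME: print the config for client NAME. Everything except
# "ns-cert-type server" and "verb 3" is the client11 config from the page.
# ns-cert-type server: accept only a certificate carrying nsCertType=server
# (which easy-rsa's build-key-server sets) as the server end; a client cert
# from the same CA is rejected. "remote-cert-tls server" (available since
# OpenVPN 2.1, the only form on 2.5+) checks the extendedKeyUsage instead,
# which easy-rsa's server extension also sets.
gen_client_conf() {
    name=$1
    cat <<EOF
client
dev tun
proto udp
remote $SERVER $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
comp-lzo
ca ${KEYDIR}ca-bundle.txt
cert ${KEYDIR}$name.crt
key ${KEYDIR}$name.key
ns-cert-type server
verb 3
EOF
}

# Directives every client config must contain (as the first word of a line).
REQUIRED='client dev proto remote ca cert key ns-cert-type'

# check_client_conf FILE: return 0 if every REQUIRED directive is present,
# otherwise print the missing ones and return 1.
check_client_conf() {
    f=$1
    missing=
    for d in $REQUIRED; do
        grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" "$f" || missing="$missing $d"
    done
    if [ -n "$missing" ]; then
        echo "$f: missing$missing"
        return 1
    fi
    return 0
}

OUT=$(mktemp -d)
for c in client11 client12 client13; do
    gen_client_conf "$c" >"$OUT/$c.ovpn"
done

# The page's original client11 config, copied here for comparison.
cat >"$OUT/original.ovpn" <<'EOF'
client
dev tun
proto udp
remote kurs1599-gruppe1.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
comp-lzo
ca C:\\Daten_priv\\ca-bundle.txt
cert C:\\Daten_priv\\client11.crt
key C:\\Daten_priv\\client11.key
;log openvpn.txt
EOF

for f in "$OUT"/client1?.ovpn "$OUT/original.ovpn"; do
    check_client_conf "$f" && echo "$f: ok"
done
```

The next addition would be tls-auth, the "HMAC firewall" described in the server.conf comments: openvpn --genkey --secret ta.key on the server, tls-auth ta.key 0 there and tls-auth ta.key 1 in each client config, with ta.key distributed like the other key material.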

Connecting OpenVPN to group 2 (and through it to group 3)

Using WinSCP (http://portableapps.com/apps/internet/winscp_portable), copy the certificates created on group 2's server (ca.crt, server1_client.crt) and the key (server1_client.key), which were sent encrypted by e-mail, onto the server into the directory /etc/openvpn/server02keys/.

vi /etc/openvpn/server02vpn.conf:
  client
  dev tun
  proto udp
  remote kurs1599-gruppe2.dyndns.org
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  mute-replay-warnings
  comp-lzo
  ca /etc/openvpn/server02keys/ca.crt
  cert /etc/openvpn/server02keys/server1_client.crt
  key /etc/openvpn/server02keys/server1_client.key
  ping 110
  ping-restart 120
vi /etc/openvpn/server.conf:
  - push "route 10.2.0.0 255.255.255.0"
  - push "route 10.3.0.0 255.255.255.0"
/etc/init.d/openvpn restart
Debian's init script starts one daemon per *.conf in /etc/openvpn, so the restart brings up both the server (server.conf) and the client connection to group 2 (server02vpn.conf). For the group-1 clients to actually reach 10.2.0.0/24 and 10.3.0.0/24, this server has to forward between its two tun interfaces, which needs net.ipv4.ip_forward=1 (sysctl -w net.ipv4.ip_forward=1, made permanent in /etc/sysctl.conf), and group 2's server must know the return route for 10.1.0.0/24 (a route plus an iroute for server1_client in its client-config-dir). The firewall below already accepts forwarded traffic arriving on tun+.

Complete server.conf:

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/gruppe1.crt
key /etc/openvpn/keys/gruppe1.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys. 
dh /etc/openvpn/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.1.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 10.2.0.0 255.255.255.0"
push "route 10.3.0.0 255.255.255.0"
persist-key
persist-tun
# push takes one quoted argument; these two are redundant with
# "keepalive 10 120" further down, which already pushes ping/ping-restart.
push "ping 110"
push "ping-restart 120"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.3.0.0 255.255.0.0
;route 10.2.0.0 255.255.0.0
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

Firewall

The firewall is set up so that all outgoing traffic, and all traffic through the OpenVPN network (tun+), is allowed. Apart from that, only connections for SSH (TCP 12345) and OpenVPN (UDP 1194) may be opened from outside. Ping is allowed in all directions.

vi /etc/init.d/firewall.sh

#!/bin/bash

# A Sample OpenVPN-aware firewall.

# move script to /etc/init.d/firewall.sh
# update-rc.d firewall.sh start 40 S . stop 89 0 6 .

# eth0 is connected to the internet.
# eth1 is connected to a private subnet.

# Change this subnet to correspond to your private
# ethernet subnet.  Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=10.1.0.0/24

# Loopback address
LOOP=127.0.0.1

if ! [ -x /sbin/iptables ]; then
    exit 0
fi

fw_stop () {

  # Delete old iptables rules
  # and temporarily block all traffic.
  iptables -P OUTPUT DROP
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -F

  # Set default policies
  iptables -P OUTPUT ACCEPT
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
}

fw_start () {


  # Prevent external packets from using loopback addr
  iptables -A INPUT -i eth0 -s $LOOP -j DROP
  iptables -A FORWARD -i eth0 -s $LOOP -j DROP
  iptables -A INPUT -i eth0 -d $LOOP -j DROP
  iptables -A FORWARD -i eth0 -d $LOOP -j DROP

  # Anything coming from the Internet should have a real Internet address
  iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
  iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
  iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
  ##iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
  iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
  iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP

  # Block outgoing NetBios (if you have windows machines running
  # on the private subnet).  This will not affect any NetBios
  # traffic that flows over the VPN tunnel, but it will stop
  # local windows machines from broadcasting themselves to
  # the internet.
  iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
  iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
  iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
  iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

  # Check source address validity on packets going out to internet
  ##iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP

  # Allow local loopback
  iptables -A INPUT -s $LOOP -j ACCEPT
  iptables -A INPUT -d $LOOP -j ACCEPT

  # Allow incoming pings (can be disabled)
  # Log ping Sven (see /var/log/sven.log; /etc/rsyslog.d/sven.conf)
  iptables -A INPUT -p icmp -s 10.1.0.6 --icmp-type echo-request -j LOG --log-prefix ' ** Sven ** '
  iptables -A OUTPUT -p icmp -d 10.1.0.6 --icmp-type echo-reply -j LOG --log-prefix ' ** Sven ** '
  iptables -A FORWARD -p icmp -s 10.1.0.6 --icmp-type echo-request -j LOG --log-prefix ' ** Sven ** '
  iptables -A FORWARD -p icmp -d 10.1.0.6 --icmp-type echo-reply -j LOG --log-prefix ' ** Sven ** '
  # Log ping Thomas
  iptables -A INPUT -p icmp -s 10.1.0.14 --icmp-type echo-request -j LOG --log-prefix ' ** Thomas ** '
  iptables -A OUTPUT -p icmp -d 10.1.0.14 --icmp-type echo-reply -j LOG --log-prefix ' ** Thomas ** '
  iptables -A FORWARD -p icmp -s 10.1.0.14 --icmp-type echo-request -j LOG --log-prefix ' ** Thomas ** '
  iptables -A FORWARD -p icmp -d 10.1.0.14 --icmp-type echo-reply -j LOG --log-prefix ' ** Thomas ** '
  # Log ping Matthias
  iptables -A INPUT -p icmp -s 10.1.0.22 --icmp-type echo-request -j LOG --log-prefix ' ** Matthias ** '
  iptables -A OUTPUT -p icmp -d 10.1.0.22 --icmp-type echo-reply -j LOG --log-prefix ' ** Matthias ** '
  iptables -A FORWARD -p icmp -s 10.1.0.22 --icmp-type echo-request -j LOG --log-prefix ' ** Matthias ** '
  iptables -A FORWARD -p icmp -d 10.1.0.22 --icmp-type echo-reply -j LOG --log-prefix ' ** Matthias ** '
  # Log all ping
  iptables -A INPUT -p icmp -j LOG
  iptables -A OUTPUT -p icmp -j LOG
  iptables -A FORWARD -p icmp -j LOG
  # Accept Input and Forward ping (output is allowed all)
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

  # Allow services such as www and ssh (can be disabled)
  ##iptables -A INPUT -p tcp --dport http -j ACCEPT
  ##iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  iptables -A INPUT -p tcp --dport 12345 -j ACCEPT

  # Allow incoming OpenVPN packets
  # Duplicate the line below for each
  # OpenVPN tunnel, changing --dport n
  # to match the OpenVPN UDP port.
  #
  # In OpenVPN, the port number is
  # controlled by the --port n option.
  # If you put this option in the config
  # file, you can remove the leading '--'
  #
  # If you taking the stateful firewall
  # approach (see the OpenVPN HOWTO),
  # then comment out the line below.

  iptables -A INPUT -p udp --dport 1194 -j ACCEPT

  # Allow packets from TUN/TAP devices.
  # When OpenVPN is run in a secure mode,
  # it will authenticate packets prior
  # to their arriving on a tun or tap
  # interface.  Therefore, it is not
  # necessary to add any filters here,
  # unless you want to restrict the
  # type of packets which can flow over
  # the tunnel.

  iptables -A INPUT -i tun+ -j ACCEPT
  iptables -A FORWARD -i tun+ -j ACCEPT
  iptables -A INPUT -i tap+ -j ACCEPT
  iptables -A FORWARD -i tap+ -j ACCEPT

  # Allow packets from private subnets
  ##iptables -A INPUT -i eth1 -j ACCEPT
  ##iptables -A FORWARD -i eth1 -j ACCEPT

  # Keep state of connections from local machine and private subnets
  iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ##iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
  ##iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Masquerade local subnet
  ##iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE

}

fw_clear () {
  /sbin/iptables -F
  /sbin/iptables -t nat -F
  /sbin/iptables -t mangle -F
  /sbin/iptables -P INPUT ACCEPT
  /sbin/iptables -P FORWARD ACCEPT
  /sbin/iptables -P OUTPUT ACCEPT
}

case "$1" in
  start|restart)
    echo -n "Starting firewall.."
    fw_stop
    fw_start
    echo "done."
    ;;
  stop)
    echo -n "Stopping firewall.."
    fw_stop
    echo "done."
    ;;
  clear)
    echo -n "Clearing firewall.."
    fw_clear
    echo "done."
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|clear}"
    exit 1
    ;;
  esac
exit 0
chmod 755 /etc/init.d/firewall.sh
update-rc.d firewall.sh start 40 S . stop 89 0 6 .
/etc/init.d/firewall.sh start
(update-rc.d takes the script name relative to /etc/init.d, as in the comment at the top of the script.)
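An iptables script is awkward to test: run on the wrong host or with a typo it locks you out, and without set -e a failing rule goes unnoticed. The following added example (not from the original page) shows a way to dry-run such rules without root: a shell function named iptables shadows the real binary, records every call, and small awk queries then check the recorded rule set. The rule function here is a constructed subset of the INPUT rules from firewall.sh above; the same shim works on the full script when it is sourced into the shell, once its /sbin/iptables references (the -x check and fw_clear) are pointed at iptables as well, or as an executable file placed first in PATH for a script run as a separate process.

```shell
#!/bin/sh
# Added example (not part of the original page): dry-run iptables rules
# without root by shimming the iptables command, then query what was applied.

LOG=$(mktemp)

# The shim: a shell function takes precedence over any iptables binary in
# PATH for commands run in this shell. It records the argument list and
# touches nothing.
iptables() {
    printf '%s\n' "$*" >>"$LOG"
}

# Constructed subset of fw_stop/fw_start from the page: the rules that decide
# what may reach the server itself (INPUT), in the page's order.
fw_input_rules() {
    iptables -F
    iptables -P INPUT DROP
    iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
    iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
    iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
    iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p tcp --dport 12345 -j ACCEPT
    iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# policy_of CHAIN: the last default policy recorded for CHAIN.
policy_of() {
    awk -v c="$1" '$1 == "-P" && $2 == c { pol = $3 } END { print pol }' "$LOG"
}

# accepted_ports: "proto/port" for every INPUT rule that ACCEPTs a
# destination port, i.e. the services exposed to new connections.
accepted_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ && /--dport/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") p = $(i + 1)
                if ($i == "--dport") d = $(i + 1)
            }
            print p "/" d
        }' "$LOG"
}

# drop_precedes_accept SRC: rule order matters (first match wins). Return 0
# when the DROP for source SRC was appended before the ACCEPT for it, as
# the loopback anti-spoofing rules intend; 1 otherwise.
drop_precedes_accept() {
    awk -v s="$1" '
        $1 == "-A" && $2 == "INPUT" && index($0, "-s " s " ") {
            if (/-j DROP/ && !seen_drop) seen_drop = NR
            if (/-j ACCEPT/ && !seen_acc) seen_acc = NR
        }
        END { exit !(seen_drop && seen_acc && seen_drop < seen_acc) }' "$LOG"
}

: >"$LOG"
fw_input_rules
echo "INPUT policy: $(policy_of INPUT)"
echo "ports accepting new connections:"
accepted_ports | sed 's/^/  /'
drop_precedes_accept 127.0.0.1 && echo "loopback: DROP on eth0 precedes the ACCEPT"
```

The recorded file is also a convenient thing to diff between two revisions of the script, which shows exactly which rules a change adds or removes before it goes anywhere near a live host.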

Logging

touch /var/log/sven.log
chown root:adm /var/log/sven.log
chmod 640 /var/log/sven.log
vi /etc/rsyslog.d/sven.conf
  :msg,contains,"** Sven **" /var/log/sven.log
  & ~
touch /var/log/thomas.log
chown root:adm /var/log/thomas.log
chmod 640 /var/log/thomas.log
vi /etc/rsyslog.d/thomas.conf
  :msg,contains,"** Thomas **" /var/log/thomas.log
  & ~
touch /var/log/matthias.log
chown root:adm /var/log/matthias.log
chmod 640 /var/log/matthias.log
vi /etc/rsyslog.d/matthias.conf
  :msg,contains,"** Matthias **" /var/log/matthias.log
  & ~
/etc/init.d/rsyslog restart
The property filter matches the --log-prefix set in firewall.sh; "& ~" then discards the message so it does not also land in kern.log and syslog. This only works because Debian's rsyslog.conf pulls in /etc/rsyslog.d/*.conf before its own rules. The unprefixed "log all ping" rules are unaffected and still go to kern.log. (On rsyslog 7 and later the discard action is written "& stop".)
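What those per-user files contain is the kernel's LOG output, one line per packet; the log prefix is the only thing that selects the file. The added example below (not part of the original page) summarises such a file: it pairs echo requests with echo replies per source/destination pair, so a peer whose pings go unanswered (for instance across the inter-group link) stands out. The log lines are constructed to the format netfilter's LOG target writes; the timestamps and the 10.2.0.1 target are invented.

```shell
#!/bin/sh
# Added example (not part of the original page): summarise a per-user ping
# log produced by the LOG rules in firewall.sh and the rsyslog filters above.
# Sample lines are constructed in the netfilter LOG format; the 10.2.0.1
# target and the timestamps are made up.

SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
Jul 11 18:02:10 gruppe1 kernel: [ 9012.123456]  ** Sven ** IN=tun0 OUT= MAC= SRC=10.1.0.6 DST=10.1.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jul 11 18:02:10 gruppe1 kernel: [ 9012.123789]  ** Sven ** IN= OUT=tun0 SRC=10.1.0.1 DST=10.1.0.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1
Jul 11 18:02:11 gruppe1 kernel: [ 9013.124000]  ** Sven ** IN=tun0 OUT= MAC= SRC=10.1.0.6 DST=10.1.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Jul 11 18:02:11 gruppe1 kernel: [ 9013.124300]  ** Sven ** IN= OUT=tun0 SRC=10.1.0.1 DST=10.1.0.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=2
Jul 11 18:05:42 gruppe1 kernel: [ 9224.500000]  ** Sven ** IN=tun0 OUT=tun1 SRC=10.1.0.6 DST=10.2.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=513 SEQ=1
EOF

# ping_summary FILE: one line per "requester->target" pair:
#   pair  echo_requests  echo_replies  time_of_last_request
# An echo reply (TYPE=0) from B to A is credited to the pair A->B.
ping_summary() {
    awk '
        /PROTO=ICMP/ {
            src = dst = type = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)  src  = substr($i, 5)
                if ($i ~ /^DST=/)  dst  = substr($i, 5)
                if ($i ~ /^TYPE=/) type = substr($i, 6)
            }
            if (type == "8") { k = src "->" dst; req[k]++; last[k] = $1 " " $2 " " $3 }
            if (type == "0") { rep[dst "->" src]++ }
        }
        END {
            for (k in req) printf "%s %d %d %s\n", k, req[k], rep[k] + 0, last[k]
        }' "$1" | sort
}

# unanswered FILE: the pairs where fewer replies than requests were seen.
unanswered() {
    ping_summary "$1" | awk '$3 < $2'
}

echo "pair requests replies last_request"
ping_summary "$SAMPLE"
echo "unanswered:"
unanswered "$SAMPLE"
```

Run as ping_summary /var/log/sven.log on the server. Because the page logs replies on OUTPUT and FORWARD as well as requests on INPUT and FORWARD, a pair with replies missing is either a host that is down or a route that only works in one direction, which is exactly the failure mode of the inter-group setup above.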
 

Sources

http://www.howtoforge.de/howto/der-perfekte-server-debian-lenny-debian-50-ispconfig-2/4/
http://www.asconix.com/howtos/debian/key-ssh-authentication-debian-lenny-howto
http://www.berts-linux.de/2009/05/29/openvpn-server-mit-debian-lenny/
http://wiki.openvpn.eu/index.php/Hauptseite
http://wiki.openvpn.eu/index.php/Erzeugen_einer_PKI_mit_EasyRSA
http://wiki.openvpn.eu/index.php/Config_ServerNET_Routing
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.de.html#s-rpc
http://forum.mark-puettmann.de/viewtopic.php?f=7&t=49

Screen output

gruppe1:~# apt-get install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  liblzo2-2 libpkcs11-helper1 openssl openssl-blacklist openvpn-blacklist
Suggested packages:
  ca-certificates resolvconf
The following NEW packages will be installed:
  liblzo2-2 libpkcs11-helper1 openssl openssl-blacklist openvpn
  openvpn-blacklist
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 1034kB of 8948kB of archives.
After this operation, 18.5MB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://ftp.informatik.uni-frankfurt.de lenny/main openssl 0.9.8g-15+lenny7 [1034kB]
Fetched 1034kB in 17s (58.5kB/s)
Preconfiguring packages ...
Selecting previously deselected package openssl.
(Reading database ... 20419 files and directories currently installed.)
Unpacking openssl (from .../openssl_0.9.8g-15+lenny7_i386.deb) ...
Selecting previously deselected package openssl-blacklist.
Unpacking openssl-blacklist (from .../openssl-blacklist_0.4.2_all.deb) ...
Selecting previously deselected package liblzo2-2.
Unpacking liblzo2-2 (from .../lzo2/liblzo2-2_2.03-1_i386.deb) ...
Selecting previously deselected package libpkcs11-helper1.
Unpacking libpkcs11-helper1 (from .../libpkcs11-helper1_1.05-1_i386.deb) ...
Selecting previously deselected package openvpn-blacklist.
Unpacking openvpn-blacklist (from .../openvpn-blacklist_0.3_all.deb) ...
Selecting previously deselected package openvpn.
Unpacking openvpn (from .../openvpn_2.1~rc11-1_i386.deb) ...
Processing triggers for man-db ...
Setting up openssl (0.9.8g-15+lenny7) ...
Setting up openssl-blacklist (0.4.2) ...
Setting up liblzo2-2 (2.03-1) ...
Setting up libpkcs11-helper1 (1.05-1) ...
Setting up openvpn-blacklist (0.3) ...
Setting up openvpn (2.1~rc11-1) ...
Restarting virtual private network daemon.:.
gruppe1:~#
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# vi ./vars
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/examples/easy-rsa/2.0/keys
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls
build-ca     build-key         build-key-server  clean-all      Makefile              pkitool      sign-req
build-dh     build-key-pass    build-req         inherit-inter  openssl-0.9.6.cnf.gz  README.gz    vars
build-inter  build-key-pkcs12  build-req-pass    list-crl       openssl.cnf           revoke-full  whichopensslcnf
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./clean-all
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls
build-ca     build-key         build-key-server  clean-all      list-crl              openssl.cnf  revoke-full  whichopensslcnf
build-dh     build-key-pass    build-req         inherit-inter  Makefile              pkitool      sign-req
build-inter  build-key-pkcs12  build-req-pass    keys           openssl-0.9.6.cnf.gz  README.gz    vars
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls keys
index.txt  serial
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-ca
Generating a 1024 bit RSA private key
...++++++
............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [HH]:
Locality Name (eg, city) [Hamburg]:
Organization Name (eg, company) [gruppe1]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [gruppe1 CA]:gruppe1CA
Email Address [admin@kurs1599-gruppe1.dyndns.org]:
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-key-server gruppe1
Generating a 1024 bit RSA private key
....................++++++
.....++++++
writing new private key to 'gruppe1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [HH]:
Locality Name (eg, city) [Hamburg]:
Organization Name (eg, company) [gruppe1]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [gruppe1]:
Email Address [admin@kurs1599-gruppe1.dyndns.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'HH'
localityName          :PRINTABLE:'Hamburg'
organizationName      :PRINTABLE:'gruppe1'
commonName            :PRINTABLE:'gruppe1'
emailAddress          :IA5STRING:'admin@kurs1599-gruppe1.dyndns.org'
Certificate is to be certified until Jul  8 15:10:13 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls -al keys
total 48
drwx------ 2 root root 4096 Jul 11 17:10 .
drwxr-xr-x 3 root root 4096 Jul 11 17:16 ..
-rw-r--r-- 1 root root 3949 Jul 11 17:10 01.pem
-rw-r--r-- 1 root root 1261 Jul 11 17:04 ca.crt
-rw------- 1 root root  887 Jul 11 17:04 ca.key
-rw-r--r-- 1 root root 3949 Jul 11 17:10 gruppe1.crt
-rw-r--r-- 1 root root  688 Jul 11 17:10 gruppe1.csr
-rw------- 1 root root  887 Jul 11 17:10 gruppe1.key
-rw-r--r-- 1 root root  118 Jul 11 17:10 index.txt
-rw-r--r-- 1 root root   21 Jul 11 17:10 index.txt.attr
-rw-r--r-- 1 root root    0 Jul 11 17:03 index.txt.old
-rw-r--r-- 1 root root    3 Jul 11 17:10 serial
-rw-r--r-- 1 root root    3 Jul 11 17:03 serial.old
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-key client11
Generating a 1024 bit RSA private key
.......................................................................++++++
.........++++++
writing new private key to 'client11.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [HH]:
Locality Name (eg, city) [Hamburg]:
Organization Name (eg, company) [gruppe1]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client11]:
Email Address [admin@kurs1599-gruppe1.dyndns.org]: 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'HH'
localityName          :PRINTABLE:'Hamburg'
organizationName      :PRINTABLE:'gruppe1'
commonName            :PRINTABLE:'client11' 
emailAddress          :IA5STRING:'admin@kurs1599-gruppe1.dyndns.org'
Certificate is to be certified until Jul  8 15:25:17 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-key client12
Generating a 1024 bit RSA private key
......++++++  
.............................++++++
writing new private key to 'client12.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [HH]:
Locality Name (eg, city) [Hamburg]:
Organization Name (eg, company) [gruppe1]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client12]:
Email Address [admin@kurs1599-gruppe1.dyndns.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'HH'
localityName          :PRINTABLE:'Hamburg'
organizationName      :PRINTABLE:'gruppe1'
commonName            :PRINTABLE:'client12'
emailAddress          :IA5STRING:'admin@kurs1599-gruppe1.dyndns.org'
Certificate is to be certified until Jul  8 15:26:42 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-key client13
Generating a 1024 bit RSA private key
..........++++++
....++++++
writing new private key to 'client13.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [HH]:
Locality Name (eg, city) [Hamburg]:
Organization Name (eg, company) [gruppe1]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client13]:
Email Address [admin@kurs1599-gruppe1.dyndns.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'HH'
localityName          :PRINTABLE:'Hamburg'
organizationName      :PRINTABLE:'gruppe1'
commonName            :PRINTABLE:'client13'
emailAddress          :IA5STRING:'admin@kurs1599-gruppe1.dyndns.org'
Certificate is to be certified until Jul  8 15:26:56 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls -al keys
insgesamt 104
drwx------ 2 root root 4096 11. Jul 17:26 .
drwxr-xr-x 3 root root 4096 11. Jul 17:16 ..
-rw-r--r-- 1 root root 3949 11. Jul 17:10 01.pem
-rw-r--r-- 1 root root 3828 11. Jul 17:25 02.pem
-rw-r--r-- 1 root root 3828 11. Jul 17:26 03.pem
-rw-r--r-- 1 root root 3828 11. Jul 17:26 04.pem
-rw-r--r-- 1 root root 1261 11. Jul 17:04 ca.crt
-rw------- 1 root root  887 11. Jul 17:04 ca.key
-rw-r--r-- 1 root root 3828 11. Jul 17:25 client11.crt
-rw-r--r-- 1 root root  688 11. Jul 17:25 client11.csr
-rw------- 1 root root  887 11. Jul 17:25 client11.key
-rw-r--r-- 1 root root 3828 11. Jul 17:26 client12.crt
-rw-r--r-- 1 root root  688 11. Jul 17:26 client12.csr
-rw------- 1 root root  891 11. Jul 17:26 client12.key
-rw-r--r-- 1 root root 3828 11. Jul 17:26 client13.crt
-rw-r--r-- 1 root root  688 11. Jul 17:26 client13.csr
-rw------- 1 root root  887 11. Jul 17:26 client13.key
-rw-r--r-- 1 root root 3949 11. Jul 17:10 gruppe1.crt
-rw-r--r-- 1 root root  688 11. Jul 17:10 gruppe1.csr
-rw------- 1 root root  887 11. Jul 17:10 gruppe1.key
-rw-r--r-- 1 root root  475 11. Jul 17:26 index.txt
-rw-r--r-- 1 root root   20 11. Jul 17:26 index.txt.attr
-rw-r--r-- 1 root root   20 11. Jul 17:26 index.txt.attr.old
-rw-r--r-- 1 root root  356 11. Jul 17:26 index.txt.old
-rw-r--r-- 1 root root    3 11. Jul 17:26 serial
-rw-r--r-- 1 root root    3 11. Jul 17:26 serial.old
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................++*++*++*
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls -al keys
insgesamt 108
drwx------ 2 root root 4096 11. Jul 17:30 .
drwxr-xr-x 3 root root 4096 11. Jul 17:16 ..
-rw-r--r-- 1 root root 3949 11. Jul 17:10 01.pem
-rw-r--r-- 1 root root 3828 11. Jul 17:25 02.pem
-rw-r--r-- 1 root root 3828 11. Jul 17:26 03.pem
-rw-r--r-- 1 root root 3828 11. Jul 17:26 04.pem
-rw-r--r-- 1 root root 1261 11. Jul 17:04 ca.crt
-rw------- 1 root root  887 11. Jul 17:04 ca.key
-rw-r--r-- 1 root root 3828 11. Jul 17:25 client11.crt
-rw-r--r-- 1 root root  688 11. Jul 17:25 client11.csr
-rw------- 1 root root  887 11. Jul 17:25 client11.key
-rw-r--r-- 1 root root 3828 11. Jul 17:26 client12.crt
-rw-r--r-- 1 root root  688 11. Jul 17:26 client12.csr
-rw------- 1 root root  891 11. Jul 17:26 client12.key
-rw-r--r-- 1 root root 3828 11. Jul 17:26 client13.crt
-rw-r--r-- 1 root root  688 11. Jul 17:26 client13.csr
-rw------- 1 root root  887 11. Jul 17:26 client13.key
-rw-r--r-- 1 root root  245 11. Jul 17:30 dh1024.pem
-rw-r--r-- 1 root root 3949 11. Jul 17:10 gruppe1.crt
-rw-r--r-- 1 root root  688 11. Jul 17:10 gruppe1.csr
-rw------- 1 root root  887 11. Jul 17:10 gruppe1.key
-rw-r--r-- 1 root root  475 11. Jul 17:26 index.txt
-rw-r--r-- 1 root root   20 11. Jul 17:26 index.txt.attr
-rw-r--r-- 1 root root   20 11. Jul 17:26 index.txt.attr.old
-rw-r--r-- 1 root root  356 11. Jul 17:26 index.txt.old
-rw-r--r-- 1 root root    3 11. Jul 17:26 serial
-rw-r--r-- 1 root root    3 11. Jul 17:26 serial.old
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# mkdir /etc/openvpn/keys
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# cp ./ca.crt /etc/openvpn/keys/ca.crt
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# cp ./gruppe1.crt /etc/openvpn/keys/gruppe1.crt
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# cp ./gruppe1.key /etc/openvpn/keys/gruppe1.key
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# cp ./dh1024.pem /etc/openvpn/keys/dh1024.pem
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# cd /etc/openvpn/keys
gruppe1:/etc/openvpn/keys# ls -al
insgesamt 24
drwxr-xr-x 2 root root 4096 11. Jul 17:38 .
drwxr-xr-x 4 root root 4096 11. Jul 17:37 ..
-rw-r--r-- 1 root root 1261 11. Jul 17:37 ca.crt
-rw-r--r-- 1 root root  245 11. Jul 17:38 dh1024.pem
-rw-r--r-- 1 root root 3949 11. Jul 17:38 gruppe1.crt
-rw------- 1 root root  887 11. Jul 17:38 gruppe1.key
gruppe1:/etc/openvpn/keys#
/etc/openvpn/server.conf:
gruppe1:/etc/openvpn# tail -n 25 /var/log/syslog
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #1 wildcard, ::#123 Disabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #2 lo, ::1#123 Enabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #3 eth0, fe80::214:2aff:fed2:8f4f#123 Enabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #4 lo, 127.0.0.1#123 Enabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #5 eth0, 192.168.63.100#123 Enabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: kernel time sync status 0040
Jul 11 10:59:46 gruppe1 ntpd[2313]: frequency initialized 74.237 PPM from /var/lib/ntp/ntp.drift
Jul 11 10:59:46 gruppe1 kernel: [   58.929054] warning: `ntpd' uses 32-bit capabilities (legacy support in use)
Jul 11 10:59:46 gruppe1 /usr/sbin/cron[2341]: (CRON) INFO (pidfile fd = 3)
Jul 11 10:59:46 gruppe1 /usr/sbin/cron[2342]: (CRON) STARTUP (fork ok)
Jul 11 10:59:46 gruppe1 /usr/sbin/cron[2342]: (CRON) INFO (Running @reboot jobs)
Jul 11 11:03:00 gruppe1 ntpd[2313]: synchronized to 192.168.63.5, stratum 2
Jul 11 11:03:00 gruppe1 ntpd[2313]: kernel time sync status change 0001
Jul 11 11:17:02 gruppe1 /USR/SBIN/CRON[2386]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 12:17:01 gruppe1 /USR/SBIN/CRON[2457]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 13:17:01 gruppe1 /USR/SBIN/CRON[2605]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 14:17:01 gruppe1 /USR/SBIN/CRON[2612]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 15:17:01 gruppe1 /USR/SBIN/CRON[2641]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 16:17:01 gruppe1 /USR/SBIN/CRON[2649]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 17:17:01 gruppe1 /USR/SBIN/CRON[2734]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Diffie-Hellman initialized with 1024 bit key
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Cannot load certificate file /etc/openvpn/keys/server.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Exiting
gruppe1:/etc/openvpn# vi server.conf
gruppe1:/etc/openvpn# /etc/init.d/openvpn restart
Stopping virtual private network daemon:.
Starting virtual private network daemon: server.
gruppe1:/etc/openvpn#
gruppe1:/etc/openvpn# tail -n 25 /var/log/syslog
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Diffie-Hellman initialized with 1024 bit key
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Cannot load certificate file /etc/openvpn/keys/server.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Exiting
Jul 11 18:05:00 gruppe1 ovpn-server[2875]: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Jul 11 18:05:00 gruppe1 ovpn-server[2875]: Diffie-Hellman initialized with 1024 bit key
Jul 11 18:05:00 gruppe1 ovpn-server[2875]: /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Jul 11 18:05:02 gruppe1 ovpn-server[2875]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jul 11 18:05:02 gruppe1 ovpn-server[2875]: ROUTE default_gateway=192.168.63.5
Jul 11 18:05:03 gruppe1 kernel: [25575.562815] tun: Universal TUN/TAP device driver, 1.6
Jul 11 18:05:03 gruppe1 kernel: [25575.562838] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Jul 11 18:05:03 gruppe1 ovpn-server[2875]: TUN/TAP device tun0 opened
Jul 11 18:05:03 gruppe1 ovpn-server[2875]: TUN/TAP TX queue length set to 100
Jul 11 18:05:03 gruppe1 kernel: [25575.576349] tun0: Disabled Privacy Extensions
Jul 11 18:05:03 gruppe1 ovpn-server[2875]: /sbin/ifconfig tun0 10.1.0.1 pointopoint 10.1.0.2 mtu 1500
Jul 11 18:05:03 gruppe1 ovpn-server[2875]: /sbin/route add -net 10.1.0.0 netmask 255.255.255.0 gw 10.1.0.2
Jul 11 18:05:03 gruppe1 ovpn-server[2875]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: Socket Buffers: R=[111616->131072] S=[111616->131072]
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: UDPv4 link local (bound): [undef]:1194
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: UDPv4 link remote: [undef]
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: MULTI: multi_init called, r=256 v=256
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: IFCONFIG POOL: base=10.1.0.4 size=62
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: IFCONFIG POOL LIST
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: Initialization Sequence Completed
Jul 11 18:09:47 gruppe1 ntpd[2313]: Listening on interface #6 tun0, 10.1.0.1#123 Enabled
gruppe1:/etc/openvpn#
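The first start above failed because the "cert" directive in server.conf still named /etc/openvpn/keys/server.crt while the file copied from easy-rsa was gruppe1.crt, and OpenVPN only reports this at start-up. The following pre-start check is an added example, not part of the original page or of OpenVPN: it reads the ca/cert/key/dh directives from a server.conf, resolves relative paths against the config's directory, checks that each file exists and that the private key has no group/other permission bits, and, only where openssl is installed, checks that the certificate chains to the CA, that key and certificate share a modulus, and that the certificate is not about to expire. The `ovpn_*` function names and the server.conf fragment in the demo are assumptions; the page does not show the content of its server.conf.

```shell
#!/bin/sh
# Added example (not from the original page): pre-start check for an OpenVPN
# server.conf. Function names and the demo config fragment are assumptions.

# ovpn_conf_path CONF DIRECTIVE: print the directive's argument as an
# absolute path (a relative path is taken relative to CONF's directory).
# Returns 1 if the directive is absent.
ovpn_conf_path() {
  v=$(awk -v d="$2" '$1 == d { print $2; exit }' "$1")
  case "$v" in
    "")  return 1 ;;
    /*)  printf '%s\n' "$v" ;;
    *)   printf '%s/%s\n' "$(dirname "$1")" "$v" ;;
  esac
}

# ovpn_key_private FILE: 0 if the mode has no group/other bits (-rw-------).
ovpn_key_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# ovpn_preflight CONF: 0 if every referenced file exists and the key is
# private; prints one line per problem and returns 1 otherwise.
ovpn_preflight() {
  rc=0
  for d in ca cert key dh; do
    if ! f=$(ovpn_conf_path "$1" "$d"); then
      echo "$d: directive missing in $1"; rc=1; continue
    fi
    if [ ! -f "$f" ]; then
      echo "$d: file not found: $f"; rc=1; continue
    fi
    if [ "$d" = key ] && ! ovpn_key_private "$f"; then
      echo "key: $f is readable by group or others"; rc=1
    fi
  done
  return "$rc"
}

# ovpn_check_pki CONF: cryptographic checks with openssl; returns 0 when
# openssl is absent (nothing checked) or when all checks pass.
ovpn_check_pki() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, PKI checks skipped"; return 0; }
  ca=$(ovpn_conf_path "$1" ca) || return 1
  cert=$(ovpn_conf_path "$1" cert) || return 1
  key=$(ovpn_conf_path "$1" key) || return 1
  rc=0
  # the server certificate must be signed by the CA the clients trust
  openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
    || { echo "cert: $cert does not verify against $ca"; rc=1; }
  # the private key must belong to the certificate (same RSA modulus)
  [ "$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)" = \
    "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ] \
    || { echo "key: $key does not match $cert"; rc=1; }
  # warn 30 days (2592000 s) before the certificate expires
  openssl x509 -noout -checkend 2592000 -in "$cert" 2>/dev/null \
    || { echo "cert: $cert expires within 30 days"; rc=1; }
  return "$rc"
}

# Constructed demo (not from the page): rebuild the failing situation in a
# temporary directory with empty placeholder files. File names follow the
# page; the server.conf lines are an assumed fragment.
DEMO=$(mktemp -d)
mkdir "$DEMO/keys"
for f in ca.crt gruppe1.crt dh1024.pem; do : > "$DEMO/keys/$f"; done
: > "$DEMO/keys/gruppe1.key" && chmod 600 "$DEMO/keys/gruppe1.key"
cat > "$DEMO/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/gruppe1.key
dh keys/dh1024.pem
EOF
# the same config with the cert directive pointing at the file actually copied
sed 's#keys/server.crt#keys/gruppe1.crt#' "$DEMO/server.conf" > "$DEMO/server.fixed.conf"

ovpn_preflight "$DEMO/server.conf"        # prints: cert: file not found: .../keys/server.crt
ovpn_preflight "$DEMO/server.fixed.conf"  # prints nothing, exit status 0
```

On the real server, `ovpn_preflight /etc/openvpn/server.conf && ovpn_check_pki /etc/openvpn/server.conf` before `/etc/init.d/openvpn restart` catches the wrong file name, a world-readable key, and a key/certificate mix-up before the daemon exits with the syslog error shown above.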
gruppe1:/etc/openvpn# ifconfig
eth0      Link encap:Ethernet  Hardware Adresse 00:14:2a:d2:8f:4f
          inet Adresse:192.168.63.100  Bcast:192.168.63.255  Maske:255.255.255.0
          inet6-Adresse: fe80::214:2aff:fed2:8f4f/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:14296 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12951 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:1123358 (1.0 MiB)  TX bytes:1701768 (1.6 MiB)
          Interrupt:11 Basisadresse:0xd000

lo        Link encap:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:16436  Metrik:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:560 (560.0 B)  TX bytes:560 (560.0 B)

tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet Adresse:10.1.0.1  P-z-P:10.1.0.2  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1500  Metrik:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

gruppe1:/etc/openvpn#
claussen@gruppe1:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/claussen/.ssh/id_rsa):
Created directory '/home/claussen/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/claussen/.ssh/id_rsa.
Your public key has been saved in /home/claussen/.ssh/id_rsa.pub.
The key fingerprint is:
83:cc:f4:2a:f5:3f:df:b0:6f:61:94:da:ee:e9:b2:71 claussen@gruppe1.test.xa
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|      .        . |
|     + o      o  |
|      = S    +   |
|     . o .  . +  |
|    . . .   ooE. |
|     .   .. .*o. |
|          .o+B*  |
+-----------------+
claussen@gruppe1:~$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/claussen/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/claussen/.ssh/id_dsa.
Your public key has been saved in /home/claussen/.ssh/id_dsa.pub.
The key fingerprint is:
3a:13:36:52:2f:0f:4a:70:01:d4:0f:52:5a:fc:9d:0a claussen@gruppe1.test.xa
The key's randomart image is:
+--[ DSA 1024]----+
| .o=+            |
|  .o+.           |
|  o..+.. .       |
|   oE.o.o        |
|    o.*.S        |
|   . +.B         |
|    . + .        |
|       o         |
|                 |
+-----------------+
claussen@gruppe1:~$
claussen@gruppe1:~/.ssh$ ls -al
insgesamt 24
drwx------ 2 claussen claussen 4096 12. Jul 18:10 .
drwxr-xr-x 3 claussen claussen 4096 12. Jul 18:05 ..
-rw------- 1 claussen claussen  668 12. Jul 18:10 id_dsa
-rw-r--r-- 1 claussen claussen  614 12. Jul 18:10 id_dsa.pub
-rw------- 1 claussen claussen 1675 12. Jul 18:05 id_rsa
-rw-r--r-- 1 claussen claussen  406 12. Jul 18:05 id_rsa.pub
claussen@gruppe1:~/.ssh$ cat authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAMmOSxJXn2QcgNiZUyX1j1tu2BEogHj0IUGrwR4UGnTY7usQtI/sZHFe/2aOvK5oWcwcVQjIaSCI9uWCvn6A7DMrfRGSksH8D7WtNnSrGaoGokGNwNET3JIzBoQWmxNXmoEerJJusXmQfwzJffMMlHpFQs38HfSaj7dtx+q1/3aRAAAAFQDrQGQvQE0gUcjHejmyM2kHWF4QgQAAAIBwuQHXFIdjaIrfDsF9S3hnPRlxxon/g7BGWwx3q6Go9PEOr4CvcaiS3FofjZVPNrzQ0STDYSn5//zvuuP7ELsJy7tB121wwbmPyEnVzJ4Cl0cFengLB2vdGbrdtiSRANkuvgVFWNII0qz/f5qSM4LeohzMjYGH/UkmAnm6khbz1wAAAIAETxBxDPUdXiYqD98ybmNosyfnrNw8namv363QLoVAw8TjVgQfHlVZncvWcDaCn5DFd5XVr7jF7ENNkXBtoI7Y+gOWJ9WCe0HovSnmqgQBaTNKuGmjyfwMVRsjXpjdCTeFnS1ySoESpWXKz8+cyTO3yw5SlZrH3OF6VGWm6+WFxg== claussen@gruppe1.test.xa
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxZQYoLel51uA+iwTmR0tfn/OrnIBaKjoAr9pcq+6ITgLCJLwtEHdk/c6gM5DvD42JT8t7z9ZTSoBUm1ikjEarZLpvkh5e/5tIhk8jxLwO1IHz12eXnKkQrMgjU0QGQ3niOe541OGEfxevXayw6kaOGu82w7lpUuiLLTxG25DSyvnhOYzlleuUZL9/Fs08pw2/dL3+M6nyNm7p36NGtfliLiEgeKkqXfIOsBg6Rv+McJjwJkhYa90zqR8EUCmc/vJ0qQefVOTOpOaaR7Cmib8KF/rOJ6FRNSFAdJ/5uGSacRMV1USRYGJdVKGogvNITUgId2q4WKMwNgcp3oK82g1nw== claussen@gruppe1.test.xa

Ping test within the group

Sven: 10.1.0.6 client11
Thomas: 10.1.0.14 client12
Matthias: 10.1.0.22 client13

Client11 (Sven):

C:\>ping 10.1.0.14

Ping wird ausgeführt für 10.1.0.14 mit 32 Bytes Daten:

Antwort von 10.1.0.14: Bytes=32 Zeit=50ms TTL=128
Antwort von 10.1.0.14: Bytes=32 Zeit=47ms TTL=128
Antwort von 10.1.0.14: Bytes=32 Zeit=48ms TTL=128
Antwort von 10.1.0.14: Bytes=32 Zeit=47ms TTL=128

Ping-Statistik für 10.1.0.14:

  Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),

Ca. Zeitangaben in Millisek.:

  Minimum = 47ms, Maximum = 50ms, Mittelwert = 48ms


C:\>ping 10.1.0.22

Ping wird ausgeführt für 10.1.0.22 mit 32 Bytes Daten:

Zeitüberschreitung der Anforderung.
Antwort von 10.1.0.22: Bytes=32 Zeit=34ms TTL=64
Antwort von 10.1.0.22: Bytes=32 Zeit=34ms TTL=64
Antwort von 10.1.0.22: Bytes=32 Zeit=34ms TTL=64

Ping-Statistik für 10.1.0.22:

  Pakete: Gesendet = 4, Empfangen = 3, Verloren = 1 (25% Verlust),

Ca. Zeitangaben in Millisek.:

  Minimum = 34ms, Maximum = 34ms, Mittelwert = 34ms


C:\>ping 10.1.0.22

Ping wird ausgeführt für 10.1.0.22 mit 32 Bytes Daten:

Antwort von 10.1.0.22: Bytes=32 Zeit=34ms TTL=64
Antwort von 10.1.0.22: Bytes=32 Zeit=34ms TTL=64
Antwort von 10.1.0.22: Bytes=32 Zeit=34ms TTL=64
Antwort von 10.1.0.22: Bytes=32 Zeit=34ms TTL=64

Ping-Statistik für 10.1.0.22:

  Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),

Ca. Zeitangaben in Millisek.:

  Minimum = 34ms, Maximum = 34ms, Mittelwert = 34ms


C:\>tracert 10.1.0.22

Routenverfolgung zu 10.1.0.22 über maximal 30 Abschnitte

1    35 ms    33 ms    33 ms  10.1.0.22


Ablaufverfolgung beendet.

C:\>tracert 10.1.0.14

Routenverfolgung zu 10.1.0.14 über maximal 30 Abschnitte

1    50 ms    49 ms    53 ms  10.1.0.14


Ablaufverfolgung beendet.

C:\>

Server gruppe1:

gruppe1:/etc/openvpn# cat openvpn-status.log
OpenVPN CLIENT LIST
Updated,Thu Jul 22 22:06:30 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client12,178.203.65.232:59585,10479,49549,Thu Jul 22 21:48:32 2010
client11,192.168.62.13:1426,75748,80984,Thu Jul 22 19:27:03 2010
client13,84.46.68.32:64833,105559,43213,Thu Jul 22 20:34:52 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.1.0.22,client13,84.46.68.32:64833,Thu Jul 22 22:00:26 2010
10.1.0.6,client11,192.168.62.13:1426,Thu Jul 22 22:01:02 2010
10.1.0.14,client12,178.203.65.232:59585,Thu Jul 22 22:06:29 2010
GLOBAL STATS
Max bcast/mcast queue length,1
END
gruppe1:/etc/openvpn# ping 10.1.0.14
PING 10.1.0.14 (10.1.0.14) 56(84) bytes of data.
64 bytes from 10.1.0.14: icmp_seq=1 ttl=128 time=48.5 ms
64 bytes from 10.1.0.14: icmp_seq=2 ttl=128 time=46.8 ms

--- 10.1.0.14 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 46.857/47.723/48.589/0.866 ms
gruppe1:/etc/openvpn# ping 10.1.0.22
PING 10.1.0.22 (10.1.0.22) 56(84) bytes of data.
64 bytes from 10.1.0.22: icmp_seq=1 ttl=64 time=33.6 ms
64 bytes from 10.1.0.22: icmp_seq=2 ttl=64 time=34.1 ms

--- 10.1.0.22 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 33.635/33.889/34.144/0.314 ms
gruppe1:/etc/openvpn# ping 10.1.0.6
PING 10.1.0.6 (10.1.0.6) 56(84) bytes of data.
64 bytes from 10.1.0.6: icmp_seq=1 ttl=128 time=2.15 ms
64 bytes from 10.1.0.6: icmp_seq=2 ttl=128 time=1.60 ms
64 bytes from 10.1.0.6: icmp_seq=3 ttl=128 time=1.68 ms

--- 10.1.0.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 1.606/1.815/2.153/0.241 ms
gruppe1:/etc/openvpn#

Ping test within the network

Client11 (Sven):

Network Gruppe1

Ping wird ausgeführt für 10.1.0.1 mit 32 Bytes Daten:

Antwort von 10.1.0.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.1.0.1: Bytes=32 Zeit=2ms TTL=64

Ping-Statistik für 10.1.0.1:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 2ms, Maximum = 2ms, Mittelwert = 2ms
============================================
Sven

Ping wird ausgeführt für 10.1.0.6 mit 32 Bytes Daten:

Antwort von 10.1.0.6: Bytes=32 Zeit<1ms TTL=128
Antwort von 10.1.0.6: Bytes=32 Zeit<1ms TTL=128

Ping-Statistik für 10.1.0.6:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms
============================================
Thomas

Ping wird ausgeführt für 10.1.0.14 mit 32 Bytes Daten:

Antwort von 10.1.0.14: Bytes=32 Zeit=53ms TTL=128
Antwort von 10.1.0.14: Bytes=32 Zeit=55ms TTL=128

Ping-Statistik für 10.1.0.14:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 53ms, Maximum = 55ms, Mittelwert = 54ms
============================================
Matthias

Ping wird ausgeführt für 10.1.0.22 mit 32 Bytes Daten:

Antwort von 10.1.0.22: Bytes=32 Zeit=41ms TTL=64
Antwort von 10.1.0.22: Bytes=32 Zeit=41ms TTL=64

Ping-Statistik für 10.1.0.22:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 41ms, Maximum = 41ms, Mittelwert = 41ms
============================================
Network Gruppe2

Ping wird ausgeführt für 10.2.0.1 mit 32 Bytes Daten:

Antwort von 10.2.0.1: Bytes=32 Zeit=54ms TTL=63
Antwort von 10.2.0.1: Bytes=32 Zeit=46ms TTL=63

Ping-Statistik für 10.2.0.1:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 46ms, Maximum = 54ms, Mittelwert = 50ms
============================================
Robert

Ping wird ausgeführt für 10.2.0.5 mit 32 Bytes Daten:

Antwort von 10.2.0.5: Bytes=32 Zeit=110ms TTL=127
Antwort von 10.2.0.5: Bytes=32 Zeit=112ms TTL=127

Ping-Statistik für 10.2.0.5:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 110ms, Maximum = 112ms, Mittelwert = 111ms
============================================
Peter

Ping wird ausgeführt für 10.2.0.9 mit 32 Bytes Daten:

Antwort von 10.2.0.9: Bytes=32 Zeit=292ms TTL=63
Antwort von 10.2.0.9: Bytes=32 Zeit=319ms TTL=63

Ping-Statistik für 10.2.0.9:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 292ms, Maximum = 319ms, Mittelwert = 305ms
============================================
Dennis

Ping wird ausgeführt für 10.2.0.13 mit 32 Bytes Daten:

Antwort von 10.2.0.13: Bytes=32 Zeit=97ms TTL=63
Antwort von 10.2.0.13: Bytes=32 Zeit=121ms TTL=63

Ping-Statistik für 10.2.0.13:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 97ms, Maximum = 121ms, Mittelwert = 109ms
============================================
Network Gruppe3

Ping wird ausgeführt für 10.3.0.1 mit 32 Bytes Daten:

Antwort von 10.3.0.1: Bytes=32 Zeit=86ms TTL=63
Antwort von 10.3.0.1: Bytes=32 Zeit=81ms TTL=63

Ping-Statistik für 10.3.0.1:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 81ms, Maximum = 86ms, Mittelwert = 83ms
============================================
Niklas

Ping wird ausgeführt für 10.3.0.6 mit 32 Bytes Daten:

Antwort von 10.3.0.6: Bytes=32 Zeit=74ms TTL=126
Antwort von 10.3.0.6: Bytes=32 Zeit=90ms TTL=126

Ping-Statistik für 10.3.0.6:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 74ms, Maximum = 90ms, Mittelwert = 82ms
============================================
Timo

Ping wird ausgeführt für 10.3.0.10 mit 32 Bytes Daten:

Antwort von 10.3.0.10: Bytes=32 Zeit=157ms TTL=126
Antwort von 10.3.0.10: Bytes=32 Zeit=134ms TTL=126

Ping-Statistik für 10.3.0.10:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 134ms, Maximum = 157ms, Mittelwert = 145ms
============================================
Martin

Ping wird ausgeführt für 10.3.0.14 mit 32 Bytes Daten:

Antwort von 10.3.0.14: Bytes=32 Zeit=143ms TTL=62
Antwort von 10.3.0.14: Bytes=32 Zeit=132ms TTL=62

Ping-Statistik für 10.3.0.14:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 132ms, Maximum = 143ms, Mittelwert = 137ms


Server gruppe1:

gruppe1:/etc/openvpn# cat openvpn-status.log
OpenVPN CLIENT LIST
Updated,Mon Aug  2 20:47:14 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client11,192.168.62.16:1077,245622,246257,Mon Aug  2 18:08:38 2010
client12,178.203.65.232:62449,145940,147684,Mon Aug  2 20:07:51 2010
client13,84.46.40.26:62721,26874,27569,Mon Aug  2 20:38:58 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.1.0.14,client12,178.203.65.232:62449,Mon Aug  2 20:42:06 2010
10.1.0.6,client11,192.168.62.16:1077,Mon Aug  2 20:42:12 2010
10.1.0.22,client13,84.46.40.26:62721,Mon Aug  2 20:43:55 2010
GLOBAL STATS
Max bcast/mcast queue length,1
END
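The two openvpn-status.log listings (the July one under the group ping test and the August one just above) are the operator's view of who is connected and which tunnel address each client holds. As an added example, not code from the original page or from OpenVPN, the script below parses that file, joins the CLIENT LIST with the ROUTING TABLE so every connected client appears on one line with its virtual and real address, flags clients that have no route (their traffic would be dropped), and compares two snapshots to list clients whose public source IP changed between them. The `ovpn_*` function names are assumptions; the two embedded status files are the page's own listings, copied in so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): parse openvpn-status.log as
# written by OpenVPN's "status" directive. Function names are assumptions.

# ovpn_status_join FILE: one line per connected client,
# "<common name> <virtual addr|NO-ROUTE> <real addr> <bytes rx> <bytes tx>"
ovpn_status_join() {
  awk -F, '
    /^Common Name,Real Address/            { sect = "clients"; next }
    /^Virtual Address,Common Name/         { sect = "routes";  next }
    /^(ROUTING TABLE|GLOBAL STATS|END)$/   { sect = "";        next }
    sect == "clients" { order[++n] = $1; raddr[$1] = $2; rx[$1] = $3; tx[$1] = $4 }
    sect == "routes"  { vaddr[$2] = $1 }
    END {
      for (i = 1; i <= n; i++) {
        cn = order[i]
        v = (cn in vaddr) ? vaddr[cn] : "NO-ROUTE"
        printf "%s %s %s %s %s\n", cn, v, raddr[cn], rx[cn], tx[cn]
      }
    }' "$1"
}

# ovpn_status_check FILE: 1 if a connected client has no routing entry,
# 0 otherwise.
ovpn_status_check() {
  if ovpn_status_join "$1" | grep -q ' NO-ROUTE '; then
    echo "client(s) without route in $1"; return 1
  fi
  return 0
}

# ovpn_realaddr_changes OLD NEW: clients whose public source IP (port
# stripped, since NAT rewrites it on every reconnect) differs between two
# snapshots, plus clients that only appear in NEW.
ovpn_realaddr_changes() {
  {
    ovpn_status_join "$1" | awk '{ print "old", $1, $3 }'
    ovpn_status_join "$2" | awk '{ print "new", $1, $3 }'
  } | awk '
    { ip = $3; sub(/:[0-9]+$/, "", ip) }
    $1 == "old"      { old[$2] = ip; next }
    !($2 in old)     { printf "%s NEW %s\n", $2, ip; next }
    old[$2] != ip    { printf "%s %s -> %s\n", $2, old[$2], ip }'
}

# Sample input: the page's two status listings, written to temp files.
OVPN_STATUS_JUL=$(mktemp); OVPN_STATUS_AUG=$(mktemp)
cat > "$OVPN_STATUS_JUL" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jul 22 22:06:30 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client12,178.203.65.232:59585,10479,49549,Thu Jul 22 21:48:32 2010
client11,192.168.62.13:1426,75748,80984,Thu Jul 22 19:27:03 2010
client13,84.46.68.32:64833,105559,43213,Thu Jul 22 20:34:52 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.1.0.22,client13,84.46.68.32:64833,Thu Jul 22 22:00:26 2010
10.1.0.6,client11,192.168.62.13:1426,Thu Jul 22 22:01:02 2010
10.1.0.14,client12,178.203.65.232:59585,Thu Jul 22 22:06:29 2010
GLOBAL STATS
Max bcast/mcast queue length,1
END
EOF
cat > "$OVPN_STATUS_AUG" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Aug  2 20:47:14 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client11,192.168.62.16:1077,245622,246257,Mon Aug  2 18:08:38 2010
client12,178.203.65.232:62449,145940,147684,Mon Aug  2 20:07:51 2010
client13,84.46.40.26:62721,26874,27569,Mon Aug  2 20:38:58 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.1.0.14,client12,178.203.65.232:62449,Mon Aug  2 20:42:06 2010
10.1.0.6,client11,192.168.62.16:1077,Mon Aug  2 20:42:12 2010
10.1.0.22,client13,84.46.40.26:62721,Mon Aug  2 20:43:55 2010
GLOBAL STATS
Max bcast/mcast queue length,1
END
EOF

ovpn_status_join "$OVPN_STATUS_AUG"
ovpn_status_check "$OVPN_STATUS_AUG"
ovpn_realaddr_changes "$OVPN_STATUS_JUL" "$OVPN_STATUS_AUG"
# prints: client11 192.168.62.13 -> 192.168.62.16
#         client13 84.46.68.32 -> 84.46.40.26
```

Between the two snapshots client11 and client13 reconnected from different addresses while client12 kept its IP and only changed port; with dial-up clients such changes are normal, so the comparison is most useful against a list of expected source networks or when run from cron to keep a history of who connected from where.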