From 73d65d729e8821bf78b257cb035e8a94593420e3 Mon Sep 17 00:00:00 2001 
From: Brian Read Date: Thu, 6 Mar 2025 14:40:52 +0000 Subject: [PATCH] initial commit of file from CVS for smeserver-openvpn-routed on Thu 6 Mar 14:40:52 GMT 2025 --- .gitignore | 4 + Makefile | 21 +++ README.md | 16 +- additional/CHANGELOG.git | 155 ++++++++++++++++++ additional/smeserver-openvpn-routed.spec | 90 ++++++++++ contriborbase | 1 + createlinks | 69 ++++++++ .../defaults/openvpn-routed/Cipher | 1 + .../defaults/openvpn-routed/HMAC | 1 + .../defaults/openvpn-routed/UDPPort | 1 + .../defaults/openvpn-routed/access | 1 + .../defaults/openvpn-routed/status | 1 + .../defaults/openvpn-routed/type | 1 + .../migrate/50openvpn-routed-management-pass | 9 + .../events/actions/openvpn-routed-delete-net | 25 +++ .../events/actions/openvpn-routed-jail | 7 + .../events/actions/openvpn-routed-update-crl | 32 ++++ .../etc/openvpn/routed/management-pass.txt | 3 + .../templates/etc/crontab/openvpn-routed-crl | 7 + .../openvpn/routed/management-pass.txt/10All | 4 + .../etc/openvpn/routed/openvpn.conf/10dev | 21 +++ .../etc/openvpn/routed/openvpn.conf/20daemon | 5 + .../etc/openvpn/routed/openvpn.conf/30cert | 20 +++ .../openvpn/routed/openvpn.conf/35encryption | 33 ++++ .../etc/openvpn/routed/openvpn.conf/40auth | 8 + .../etc/openvpn/routed/openvpn.conf/50server | 9 + .../etc/openvpn/routed/openvpn.conf/60options | 55 +++++++ .../etc/openvpn/routed/openvpn.conf/70routes | 29 ++++ .../openvpn/routed/openvpn.conf/80management | 5 + .../etc/openvpn/routed/openvpn.conf/90clients | 13 ++ .../etc/openvpn/routed/openvpn.conf/95logs | 10 ++ root/etc/logrotate.d/openvpn-routed | 8 + root/etc/openvpn/routed/bin/up | 12 ++ root/sbin/e-smith/systemd/openvpn-routed | 30 ++++ .../lib/systemd/system/openvpn-routed.service | 26 +++ root/var/service/openvpn-routed/log/run | 6 + root/var/service/openvpn-routed/run | 5 + smeserver-openvpn-routed.spec | 124 ++++++++++++++ 38 files changed, 866 insertions(+), 2 deletions(-) create mode 100644 .gitignore create mode 100644 Makefile create mode 
100644 additional/CHANGELOG.git create mode 100644 additional/smeserver-openvpn-routed.spec create mode 100644 contriborbase create mode 100644 createlinks create mode 100644 root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher create mode 100644 root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC create mode 100644 root/etc/e-smith/db/configuration/defaults/openvpn-routed/UDPPort create mode 100644 root/etc/e-smith/db/configuration/defaults/openvpn-routed/access create mode 100644 root/etc/e-smith/db/configuration/defaults/openvpn-routed/status create mode 100644 root/etc/e-smith/db/configuration/defaults/openvpn-routed/type create mode 100644 root/etc/e-smith/db/configuration/migrate/50openvpn-routed-management-pass create mode 100644 root/etc/e-smith/events/actions/openvpn-routed-delete-net create mode 100644 root/etc/e-smith/events/actions/openvpn-routed-jail create mode 100644 root/etc/e-smith/events/actions/openvpn-routed-update-crl create mode 100644 root/etc/e-smith/templates.metadata/etc/openvpn/routed/management-pass.txt create mode 100644 root/etc/e-smith/templates/etc/crontab/openvpn-routed-crl create mode 100644 root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/10All create mode 100644 root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/10dev create mode 100644 root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/20daemon create mode 100644 root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert create mode 100644 root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption create mode 100644 root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth create mode 100644 root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/50server create mode 100644 root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options create mode 100644 root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes create mode 100644 
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/80management
create mode 100644 root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/90clients
create mode 100644 root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/95logs
create mode 100644 root/etc/logrotate.d/openvpn-routed
create mode 100644 root/etc/openvpn/routed/bin/up
create mode 100644 root/sbin/e-smith/systemd/openvpn-routed
create mode 100644 root/usr/lib/systemd/system/openvpn-routed.service
create mode 100644 root/var/service/openvpn-routed/log/run
create mode 100644 root/var/service/openvpn-routed/run
create mode 100644 smeserver-openvpn-routed.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..cbb3a13
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+*.rpm
+*.log
+*spec-20*
+*.tar.gz
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..97fa679
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,21 @@
+# Makefile for source rpm: smeserver-openvpn-routed
+# $Id: Makefile,v 1.1 2021/02/04 16:20:21 brianr Exp $
+NAME := smeserver-openvpn-routed
+SPECFILE = $(firstword $(wildcard *.spec))
+
+define find-makefile-common
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+endef
+
+MAKEFILE_COMMON := $(shell $(find-makefile-common))
+
+ifeq ($(MAKEFILE_COMMON),)
+# attept a checkout
+define checkout-makefile-common
+test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
+endef
+
+MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
+endif
+
+include $(MAKEFILE_COMMON)
diff --git a/README.md b/README.md
index ae832a5..44570e6 100644
--- a/README.md
+++ b/README.md
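Review bot: The writability test inside find-makefile-common reads `-w $$/Makefile.common` instead of `-w $$d/Makefile.common`, so it never refers to the candidate directory and the `cvs -Q update` branch is effectively dead; the inner test should be `if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi`. `SPECFILE = $(firstword $(wildcard *.spec))` is a recursive assignment, so the glob is re-run on every reference; `SPECFILE := $(firstword $(wildcard *.spec))` is the usual form. The fallback runs a network `cvs checkout` from `$(shell …)` at parse time, which means any invocation, including `make -n`, can trigger it; a comment saying so would save the next reader a surprise, and `exit -1` is not a portable exit status (use `exit 1`). Typo in the comment: `attept`.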
@@ -1,3 +1,15 @@ -# smeserver-openvpn-routed +# smeserver-openvpn-routed -SMEServer Koozali developed git repo for smeserver-openvpn-routed smecontribs \ No newline at end of file +SMEServer Koozali developed git repo for smeserver-openvpn-routed smecontribs + +## Wiki +
https://wiki.koozali.org/ + +## Bugzilla +Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-openvpn-routed&product=SME%20Contribs&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED) + +## Description + +
*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.* +*Once it has been checked, then this comment will be deleted* +
diff --git a/additional/CHANGELOG.git b/additional/CHANGELOG.git new file mode 100644 index 0000000..d6e8b96 --- /dev/null +++ b/additional/CHANGELOG.git 
@@ -0,0 +1,155 @@ +commit 66557c7d543573cdd5e3eb332bb54ba2517a3d60 +Author: Daniel Berteaud +Date: Mon Apr 10 11:18:17 2017 +0200 + + Update pam plugin path + +commit 848752010a3a37d1bd75d38b4f0c0e3011109884 +Author: Daniel Berteaud +Date: Mon Feb 8 10:59:41 2016 +0100 + + Create urandom in chroot + +commit 5e590ef5b9bda1aa62264b104fed5a8aa8d8f099 +Author: Daniel Berteaud +Date: Tue Sep 29 12:02:31 2015 +0200 + + Spec file update + +commit c595fbe31a78521383074be878e6afe810b11d0a +Author: Daniel Berteaud +Date: Tue Sep 29 11:42:30 2015 +0200 + + Make crl verification optional + +commit 36f5d2b782c5cfdf1717dc73dfeff5d7867cdf85 +Author: Daniel Berteaud +Date: Tue Sep 29 11:23:44 2015 +0200 + + Restrict access to the management-pass.txt file + +commit d66b9396e182fda414eaf994884b6244caa00204 +Author: Daniel Berteaud +Date: Tue Sep 29 11:21:01 2015 +0200 + + Set default network in the up script + +commit 019d0e2d50184ca5822b7ce6736c4ba3ad0f0fd5 +Author: Daniel Berteaud +Date: Wed Dec 3 22:25:19 2014 +0100 + + Spec file update + +commit 6a3d60d9a8ab6a33b04aad4bf059eab45eac438b +Author: Daniel Berteaud +Date: Wed Dec 3 21:54:49 2014 +0100 + + Correctly push route for local network + +commit 496a2b678f383f2980f6a7c9677b2166dd5b7835 +Author: Daniel Berteaud +Date: Mon Jun 23 18:26:42 2014 +0200 + + Spec file update + +commit 5534d9a3cb739d20b202f92b755e66a0c5a3a56b +Author: Daniel Berteaud +Date: Mon Jun 23 18:25:55 2014 +0200 + + Fix plugin path on x86_64 + +commit 890a6c2e09bcaccfe7c9a2b2f9a88e6dadc3ae0d +Author: Daniel Berteaud +Date: Wed Aug 21 16:06:26 2013 +0200 + + update spec file + +commit b89fdff8d3018f849456d4b408dba274e5e7f955 +Author: Daniel Berteaud +Date: Wed Aug 21 16:05:48 2013 +0200 + + Use full path the the up script + +commit d31a088f194a3d8d1ca9ecf51b2f37aaf64d42e4 +Author: Daniel Berteaud +Date: Tue Jun 11 10:58:01 2013 +0200 + + update spec file + +commit 2d0c9d80dde1ccc7f99deb0720db5ad0d252c568 +Author: Daniel Berteaud +Date: Wed May 29 14:45:14 
2013 +0200 + + Use different name for the crl to prevent race conditions with openvpn-bridge + +commit 9d0d164b4d8d589d62343dd9e9a1f8f1b8f912fe +Author: Daniel Berteaud +Date: Mon May 27 09:44:28 2013 +0200 + + Fix update CRL script, refers to Routed mode, not bridged one + +commit 7b7d1f9e50435deb3608c370dedf75b056fed561 +Author: Daniel Berteaud +Date: Fri May 24 16:59:45 2013 +0200 + + Do not try to update the CRL if its URL is not set + +commit 322061737010908e87e582e54af86219dc84d60d +Author: Daniel Berteaud +Date: Fri May 24 16:36:12 2013 +0200 + + Comment unused reload-ccd event + +commit 655898a494ffb6323d3876058dc2eb3077540252 +Author: Daniel Berteaud +Date: Fri May 24 16:35:23 2013 +0200 + + Remove copyright notice in up script + +commit 2995895c2005c0a764b67230c67045e6fe7ca6f5 +Author: Daniel Berteaud +Date: Fri May 24 16:35:03 2013 +0200 + + Fix up script + +commit 69aa3d3988a0b08196a19374746c6c7f28ccaa84 +Author: Daniel Berteaud +Date: Fri May 24 16:34:29 2013 +0200 + + Add script-security 2, as required to execute external scripts + +commit 5230402365b0758c764da2acfb1d5677be7cb00d +Author: Daniel Berteaud +Date: Fri May 24 16:29:49 2013 +0200 + + Call the up script during service startup + +commit 6378427fdf9590f69117997c83ce6023e377c48e +Author: Daniel Berteaud +Date: Fri May 24 16:29:15 2013 +0200 + + Fix permission of the up script + +commit 42036e42ee291404c96db59f07e667e0d6688a75 +Author: Daniel Berteaud +Date: Fri May 24 16:26:57 2013 +0200 + + Fix openvpn-routed-delete-net script and remove copyright notice + +commit 74bfd5d71beb9a094a1011a621135308f3cea761 +Author: Daniel Berteaud +Date: Fri May 24 16:06:42 2013 +0200 + + Don't add template header in management-pass file + +commit bc7246dd740f47b6c9f5aa619fc59ddf5228753c +Author: Daniel Berteaud +Date: Fri May 24 16:05:29 2013 +0200 + + Fixes in templates for openvpn.conf + +commit e201d0a9b0c059f23eb9750f383fc2a5f331663e +Author: Daniel Berteaud +Date: Fri May 24 15:38:55 2013 +0200 + + FIrst 
commit diff --git a/additional/smeserver-openvpn-routed.spec b/additional/smeserver-openvpn-routed.spec new file mode 100644 index 0000000..7c213c5 --- /dev/null +++ b/additional/smeserver-openvpn-routed.spec 
@@ -0,0 +1,90 @@ +# Authority: vip-ire +# Name: Daniel Berteaud + +Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode +Name: smeserver-openvpn-routed +%define version 0.1.5 +%define release 1 +Version: %{version} +Release: %{release}%{?dist} +License: GPL +Group: Networking/Remote access +Source: %{name}-%{version}.tar.gz + +BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot +BuildArchitectures: noarch + +BuildRequires: e-smith-devtools + +Requires: e-smith-base +Requires: openvpn +#Requires: perl(Net::OpenVPN::Manage) + +%description +This package contains all the needed scripts and templates +to have a full working openvpn server running in routed mode. + + +%changelog +* Mon Feb 8 2016 Daniel Berteaud 0.1.5-1 +- Create /etc/openvpn/routed/dev/urandom [SME: 9238] + +* Tue Sep 29 2015 Daniel Berteaud 0.1.4-1 +- Make crl verification optional +- Set a default Network if none is set +- restrict permission on the management-pass.txt file + +* Wed Dec 3 2014 Daniel Berteaud 0.1.3-1 +- Correctly push route to local network when not redirecting gw + +* Mon Jun 23 2014 Daniel Berteaud 0.1.2-1 +- Fix plugin path on x86_64 + +* Wed Aug 21 2013 Daniel Berteaud 0.1.1-1 +- Use full path to the up script + +* Tue Jun 11 2013 Daniel Berteaud 0.1.0-1 +- initial release + +%prep +%setup -q -n %{name}-%{version} + +%build +perl createlinks + +%{__mkdir_p} root/etc/openvpn/routed/ccd +%{__mkdir_p} root/etc/openvpn/routed/priv +%{__mkdir_p} root/etc/openvpn/routed/pub +%{__mkdir_p} root/etc/openvpn/routed/tmp +%{__mkdir_p} root/etc/openvpn/routed/dev +%{__mkdir_p} root/var/log/openvpn-routed + +%install +/bin/rm -rf $RPM_BUILD_ROOT +(cd root ; /usr/bin/find . 
-depth -print | /bin/cpio -dump $RPM_BUILD_ROOT) +/bin/rm -f %{name}-%{version}-filelist +/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \ + --file /var/service/openvpn-routed/run 'attr(0755,root,root)' \ + --file /var/service/openvpn-routed/log/run 'attr(0755,root,root)' \ + --dir /var/log/openvpn-routed 'attr(0750,smelog,smelog)' \ + --dir /etc/openvpn/routed/pub 'attr(0755,root,root)' \ + --dir /etc/openvpn/routed/priv 'attr(0750,root,root)' \ + --dir /etc/openvpn/routed/ccd 'attr(0755,root,root)' \ + --dir /etc/openvpn/routed/tmp 'attr(0770,root,openvpn)' \ + --file /usr/bin/ovpn-routed-update-crl 'attr(0750,root,root)' \ + --file /etc/openvpn/routed/bin/up 'attr(755,root,root)' \ + > %{name}-%{version}-filelist + +%files -f %{name}-%{version}-filelist +%defattr(-,root,root) + +%clean +rm -rf $RPM_BUILD_ROOT + +%post +if [ \! -c /etc/openvpn/routed/dev/urandom ]; then + mknod -m 0444 /etc/openvpn/routed/dev/urandom c 1 9 +fi + +%preun + diff --git a/contriborbase b/contriborbase new file mode 100644 index 0000000..9b7fd51 --- /dev/null +++ b/contriborbase @@ -0,0 +1 @@ +contribs10 diff --git a/createlinks b/createlinks new file mode 100644 index 0000000..fdfe977 --- /dev/null +++ b/createlinks 
@@ -0,0 +1,69 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+safe_symlink("restart", "root/etc/e-smith/events/openvpn-routed-update/services2adjust/openvpn-routed");
+safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/openvpn-routed");
+safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/openvpn-routed");
+
+#service_link_enhanced("openvpn-routed", "S80", "7");
+#service_link_enhanced("openvpn-routed", "K25", "6");
+#service_link_enhanced("openvpn-routed", "K25", "0");
+
+#safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/openvpn-routed');
+safe_symlink("/var/service/openvpn-routed" , 'root/service/openvpn-routed');
+
+safe_touch("root/var/service/openvpn-routed/down");
+
+safe_touch("root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/template-begin");
+safe_touch("root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/template-end");
+
+#panel_link("openvpnrouted", 'manager');
+
+templates2events("/etc/openvpn/routed/openvpn.conf", "openvpn-routed-update");
+
+templates2events("/etc/openvpn/routed/management-pass.txt", qw(openvpn-routed-update bootstrap-console-save));
+templates2events("/etc/openvpn/routed/openvpn.conf", qw(openvpn-routed-update bootstrap-console-save network-create network-delete));
+templates2events("/etc/crontab", qw(openvpn-routed-update));
+
+#event_link("openvpn-routed-reload-ccd", "openvpn-routed-update", "20");
+event_link("openvpn-routed-update-crl", "openvpn-routed-update", "30");
+event_link("openvpn-routed-delete-net", "openvpn-routed-update", "40");
+event_link("openvpn-bridge-jail", "openvpn-routed-update", "03");
+event_link("openvpn-bridge-jail", "bootstrap-console-save", "03");
+#event_link("openvpn-routed-reload-ccd", "openvpn-routed-reload-ccd", "20");
+#event_link("openvpn-routed-update-crl", "openvpn-routed-reload-ccd", "30");
+
+# our event specific for updating with yum without reboot
+$event = 
"smeserver-openvpn-routed-update"; +#add here the path to your templates needed to expand +#see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event + +foreach my $file (qw( + /etc/systemd/system-preset/49-koozali.preset + /etc/crontab + /etc/openvpn/routed/management-pass.txt + /etc/openvpn/routed/openvpn.conf + +)) +{ + templates2events( $file, $event ); +} + +#action needed in case we have a systemd unit +event_link("systemd-default", $event, "10"); +event_link("systemd-reload", $event, "50"); + +#action specific to this package +event_link("openvpn-routed-update", $event, "60"); +event_link("openvpn-bridge-jail", $event, "03"); +#services we need to restart +safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/openvpn-routed"); + + +use esmith::Build::Backup qw(:all); +backup_includes("smeserver-openvpn-routed", qw( +/etc/openvpn/routed/priv +/etc/openvpn/routed/pub +/var/log/openvpn-routed +)); diff --git a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher new file mode 100644 index 0000000..f2defb7 --- /dev/null +++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher @@ -0,0 +1 @@ +AES-128-CBC diff --git a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC new file mode 100644 index 0000000..cad7bd6 --- /dev/null +++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC @@ -0,0 +1 @@ +SHA256 diff --git a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/UDPPort b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/UDPPort new file mode 100644 index 0000000..9f6bb62 --- /dev/null +++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/UDPPort @@ -0,0 +1 @@ +1194 
diff --git a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/access b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/access
new file mode 100644
index 0000000..a48cf0d
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/access
@@ -0,0 +1 @@
+public
diff --git a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/status b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/status
new file mode 100644
index 0000000..86981e6
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/status
@@ -0,0 +1 @@
+enabled
diff --git a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/type b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/type
new file mode 100644
index 0000000..24e1098
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/type
@@ -0,0 +1 @@
+service
diff --git a/root/etc/e-smith/db/configuration/migrate/50openvpn-routed-management-pass b/root/etc/e-smith/db/configuration/migrate/50openvpn-routed-management-pass
new file mode 100644
index 0000000..9956c65
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/migrate/50openvpn-routed-management-pass
@@ -0,0 +1,9 @@
+{
+ my $openvpn = $DB->get('openvpn-routed') || $DB->new_record('openvpn-routed', {type => 'service'});
+ my $management = $openvpn->prop('ManagementPassword') || '';
+ return "" if ($management ne '');
+
+ # Generate a random password
+ $pass=`/usr/bin/openssl rand -base64 20 | tr -c -d '[:alnum:]'`;
+ $openvpn->set_prop('ManagementPassword',"$pass");
+}
diff --git a/root/etc/e-smith/events/actions/openvpn-routed-delete-net b/root/etc/e-smith/events/actions/openvpn-routed-delete-net
new file mode 100644
index 0000000..8f5ef32
--- /dev/null
+++ b/root/etc/e-smith/events/actions/openvpn-routed-delete-net
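Review bot: The generated management password is persisted without checking it is non-empty: if `/usr/bin/openssl` is missing or the pipeline fails, `$pass` is `''`, `set_prop` stores that, and the `10All` template for management-pass.txt then falls back to the literal `secret`, so the management socket ends up protected by a published default. Add a guard before the `set_prop` call, e.g. `return "" if ($pass eq '');`, so a failed generation is retried on the next migrate pass instead of being frozen in the db. `$pass` is also the only variable in the fragment assigned without `my`.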
@@ -0,0 +1,25 @@
+#!/usr/bin/perl -w
+use strict;
+use esmith::ConfigDB;
+use esmith::NetworksDB;
+use esmith::event;
+
+my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
+my $n = esmith::NetworksDB->open || die "Couldn't open netwoks db\n";
+my @nets = $n->networks;
+my $ovpn = $c->get('openvpn-routed');
+my $net = $ovpn->prop('Network') || '192.168.29.0/255.255.255.0';
+my ($vpnnet,$mask) = split /\//, $net;
+
+foreach my $net (@nets){
+ my $key = $net->key;
+ my $vpn = $n->get_prop($key,"VPNRouted") || '';
+
+ if ($vpn eq 'yes'){
+ unless ($key eq $vpnnet){
+ $n->set_prop($key, type=>'network-deleted');
+ event_signal("network-delete","$key");
+ $n->get($key)->delete;
+ }
+ }
+}
diff --git a/root/etc/e-smith/events/actions/openvpn-routed-jail b/root/etc/e-smith/events/actions/openvpn-routed-jail
new file mode 100644
index 0000000..3e71340
--- /dev/null
+++ b/root/etc/e-smith/events/actions/openvpn-routed-jail
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+#copy any files needed for the jail
+
+#be sure we have the needed timezone
+/bin/cp -L /etc/localtime /etc/openvpn/routed/etc
+
diff --git a/root/etc/e-smith/events/actions/openvpn-routed-update-crl b/root/etc/e-smith/events/actions/openvpn-routed-update-crl
new file mode 100644
index 0000000..19a1e89
--- /dev/null
+++ b/root/etc/e-smith/events/actions/openvpn-routed-update-crl
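Review bot: `$ovpn->prop('Network')` dies with "Can't call method on an undefined value" whenever the `openvpn-routed` record is missing, because `$c->get('openvpn-routed')` is not checked; the defaults directory shipped in this commit makes that rare but a db cleanup can still trigger it, and the event would then abort mid-way. Follow the pattern used two lines earlier: `my $ovpn = $c->get('openvpn-routed') or die "No openvpn-routed record\n";`. The loop variable in `foreach my $net (@nets)` shadows the outer `$net` string that `$vpnnet` was derived from, which is harmless but confusing; renaming it (`$rec`) removes the double meaning. Typo in the die message: `netwoks`.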
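Review bot: `/bin/cp -L /etc/localtime /etc/openvpn/routed/etc` assumes the directory `/etc/openvpn/routed/etc` exists, but the spec's `%build` only creates `ccd`, `priv`, `pub`, `tmp` and `dev` under the chroot; with no such directory `cp` creates a regular file named `etc`, and the chrooted daemon still has no `/etc/localtime`. Create it first and make the destination explicit: `/bin/mkdir -p /etc/openvpn/routed/etc` followed by `/bin/cp -L /etc/localtime /etc/openvpn/routed/etc/localtime`. As noted on createlinks, this action is also never linked into any event in this commit.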
@@ -0,0 +1,32 @@ +#!/bin/bash + +URL=$(/sbin/e-smith/db configuration getprop openvpn-routed CrlUrl) +DOMAIN=$(/sbin/e-smith/db configuration get DomainName) + +if [ -z $URL ]; then + exit 0 +fi + +/usr/bin/wget $URL -O /tmp/cacrl_routed.pem > /dev/null 2>&1 + +/usr/bin/openssl crl -inform PEM -in /tmp/cacrl_routed.pem -text > /dev/null 2>&1 + +if [ "$?" -eq "0" ]; then + /bin/mv -f /tmp/cacrl_routed.pem /etc/openvpn/routed/pub/cacrl.pem > /dev/null 2>&1 +else + cat > /tmp/crlmail_routed <> /tmp/crlmail_routed + mail -s 'CRL update failed' admin@$DOMAIN < /tmp/crlmail_routed +fi + +rm -f /tmp/cacrl_routed.pem +rm -f /tmp/crlmail_routed diff --git a/root/etc/e-smith/templates.metadata/etc/openvpn/routed/management-pass.txt b/root/etc/e-smith/templates.metadata/etc/openvpn/routed/management-pass.txt new file mode 100644 index 0000000..19c11e8 --- /dev/null +++ b/root/etc/e-smith/templates.metadata/etc/openvpn/routed/management-pass.txt @@ -0,0 +1,3 @@ +PERMS=0600 +UID="root" +GID="root" diff --git a/root/etc/e-smith/templates/etc/crontab/openvpn-routed-crl b/root/etc/e-smith/templates/etc/crontab/openvpn-routed-crl new file mode 100644 index 0000000..bb45375 --- /dev/null +++ b/root/etc/e-smith/templates/etc/crontab/openvpn-routed-crl @@ -0,0 +1,7 @@ +{ +my $url = ${'openvpn-routed'}{'CrlUrl'} || ''; +if ($url =~ /^http(s)?:\/\/.*$/){ + $OUT .= "# Update OpenVPN routed CRL\n"; + $OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-routed-update-crl 2>&1 /dev/null\n"; +} +} diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/10All b/root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/10All new file mode 100644 index 0000000..ba32597 --- /dev/null +++ b/root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/10All @@ -0,0 +1,4 @@ +{ + my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret'; + $OUT = "$pass"; +} 
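Review bot: The fetched CRL is installed as soon as `openssl crl … -text` parses it, which checks syntax only and not that the CRL is signed by this server's CA, so whatever answers the configured URL (which the crontab template allows to be plain `http://`) decides which certificates are revoked. Verify against the CA before the `mv`: `/usr/bin/openssl crl -inform PEM -in "$TMP" -CAfile /etc/openvpn/routed/pub/cacert.pem -noout`. The fixed path `/tmp/cacrl_routed.pem` written by a root cron job should come from `TMP=$(mktemp /tmp/cacrl_routed.XXXXXX)` and be used in place of the literal, and `$URL` needs quoting in both `[ -z "$URL" ]` and the `wget` call (a `--timeout` on `wget` would also stop a hung fetch from stacking up hourly runs). The mail branch's here-document appears garbled in this rendering (`cat > /tmp/crlmail_routed <> /tmp/crlmail_routed`), so I could not review it.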
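Review bot: The redirection in the generated crontab entry is in the wrong order: `2>&1 /dev/null` duplicates stderr onto stdout and then passes `/dev/null` to the script as a positional argument, so nothing is silenced and every hourly run mails its output to root. It should be `$OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-routed-update-crl > /dev/null 2>&1\n";` (or drop the redirect entirely so failures are actually reported). Since the `^http(s)?:\/\/` test deliberately accepts plain http, a comment recording that the action must signature-check what it downloads would keep the two files' assumptions aligned.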
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/10dev b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/10dev
new file mode 100644
index 0000000..f938443
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/10dev
@@ -0,0 +1,21 @@
+{
+ my $OUT='';
+ my $protocol = ${'openvpn-routed'}{Protocol} || 'udp';
+ my $port='';
+ if ($protocol eq 'udp'){
+ $port = ${'openvpn-routed'}{UDPPort} || '1194';
+ }
+ if ($protocol eq 'tcp'){
+ $port = ${'openvpn-routed'}{TCPPort} || '1194';
+ $protocol = 'tcp-server';
+ }
+
+$OUT .=<<"HERE";
+
+port $port
+proto $protocol
+dev tunvpn0
+
+HERE
+
+}
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/20daemon b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/20daemon
new file mode 100644
index 0000000..915f1ac
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/20daemon
@@ -0,0 +1,5 @@
+user openvpn
+group openvpn
+chroot /etc/openvpn/routed
+persist-key
+persist-tun
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert
new file mode 100644
index 0000000..8362cbf
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert
@@ -0,0 +1,20 @@
+# Certificates config
+dh pub/dh.pem
+ca pub/cacert.pem
+cert pub/cert.pem
+key priv/key.pem
+tls-server
+
+{
+
+if (-e "/etc/openvpn/routed/priv/takey.pem" &&
+ !-z "/etc/openvpn/routed/priv/takey.pem"){
+ $OUT .= "tls-auth priv/takey.pem 0\n";
+}
+
+if (-e '/etc/openvpn/routed/pub/cacrl.pem' &&
+ !-z '/etc/openvpn/routed/pub/cacrl.pem'){
+ $OUT .= "crl-verify pub/cacrl.pem\n";
+}
+
+}
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
new file mode 100644
index 0000000..0bc25fd
--- /dev/null
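Review bot: `my $OUT='';` declares a lexical that shadows the template engine's `$OUT`, so the text this fragment appends is never seen through the engine's variable; presumably it still produces output only because the block's last statement (`$OUT .=<<"HERE"`) evaluates to the accumulated string, which Text::Template then takes as the fragment's value. That is fragile: `90clients` and `95logs` in this commit use the same `my $OUT` pattern, and in `90clients` the last statement is an `if` whose value is empty when `MaxClients` is not numeric, so `ccd-exclusive` is silently dropped. Remove the `my` in all three fragments (the other fragments here, e.g. `30cert`, append to `$OUT` without declaring it). Separately, a `Protocol` value other than `udp`/`tcp` leaves `$port` empty and emits `port ` with no number; defaulting unrecognised values to `udp` keeps the config loadable.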
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption 
@@ -0,0 +1,33 @@
+{
+ #HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
+ # need to be changed on both side
+ my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : undef;
+ # cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
+ # # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
+ my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : undef;
+
+ ## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
+ my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2";
+ # TLS 1.3 encryption settings
+ my $tlsCipherSuites13 = ( ${'openvpn-routed'}{'tlsCipherSuites13'} ) ? ${'openvpn-routed'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ # # TLS 1.2 encryption settings
+ my $tlsCipher12 = ( ${'openvpn-routed'}{'tlsCipher12'} ) ? ${'openvpn-routed'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
+
+
+
+ $OUT .= "#securing control channel\n";
+ $OUT .= "tls-version-min $tlsVmin\n";
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
+ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
+ #$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
+ #$OUT .= "ecdh-curve secp384r1\n";
+
+ # data channel
+ $OUT .= "#securing data channel\n";
+ $OUT .= (defined $cipher) ? 
"cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n"; + #auth SHA512 + $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n"; + + + +} diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth new file mode 100644 index 0000000..3834504 --- /dev/null +++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth @@ -0,0 +1,8 @@ +{ + my $userAuth = ${'openvpn-routed'}{Authentication} || 'CrtWithPass'; + if ($userAuth eq 'CrtWithPass'){ + my $libdir = (-d "/usr/lib64/") ? '/usr/lib64' : '/usr/lib'; + $OUT .= "plugin " . $libdir . "/openvpn/plugins/openvpn-plugin-auth-pam.so login\n"; + } + $OUT .= ''; +} diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/50server b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/50server new file mode 100644 index 0000000..f975994 --- /dev/null +++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/50server @@ -0,0 +1,9 @@ +{ + my $net = ${'openvpn-routed'}{'Network'} || '192.168.29.0/255.255.255.0'; + my ($addr,$mask) = split /\//, $net; + $OUT = "server $addr $mask\n"; +} +topology subnet + +up /etc/openvpn/routed/bin/up +script-security 2 diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options new file mode 100644 index 0000000..6cb7327 --- /dev/null +++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options 
@@ -0,0 +1,55 @@
+# Options
+{
+
+my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
+my $fragment = ${'openvpn-routed'}{Fragment} || '';
+my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
+my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
+my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
+my $passtos = ${'openvpn-routed'}{PassTOS} || 'enabled';
+my $compress = ${'openvpn-routed'}{Compression} || 'enabled';
+
+if ($proto eq 'tcp'){
+ $mtuTest = 'disabled';
+ $fragment = '';
+}
+
+$OUT .=<<"HERE";
+keepalive 40 180
+push "dhcp-option DOMAIN $DomainName"
+push "dhcp-option DNS $LocalIP"
+push "dhcp-option WINS $LocalIP"
+
+HERE
+
+if ($tunMtu !~ /^\d+$/){
+ $OUT .= "mtu-test\n";
+}
+else{
+ if ($tunMtu ne ''){
+ $OUT .= "tun-mtu $tunMtu\n";
+ }
+}
+
+if (($proto eq 'udp') && ($fragment =~ /^\d+$/)){
+ $OUT .= "fragment $fragment\n";
+}
+$OUT .= "mssfix\n";
+
+if ($duplicate eq 'enabled'){
+ $OUT .= "duplicate-cn\n";
+}
+
+if ($passtos eq 'enabled'){
+ $OUT .= "passtos\n";
+}
+
+if ($compress eq 'enabled'){
+ $OUT .= "comp-lzo adaptive\n";
+ $OUT .= "push \"comp-lzo adaptive\"\n";
+}
+
+}
+
+nice 5
+
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes
new file mode 100644
index 0000000..138b0f5
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes
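Review bot: `$mtuTest = 'disabled';` in the `tcp` branch assigns an undeclared variable that nothing reads, so the apparent intent (no `mtu-test` over TCP, where it is meaningless) is not implemented: the later `if ($tunMtu !~ /^\d+$/)` still emits `mtu-test` for TCP whenever `Mtu` is unset. Either declare it with the other locals, `my $mtuTest = 'enabled';`, and honour it where the directive is written, `$OUT .= "mtu-test\n" if ($mtuTest eq 'enabled');`, or delete the dead assignment. `$redirectGW` is read here but only used by `70routes`, so it can go as well.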
@@ -0,0 +1,29 @@
+{
+
+my $pushRoutes = ${'openvpn-routed'}{PushLocalNetworks} || 'enabled';
+my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || 'disabled';
+
+use esmith::NetworksDB;
+my $ndb = esmith::NetworksDB->open_ro() ||
+ die('Can not open Networks DB');
+
+my @networks = $ndb->networks();
+
+if ($redirectGW eq 'enabled'){
+ $OUT .= "push \"redirect-gateway def1\"\n";
+}
+elsif ($pushRoutes eq 'enabled'){
+ foreach my $network (@networks) {
+ my $route = '';
+ my $addr = $network->key;
+ my $mask = $network->prop('Mask');
+ my $gw = $network->prop('Router') || '';
+ my $vpn = $network->prop('VPN') || '';
+ next if (($network->prop('PushRoute') || 'enabled') eq 'disabled');
+ next if (($network->prop('VPNRouted') || 'no') eq 'yes');
+ $route .= "push \"route $addr $mask";
+ $route .= " $gw" if ($vpn eq '' && $gw ne '');
+ $OUT .= "$route\"\n";
+ }
+}
+}
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/80management b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/80management
new file mode 100644
index 0000000..8e74018
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/80management
@@ -0,0 +1,5 @@
+{
+ my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
+ $OUT ="management 127.0.0.1 11195 management-pass.txt\n";
+
+}
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/90clients b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/90clients
new file mode 100644
index 0000000..502b409
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/90clients
@@ -0,0 +1,13 @@
+{
+ my $OUT = '';
+ my $maxClient = ${'openvpn-routed'}{MaxClients} || '';
+ my $configRequired = ${'openvpn-routed'}{ConfigRequired} || 'disabled';
+
+ if ($configRequired eq 'enabled'){
+ $OUT .= 'ccd-exclusive\n';
+ }
+ if ($maxClient =~ /^\d+$/){
+ $OUT .= "max-clients $maxClient\n";
+ }
+}
+client-config-dir ccd
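Review bot: `my $pass = … || 'secret';` in the 80management fragment is computed and never used — the password reaches OpenVPN through `management-pass.txt`, which has its own template and fallback — so the line only misleads a reader into thinking the `secret` default is applied here. Delete it, and consider a one-line comment above the `management` directive noting that the password file is generated by the management-pass.txt template with 0600 permissions.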
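Review bot: `$OUT .= 'ccd-exclusive\n';` in 90clients is single-quoted, so the two characters `\n` are emitted literally instead of a newline and the next directive (`max-clients N`, or the `client-config-dir ccd` line that follows the block) lands on the same line, which OpenVPN rejects as an unknown option — in other words enabling `ConfigRequired` currently breaks the config. It should be `$OUT .= "ccd-exclusive\n";`.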
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/95logs b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/95logs
new file mode 100644
index 0000000..98f536a
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/95logs
@@ -0,0 +1,10 @@
+status-version 2
+status bridge-status.txt
+{
+ #suppress-timestamps
+ my $OUT = '';
+ my $verb = ${'openvpn-routed'}{Verbose} || '3';
+ $OUT .= "verb $verb\n";
+}
+log-append /var/log/openvpn-routed/openvpn-routed.log
+
diff --git a/root/etc/logrotate.d/openvpn-routed b/root/etc/logrotate.d/openvpn-routed
new file mode 100644
index 0000000..fdd6834
--- /dev/null
+++ b/root/etc/logrotate.d/openvpn-routed
@@ -0,0 +1,8 @@
+/var/log/openvpn-routed/*.log{
+ monthly
+ rotate 6
+ compress
+ copytruncate
+ missingok
+}
+
diff --git a/root/etc/openvpn/routed/bin/up b/root/etc/openvpn/routed/bin/up
new file mode 100644
index 0000000..a9bf5f8
--- /dev/null
+++ b/root/etc/openvpn/routed/bin/up
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+net=$(/sbin/e-smith/db configuration getprop openvpn-routed Network || echo '192.168.29.0/255.255.255.0')
+addr=${net%%/*}
+mask=${net#*/}
+
+db=$(/sbin/e-smith/db networks getprop $addr VPNRouted)
+if [ -z $db ]; then
+ /sbin/e-smith/db networks set $addr network Mask $mask VPNRouted yes Removable no
+ /sbin/e-smith/signal-event network-create $addr
+fi
+exit 0
diff --git a/root/sbin/e-smith/systemd/openvpn-routed b/root/sbin/e-smith/systemd/openvpn-routed
new file mode 100644
index 0000000..2b9dbe5
--- /dev/null
+++ b/root/sbin/e-smith/systemd/openvpn-routed
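Review bot: `status bridge-status.txt` names the routed server's status file after the bridge contrib this template was evidently copied from; it is written relative to `--cd /etc/openvpn/routed`, so there is no clash with openvpn-bridge, but the name misleads anyone looking for the routed server's state (the CHANGELOG in this commit records a similar mix-up with the CRL file name). Rename it `status routed-status.txt`. The `#suppress-timestamps` comment inside the Perl block is dead text; either wire it to a db property or drop it.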
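Review bot: `net=$(… getprop openvpn-routed Network || echo '192.168.29.0/255.255.255.0')` only falls back when `db getprop` exits non-zero; if it exits 0 with empty output for an unset property (I cannot confirm its exit status from here), `$addr` and `$mask` are empty and the script runs `db networks set '' network Mask '' …` and signals `network-create` with an empty key. A value-based default is safe either way: `net=${net:-192.168.29.0/255.255.255.0}` right after the assignment. `$addr`, `$mask` and `$db` should also be quoted in the test and the `db` calls (`[ -z "$db" ]`, `getprop "$addr" VPNRouted`), since this runs as root from OpenVPN's `up` hook.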
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+[[ ! -f /etc/openvpn/routed/pub/cert.pem && -f /etc/openvpn/bridge/pub/cert.pem ]] && cp -a /etc/openvpn/bridge/pub/cert.pem /etc/openvpn/routed/pub/cert.pem
+[[ ! -f /etc/openvpn/routed/pub/cacert.pem && -f /etc/openvpn/bridge/pub/cacert.pem ]] && cp -a /etc/openvpn/bridge/pub/cacert.pem /etc/openvpn/routed/pub/cacert.pem
+[[ ! -f /etc/openvpn/routed/pub/dh.pem && -f /etc/openvpn/bridge/pub/dh.pem ]] && cp -a /etc/openvpn/bridge/pub/dh.pem /etc/openvpn/routed/pub/dh.pem
+[[ ! -f /etc/openvpn/routed/priv/key.pem && -f /etc/openvpn/bridge/priv/key.pem ]] && cp -a /etc/openvpn/bridge/priv/key.pem /etc/openvpn/routed/priv/key.pem
+[[ ! -f /etc/openvpn/routed/priv/takey.pem && -f /etc/openvpn/bridge/priv/takey.pem ]] && cp -a /etc/openvpn/bridge/priv/takey.pem /etc/openvpn/routed/priv/takey.pem
+if [[ ! -f /etc/openvpn/routed/pub/cacrl.pem && -f /etc/openvpn/bridge/pub/cacrl.pem ]] ; then
+ cp -a /etc/openvpn/bridge/pub/cacrl.pem /etc/openvpn/routed/pub/cacrl.pem
+ CrlUrl=`/sbin/e-smith/config getprop openvpn-bridge CrlUrl`
+ /sbin/e-smith/config setprop openvpn-routed CrlUrl "$CrlUrl="
+
+ myport=`/sbin/e-smith/config getprop openvpn-routed UDPPort`
+ oriport="$myiport"
+ bridgeport=`/sbin/e-smith/config getprop openvpn-bridge UDPPort`
+ s2sports=`/sbin/e-smith/db openvpn-s2s print |sed -re 's/.*Port\|([0-9]+).*/\1/'|sort|uniq`
+ while [[ $s2sports =~ $myport || $myport == $bridgeport ]]
+ do
+ myport=$[$myport+1]
+ done
+ if [[ $myport != $oriport ]]; then
+ echo "set UDPPort to $myport as $oriport was already taken"
+ /sbin/e-smith/db configuration setprop openvpn-routed UDPPort $myport
+ /sbin/e-smith/expand-template /etc/openvpn/routed/openvpn.conf
+ fi
+fi
+chmod 0600 /etc/openvpn/routed/priv/*
+chmod 0644 /etc/openvpn/routed/pub/*
+chown root:admin /etc/openvpn/routed/priv/*
+chown root:admin /etc/openvpn/routed/pub/*
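Review bot: `oriport="$myiport"` misspells `$myport`, so `oriport` is always empty, `[[ $myport != $oriport ]]` is always true, and the UDPPort is rewritten and the config re-expanded even when no port conflict existed, with a message that reports an empty old port; the fix is `oriport="$myport"`. A few lines above, `setprop openvpn-routed CrlUrl "$CrlUrl="` appends a stray `=` to the copied CRL URL, which would break the CRL refresh that depends on it; it should be `"$CrlUrl"`. `[[ $s2sports =~ $myport ]]` is an unanchored regex, so 1194 also matches a site-to-site port such as 11940 and the loop can skip ports that are actually free; a whole-line match such as `grep -qx "$myport" <<<"$s2sports"` is exact. Since the first five lines copy the bridge instance's private key and tls-auth key into the routed instance, a short header comment stating that the two services deliberately share key material would stop a later maintainer from treating that as an accident.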
diff --git a/root/usr/lib/systemd/system/openvpn-routed.service b/root/usr/lib/systemd/system/openvpn-routed.service
new file mode 100644
index 0000000..95b4764
--- /dev/null
+++ b/root/usr/lib/systemd/system/openvpn-routed.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=OpenVPN Server routed for Roadwariors
+After=network.service
+
+[Service]
+Type=notify
+PrivateTmp=true
+WorkingDirectory=/etc/openvpn/routed
+
+ExecStartPre=-/sbin/e-smith/service-status 'openvpn-routed'
+ExecStartPre=-/sbin/e-smith/systemd/openvpn-routed
+ExecStart=/usr/sbin/openvpn --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
+
+PrivateTmp=true
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+KillMode=process
+RestartSec=5s
+Restart=on-failure
+
+
+[Install]
+WantedBy=sme-server.target
+
diff --git a/root/var/service/openvpn-routed/log/run b/root/var/service/openvpn-routed/log/run
new file mode 100644
index 0000000..0479041
--- /dev/null
+++ b/root/var/service/openvpn-routed/log/run
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec \
+ /usr/local/bin/setuidgid smelog \
+ /usr/local/bin/multilog t s5000000 \
+ /var/log/openvpn-routed
diff --git a/root/var/service/openvpn-routed/run b/root/var/service/openvpn-routed/run
new file mode 100644
index 0000000..e78ed1e
--- /dev/null
+++ b/root/var/service/openvpn-routed/run
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+exec 2>&1
+
+exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
diff --git a/smeserver-openvpn-routed.spec b/smeserver-openvpn-routed.spec
new file mode 100644
index 0000000..aa8cdcf
--- /dev/null
+++ b/smeserver-openvpn-routed.spec
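Review bot: The `ExecStart=` line keeps `BF-CBC` at the end of `--ncp-ciphers`, so a client that only offers Blowfish (a 64-bit block cipher) can still negotiate it, which works against the changelog entry in this same commit that moved the cipher off Blowfish for being insecure; drop `BF-CBC` (and consider the two AES-CBC entries) from the list, or move cipher selection entirely into the encryption template so one place governs it. Both `ExecStartPre=` lines are prefixed with `-`, so a failure in the setup script — including the `chmod 0600` on the private keys — does not prevent the daemon from starting; the second one at least should lose the `-`. `PrivateTmp=true` is declared twice and `Roadwariors` in `Description=` is a typo. `After=network.service` is not a standard unit name; `After=network-online.target` with a matching `Wants=` is the conventional dependency for a daemon binding a UDP port, though which units exist on this platform is not shown here.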
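Review bot: This `run` script starts a second OpenVPN on exactly the same config and `--cd` as the systemd unit in this commit but without its `--ncp-ciphers` argument, so the two start-up paths diverge in cipher policy and, if both supervisors are ever active, contend for the same UDP port and tun device. If `/var/service` is only a legacy path on this platform, a comment such as `# legacy daemontools runner; systemd unit is authoritative` or removing the directory would make that explicit — which supervisor is active is not visible from the page.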
@@ -0,0 +1,124 @@
+# Authority: vip-ire
+# Name: Daniel Berteaud
+
+Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode
+Name: smeserver-openvpn-routed
+%define version 0.1.6
+%define release 8
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: Networking/Remote access
+Source: %{name}-%{version}.tar.xz
+
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+BuildArchitectures: noarch
+
+BuildRequires: e-smith-devtools
+
+Requires: e-smith-base
+Requires: openvpn
+#Requires: perl(Net::OpenVPN::Manage)
+
+%description
+This package contains all the needed scripts and templates
+to have a full working openvpn server running in routed mode.
+
+
+%changelog
+* Thu Mar 06 2025 cvs2git.sh aka Brian Read 0.1.6-8.sme
+- Roll up patches and move to git repo [SME: 12338]
+
+* Thu Mar 06 2025 BogusDateBot
+- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
+ by assuming the date is correct and changing the weekday.
+
+* Wed Nov 23 2022 Jean-Philippe Pialasse 0.1.6-7.sme
+- log to a dedicated file [SME: 12243]
+ use locale timestamp
+
+* Sat Jul 30 2022 Brian Read 0.1.6-6.sme
+- Re-build and link to latest devtools [SME: 11997]
+
+* Sat Jul 23 2022 Jean-Philippe Pialasse 0.1.6-5.sme
+- add to core backup [SME: 11997]
+
+* Thu Apr 01 2021 Jean-Philippe Pialasse 0.1.6-4.sme
+- autoconfiguration if openvpn-bridge is isntalled and configured [SME: 11336]
+- reworked systemd unit and scripts
+- new property HMAC forced to SHA256, instead of insecure default SHA1 [SME: 9925]
+- Cipher now enforced to AES-128-CBC, instead of insecure default Blowfish [SME: 9919]
+- possibility to exclude networks to push [SME: 10548]
+
+* Thu Feb 04 2021 Brian Read 0.1.6-2.sme
+- Initial import to SME10 [SME: 11336]
+- Add-in-systemd-startup
+
+* Mon Apr 10 2017 Daniel Berteaud 0.1.6-1
+- Update pam plugin path [SME: 10220]
+
+* Mon Feb 8 2016 Daniel Berteaud 0.1.5-1
+- Create /etc/openvpn/routed/dev/urandom [SME: 9238]
+
+* Tue Sep 29 2015 Daniel Berteaud 0.1.4-1
+- Make crl verification optional
+- Set a default Network if none is set
+- restrict permission on the management-pass.txt file
+
+* Wed Dec 3 2014 Daniel Berteaud 0.1.3-1
+- Correctly push route to local network when not redirecting gw
+
+* Mon Jun 23 2014 Daniel Berteaud 0.1.2-1
+- Fix plugin path on x86_64
+
+* Wed Aug 21 2013 Daniel Berteaud 0.1.1-1
+- Use full path to the up script
+
+* Tue Jun 11 2013 Daniel Berteaud 0.1.0-1
+- initial release
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%build
+perl createlinks
+
+%{__mkdir_p} root/etc/openvpn/routed/ccd
+%{__mkdir_p} root/etc/openvpn/routed/priv
+%{__mkdir_p} root/etc/openvpn/routed/pub
+%{__mkdir_p} root/etc/openvpn/routed/etc
+%{__mkdir_p} root/etc/openvpn/routed/tmp
+%{__mkdir_p} root/etc/openvpn/routed/dev
+%{__mkdir_p} root/var/log/openvpn-routed
+
+%install
+/bin/rm -rf $RPM_BUILD_ROOT
+(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
+/bin/rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+ --file /sbin/e-smith/systemd/openvpn-routed 'attr(0755,root,root)' \
+ --file /var/service/openvpn-routed/run 'attr(0755,root,root)' \
+ --file /var/service/openvpn-routed/log/run 'attr(0755,root,root)' \
+ --dir /var/log/openvpn-routed 'attr(0750,smelog,smelog)' \
+ --dir /etc/openvpn/routed/pub 'attr(0755,root,root)' \
+ --dir /etc/openvpn/routed/priv 'attr(0750,root,root)' \
+ --dir /etc/openvpn/routed/ccd 'attr(0755,root,root)' \
+ --dir /etc/openvpn/routed/etc 'attr(0755,root,root)' \
+ --dir /etc/openvpn/routed/tmp 'attr(0770,root,openvpn)' \
+ --file /usr/bin/ovpn-routed-update-crl 'attr(0750,root,root)' \
+ --file /etc/openvpn/routed/bin/up 'attr(755,root,root)' \
+ > %{name}-%{version}-filelist
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+if [ \! -c /etc/openvpn/routed/dev/urandom ]; then
+ mknod -m 0444 /etc/openvpn/routed/dev/urandom c 1 9
+fi
+
+%preun
+
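Review bot: `--file /usr/bin/ovpn-routed-update-crl 'attr(0750,root,root)'` in the genfilelist call names a path that none of the files visible in this chunk installs, so the entry most likely matches nothing and the intended 0750 restriction is never applied; either ship the script at that path or drop the line, and confirm against the package's actual file list. `attr(755,root,root)` for `bin/up` omits the leading zero that every other entry uses; harmless, but write `attr(0755,root,root)` for consistency. The `priv` directory is packaged as `root:root` 0750 while the systemd setup script in this commit later chowns its contents to `root:admin`, which deserves a one-line comment on the `--dir /etc/openvpn/routed/priv` entry explaining the intended owner. The trailing `%preun` section is empty and can be removed.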