Buildroot-based VPN server

.gitmodules

@@ -0,0 +1,4 @@
+[submodule "buildroot"]
+	path = buildroot
+	url = http://blankertz.org/~matthias/git/buildroot.git
+	branch = 2014.02_panda

build.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+(
+	cd buildroot
+	BR2_DEFCONFIG=../buildroot.config make defconfig &&
+	make
+)

buildroot.config

@@ -0,0 +1,41 @@
+BR2_x86_athlon_4=y
+BR2_KERNEL_HEADERS_VERSION=y
+BR2_DEFAULT_KERNEL_VERSION="3.12.16"
+BR2_UCLIBC_CONFIG="$(TOPDIR)/../uClibc-0.9.33.panda.config"
+BR2_TOOLCHAIN_BUILDROOT_LARGEFILE=y
+BR2_TOOLCHAIN_BUILDROOT_INET_IPV6=y
+BR2_TOOLCHAIN_BUILDROOT_LOCALE=y
+BR2_TOOLCHAIN_BUILDROOT_USE_SSP=y
+BR2_BINUTILS_VERSION_2_24=y
+BR2_GCC_VERSION_4_8_X=y
+BR2_TOOLCHAIN_BUILDROOT_CXX=y
+BR2_GENERATE_LOCALE="en_US.UTF-8 de_DE.UTF-8"
+BR2_TARGET_GENERIC_HOSTNAME="panda"
+BR2_TARGET_GENERIC_PASSWD_SHA256=y
+BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV=y
+BR2_ROOTFS_OVERLAY="$(TOPDIR)/../overlay"
+BR2_ROOTFS_CUSTOM_FAKEROOT="$(TOPDIR)/../fakeroot.fs"
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="3.12.16"
+BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(TOPDIR)/../linux-3.12.16.config"
+BR2_LINUX_KERNEL_INSTALL_TARGET=y
+BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y
+BR2_PACKAGE_XZ=y
+BR2_PACKAGE_DOSFSTOOLS=y
+BR2_PACKAGE_LINUX_FIRMWARE=y
+BR2_PACKAGE_CA_CERTIFICATES=y
+BR2_PACKAGE_DHCPCD=y
+BR2_PACKAGE_IPROUTE2=y
+BR2_PACKAGE_IPTABLES=y
+BR2_PACKAGE_IPUTILS=y
+BR2_PACKAGE_OPENSSH=y
+BR2_PACKAGE_OPENVPN=y
+BR2_PACKAGE_BASH=y
+BR2_PACKAGE_SUDO=y
+BR2_TARGET_ROOTFS_CPIO=y
+BR2_TARGET_ROOTFS_CPIO_XZ=y
+BR2_TARGET_SYSLINUX=y
+# BR2_TARGET_SYSLINUX_ISOLINUX is not set
+# BR2_TARGET_SYSLINUX_PXELINUX is not set

fakeroot.fs

@@ -0,0 +1,7 @@
+echo "Hello, fake" `pwd`
+(
+	cd output/target
+	chown -R 1001:100 home/matthias
+	chown -R 1002:100 home/pan
+)
+

linux-3.12.16.config

@@ -0,0 +1,299 @@
+# CONFIG_64BIT is not set
+# CONFIG_LOCALVERSION_AUTO is not set
+CONFIG_DEFAULT_HOSTNAME="panda"
+CONFIG_SYSVIPC=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_BSD_PROCESS_ACCT=y
+CONFIG_TASKSTATS=y
+CONFIG_TASK_DELAY_ACCT=y
+CONFIG_TASK_XACCT=y
+CONFIG_TASK_IO_ACCOUNTING=y
+CONFIG_LOG_BUF_SHIFT=18
+CONFIG_CGROUPS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_RESOURCE_COUNTERS=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_NAMESPACES=y
+CONFIG_RELAY=y
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_RD_XZ=y
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_EMBEDDED=y
+# CONFIG_COMPAT_BRK is not set
+CONFIG_PROFILING=y
+CONFIG_PARTITION_ADVANCED=y
+# CONFIG_EFI_PARTITION is not set
+CONFIG_DEFAULT_DEADLINE=y
+# CONFIG_X86_MPPARSE is not set
+# CONFIG_X86_EXTENDED_PLATFORM is not set
+CONFIG_MK7=y
+CONFIG_PROCESSOR_SELECT=y
+# CONFIG_CPU_SUP_INTEL is not set
+# CONFIG_CPU_SUP_CYRIX_32 is not set
+# CONFIG_CPU_SUP_CENTAUR is not set
+# CONFIG_CPU_SUP_TRANSMETA_32 is not set
+# CONFIG_CPU_SUP_UMC_32 is not set
+CONFIG_HPET_TIMER=y
+CONFIG_PREEMPT_VOLUNTARY=y
+CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
+# CONFIG_X86_MCE_INTEL is not set
+CONFIG_X86_REBOOTFIXUPS=y
+CONFIG_MICROCODE=y
+# CONFIG_MICROCODE_INTEL is not set
+CONFIG_MICROCODE_AMD=y
+CONFIG_X86_MSR=y
+CONFIG_X86_CPUID=y
+CONFIG_NOHIGHMEM=y
+CONFIG_X86_CHECK_BIOS_CORRUPTION=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_RELOCATABLE is not set
+# CONFIG_SUSPEND is not set
+CONFIG_PM_RUNTIME=y
+CONFIG_ACPI_PROCFS=y
+# CONFIG_ACPI_BATTERY is not set
+CONFIG_ACPI_DOCK=y
+CONFIG_ACPI_CONTAINER=y
+CONFIG_CPU_FREQ=y
+# CONFIG_CPU_FREQ_STAT is not set
+CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
+CONFIG_CPU_FREQ_GOV_USERSPACE=y
+CONFIG_X86_ACPI_CPUFREQ=y
+CONFIG_X86_POWERNOW_K7=y
+CONFIG_PCI_MSI=y
+CONFIG_PCI_IOAPIC=y
+CONFIG_BINFMT_MISC=y
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_XFRM_USER=y
+CONFIG_INET=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_MULTIPLE_TABLES=y
+CONFIG_IP_ROUTE_MULTIPATH=y
+CONFIG_IP_ROUTE_VERBOSE=y
+CONFIG_IP_PNP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_IP_PNP_BOOTP=y
+CONFIG_IP_PNP_RARP=y
+CONFIG_IP_MROUTE=y
+CONFIG_IP_PIMSM_V1=y
+CONFIG_IP_PIMSM_V2=y
+CONFIG_SYN_COOKIES=y
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
+# CONFIG_INET_DIAG is not set
+CONFIG_TCP_CONG_ADVANCED=y
+# CONFIG_TCP_CONG_BIC is not set
+# CONFIG_TCP_CONG_WESTWOOD is not set
+# CONFIG_TCP_CONG_HTCP is not set
+CONFIG_TCP_MD5SIG=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_NETLABEL=y
+CONFIG_NETWORK_SECMARK=y
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_ADVANCED is not set
+CONFIG_NET_SCHED=y
+CONFIG_NET_EMATCH=y
+CONFIG_NET_CLS_ACT=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+# CONFIG_STANDALONE is not set
+CONFIG_DEBUG_DEVRES=y
+CONFIG_CONNECTOR=y
+CONFIG_PARPORT=y
+CONFIG_PARPORT_PC=y
+CONFIG_PARPORT_PC_FIFO=y
+CONFIG_PARPORT_PC_SUPERIO=y
+CONFIG_PARIDE=y
+CONFIG_PARIDE_PD=y
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_SR=y
+CONFIG_BLK_DEV_SR_VENDOR=y
+CONFIG_CHR_DEV_SG=y
+CONFIG_SCSI_SPI_ATTRS=y
+# CONFIG_SCSI_LOWLEVEL is not set
+CONFIG_ATA=y
+# CONFIG_SATA_PMP is not set
+CONFIG_ATA_PIIX=y
+CONFIG_PATA_OLDPIIX=y
+CONFIG_PATA_SIS=y
+CONFIG_ATA_GENERIC=y
+CONFIG_NETDEVICES=y
+CONFIG_NETCONSOLE=y
+CONFIG_TUN=y
+# CONFIG_NET_VENDOR_3COM is not set
+# CONFIG_NET_VENDOR_ADAPTEC is not set
+# CONFIG_NET_VENDOR_ALTEON is not set
+# CONFIG_NET_VENDOR_AMD is not set
+# CONFIG_NET_VENDOR_ARC is not set
+# CONFIG_NET_VENDOR_ATHEROS is not set
+# CONFIG_NET_CADENCE is not set
+# CONFIG_NET_VENDOR_BROADCOM is not set
+# CONFIG_NET_VENDOR_BROCADE is not set
+# CONFIG_NET_VENDOR_CHELSIO is not set
+# CONFIG_NET_VENDOR_CISCO is not set
+# CONFIG_NET_VENDOR_DEC is not set
+# CONFIG_NET_VENDOR_DLINK is not set
+# CONFIG_NET_VENDOR_EMULEX is not set
+# CONFIG_NET_VENDOR_EXAR is not set
+# CONFIG_NET_VENDOR_HP is not set
+# CONFIG_NET_VENDOR_INTEL is not set
+# CONFIG_NET_VENDOR_MARVELL is not set
+# CONFIG_NET_VENDOR_MELLANOX is not set
+# CONFIG_NET_VENDOR_MICREL is not set
+# CONFIG_NET_VENDOR_MYRI is not set
+# CONFIG_NET_VENDOR_NATSEMI is not set
+# CONFIG_NET_VENDOR_NVIDIA is not set
+# CONFIG_NET_VENDOR_OKI is not set
+# CONFIG_NET_PACKET_ENGINE is not set
+# CONFIG_NET_VENDOR_QLOGIC is not set
+CONFIG_8139CP=y
+CONFIG_R8169=y
+# CONFIG_NET_VENDOR_RDC is not set
+# CONFIG_NET_VENDOR_SEEQ is not set
+# CONFIG_NET_VENDOR_SILAN is not set
+# CONFIG_NET_VENDOR_SIS is not set
+# CONFIG_NET_VENDOR_SMSC is not set
+# CONFIG_NET_VENDOR_STMICRO is not set
+# CONFIG_NET_VENDOR_SUN is not set
+# CONFIG_NET_VENDOR_TEHUTI is not set
+# CONFIG_NET_VENDOR_TI is not set
+# CONFIG_NET_VENDOR_VIA is not set
+# CONFIG_NET_VENDOR_WIZNET is not set
+CONFIG_PHYLIB=y
+CONFIG_REALTEK_PHY=y
+# CONFIG_WLAN is not set
+CONFIG_INPUT_POLLDEV=y
+CONFIG_INPUT_SPARSEKMAP=y
+# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
+CONFIG_INPUT_EVDEV=y
+CONFIG_INPUT_JOYSTICK=y
+CONFIG_INPUT_TABLET=y
+CONFIG_INPUT_TOUCHSCREEN=y
+CONFIG_INPUT_MISC=y
+# CONFIG_LEGACY_PTYS is not set
+CONFIG_SERIAL_NONSTANDARD=y
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_SERIAL_8250_NR_UARTS=32
+CONFIG_SERIAL_8250_EXTENDED=y
+CONFIG_SERIAL_8250_MANY_PORTS=y
+CONFIG_SERIAL_8250_SHARE_IRQ=y
+CONFIG_SERIAL_8250_DETECT_IRQ=y
+CONFIG_SERIAL_8250_RSA=y
+CONFIG_NVRAM=y
+CONFIG_HPET=y
+# CONFIG_HPET_MMAP is not set
+CONFIG_I2C_SIS96X=y
+CONFIG_PPS=y
+CONFIG_THERMAL_GOV_USER_SPACE=y
+CONFIG_WATCHDOG=y
+CONFIG_AGP=y
+CONFIG_AGP_SIS=y
+CONFIG_DRM=y
+CONFIG_DRM_SIS=y
+CONFIG_VIDEO_OUTPUT_CONTROL=y
+CONFIG_FB=y
+CONFIG_FB_MODE_HELPERS=y
+CONFIG_FB_TILEBLITTING=y
+CONFIG_VGACON_SOFT_SCROLLBACK=y
+CONFIG_FRAMEBUFFER_CONSOLE=y
+CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
+CONFIG_LOGO=y
+# CONFIG_LOGO_LINUX_MONO is not set
+# CONFIG_LOGO_LINUX_VGA16 is not set
+CONFIG_SOUND=y
+CONFIG_SND=y
+CONFIG_SND_SEQUENCER=y
+CONFIG_SND_SEQ_DUMMY=y
+CONFIG_SND_MIXER_OSS=y
+CONFIG_SND_PCM_OSS=y
+CONFIG_SND_SEQUENCER_OSS=y
+CONFIG_SND_HRTIMER=y
+CONFIG_SND_INTEL8X0=y
+# CONFIG_SND_USB is not set
+CONFIG_HIDRAW=y
+CONFIG_HID_GYRATION=y
+CONFIG_HID_LOGITECH=y
+CONFIG_LOGITECH_FF=y
+CONFIG_HID_NTRIG=y
+CONFIG_HID_PANTHERLORD=y
+CONFIG_PANTHERLORD_FF=y
+CONFIG_HID_PETALYNX=y
+CONFIG_HID_SAMSUNG=y
+CONFIG_HID_SUNPLUS=y
+CONFIG_HID_TOPSEED=y
+CONFIG_HID_PID=y
+CONFIG_USB_HIDDEV=y
+CONFIG_USB=y
+CONFIG_USB_DEBUG=y
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
+CONFIG_USB_MON=y
+CONFIG_USB_EHCI_HCD=y
+CONFIG_USB_OHCI_HCD=y
+CONFIG_USB_UHCI_HCD=y
+CONFIG_USB_PRINTER=y
+CONFIG_USB_STORAGE=y
+CONFIG_USB_STORAGE_CYPRESS_ATACB=y
+CONFIG_EDAC=y
+CONFIG_RTC_CLASS=y
+# CONFIG_RTC_HCTOSYS is not set
+CONFIG_DMADEVICES=y
+# CONFIG_IOMMU_SUPPORT is not set
+CONFIG_EXT4_FS=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_QUOTA=y
+CONFIG_QUOTA_NETLINK_INTERFACE=y
+# CONFIG_PRINT_QUOTA_WARNING is not set
+CONFIG_QFMT_V2=y
+CONFIG_AUTOFS4_FS=y
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+CONFIG_ZISOFS=y
+CONFIG_MSDOS_FS=y
+CONFIG_VFAT_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_HUGETLBFS=y
+CONFIG_NFS_FS=y
+CONFIG_NFS_V3_ACL=y
+CONFIG_NFS_V4=y
+CONFIG_ROOT_NFS=y
+CONFIG_NLS_DEFAULT="utf8"
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
+CONFIG_PRINTK_TIME=y
+# CONFIG_ENABLE_WARN_DEPRECATED is not set
+CONFIG_FRAME_WARN=2048
+# CONFIG_UNUSED_SYMBOLS is not set
+CONFIG_DEBUG_FS=y
+CONFIG_MAGIC_SYSRQ=y
+# CONFIG_SCHED_DEBUG is not set
+CONFIG_TIMER_STATS=y
+# CONFIG_FTRACE is not set
+CONFIG_EARLY_PRINTK_DBGP=y
+# CONFIG_DEBUG_RODATA_TEST is not set
+CONFIG_DEBUG_BOOT_PARAMS=y
+CONFIG_OPTIMIZE_INLINING=y
+CONFIG_KEYS_DEBUG_PROC_KEYS=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_CRYPTO_AES_586=y
+CONFIG_CRYPTO_ARC4=y
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+# CONFIG_VIRTUALIZATION is not set
+CONFIG_AVERAGE=y

openvpn-test/ca.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE9zCCA9+gAwIBAgIJAPiqn2VVDFaUMA0GCSqGSIb3DQEBCwUAMIGtMQswCQYD
+VQQGEwJERTELMAkGA1UECBMCQlcxEjAQBgNVBAcTCUthcmxzcnVoZTENMAsGA1UE
+ChMEbm9uZTEbMBkGA1UECxMSTWF0dGhpYXMgQmxhbmtlcnR6MRgwFgYDVQQDEw9w
+YW5kYS5oYWRpa28uZGUxEDAOBgNVBCkTB0Vhc3lSU0ExJTAjBgkqhkiG9w0BCQEW
+Fm1hdHRoaWFzQGJsYW5rZXJ0ei5vcmcwHhcNMTQwNDAzMTQ0NTM2WhcNMjQwMzMx
+MTQ0NTM2WjCBrTELMAkGA1UEBhMCREUxCzAJBgNVBAgTAkJXMRIwEAYDVQQHEwlL
+YXJsc3J1aGUxDTALBgNVBAoTBG5vbmUxGzAZBgNVBAsTEk1hdHRoaWFzIEJsYW5r
+ZXJ0ejEYMBYGA1UEAxMPcGFuZGEuaGFkaWtvLmRlMRAwDgYDVQQpEwdFYXN5UlNB
+MSUwIwYJKoZIhvcNAQkBFhZtYXR0aGlhc0BibGFua2VydHoub3JnMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyDC2BIf3FfEoLxrr9oxQ46cDO8DBRdqF
+3ZUiVupBZ8+MJz871UJEUvVjJi7yuxGOfr1JIBYfgEgFzLNvhFsRrwQGp6hcGgJC
+38JQOZAWopjz/cH4LRyNaPOu9Hd5KCspOSfZLj7y7VKzcO1TtLOYHlnmilM/VWL1
+38yZ3gwnFTRSaue2nHB8ex8Lm9uWYhzy8PTNcIVUaM7cFuX1LQmk3tyHsuN4ZFIV
++9D1+O3JKaepdzXC6af2we37wYIxl02R428bkf+QEqfcU3lqlmOBMKqHRMxnYtGE
+bOZgVkUJJ07BreiYiypNbrBNsJjf+kWTT+ymzie8h3V6eBUdjSbmCwIDAQABo4IB
+FjCCARIwHQYDVR0OBBYEFLHei9/kSHXfzWfdcUYXv1DHa063MIHiBgNVHSMEgdow
+gdeAFLHei9/kSHXfzWfdcUYXv1DHa063oYGzpIGwMIGtMQswCQYDVQQGEwJERTEL
+MAkGA1UECBMCQlcxEjAQBgNVBAcTCUthcmxzcnVoZTENMAsGA1UEChMEbm9uZTEb
+MBkGA1UECxMSTWF0dGhpYXMgQmxhbmtlcnR6MRgwFgYDVQQDEw9wYW5kYS5oYWRp
+a28uZGUxEDAOBgNVBCkTB0Vhc3lSU0ExJTAjBgkqhkiG9w0BCQEWFm1hdHRoaWFz
+QGJsYW5rZXJ0ei5vcmeCCQD4qp9lVQxWlDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQBEqr4PGh+LzAz1PmVKY5pOXX/nxysy8c+Lob6GvvTzBa1H3Tk+
+OHX3VTVMF4fY/UtVpypK1dHyMpA0AT9SPrZG68PxwKLemE6PqnVecX+slPrbyiY9
+Op4A65UN6UgkcBPTkcToAXjMMDGjQU/r1PswNCBZdb7ZQa/it31KF0nHDNWIG1Da
+60LKQx96fTLI57+/VMLq5+Uo+RGXcBT1JbHgMSJhUfGePlNyGirlN9EiNJgCYTXo
+SrobHLsHNByurTSlvMYBsOFudeVvI0ZbiGN5JJO5/WMMJk9MM/iqe6An2ipZHNsf
+vYwg6bV2KTpv+4R4/wWb0ADtkZHnjrC0p9ZP
+-----END CERTIFICATE-----

openvpn-test/client.conf

@@ -0,0 +1,123 @@
+##############################################
+# Sample client-side OpenVPN 2.0 config file #
+# for connecting to multi-client server.     #
+#                                            #
+# This configuration can be used by multiple #
+# clients, however each client should have   #
+# its own cert and key files.                #
+#                                            #
+# On Windows, you might want to rename this  #
+# file so it has a .ovpn extension           #
+##############################################
+
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel
+# if you have more than one.  On XP SP2,
+# you may need to disable the firewall
+# for the TAP adapter.
+;dev-node MyTap
+
+# Are we connecting to a TCP or
+# UDP server?  Use the same setting as
+# on the server.
+proto tcp
+;proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+remote 172.20.117.221 1194
+;remote my-server-2 1194
+
+# Choose a random host from the remote
+# list for load-balancing.  Otherwise
+# try hosts in the order specified.
+;remote-random
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Downgrade privileges after initialization (non-Windows only)
+;user nobody
+;group nobody
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# If you are connecting through an
+# HTTP proxy to reach the actual OpenVPN
+# server, put the proxy server/IP and
+# port number here.  See the man page
+# if your proxy server requires
+# authentication.
+;http-proxy-retry # retry on connection failures
+;http-proxy [proxy server] [proxy port #]
+
+# Wireless networks often produce a lot
+# of duplicate packets.  Set this flag
+# to silence duplicate packet warnings.
+;mute-replay-warnings
+
+# SSL/TLS parms.
+# See the server config file for more
+# description.  It's best to use
+# a separate .crt/.key file pair
+# for each client.  A single ca
+# file can be used for all clients.
+ca ca.crt
+cert matthias.crt
+key matthias.key
+
+# Verify server certificate by checking
+# that the certicate has the nsCertType
+# field set to "server".  This is an
+# important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the nsCertType
+# field set to "server".  The build-key-server
+# script in the easy-rsa folder will do this.
+ns-cert-type server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+;tls-auth ta.key 1
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+;cipher x
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+comp-lzo
+
+# Set log file verbosity.
+verb 3
+
+# Silence repeating messages
+;mute 20

overlay/etc/firewall.sh

@@ -0,0 +1,118 @@
+#!/bin/sh
+
+# A Sample OpenVPN-aware firewall.
+
+# eth0 is connected to the internet.
+# eth1 is connected to a private subnet.
+
+VPNIF=tun0
+LANIF=eth0
+
+PRIVATE=10.42.23.0/24
+
+# Loopback address
+LOOP=127.0.0.1
+
+# Delete old iptables rules
+# and temporarily block all traffic.
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -F
+
+# Set default policies
+iptables -P OUTPUT ACCEPT
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+
+# Prevent external packets from using loopback addr
+iptables -A INPUT -i $LANIF -s $LOOP -j DROP
+iptables -A FORWARD -i $LANIF -s $LOOP -j DROP
+iptables -A INPUT -i $LANIF -d $LOOP -j DROP
+iptables -A FORWARD -i $LANIF -d $LOOP -j DROP
+
+# Anything coming from the Network should have a real Internet address,
+# or a known "Uninetz" private address (172.20.0.0/16)
+iptables -N Antispoof_172
+iptables -A FORWARD -i $LANIF -s 192.168.0.0/16 -j DROP
+iptables -A FORWARD -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
+iptables -A FORWARD -i $LANIF -s 10.0.0.0/8 -j DROP
+iptables -A INPUT -i $LANIF -s 192.168.0.0/16 -j DROP
+iptables -A INPUT -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
+iptables -A INPUT -i $LANIF -s 10.0.0.0/8 -j DROP
+iptables -A Antispoof_172 -i $LANIF -s 172.20.0.0/16 -j RETURN
+iptables -A Antispoof_172 -j DROP
+
+# Block outgoing NetBios (if you have windows machines running
+# on the private subnet).  This will not affect any NetBios
+# traffic that flows over the VPN tunnel, but it will stop
+# local windows machines from broadcasting themselves to
+# the network.
+iptables -A FORWARD -p tcp --sport 137:139 -o $LANIF -j DROP
+iptables -A FORWARD -p udp --sport 137:139 -o $LANIF -j DROP
+iptables -A OUTPUT -p tcp --sport 137:139 -o $LANIF -j DROP
+iptables -A OUTPUT -p udp --sport 137:139 -o $LANIF -j DROP
+
+# Check source address validity on packets going out to network
+iptables -A OUTPUT -s $PRIVATE -o $LANIF -j DROP
+
+# Allow local loopback
+iptables -A INPUT -s $LOOP -j ACCEPT
+iptables -A INPUT -d $LOOP -j ACCEPT
+
+# Allow useful ICMP, and forward it too
+iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type 11/0 -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type 11/1 -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type 0/0 -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
+iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
+iptables -A FORWARD -p icmp --icmp-type 11/0 -j ACCEPT
+iptables -A FORWARD -p icmp --icmp-type 11/1 -j ACCEPT
+iptables -A FORWARD -p icmp --icmp-type 0/0 -j ACCEPT
+iptables -A FORWARD -p icmp --icmp-type 3 -j ACCEPT
+
+# Allow services such as ssh (can be disabled)
+iptables -A INPUT -p tcp --dport ssh -j ACCEPT
+
+# Allow incoming OpenVPN packets
+# Duplicate the line below for each
+# OpenVPN tunnel, changing --dport n
+# to match the OpenVPN UDP port.
+#
+# In OpenVPN, the port number is
+# controlled by the --port n option.
+# If you put this option in the config
+# file, you can remove the leading '--'
+#
+# If you taking the stateful firewall
+# approach (see the OpenVPN HOWTO),
+# then comment out the line below.
+
+iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
+
+# Allow packets from TUN/TAP devices.
+# When OpenVPN is run in a secure mode,
+# it will authenticate packets prior
+# to their arriving on a tun or tap
+# interface.  Therefore, it is not
+# necessary to add any filters here,
+# unless you want to restrict the
+# type of packets which can flow over
+# the tunnel.
+
+iptables -A INPUT -i tun+ -j ACCEPT
+iptables -A FORWARD -i tun+ -j ACCEPT
+#iptables -A INPUT -i tap+ -j ACCEPT
+#iptables -A FORWARD -i tap+ -j ACCEPT
+
+# Keep state of connections from local machine and private subnets
+iptables -A OUTPUT -m state --state NEW -o $LANIF -j ACCEPT
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state NEW -o $LANIF -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Masquerade local subnet
+iptables -t nat -A POSTROUTING -s $PRIVATE -o $LANIF -j MASQUERADE
+
+echo "1" > /proc/sys/net/ipv4/ip_forward

overlay/etc/group

@@ -0,0 +1,29 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+kmem:x:9:
+wheel:x:10:root,matthias,pan
+cdrom:x:11:
+dialout:x:18:
+floppy:x:19:
+video:x:28:
+audio:x:29:
+tape:x:32:
+www-data:x:33:
+utmp:x:43:
+plugdev:x:46:
+staff:x:50:
+lock:x:54:
+haldaemon:x:68:
+dbus:x:81:
+netdev:x:82:
+ftp:x:83
+nobody:x:99:
+nogroup:x:99:
+users:x:100:
+default:x:1000:

overlay/etc/init.d/S41firewall

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/etc/firewall.sh

overlay/etc/login.defs

@@ -0,0 +1 @@
+ENCRYPT_METHOD SHA256

overlay/etc/network/interfaces

@@ -0,0 +1,9 @@
+# Configure Loopback
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+    address 172.20.117.221
+    netmask 255.255.255.240
+    gateway 172.20.117.209

overlay/etc/openvpn/ca.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE9zCCA9+gAwIBAgIJAPiqn2VVDFaUMA0GCSqGSIb3DQEBCwUAMIGtMQswCQYD
+VQQGEwJERTELMAkGA1UECBMCQlcxEjAQBgNVBAcTCUthcmxzcnVoZTENMAsGA1UE
+ChMEbm9uZTEbMBkGA1UECxMSTWF0dGhpYXMgQmxhbmtlcnR6MRgwFgYDVQQDEw9w
+YW5kYS5oYWRpa28uZGUxEDAOBgNVBCkTB0Vhc3lSU0ExJTAjBgkqhkiG9w0BCQEW
+Fm1hdHRoaWFzQGJsYW5rZXJ0ei5vcmcwHhcNMTQwNDAzMTQ0NTM2WhcNMjQwMzMx
+MTQ0NTM2WjCBrTELMAkGA1UEBhMCREUxCzAJBgNVBAgTAkJXMRIwEAYDVQQHEwlL
+YXJsc3J1aGUxDTALBgNVBAoTBG5vbmUxGzAZBgNVBAsTEk1hdHRoaWFzIEJsYW5r
+ZXJ0ejEYMBYGA1UEAxMPcGFuZGEuaGFkaWtvLmRlMRAwDgYDVQQpEwdFYXN5UlNB
+MSUwIwYJKoZIhvcNAQkBFhZtYXR0aGlhc0BibGFua2VydHoub3JnMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyDC2BIf3FfEoLxrr9oxQ46cDO8DBRdqF
+3ZUiVupBZ8+MJz871UJEUvVjJi7yuxGOfr1JIBYfgEgFzLNvhFsRrwQGp6hcGgJC
+38JQOZAWopjz/cH4LRyNaPOu9Hd5KCspOSfZLj7y7VKzcO1TtLOYHlnmilM/VWL1
+38yZ3gwnFTRSaue2nHB8ex8Lm9uWYhzy8PTNcIVUaM7cFuX1LQmk3tyHsuN4ZFIV
++9D1+O3JKaepdzXC6af2we37wYIxl02R428bkf+QEqfcU3lqlmOBMKqHRMxnYtGE
+bOZgVkUJJ07BreiYiypNbrBNsJjf+kWTT+ymzie8h3V6eBUdjSbmCwIDAQABo4IB
+FjCCARIwHQYDVR0OBBYEFLHei9/kSHXfzWfdcUYXv1DHa063MIHiBgNVHSMEgdow
+gdeAFLHei9/kSHXfzWfdcUYXv1DHa063oYGzpIGwMIGtMQswCQYDVQQGEwJERTEL
+MAkGA1UECBMCQlcxEjAQBgNVBAcTCUthcmxzcnVoZTENMAsGA1UEChMEbm9uZTEb
+MBkGA1UECxMSTWF0dGhpYXMgQmxhbmtlcnR6MRgwFgYDVQQDEw9wYW5kYS5oYWRp
+a28uZGUxEDAOBgNVBCkTB0Vhc3lSU0ExJTAjBgkqhkiG9w0BCQEWFm1hdHRoaWFz
+QGJsYW5rZXJ0ei5vcmeCCQD4qp9lVQxWlDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQBEqr4PGh+LzAz1PmVKY5pOXX/nxysy8c+Lob6GvvTzBa1H3Tk+
+OHX3VTVMF4fY/UtVpypK1dHyMpA0AT9SPrZG68PxwKLemE6PqnVecX+slPrbyiY9
+Op4A65UN6UgkcBPTkcToAXjMMDGjQU/r1PswNCBZdb7ZQa/it31KF0nHDNWIG1Da
+60LKQx96fTLI57+/VMLq5+Uo+RGXcBT1JbHgMSJhUfGePlNyGirlN9EiNJgCYTXo
+SrobHLsHNByurTSlvMYBsOFudeVvI0ZbiGN5JJO5/WMMJk9MM/iqe6An2ipZHNsf
+vYwg6bV2KTpv+4R4/wWb0ADtkZHnjrC0p9ZP
+-----END CERTIFICATE-----

overlay/etc/openvpn/dh2048.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA/nVvOO+MHJlMpltHnmWsaQSXxlUwtUh2ncd2znELunsoPWbunDaC
+tKI2+NG8PssKRUm0pOKQM8nJN7sn+zu6yj7xGKQ1bcdoNfUS/FU05MClGxMrV3vV
+54PQQgKnpgaNEhlanNNCc2GaVZSEHOXi+X7J8b/WW7JjarwKgGZLqiScvgbvFIE6
+Yz8AIm4/hF4K6MjHuzJfL8JwfiqNchBRp8g0XUwDRR1AKa0WIivQ/1ZHbzLsxgRM
+c1QlF0r6Syyj6pt6mRDv52SD3+fKFzrNohLGe/1DQnlkNw2xAvEbgVHv+Dt+IgJd
+Z4UBzw4p/XpUPxouFWL5fjWMKyIKDPpMywIBAg==
+-----END DH PARAMETERS-----

overlay/etc/openvpn/panda.crt

@@ -0,0 +1,98 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=BW, L=Karlsruhe, O=none, OU=Matthias Blankertz, CN=panda.hadiko.de/name=EasyRSA/emailAddress=matthias@blankertz.org
+        Validity
+            Not Before: Apr  3 14:46:07 2014 GMT
+            Not After : Mar 31 14:46:07 2024 GMT
+        Subject: C=DE, ST=BW, L=Karlsruhe, O=none, OU=Matthias Blankertz, CN=panda/name=EasyRSA/emailAddress=matthias@blankertz.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:f1:62:95:6e:a9:b8:0c:b2:52:fc:95:6a:44:69:
+                    9a:37:28:13:35:42:ad:77:49:c9:c5:d4:e6:a3:b9:
+                    8f:4c:92:b1:0b:0b:1b:d1:be:66:44:15:06:d9:74:
+                    93:0f:9b:b8:c2:d5:46:98:45:73:25:de:6f:15:cc:
+                    ea:cb:1a:d8:24:ae:2d:da:ed:a7:2a:fd:6d:e4:b4:
+                    c6:f3:de:81:90:b3:f0:fd:38:40:e5:1a:8b:75:c9:
+                    12:26:8d:6c:b3:a3:d3:f1:b6:fa:03:cf:3a:d1:1a:
+                    d6:c3:08:3f:1c:fe:a7:d1:9d:d7:43:19:4f:87:69:
+                    26:c1:14:fa:c1:26:58:55:85:13:25:57:4e:58:a6:
+                    9d:f0:91:ab:eb:6c:56:f9:77:92:26:b5:68:8e:ec:
+                    81:ae:94:ab:8b:b6:72:ce:fa:05:e3:4e:e4:b1:d4:
+                    f3:fa:b4:fc:41:3d:4b:c3:11:d3:d7:94:08:6f:c9:
+                    22:c8:50:24:29:ac:32:3f:6d:5d:77:69:74:4c:a2:
+                    86:91:6c:f1:4b:09:74:33:5e:fe:c8:16:7d:86:37:
+                    2a:ef:74:e5:06:41:52:62:9e:09:d4:25:df:49:68:
+                    a8:a9:b2:09:44:0f:ae:09:50:d4:59:a2:be:74:45:
+                    ed:7f:89:af:b9:2b:35:f9:37:28:ea:7c:b8:5a:71:
+                    eb:03
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                02:6C:87:DE:AF:88:D9:C9:78:C2:59:B1:1E:06:81:77:89:4A:B3:6D
+            X509v3 Authority Key Identifier: 
+                keyid:B1:DE:8B:DF:E4:48:75:DF:CD:67:DD:71:46:17:BF:50:C7:6B:4E:B7
+                DirName:/C=DE/ST=BW/L=Karlsruhe/O=none/OU=Matthias Blankertz/CN=panda.hadiko.de/name=EasyRSA/emailAddress=matthias@blankertz.org
+                serial:F8:AA:9F:65:55:0C:56:94
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         3e:82:fe:8a:88:c2:12:67:73:a3:f4:27:30:9c:49:fd:f6:bf:
+         38:a5:80:e3:06:dc:d1:54:ed:4b:b6:0f:1f:8c:a5:15:99:76:
+         4e:f8:35:12:ee:09:03:bc:6a:cc:89:bf:e2:8a:b9:b8:7e:89:
+         01:fc:ec:2b:33:90:c8:7c:53:6d:af:b8:bc:d8:90:13:36:dd:
+         3a:7e:a0:89:07:7e:26:71:3f:42:c6:05:af:85:02:cd:fb:cb:
+         45:6c:4c:4e:14:84:05:26:e9:5b:10:a4:67:7e:ef:4e:5c:94:
+         d2:63:9b:8b:3f:3e:6a:ae:ce:2e:ac:6d:59:79:1b:8a:48:44:
+         a6:56:d3:e4:a2:06:50:95:6e:34:53:3f:83:3c:ec:df:ab:7c:
+         2b:2c:a2:a2:14:b3:67:82:bf:dd:a6:0d:12:0e:a7:0d:f5:9c:
+         31:a4:5a:a7:b9:09:50:b2:cb:63:af:a1:8a:df:a3:c6:21:ca:
+         85:e3:85:2d:33:12:a0:f1:3b:8b:65:4c:fd:54:b2:25:57:fa:
+         22:bd:d8:f8:a2:9c:6d:cf:2b:4e:8a:fd:69:32:fe:5e:d6:2e:
+         d2:88:00:c8:60:6f:e0:18:0b:96:b1:2c:ba:15:66:e4:ff:ff:
+         44:f9:f0:7c:f1:d7:ab:52:a0:22:d3:03:0d:81:79:d3:7b:43:
+         5b:3f:c1:69
+-----BEGIN CERTIFICATE-----
+MIIFTTCCBDWgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBrTELMAkGA1UEBhMCREUx
+CzAJBgNVBAgTAkJXMRIwEAYDVQQHEwlLYXJsc3J1aGUxDTALBgNVBAoTBG5vbmUx
+GzAZBgNVBAsTEk1hdHRoaWFzIEJsYW5rZXJ0ejEYMBYGA1UEAxMPcGFuZGEuaGFk
+aWtvLmRlMRAwDgYDVQQpEwdFYXN5UlNBMSUwIwYJKoZIhvcNAQkBFhZtYXR0aGlh
+c0BibGFua2VydHoub3JnMB4XDTE0MDQwMzE0NDYwN1oXDTI0MDMzMTE0NDYwN1ow
+gaMxCzAJBgNVBAYTAkRFMQswCQYDVQQIEwJCVzESMBAGA1UEBxMJS2FybHNydWhl
+MQ0wCwYDVQQKEwRub25lMRswGQYDVQQLExJNYXR0aGlhcyBCbGFua2VydHoxDjAM
+BgNVBAMTBXBhbmRhMRAwDgYDVQQpEwdFYXN5UlNBMSUwIwYJKoZIhvcNAQkBFhZt
+YXR0aGlhc0BibGFua2VydHoub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA8WKVbqm4DLJS/JVqRGmaNygTNUKtd0nJxdTmo7mPTJKxCwsb0b5mRBUG
+2XSTD5u4wtVGmEVzJd5vFczqyxrYJK4t2u2nKv1t5LTG896BkLPw/ThA5RqLdckS
+Jo1ss6PT8bb6A8860RrWwwg/HP6n0Z3XQxlPh2kmwRT6wSZYVYUTJVdOWKad8JGr
+62xW+XeSJrVojuyBrpSri7ZyzvoF407ksdTz+rT8QT1LwxHT15QIb8kiyFAkKawy
+P21dd2l0TKKGkWzxSwl0M17+yBZ9hjcq73TlBkFSYp4J1CXfSWioqbIJRA+uCVDU
+WaK+dEXtf4mvuSs1+Tco6ny4WnHrAwIDAQABo4IBfjCCAXowCQYDVR0TBAIwADAR
+BglghkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4QgENBCcWJUVhc3ktUlNBIEdlbmVy
+YXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAJsh96viNnJeMJZsR4G
+gXeJSrNtMIHiBgNVHSMEgdowgdeAFLHei9/kSHXfzWfdcUYXv1DHa063oYGzpIGw
+MIGtMQswCQYDVQQGEwJERTELMAkGA1UECBMCQlcxEjAQBgNVBAcTCUthcmxzcnVo
+ZTENMAsGA1UEChMEbm9uZTEbMBkGA1UECxMSTWF0dGhpYXMgQmxhbmtlcnR6MRgw
+FgYDVQQDEw9wYW5kYS5oYWRpa28uZGUxEDAOBgNVBCkTB0Vhc3lSU0ExJTAjBgkq
+hkiG9w0BCQEWFm1hdHRoaWFzQGJsYW5rZXJ0ei5vcmeCCQD4qp9lVQxWlDATBgNV
+HSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQELBQADggEB
+AD6C/oqIwhJnc6P0JzCcSf32vzilgOMG3NFU7Uu2Dx+MpRWZdk74NRLuCQO8asyJ
+v+KKubh+iQH87CszkMh8U22vuLzYkBM23Tp+oIkHfiZxP0LGBa+FAs37y0VsTE4U
+hAUm6VsQpGd+705clNJjm4s/Pmquzi6sbVl5G4pIRKZW0+SiBlCVbjRTP4M87N+r
+fCssoqIUs2eCv92mDRIOpw31nDGkWqe5CVCyy2OvoYrfo8YhyoXjhS0zEqDxO4tl
+TP1UsiVX+iK92PiinG3PK06K/Wky/l7WLtKIAMhgb+AYC5axLLoVZuT//0T58Hzx
+16tSoCLTAw2BedN7Q1s/wWk=
+-----END CERTIFICATE-----

overlay/etc/openvpn/panda.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDxYpVuqbgMslL8
+lWpEaZo3KBM1Qq13ScnF1OajuY9MkrELCxvRvmZEFQbZdJMPm7jC1UaYRXMl3m8V
+zOrLGtgkri3a7acq/W3ktMbz3oGQs/D9OEDlGot1yRImjWyzo9PxtvoDzzrRGtbD
+CD8c/qfRnddDGU+HaSbBFPrBJlhVhRMlV05Ypp3wkavrbFb5d5ImtWiO7IGulKuL
+tnLO+gXjTuSx1PP6tPxBPUvDEdPXlAhvySLIUCQprDI/bV13aXRMooaRbPFLCXQz
+Xv7IFn2GNyrvdOUGQVJingnUJd9JaKipsglED64JUNRZor50Re1/ia+5KzX5Nyjq
+fLhacesDAgMBAAECggEAc5MjP2gtwo6DY4La7cSuXShoAgFZ8xq2bG2ivNO1BBHc
+iRAZktSaPJDgxa+mVjvWPBtIANKH7qLRB1wlM3g382Aefot5lgDf5DiWZd+so680
+fNm5YLjT+2J5uVHPsTeI3Fwi2z4WyFYUbC9/oI9hpODxV6Q/yvMS5jH4WhDVDKSL
+zWZ8nfvfLK6yArc99pmEyWwDM0Np2JCQ3Iz6XZibNimoiDBma0Ss7hcMSShKNEKR
+7YS6cFbpPMlhHN3mWQ+6R/TrdTYylwFFUFn7KjlbAkO+tRmXyKHPUIEinmahyBl9
+aP/YPg67zhOCCPoHDcHnlB91Yxw2xNukvYVZkMywQQKBgQD9enYpoCF0msvDlk5L
+m7S73AwHelHEAtusfyoaM/mNRW0F6q8bBoISGyHn2JHhG2C2EfDJ9YLCR4D4jquj
+t62f3fA63MZbf8wFFjRZs1JteVpZajBXJYPk8uIBhVTlFFocHClORSmLYtMia/k5
+qakdBxSrcZ3VVMGio7blSxcy4wKBgQDzyVLvgiQVlEiAFQPupnbQjox2B1/zfc3i
+4rKFA8NZv114pz2/FBKbJ1r7OgwB311cLBLwvTAiVzxZuebxLUqMeG1+Qv/8U3gC
+GOv+LS3ymg+H4oPUw4MSSgPRB+byPR+J5b1j9JIbEqSw3zrHA6n+1YTOnAKtyXQm
+J1zLIxRBYQKBgQCuq3nLm14ShS0O3X+cmHKF1c+wQ3ke0j1gc8yme9RmpkXHgv4h
+aG2vXmUR5+o2rfAJ5vj/op/1kuJr5ZyfV85cUMrfNQ23Nax4gOGYQnr1l19MKGGh
+W+e0mC5nj+J9bXXe0wUfu4cyVupZWQBH3QL9TsjOj5+MxzgcBCbfgMw+swKBgQCx
+hXniNMdn+1msAyGg6BD/H76CuC4T1hlVzTSoDax0Lxi2ojohaVF/L/JdnNBfkLKg
+Suvj6DAj4Zht0iSsnQl7Lrq0xb84k+OAy3sV1PpvfeYvUjAjf9dzOvh6f6GZ5g6Q
+UP5PyimWk0XgEj3v6+gfTIZwGUUOHfN5URKOTdYTIQKBgQDc6ZqseI1MZBCRMiHS
+zB6yjO+CwO4wp8UBU+jfvxEJdf9FhqsjoM94pQXR/wBvisl5o/CpUhRI+5XufBaA
+GmEOaKHDHdugbLgBkh0B+cKFHoAtgGMJb6GyI2rht0cty41L+SXARxomfmlzSiJx
+wZOOnJA7kn2JqUwsz5NBJcJA3g==
+-----END PRIVATE KEY-----

overlay/etc/openvpn/vpn.conf

@@ -0,0 +1,299 @@
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port 1194
+
+# TCP or UDP server?
+proto tcp
+;proto udp
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun0
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca ca.crt
+cert panda.crt
+key panda.key  # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys. 
+dh dh2048.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.42.23.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Configure server mode for ethernet bridging
+# using a DHCP-proxy, where clients talk
+# to the OpenVPN server-side DHCP server
+# to receive their IP address allocation
+# and DNS server addresses.  You must first use
+# your OS's bridging capability to bridge the TAP
+# interface with the ethernet NIC interface.
+# Note: this mode only works on clients (such as
+# Windows), where the client-side TAP adapter is
+# bound to a DHCP client.
+;server-bridge
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+push "route 172.20.0.0 255.255.0.0"
+;push "route 192.168.20.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir ccd
+;route 192.168.40.128 255.255.255.248
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# or bridge the TUN/TAP interface to the internet
+# in order for this to work properly).
+;push "redirect-gateway def1 bypass-dhcp"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+# The addresses below refer to the public
+# DNS servers provided by opendns.com.
+;push "dhcp-option DNS 208.67.222.222"
+;push "dhcp-option DNS 208.67.220.220"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+;client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nobody
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status openvpn-status.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+;log         openvpn.log
+;log-append  openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 3
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20

overlay/etc/passwd

@@ -0,0 +1,18 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:100:sync:/bin:/bin/sync
+mail:x:8:8:mail:/var/spool/mail:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+operator:x:37:37:Operator:/var:/bin/sh
+haldaemon:x:68:68:hald:/:/bin/sh
+dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
+ftp:x:83:83:ftp:/home/ftp:/bin/sh
+nobody:x:99:99:nobody:/home:/bin/sh
+sshd:x:103:99:Operator:/var:/bin/sh
+default:x:1000:1000:Default non-root user:/home/default:/bin/sh
+matthias:x:1001:100:Matthias Blankertz:/home/matthias:/bin/bash
+pan:x:1002:100:Jan Olbrich:/home/pan:/bin/bash

overlay/etc/shadow

@@ -0,0 +1,15 @@
+root:$5$gUuEjn0WlWhOpa$KepWf0fQ4h5numS.fgEe00dkjSbeLdEcuhN61jZIh92:10933:0:99999:7:::
+bin:*:10933:0:99999:7:::
+daemon:*:10933:0:99999:7:::
+adm:*:10933:0:99999:7:::
+lp:*:10933:0:99999:7:::
+sync:*:10933:0:99999:7:::
+shutdown:*:10933:0:99999:7:::
+halt:*:10933:0:99999:7:::
+uucp:*:10933:0:99999:7:::
+operator:*:10933:0:99999:7:::
+ftp:*:10933:0:99999:7:::
+nobody:*:10933:0:99999:7:::
+default::10933:0:99999:7:::
+matthias:$5$F.fOPdBKgS$IlltP/mudUssGW1nzJdYeCYgoWNxJnBtclJdKD3viZ3:10933:0:99999:7:::
+pan:$5$mMC5xGOJ9yamml35$sy6cF3oyJ7aXyBDbpIfHuimhoz3gTsj7h2xmMpU.Hj0:10933:0:99999:7:::

overlay/etc/ssh_host_dsa_key

@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQCKzn298l8C3TCanK2wXVsAbDBTtOBWqArzXMNiIU7E5+VYQwFQ
+pj7phnukT1dDwe8Bvafoe+q25AROqPoxZ7TxTlRT0PzOMsDyvlCA4iqQvDTjN97N
+LbGphtN4n1oeFBWIBBa9smAKI8YsCD2CBeItWYAGeXYG8Sx9XpQju9zVTQIVANzA
+z8Y2IRHfLJSnwo3jq1vbeU25AoGAZGoiZH6l5Ks9pZIGQ0gMqZyYMwMgDKCEaIme
+GOHAJL9DYVVxqH4CynwjBeIT5Fl8dTXCTOgU8MljbwDYCHwgAYHmKDp1+J9GwqiW
+XaXlKXhrqlQfJSORb1mbxmY4wRY542kRYAbt/v4BiZuI/61sLKD+YGG18Hd/qPID
+fPwIsKECgYAieOgS1TX9ZgGRsrDa8za8jCwXq9SpBLbKGAwYOs01wy6KMD+v9456
+AuEtdOzDzUqxwbF4bknIH3O394CBnFDop1oG9eyyYx6q4hk5XeUEnbd8tAyaFLDI
+ck4D2zRjfaD+GbPJv/bvhIIBdW5vkGmHZJjW9jmfnMvIhGnsPzioxgIUTSA9/nd0
+I4r5A3j8Vzr2n2ryRqw=
+-----END DSA PRIVATE KEY-----

overlay/etc/ssh_host_dsa_key.pub

@@ -0,0 +1 @@
+ssh-dss AAAAB3NzaC1kc3MAAACBAIrOfb3yXwLdMJqcrbBdWwBsMFO04FaoCvNcw2IhTsTn5VhDAVCmPumGe6RPV0PB7wG9p+h76rbkBE6o+jFntPFOVFPQ/M4ywPK+UIDiKpC8NOM33s0tsamG03ifWh4UFYgEFr2yYAojxiwIPYIF4i1ZgAZ5dgbxLH1elCO73NVNAAAAFQDcwM/GNiER3yyUp8KN46tb23lNuQAAAIBkaiJkfqXkqz2lkgZDSAypnJgzAyAMoIRoiZ4Y4cAkv0NhVXGofgLKfCMF4hPkWXx1NcJM6BTwyWNvANgIfCABgeYoOnX4n0bCqJZdpeUpeGuqVB8lI5FvWZvGZjjBFjnjaRFgBu3+/gGJm4j/rWwsoP5gYbXwd3+o8gN8/AiwoQAAAIAieOgS1TX9ZgGRsrDa8za8jCwXq9SpBLbKGAwYOs01wy6KMD+v9456AuEtdOzDzUqxwbF4bknIH3O394CBnFDop1oG9eyyYx6q4hk5XeUEnbd8tAyaFLDIck4D2zRjfaD+GbPJv/bvhIIBdW5vkGmHZJjW9jmfnMvIhGnsPzioxg== matthias@pc

overlay/etc/ssh_host_ecdsa_key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINYYNMLKTfrYyF1ZbYtwQuOBtPU53kcd1VOnXnSgrA1OoAoGCCqGSM49
+AwEHoUQDQgAEJI90n+jfS66AYoiHY0CC/+TgwqLoD1h1VS+HPYy8XuyXKBALfaW0
+LZAZ8m6qkKJbLmg6PX6PQSvZJbtFcJGe5A==
+-----END EC PRIVATE KEY-----

overlay/etc/ssh_host_ecdsa_key.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCSPdJ/o30uugGKIh2NAgv/k4MKi6A9YdVUvhz2MvF7slygQC32ltC2QGfJuqpCiWy5oOj1+j0Er2SW7RXCRnuQ= matthias@pc

overlay/etc/ssh_host_ed25519_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCGfJWFyzWrWbWGiolHhYi6IcQ+zvfBFOKCZJ7VBDeuLQAAAJBNR6UITUel
+CAAAAAtzc2gtZWQyNTUxOQAAACCGfJWFyzWrWbWGiolHhYi6IcQ+zvfBFOKCZJ7VBDeuLQ
+AAAEDNDMIrJLjlEyhxsNGkm981drkI4vy8oTpaqSmmJ20AmoZ8lYXLNatZtYaKiUeFiLoh
+xD7O98EU4oJkntUEN64tAAAAC21hdHRoaWFzQHBjAQI=
+-----END OPENSSH PRIVATE KEY-----

overlay/etc/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZ8lYXLNatZtYaKiUeFiLohxD7O98EU4oJkntUEN64t matthias@pc

overlay/etc/ssh_host_key.pub

@@ -0,0 +1 @@
+2048 65537 23787955081135508414851670779501263820665165350017275161945639136316896875794454102301026503444145519476639659544305621626447497523905069993847279187013072580710184138698862458510325337402960448304786535231328335405657806009240740225886756180839465075334044310841655592332096760685938324261886508785915993250966221224209386220442907975541981894406488381894663020981434925751266558355602536765175001042917550961947469452113199850391519543579602982089570390037989909730304534427455011181703773379481541446935494958318100269109323716005907840287816655524991909804547348726112626963819397899600297814043343980773634857031 matthias@pc

overlay/etc/ssh_host_rsa_key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA2LcgdlLMlyPgOgs/Jeji5Kr+2cGqenXQrQC/9jvgJpbUQ3L1
+kN59hz3RYhkmn8viVSc1utry0vjmHrxtfU/CWq6Yzo6Ie4tXD8p9oq/Xp36vin5f
+xoDOqvUMd/3BxdEmtiZZk+eQ9ZEKYHdf532RwkkBjCVpfXECwHsLtmN5rVemM+mI
+uToPx+NLr83uTBF+8R0mSgv+qt1gdVkeU1TH4+IIh3UPN++b0cvk8/0crjX9s6Mm
+oixmQJ9KM7xHL2hIGeYZflK59SiAEW4TIX8nrCOvPlVixqO+g6ehIty4w8ucM/+T
+U3xjTnja7kYu4VTeCN+3RSFffoPukj3+JeMYXQIDAQABAoIBAGLHldRZCUga4imS
+1sXA0SrJhkBbNgl7ihJRNS5XPGRae4YC8EuIHk92rem47RIJLLEDnkn9YpEnQjzg
+RkfIAx6yVpRQA4XMjXJ1Ka7t165Q4FKQJ7ejHpBuAbDvyVMRckO0V0BDXJ+R7Njr
+kJtDcRzNihcHNn4m9MonS79muB957KHV0NoCSjKXs2pqe4WEO+7Uizw1lhd7/24u
+JatjrTzjTsRiL/MKYHyD2eOjhxcDunEgMQ+vpZlfebdyuaPrD7auzEpga7rVZhLk
+EMhXK11/U8MSC0a29WWQ+4ZYIV7aLWDsaVDsumF0OaqBOBiT32KDPN/Ws4nENpf9
+xpOYQgECgYEA/+QmC53iFpnJD6xIDO2Cljr8KpDvH0mzWDa4SxUpiEGSv+2Z4TyJ
+BKKonbHtouiPIzpPDb5O1SbpbH1eNK2MOWpilj6EnmG0l9odRWgbB2zvogtlmEtK
+DBpYs9a+LAXVm+X3Zavc6xDnavwPQ4ZR0l9NQNWJhSgXXLJTl6szjlkCgYEA2M62
+2czikGE7OnzA7W+QIXPCbCdZUnJsVpbQ67SPIkktlvd/9XHIU2N615RahkvvYGWh
+I5YdAd8eDK9EjxdHQLgHHu/krg8ftWlG5kyWjcO0hUtLQ1hdtOjGEs4Tg6Hjy/ez
+WfeC2iiZ1+SL6RPhy2+viXgQWdqKLy6ViUuqAaUCgYAJP/UEHHvstzhmYaLlHLzI
+s28kFsMeDWr3OFsnE6fBriUg3PTgCHEngr23nZPqfJ+X9WagJ43v9I0hh9Kc8t0L
+wkW4CqB+nSeLCa5fMOkxNoXfBKxyed4+W8FzFsMfEkLrdL+hpDnDIYRMALqIhVV1
+1k4TluR2tMFLb4LIC788WQKBgQCJyQWn8W/jdgegKfyqaQZeXCUpevBnV1TGyt5H
+jd6RWZRhpzVpFUDMziIZs6y8QLIGv0/jP9l7gQKl6RVXIuIjnVDZNnhMrkvmjNuE
+LRRZUBD/zVQtnpEfEfgfp1v7gf01eVxARu6gGsF61UKdhAcxtO8IHIe3sw2y4pYi
+RTXsCQKBgQDFHq8sYu8tji57D9dNtNOAWsnO8vPil25ogkaBhECHY6Duo41BbCNp
+4h5XdHomG4Fss2+hIQ9Z7p4TwQ4EpJOknfOjYlc1zNmTfznB68Izjdc9h5Dd++vb
+E9LZnE6rLDZoDVFHh2tDQkiWXR1p+nyFZnlYIws1WSkhvbMQZ/gwhQ==
+-----END RSA PRIVATE KEY-----

overlay/etc/ssh_host_rsa_key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYtyB2UsyXI+A6Cz8l6OLkqv7Zwap6ddCtAL/2O+AmltRDcvWQ3n2HPdFiGSafy+JVJzW62vLS+OYevG19T8JarpjOjoh7i1cPyn2ir9enfq+Kfl/GgM6q9Qx3/cHF0Sa2JlmT55D1kQpgd1/nfZHCSQGMJWl9cQLAewu2Y3mtV6Yz6Yi5Og/H40uvze5MEX7xHSZKC/6q3WB1WR5TVMfj4giHdQ8375vRy+Tz/RyuNf2zoyaiLGZAn0ozvEcvaEgZ5hl+Urn1KIARbhMhfyesI68+VWLGo76Dp6Ei3LjDy5wz/5NTfGNOeNruRi7hVN4I37dFIV9+g+6SPf4l4xhd matthias@pc

overlay/etc/sudoers

@@ -0,0 +1,90 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias	WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users.  These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias	ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands.  Often used to group related commands together.
+# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# 			    /usr/bin/pkill, /usr/bin/top
+
+##
+## Defaults specification
+##
+## You may wish to keep some of the following environment variables
+## when running commands via sudo.
+##
+## Locale settings
+# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+##
+## Run X applications through sudo; HOME is used to find the
+## .Xauthority file.  Note that other programs use HOME to find   
+## configuration files and this may lead to privilege escalation!
+# Defaults env_keep += "HOME"
+##
+## X11 resource path settings
+# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+##
+## Desktop path settings
+# Defaults env_keep += "QTDIR KDEDIR"
+##
+## Allow sudo-run commands to inherit the callers' ConsoleKit session
+# Defaults env_keep += "XDG_SESSION_COOKIE"
+##
+## Uncomment to enable special input methods.  Care should be taken as
+## this may allow users to subvert the command being run via sudo.
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!/sbin/reboot !log_output
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+%wheel ALL=(ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo	ALL=(ALL) ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw  # Ask for the password of the target user
+# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+
+## Read drop-in files from /etc/sudoers.d
+## (the '#' here does not indicate a comment)
+#includedir /etc/sudoers.d

qemu.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+qemu-system-i386 -cpu athlon -m 256 -nographic -serial mon:stdio -net nic,model=rtl8139 -net tap,helper=/usr/lib/qemu/qemu-bridge-helper -kernel buildroot/output/images/bzImage -initrd buildroot/output/images/rootfs.cpio.xz --append console=ttyS0

uClibc-0.9.33.panda.config

@@ -0,0 +1,273 @@
+#
+# Automatically generated make config: don't edit
+# Version: 0.9.33.2
+# Thu Apr  3 18:31:09 2014
+#
+# TARGET_alpha is not set
+# TARGET_arm is not set
+# TARGET_avr32 is not set
+# TARGET_bfin is not set
+# TARGET_c6x is not set
+# TARGET_cris is not set
+# TARGET_e1 is not set
+# TARGET_frv is not set
+# TARGET_h8300 is not set
+# TARGET_hppa is not set
+TARGET_i386=y
+# TARGET_i960 is not set
+# TARGET_ia64 is not set
+# TARGET_m68k is not set
+# TARGET_microblaze is not set
+# TARGET_mips is not set
+# TARGET_nios is not set
+# TARGET_nios2 is not set
+# TARGET_powerpc is not set
+# TARGET_sh is not set
+# TARGET_sh64 is not set
+# TARGET_sparc is not set
+# TARGET_v850 is not set
+# TARGET_vax is not set
+# TARGET_x86_64 is not set
+# TARGET_xtensa is not set
+
+#
+# Target Architecture Features and Options
+#
+TARGET_ARCH="i386"
+FORCE_OPTIONS_FOR_ARCH=y
+# CONFIG_GENERIC_386 is not set
+# CONFIG_386 is not set
+# CONFIG_486 is not set
+# CONFIG_586 is not set
+# CONFIG_586MMX is not set
+# CONFIG_686 is not set
+# CONFIG_PENTIUMII is not set
+# CONFIG_PENTIUMIII is not set
+# CONFIG_PENTIUM4 is not set
+# CONFIG_K6 is not set
+CONFIG_K7=y
+# CONFIG_ELAN is not set
+# CONFIG_CRUSOE is not set
+# CONFIG_WINCHIPC6 is not set
+# CONFIG_WINCHIP2 is not set
+# CONFIG_CYRIXIII is not set
+# CONFIG_NEHEMIAH is not set
+TARGET_SUBARCH="i686"
+
+#
+# Using ELF file format
+#
+ARCH_LITTLE_ENDIAN=y
+
+#
+# Using Little Endian
+#
+ARCH_HAS_MMU=y
+ARCH_USE_MMU=y
+UCLIBC_HAS_FLOATS=y
+UCLIBC_HAS_FPU=y
+DO_C99_MATH=y
+# DO_XSI_MATH is not set
+# UCLIBC_HAS_FENV is not set
+UCLIBC_HAS_LONG_DOUBLE_MATH=y
+KERNEL_HEADERS="/home/matthias/devel/buildroot/output/host/usr/i686-buildroot-linux-uclibc/sysroot/usr/include"
+HAVE_DOT_CONFIG=y
+
+#
+# General Library Settings
+#
+DOPIC=y
+HAVE_SHARED=y
+# FORCE_SHAREABLE_TEXT_SEGMENTS is not set
+LDSO_LDD_SUPPORT=y
+# LDSO_CACHE_SUPPORT is not set
+LDSO_PRELOAD_ENV_SUPPORT=y
+# LDSO_PRELOAD_FILE_SUPPORT is not set
+# LDSO_STANDALONE_SUPPORT is not set
+# LDSO_PRELINK_SUPPORT is not set
+# UCLIBC_STATIC_LDCONFIG is not set
+LDSO_RUNPATH=y
+LDSO_SEARCH_INTERP_PATH=y
+LDSO_LD_LIBRARY_PATH=y
+# LDSO_NO_CLEANUP is not set
+UCLIBC_CTOR_DTOR=y
+# LDSO_GNU_HASH_SUPPORT is not set
+# HAS_NO_THREADS is not set
+# LINUXTHREADS_OLD is not set
+# LINUXTHREADS_NEW is not set
+UCLIBC_HAS_THREADS_NATIVE=y
+UCLIBC_HAS_THREADS=y
+UCLIBC_HAS_TLS=y
+# PTHREADS_DEBUG_SUPPORT is not set
+UCLIBC_HAS_SYSLOG=y
+UCLIBC_HAS_LFS=y
+# MALLOC is not set
+# MALLOC_SIMPLE is not set
+MALLOC_STANDARD=y
+MALLOC_GLIBC_COMPAT=y
+UCLIBC_DYNAMIC_ATEXIT=y
+# COMPAT_ATEXIT is not set
+UCLIBC_SUSV3_LEGACY=y
+# UCLIBC_SUSV3_LEGACY_MACROS is not set
+UCLIBC_SUSV4_LEGACY=y
+# UCLIBC_STRICT_HEADERS is not set
+# UCLIBC_HAS_STUBS is not set
+UCLIBC_HAS_SHADOW=y
+UCLIBC_HAS_PROGRAM_INVOCATION_NAME=y
+UCLIBC_HAS___PROGNAME=y
+UCLIBC_HAS_PTY=y
+ASSUME_DEVPTS=y
+UNIX98PTY_ONLY=y
+UCLIBC_HAS_GETPT=y
+UCLIBC_HAS_LIBUTIL=y
+UCLIBC_HAS_TM_EXTENSIONS=y
+UCLIBC_HAS_TZ_CACHING=y
+UCLIBC_HAS_TZ_FILE=y
+UCLIBC_HAS_TZ_FILE_READ_MANY=y
+UCLIBC_TZ_FILE_PATH="/etc/TZ"
+UCLIBC_FALLBACK_TO_ETC_LOCALTIME=y
+
+#
+# Advanced Library Settings
+#
+UCLIBC_PWD_BUFFER_SIZE=256
+UCLIBC_GRP_BUFFER_SIZE=256
+
+#
+# Support various families of functions
+#
+UCLIBC_LINUX_MODULE_26=y
+# UCLIBC_LINUX_MODULE_24 is not set
+UCLIBC_LINUX_SPECIFIC=y
+UCLIBC_HAS_GNU_ERROR=y
+UCLIBC_BSD_SPECIFIC=y
+UCLIBC_HAS_BSD_ERR=y
+# UCLIBC_HAS_OBSOLETE_BSD_SIGNAL is not set
+# UCLIBC_HAS_OBSOLETE_SYSV_SIGNAL is not set
+# UCLIBC_NTP_LEGACY is not set
+# UCLIBC_SV4_DEPRECATED is not set
+UCLIBC_HAS_REALTIME=y
+UCLIBC_HAS_ADVANCED_REALTIME=y
+UCLIBC_HAS_EPOLL=y
+UCLIBC_HAS_XATTR=y
+UCLIBC_HAS_PROFILING=y
+UCLIBC_HAS_CRYPT_IMPL=y
+UCLIBC_HAS_SHA256_CRYPT_IMPL=y
+UCLIBC_HAS_SHA512_CRYPT_IMPL=y
+UCLIBC_HAS_CRYPT=y
+UCLIBC_HAS_NETWORK_SUPPORT=y
+UCLIBC_HAS_SOCKET=y
+UCLIBC_HAS_IPV4=y
+UCLIBC_HAS_IPV6=y
+# UCLIBC_HAS_RPC is not set
+UCLIBC_USE_NETLINK=y
+UCLIBC_SUPPORT_AI_ADDRCONFIG=y
+# UCLIBC_HAS_BSD_RES_CLOSE is not set
+UCLIBC_HAS_COMPAT_RES_STATE=y
+# UCLIBC_HAS_EXTRA_COMPAT_RES_STATE is not set
+UCLIBC_HAS_RESOLVER_SUPPORT=y
+UCLIBC_HAS_LIBRESOLV_STUB=y
+UCLIBC_HAS_LIBNSL_STUB=y
+
+#
+# String and Stdio Support
+#
+# UCLIBC_HAS_STRING_GENERIC_OPT is not set
+UCLIBC_HAS_STRING_ARCH_OPT=y
+UCLIBC_HAS_CTYPE_TABLES=y
+UCLIBC_HAS_CTYPE_SIGNED=y
+# UCLIBC_HAS_CTYPE_UNSAFE is not set
+UCLIBC_HAS_CTYPE_CHECKED=y
+# UCLIBC_HAS_CTYPE_ENFORCED is not set
+UCLIBC_HAS_WCHAR=y
+UCLIBC_HAS_LOCALE=y
+# UCLIBC_BUILD_ALL_LOCALE is not set
+UCLIBC_BUILD_MINIMAL_LOCALE=y
+# UCLIBC_PREGENERATED_LOCALE_DATA is not set
+UCLIBC_BUILD_MINIMAL_LOCALES=" en_US  de_DE"
+UCLIBC_HAS_XLOCALE=y
+UCLIBC_HAS_HEXADECIMAL_FLOATS=y
+# UCLIBC_HAS_GLIBC_DIGIT_GROUPING is not set
+UCLIBC_HAS_GLIBC_CUSTOM_PRINTF=y
+UCLIBC_PRINTF_SCANF_POSITIONAL_ARGS=9
+# UCLIBC_HAS_STDIO_BUFSIZ_NONE is not set
+# UCLIBC_HAS_STDIO_BUFSIZ_256 is not set
+# UCLIBC_HAS_STDIO_BUFSIZ_512 is not set
+# UCLIBC_HAS_STDIO_BUFSIZ_1024 is not set
+# UCLIBC_HAS_STDIO_BUFSIZ_2048 is not set
+UCLIBC_HAS_STDIO_BUFSIZ_4096=y
+# UCLIBC_HAS_STDIO_BUFSIZ_8192 is not set
+UCLIBC_HAS_STDIO_BUILTIN_BUFFER_NONE=y
+# UCLIBC_HAS_STDIO_BUILTIN_BUFFER_4 is not set
+# UCLIBC_HAS_STDIO_BUILTIN_BUFFER_8 is not set
+# UCLIBC_HAS_STDIO_SHUTDOWN_ON_ABORT is not set
+# UCLIBC_HAS_STDIO_GETC_MACRO is not set
+# UCLIBC_HAS_STDIO_PUTC_MACRO is not set
+UCLIBC_HAS_STDIO_AUTO_RW_TRANSITION=y
+# UCLIBC_HAS_FOPEN_LARGEFILE_MODE is not set
+UCLIBC_HAS_FOPEN_EXCLUSIVE_MODE=y
+# UCLIBC_HAS_FOPEN_CLOSEEXEC_MODE is not set
+UCLIBC_HAS_GLIBC_CUSTOM_STREAMS=y
+UCLIBC_HAS_PRINTF_M_SPEC=y
+UCLIBC_HAS_ERRNO_MESSAGES=y
+# UCLIBC_HAS_SYS_ERRLIST is not set
+UCLIBC_HAS_SIGNUM_MESSAGES=y
+# UCLIBC_HAS_SYS_SIGLIST is not set
+UCLIBC_HAS_GNU_GETOPT=y
+UCLIBC_HAS_STDIO_FUTEXES=y
+# UCLIBC_HAS_GNU_GETSUBOPT is not set
+
+#
+# Big and Tall
+#
+UCLIBC_HAS_REGEX=y
+# UCLIBC_HAS_REGEX_OLD is not set
+UCLIBC_HAS_FNMATCH=y
+# UCLIBC_HAS_FNMATCH_OLD is not set
+# UCLIBC_HAS_WORDEXP is not set
+UCLIBC_HAS_NFTW=y
+UCLIBC_HAS_FTW=y
+# UCLIBC_HAS_FTS is not set
+UCLIBC_HAS_GLOB=y
+UCLIBC_HAS_GNU_GLOB=y
+UCLIBC_HAS_UTMPX=y
+
+#
+# Library Installation Options
+#
+RUNTIME_PREFIX="/"
+DEVEL_PREFIX="/usr"
+MULTILIB_DIR="lib"
+HARDWIRED_ABSPATH=y
+
+#
+# Security options
+#
+# UCLIBC_BUILD_PIE is not set
+# UCLIBC_HAS_ARC4RANDOM is not set
+UCLIBC_HAS_SSP=y
+# UCLIBC_HAS_SSP_COMPAT is not set
+# SSP_QUICK_CANARY is not set
+PROPOLICE_BLOCK_ABRT=y
+# PROPOLICE_BLOCK_SEGV is not set
+UCLIBC_BUILD_SSP=y
+UCLIBC_BUILD_RELRO=y
+UCLIBC_BUILD_NOW=y
+UCLIBC_BUILD_NOEXECSTACK=y
+
+#
+# Development/debugging options
+#
+CROSS_COMPILER_PREFIX="/home/matthias/devel/buildroot/output/host/usr/bin/i686-buildroot-linux-uclibc-"
+UCLIBC_EXTRA_CFLAGS=""
+# DODEBUG is not set
+DOSTRIP=y
+# DOASSERTS is not set
+# SUPPORT_LD_DEBUG is not set
+# SUPPORT_LD_DEBUG_EARLY is not set
+# UCLIBC_MALLOC_DEBUGGING is not set
+# UCLIBC_HAS_BACKTRACE is not set
+WARNINGS="-Wall"
+# EXTRA_WARNINGS is not set
+# DOMULTI is not set
+# UCLIBC_MJN3_ONLY is not set