I am such a chud.

README.md

@@ -0,0 +1,6 @@
+# Coisas para leres que sao fixes wowowowowowow !!!!! (Assignment 2)
+- Os slides (duh)
+- Okay  o mais importante é os slides.
+
+- [X.509 (ssl.com)](https://www.ssl.com/faqs/what-is-an-x-509-certificate/)
+- [X.509 (youtube)](https://www.youtube.com/watch?v=kAaIYRJoJkc)

ROUTER.sh

@@ -1,69 +0,0 @@
-IF_DMZ="enp0s8"
-IF_INT="enp0s9"
-IF_EXT="enp0s10"
-NET_DMZ="23.214.219.128/25"   
-NET_INT="192.168.10.0/24"    
-IP_EXT_FW="87.248.214.97"     
-IP_DMZ_FW="23.214.219.254"    
-IP_INT_FW="192.168.10.254"    
-IP_DMZ_DNS="23.214.219.130"
-IP_DMZ_SMTP="23.214.219.131"
-IP_DMZ_WWW="23.214.219.132"
-IP_DMZ_VPN_GW="23.214.219.133"
-IP_DMZ_MAIL="23.214.219.134"
-IP_INT_FTP="192.168.10.2"
-IP_INT_DATASTORE="192.168.10.3"
-IP_DNS2="193.137.16.75"       
-IP_EDEN="193.136.212.1"       
-
-sudo yum install epel-release -y
-sudo yum install suricata -y  
-sudo suricata-update
-
-sudo ifconfig $IF_DMZ $IP_DMZ_FW netmask 255.255.255.128
-sudo ifconfig $IF_INT $IP_INT_FW netmask 255.255.255.0
-sudo ifconfig $IF_EXT $IP_EXT_FW netmask 255.255.255.0
-
-sudo iptables -F
-sudo iptables -t nat -F
-sudo iptables -t mangle -F
-sudo sysctl -w net.ipv4.ip_forward=1
-
-sudo iptables -P INPUT DROP      
-sudo iptables -P FORWARD DROP    
-sudo iptables -P OUTPUT ACCEPT
-
-sudo modprobe nf_conntrack_ftp
-sudo modprobe nf_nat_ftp
-
-sudo iptables -A FORWARD -j NFQUEUE --queue-num 0
-sudo iptables -A INPUT -i lo -j ACCEPT
-sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
-sudo iptables -A INPUT -i $IF_INT -p tcp --dport 22 -j ACCEPT
-sudo iptables -A INPUT -i $IF_DMZ -s $IP_DMZ_VPN_GW -p tcp --dport 22 -j ACCEPT
-
-sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-sudo iptables -A FORWARD -p udp -d $IP_DMZ_DNS --dport 53 -j ACCEPT
-
-sudo iptables -A FORWARD -s $IP_DMZ_DNS -d $IP_DNS2 -p tcp --dport 53 -j ACCEPT
-sudo iptables -A FORWARD -s $IP_DNS2 -d $IP_DMZ_DNS -p tcp --dport 53 -j ACCEPT
-
-sudo iptables -A FORWARD -p tcp -d $IP_DMZ_SMTP --dport 25 -j ACCEPT   
-sudo iptables -A FORWARD -p tcp -d $IP_DMZ_MAIL --dport 110 -j ACCEPT  
-sudo iptables -A FORWARD -p tcp -d $IP_DMZ_MAIL --dport 143 -j ACCEPT  
-sudo iptables -A FORWARD -p tcp -d $IP_DMZ_WWW -m multiport --dports 80,443 -j ACCEPT 
-sudo iptables -A FORWARD -p udp -d $IP_DMZ_VPN_GW --dport 1194 -j ACCEPT 
-
-sudo iptables -A FORWARD -i $IF_DMZ -s $IP_DMZ_VPN_GW -d $NET_INT -j ACCEPT
-
-sudo iptables -t nat -A POSTROUTING -s $NET_INT -o $IF_EXT -j SNAT --to-source $IP_EXT_FW
-sudo iptables -A FORWARD -i $IF_INT -o $IF_EXT -p udp --dport 53 -j ACCEPT
-sudo iptables -A FORWARD -i $IF_INT -o $IF_EXT -p tcp -m multiport --dports 80,443,22,21 -j ACCEPT
-
-sudo iptables -t nat -A PREROUTING -i $IF_EXT -d $IP_EXT_FW -p tcp --dport 21 -j DNAT --to-destination $IP_INT_FTP
-sudo iptables -A FORWARD -i $IF_EXT -d $IP_INT_FTP -p tcp --dport 21 -j ACCEPT
-
-sudo iptables -t nat -A PREROUTING -i $IF_EXT -s $IP_EDEN -d $IP_EXT_FW -p tcp --dport 22 -j DNAT --to-destination $IP_INT_DATASTORE
-sudo iptables -t nat -A PREROUTING -i $IF_EXT -s $IP_DNS2 -d $IP_EXT_FW -p tcp --dport 22 -j DNAT --to-destination $IP_INT_DATASTORE
-sudo iptables -A FORWARD -i $IF_EXT -d $IP_INT_DATASTORE -p tcp --dport 22 -j ACCEPT

TODO.md

@@ -0,0 +1,8 @@
+# Objectivos de acordo com o enunciado 
+
+## Goals
+- [X] Configure a tunnel in the "road warrior"
+- [X] Enable two factor authentication with OpenSSL and Apache services
+- [X] Manage PKI: certification authorities, X.509 certificates, revocation and OCSP.
+
+

VM_CONFIG.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# NOTA(vasco): feito para correr como root
+if [[ "$USER" != "root" ]]; then
+    echo "corre o script como root"
+    exit 1
+fi
+
+yum install -y epel-release
+yum install -y openvpn iptables-services dhcp-client ntpsec
+systemctl stop firewalld
+systemctl disable firewalld
+systemctl mask firewalld
+systemctl enable iptables
+iptables -F
+
+CA_DIR="/etc/pki/CA"
+mkdir -p "${CA_DIR}/newcerts"
+mkdir -p "${CA_DIR}/private"
+touch "${CA_DIR}/index.txt"
+cp ca/serial "${CA_DIR}/serial"
+
+mkdir -p /etc/openvpn/server
+mkdir -p /etc/openvpn/client
+
+# NOTE(vasco): tive problemas com a sincronização de tempo
+# se nao tiver sincronizado, o TOTP nao funciona
+systemctl stop chronyd
+ntpdate pool.ntp.org
+systemctl start chronyd

VM_OPENSSL_APACHE.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# configuracao
+source VM_CONFIG.sh
+
+sudo yum install -y epel-release
+sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator 
+sudo yum install -y mod_session
+
+# utilizador
+id -u john &>/dev/null || useradd john
+echo "password" | passwd --stdin john
+
+if_dentro="enp0s8"
+ip_dentro="10.60.0.1"
+ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
+
+# route de volta para comunicar com o warrior
+route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.60.0.3
+
+cp conf/openssl.cnf /etc/pki/tls/
+
+# copiar ca para esta VM
+cp ca/index.txt $CA_DIR
+cp ca/ca.crt $CA_DIR
+cp ca/ca.key $CA_DIR
+cp ca/serial $CA_DIR
+cp ca/dh2048.pem $CA_DIR
+
+# correr oscp
+killall openssl 2>/dev/null
+openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
+
+# apache
+mkdir -p /etc/httpd/ssl
+cp ca/ca.crt /etc/httpd/ssl/
+cp ca/apache.crt /etc/httpd/ssl/
+cp ca/apache.key /etc/httpd/ssl/
+cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
+cp conf/httpd.conf /etc/httpd/conf/httpd.conf
+cp conf/httpd-totp /etc/pam.d/httpd-totp
+
+# sim, é preciso fazer isto para carregar serviços
+echo "LoadModule session_module modules/mod_session.so" > /etc/httpd/conf.modules.d/01-session.conf
+echo "LoadModule session_cookie_module modules/mod_session_cookie.so" >> /etc/httpd/conf.modules.d/01-session.conf
+echo "LoadModule auth_form_module modules/mod_auth_form.so" > /etc/httpd/conf.modules.d/01-auth_form.conf
+
+# mega paginas webs
+cp -r www/* /var/www/html/
+chown -R apache:apache /var/www/html/
+
+httpd -X

VM_ROAD_WARRIOR.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# --- configuração --- #
+source VM_CONFIG.sh
+ifconfig enp0s8 193.136.212.10 netmask 255.255.255.0
+route add default gw 193.136.212.1 
+
+if ! grep -q "apache" /etc/hosts; then
+    echo "10.60.0.1 apache" >> /etc/hosts
+fi
+
+# --- vpn client --- #
+vpn_dir="/etc/openvpn/client/"
+cp ca/ta.key $vpn_dir 
+cp ca/ca.crt $vpn_dir 
+cp ca/user.key $vpn_dir 
+cp ca/user.crt $vpn_dir 
+cp conf/client.conf $vpn_dir 
+
+openvpn --config "${vpn_dir}/client.conf"

VM_VPN_GATEWAY.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# NOTE(vasco): 
+# Ao configurar a maquina virtual em si deixei a rede externa primeiro (enp0s8)
+# E a rede interna como a segunda interface (enp0s9).
+
+# --- configuração --- #
+source VM_CONFIG.sh
+yum install -y google-authenticator qrencode ntpsec
+
+# --- forwarding --- #
+if_fora="enp0s8"
+ip_fora="193.136.212.1"
+if_dentro="enp0s9"
+ip_dentro="10.60.0.3"
+mega_tunel="tun0"
+ip_mega_tunel="10.8.0.0/24"
+
+ifconfig $if_fora $ip_fora netmask 255.255.255.0
+ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
+
+echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
+sysctl -p /etc/sysctl.conf
+
+iptables -I INPUT 1  -p udp --dport 1194 -j ACCEPT
+iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT
+iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT
+iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT
+iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE
+iptables-save > /etc/sysconfig/iptables
+
+# --- vpn server --- #
+vpn_dir="/etc/openvpn/server"
+cp ca/ta.key $vpn_dir 
+cp ca/ca.crt $vpn_dir 
+cp ca/vpn.key $vpn_dir 
+cp ca/vpn.crt $vpn_dir 
+cp ca/dh2048.pem $vpn_dir 
+cp conf/vpn.conf $vpn_dir 
+cp conf/ocsp-verify.sh $vpn_dir
+cp conf/totp /etc/pam.d/
+
+# --- utilizador --- #
+id -u john &>/dev/null || useradd john
+echo "password" | passwd --stdin john
+
+openvpn --config /etc/openvpn/server/vpn.conf

assignment1/DMZ.sh

@@ -7,10 +7,10 @@ routerIp=23.214.219.254
 mask25=255.255.255.128
 
 dns=23.214.219.130
-mail=23.214.219.131
-vpn_gw=23.214.219.132
-www=23.214.219.133
-smtp=23.214.219.134
+mail=23.214.219.134
+vpn_gw=23.214.219.133
+www=23.214.219.132
+smtp=23.214.219.131
 
 dnsPort=53
 mailPort=888
@@ -26,7 +26,7 @@ sudo systemctl enable iptables
 sudo iptables -F
 sudo ifconfig enp0s8 $ip netmask $mask25
 sudo ip route add 192.168.10.0/24 via $routerIp
-sudo add default gw $routerIp
+sudo route add default gw $routerIp
 # alias dos ips
 sudo ip addr add $dns dev enp0s8
 sudo ip addr add $mail dev enp0s8

assignment1/INTERNET.sh

@@ -9,7 +9,7 @@ sudo systemctl disable firewalld
 sudo systemctl mask firewalld
 sudo systemctl enable iptables
 sudo iptables -F
-sudo ifconfig enp0s8 $dn2 netmask $mask24
+sudo ifconfig enp0s8 $dns2 netmask $mask24
 sudo route add default gw $routerIp
-sudo ip addr add $dns2 dev enp0s8
+#sudo ip addr add $dns2 dev enp0s8
 sudo ip addr add $eden dev enp0s8

assignment1/ROUTER.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+dns2="87.248.214.99"
+eden="87.248.214.100"
+
+# Router 1
+dmzIP="23.214.219.254"
+internalIP="192.168.10.254"
+externalIP="87.248.214.97"
+
+# DMZ /25
+dns="23.214.219.130"
+smtp="23.214.219.131"
+www="23.214.219.132"
+vpn_gw="23.214.219.133"
+mail="23.214.219.134"
+
+# Internal
+ftp="192.168.10.2"
+datastore="192.168.10.3"
+dhcpClient="192.168.10.4"
+
+# Interfaces
+dmzIF="enp0s8"
+internalIF="enp0s9"
+externalIF="enp0s10"
+
+sudo ifconfig $dmzIF $dmzIP netmask 255.255.255.128
+sudo ifconfig $internalIF $internalIP netmask 255.255.255.0
+sudo ifconfig $externalIF $externalIP netmask 255.255.255.0
+
+sudo yum install iptables-services -y
+sudo systemctl stop firewalld
+sudo systemctl disable firewalld
+sudo systemctl mask firewalld
+sudo systemctl enable iptables
+sudo iptables -F
+sudo iptables -t nat -F
+sudo iptables -t mangle -F
+sudo sysctl -w net.ipv4.ip_forward=1
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+sudo iptables -A INPUT -i lo -j ACCEPT
+sudo iptables -A OUTPUT -o lo -j ACCEPT
+
+#sudo iptables -t nat -A POSTROUTING -i $internalIF -o enp0s3 -j MASQUERADE #SUS
+sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #CAREFULL
+
+#DNS name resolution requests sent to outside servers and want a response:
+sudo iptables -A INPUT -i $externalIF -p udp --dport 53 -j ACCEPT
+
+#SSH connections to the router system that originate from the inside and want an answer:
+sudo iptables -A INPUT -i $internalIF -p tcp --dport 22 -j ACCEPT
+sudo iptables -A INPUT -i $dmzIF -s $vpn_gw -p tcp --dport 22 -j ACCEPT
+
+#The dns server should be able to resolve names using the internet (and others???)
+sudo iptables -I FORWARD -j NFQUEUE --queue-bypass
+sudo iptables -I INPUT -j NFQUEUE --queue-bypass
+sudo iptables -A FORWARD -i $dmzIF -o $externalIF -s $dns -p udp --dport 53 -j ACCEPT
+
+#The internal network should be able to send and recieve dns name resolutions to the dns server (1!)
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $dns -p udp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #THIS IS IMPORTANT AND MIGHT FUCK US
+
+#The dns and dns2 servers should be able to synchronize the contents of DNS zones. (protocol tcp port 53)
+sudo iptables -A FORWARD -i $dmzIF -o $externalIF -s $dns -p tcp --dport 53 -j ACCEPT
+
+#SMTP connections to the smtp server and returns
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $smtp -p tcp --dport 587 -j ACCEPT 
+#sudo iptables -A FORWARD -i $dmzIF -o $internalIF -p tcp --dport 587 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+#POP and IMAP connections to the www server
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $mail -p tcp --dport 143 -j ACCEPT 
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $mail -p tcp --dport 110 -j ACCEPT
+
+#HTTP and HTTPS connectins
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $www -p tcp --dport 80 -j ACCEPT 
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $www -p tcp --dport 443 -j ACCEPT
+
+#OpenVPN connections to the vpn-gw server
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $vpn_gw -p udp --dport 1194 -j ACCEPT 
+#sudo iptables -A FORWARD -i $dmzIF -o $internalIF -p udp --dport 1194 -j ACCEPT
+
+#VPN clients connected to the gateway vpn-gw ???? vpn should be able to acess ftp e datastore
+sudo iptables -A FORWARD -i $dmzIF -o $internalIF -s $vpn_gw -d $ftp -j ACCEPT 
+sudo iptables -A FORWARD -i $dmzIF -o $internalIF -s $vpn_gw -d $datastore -j ACCEPT 
+
+#FTP da internet WORRIED ???
+sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $ftp -p tcp --dport 21 -j ACCEPT
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --sport 20 -j ACCEPT #MIGHT BE NEEDED
+
+#SSH CONNECTIONS datastore server but only from eden or dn2 DNAT -s servers, and port and -d interface
+sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination $datastore
+sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination $datastore
+sudo iptables -t nat -A PREROUTING -i $externalIF -p tcp --dport 21 -j DNAT --to-destination $ftp
+sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $datastore -s $dns2 -p tcp --dport 22 -j ACCEPT #Need to check and make diferent ip addresses
+sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $datastore -s $eden -p tcp --dport 22 -j ACCEPT
+
+#$internalIF to internet DNS, http, https, ssh, FTP(SERVERS??????(WHO INVITED THIS GUY)) SNAT
+sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o $externalIF -j SNAT --to-source $externalIP
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p udp --dport 53 -j ACCEPT 
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 80 -j ACCEPT 
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 443 -j ACCEPT
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --sport 21 -j ACCEPT #MIGHT NOT BE ENOUGH
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 21 -j ACCEPT

assignment1/relatorio.aux

@@ -5,10 +5,9 @@
 \babel@aux{portuguese}{}
 \@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{2}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {2}Firewall}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Packet fileter with NAT}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Packet filtering without NAT}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}External Network}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {2.4}Internal Network}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {3}Intrusion Detection}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {4}Conclusion}{2}{}\protected@file@percent }
-\gdef \@abspage@last{2}
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Packet fileter without NAT}{2}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Packet filtering with NAT}{3}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {3}Intrusion Detection}{4}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {4}Tests utilizados}{5}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {5}Conclusion}{5}{}\protected@file@percent }
+\gdef \@abspage@last{5}

assignment1/relatorio.log

@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.27 (TeX Live 2026/dev/Arch Linux) (preloaded format=pdflatex 2026.1.17)  16 MAR 2026 16:24
+This is pdfTeX, Version 3.141592653-2.6-1.40.27 (TeX Live 2026/dev/Arch Linux) (preloaded format=pdflatex 2026.1.17)  22 MAR 2026 22:27
 entering extended mode
  \write18 enabled.
  %&-line parsing enabled.
@@ -89,52 +89,80 @@ LaTeX Info: Redefining \textulc on input line 49.
 LaTeX Info: Redefining \oldstylenums on input line 163.
 LaTeX Info: Redefining \textsw on input line 173.
 )
+(/usr/share/texmf-dist/tex/latex/listings/listings.sty
+\lst@mode=\count273
+\lst@gtempboxa=\box52
+\lst@token=\toks19
+\lst@length=\count274
+\lst@currlwidth=\dimen143
+\lst@column=\count275
+\lst@pos=\count276
+\lst@lostspace=\dimen144
+\lst@width=\dimen145
+\lst@newlines=\count277
+\lst@lineno=\count278
+\lst@maxwidth=\dimen146
+
+(/usr/share/texmf-dist/tex/latex/listings/lstpatch.sty
+File: lstpatch.sty 2024/09/23 1.10c (Carsten Heinz)
+)
+(/usr/share/texmf-dist/tex/latex/listings/lstmisc.sty
+File: lstmisc.sty 2024/09/23 1.10c (Carsten Heinz)
+\c@lstnumber=\count279
+\lst@skipnumbers=\count280
+\lst@framebox=\box53
+)
+(/usr/share/texmf-dist/tex/latex/listings/listings.cfg
+File: listings.cfg 2024/09/23 1.10c listings configuration
+))
+Package: listings 2024/09/23 1.10c (Carsten Heinz)
 LaTeX Font Info:    Trying to load font information for OT1+EBGaramond-LF on in
-put line 11.
+put line 28.
 
 (/usr/share/texmf-dist/tex/latex/ebgaramond/OT1EBGaramond-LF.fd
 File: OT1EBGaramond-LF.fd 2023/03/19 (autoinst) Font definitions for OT1/EBGara
 mond-LF.
 )
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/m/n' will be
-(Font)              scaled to size 12.0pt on input line 11.
+(Font)              scaled to size 12.0pt on input line 28.
 
 (/usr/share/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def
 File: l3backend-pdftex.def 2024-05-08 L3 backend support: PDF output (pdfTeX)
-\l__color_backend_stack_int=\count273
-\l__pdf_internal_box=\box52
+\l__color_backend_stack_int=\count281
+\l__pdf_internal_box=\box54
 )
 (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
 \openout1 = `relatorio.aux'.
 
-LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for TS1/cmr/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-\c@mv@tabular=\count274
-\c@mv@boldtabular=\count275
+LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for TS1/cmr/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+\c@mv@tabular=\count282
+\c@mv@boldtabular=\count283
+\c@lstlisting=\count284
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/m/n' will be
-(Font)              scaled to size 20.74pt on input line 12.
+(Font)              scaled to size 20.74pt on input line 29.
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/m/n' will be
-(Font)              scaled to size 14.4pt on input line 12.
+(Font)              scaled to size 14.4pt on input line 29.
 LaTeX Font Info:    External font `cmex10' loaded for size
-(Font)              <14.4> on input line 12.
+(Font)              <14.4> on input line 29.
 LaTeX Font Info:    External font `cmex10' loaded for size
-(Font)              <7> on input line 12.
+(Font)              <7> on input line 29.
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/m/n' will be
-(Font)              scaled to size 17.28pt on input line 13.
+(Font)              scaled to size 17.28pt on input line 30.
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/b/n' will be
-(Font)              scaled to size 17.28pt on input line 13.
+(Font)              scaled to size 17.28pt on input line 30.
 
 (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.toc
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/b/n' will be
@@ -155,31 +183,62 @@ LaTeX Font Info:    External font `cmex10' loaded for size
 
 {/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texmf-dist/fonts
 /enc/dvips/ebgaramond/ebg_dacnth.enc}]
+(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
+File: lstlang1.sty 2024/09/23 1.10c listings language file
+)
+(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
+File: lstlang1.sty 2024/09/23 1.10c listings language file
+)
+LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/m/n' will be
+(Font)              scaled to size 10.0pt on input line 37.
+
+Overfull \hbox (7.49481pt too wide) in paragraph at lines 42--44
+\OT1/EBGaramond-LF/m/n/12 As tr[]es re-des tem va-rios servi[]os, o DMZ tem dns
+(23.214.219.130), mail(23.214.219.134),
+ []
+
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/b/n' will be
-(Font)              scaled to size 14.4pt on input line 19.
+(Font)              scaled to size 14.4pt on input line 45.
 
 
-[2] (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
+[2]
+
+[3]
+LaTeX Font Info:    Font shape `OT1/cmtt/bx/n' in size <10> not available
+(Font)              Font shape `OT1/cmtt/m/n' tried instead on input line 93.
+
+
+[4{/usr/share/texmf-dist/fonts/enc/dvips/cm-super/cm-super-ts1.enc}]
+Overfull \hbox (23.24622pt too wide) in paragraph at lines 125--126
+\OT1/EBGaramond-LF/m/n/12 Ao realizar-mos este pro-jeto apren-de-mos so-bre a c
+ria[][]ao de sce-na-rios em VMs, a configura[][]ao
+ []
+
+
+
+[5] (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
  ***********
 LaTeX2e <2024-11-01> patch level 2
 L3 programming layer <2025-01-18>
  ***********
  ) 
 Here is how much of TeX's memory you used:
- 2577 strings out of 474546
- 48289 string characters out of 5749982
- 436453 words of memory out of 5000000
- 25628 multiletter control sequences out of 15000+600000
- 572213 words of font info for 55 fonts, out of 8000000 for 9000
+ 4439 strings out of 474546
+ 72779 string characters out of 5749982
+ 968296 words of memory out of 5000000
+ 27469 multiletter control sequences out of 15000+600000
+ 573916 words of font info for 59 fonts, out of 8000000 for 9000
  352 hyphenation exceptions out of 8191
- 57i,7n,65p,220b,231s stack positions out of 10000i,1000n,20000p,200000b,200000s
+ 57i,7n,99p,546b,1693s stack positions out of 10000i,1000n,20000p,200000b,200000s
 </usr/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Bold.pfb></us
-r/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Regular.pfb>
+r/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Regular.pfb></usr/s
+hare/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt10.pfb></usr/share/texmf-dis
+t/fonts/type1/public/cm-super/sftt1000.pfb>
 Output written on /home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/rela
-torio.pdf (2 pages, 42851 bytes).
+torio.pdf (5 pages, 78451 bytes).
 PDF statistics:
- 22 PDF objects out of 1000 (max. 8388607)
- 13 compressed objects within 1 object stream
+ 42 PDF objects out of 1000 (max. 8388607)
+ 26 compressed objects within 1 object stream
  0 named destinations out of 1000 (max. 500000)
  1 words of extra memory for PDF output out of 10000 (max. 10000000)
 

assignment1/relatorio.tex

@@ -0,0 +1,126 @@
+\documentclass[12pt,a4paper]{article}
+\usepackage[portuguese]{babel}
+\usepackage[lining]{ebgaramond}
+\usepackage{listings}
+
+\lstdefinestyle{mystyle}{
+    basicstyle=\ttfamily\footnotesize,
+    breakatwhitespace=false,         
+    breaklines=true,                 
+    captionpos=b,                    
+    keepspaces=true,                 
+    numbers=left,                    
+    numbersep=5pt,                  
+    showspaces=false,                
+    showstringspaces=false,
+    showtabs=false,                  
+    tabsize=2
+}
+
+\lstset{style=mystyle}
+
+\title{Practical Assignment \#1}
+\author{
+    João Neto -- 2023234004\\[1em]
+    Vasco Alves -- 2022228207
+}
+
+\begin{document}
+\maketitle
+\tableofcontents
+\newpage
+
+\section{Introduction}
+O objetivo principal deste trabalho era aprender IPTables e como configurar um com o Suricata um sistema de filtração e deteção de ataques. Para esse fim, foi simulado um sistema dividido em três redes e um router para conectar-las. As três redes são a DMZ (23.214.219.128/25, enp0s8), Internal network (192.168.10.0/24, enp0s9) e Internet (87.248.214.0/24, enp0s10).
+
+\begin{lstlisting}[language=bash]
+Rede,Interface,Gama IP
+DMZ,enp0s8,23.214.219.128/25
+Internal,enp0s9,192.168.10.0/24
+Internet,enp0s10,87.248.214.0/24
+\end{lstlisting}
+As três redes tem varios serviços, o DMZ tem dns(23.214.219.130), mail(23.214.219.134), vpn-gw(23.214.219.133), www(23.214.219.132) e smpt(23.214.219.131). A Internal network tem ftp(192.168.10.2), datastore(192.168.10.3) e clientes (nos testes os clientes tem ip 192.168.10.4, mas está configurado para dar para qualquer edereço). Por fim a rede Internet tem dns2 (87.248.214.99) e eden (87.248.214.100), existe também outros serviços (87.248.214.98).
+Para facilitar a recriação deste sistema foi criado 4 ficheiros .sh (um para cada rede e o router), e disponibilizamos os ficheiros suricata.rules e suricata.yaml, para o suricata que estiver ligado ao Router.  Os ficheiros .sh vão ter comandos para configurar o sistema para este exercicio.
+\section{Firewall}
+\subsection{Packet fileter without NAT}
+O policy que foi escolhido foi:
+\begin{lstlisting}[language=bash]
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+\end{lstlisting}
+Foi escolhido porque é mais facil dar DROP a todos os pacotes que não foi criado regras do que criar uma regra de DROP para todos os protocolos e possibilidades, o OUTPUT ficou para ACCEPT porque não existe razão para dar DROP dos pacotes que estamos a enviar neste trabalho.
+Para o router conseguir resolver DNS requests e para aceitar coneções SSH da rede interna ou da VPN gateway foi utilizado estes comandos:
+\begin{lstlisting}[language=bash]
+sudo iptables -A INPUT -i enp0s10 -p udp --dport 53 -j ACCEPT
+sudo iptables -A INPUT -i enp0s9 -p tcp --dport 22 -j ACCEPT
+sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --dport 22 -j ACCEPT
+\end{lstlisting}
+Para conseguirmos a confirguração pedida entre redes foi utilizado estes commandos:
+\begin{lstlisting}[language=bash]
+sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 143 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 110 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT
+\end{lstlisting}
+Inicialmente as implementações de respostas a forward eram especificas para cada regra isto é por exemplo:
+\begin{lstlisting}[language=bash]
+sudo iptables -A FORWARD -o enp0s8 -i enp0s10 -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+\end{lstlisting}
+No entanto isso facilmente originava confusão entre nós, então decimos utilizar estas duas regras:
+\begin{lstlisting}[language=bash]
+sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+\end{lstlisting}
+Neste cenario o uso destas regras faz sentido, mas pode existir outros cenarios no futuro que não queremos uma resposta, e nesse caso temos de criar as regras necessarias.
+\subsection{Packet filtering with NAT}
+Para conecções com origem/destino na internet foi utilizado DNAT/SNAT e iptables para "esconder" o ip para a internet que querer aceder a rede interna para não terem acesso ao edereço ip e iproutes para bloquear certos pacotes de entrar, para conseguir a configuração utilizamos estes comandos:
+\begin{lstlisting}[language=bash]
+sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT
+sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
+sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --dport 22 -j ACCEPT
+sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o enp0s10 -j SNAT --to-source 87.248.214.97
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p udp --dport 53 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 80 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 443 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 21 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 21 -j ACCEPT
+\end{lstlisting}
+
+\section{Intrusion Detection}
+As regras que utilizamos para o suricata foram estas:
+\begin{lstlisting}[language=bash]
+drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
+drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
+drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
+drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)
+\end{lstlisting}
+A primeira é para port scaning, a segunda e a terceira é para o caso de SQL injection, e a ultima é para XSS atacks.
+Também atualizamos o iptables para passar para o suricata os pacotes para analizar e bloquear com:
+\begin{lstlisting}[language=bash]
+sudo iptables -I FORWARD -j NFQUEUE --queue-bypass
+sudo iptables -I INPUT -j NFQUEUE --queue-bypass
+\end{lstlisting}
+
+\section{Tests utilizados}
+Netcat foi utilizado para maior parte dos testes excepto para FTP, em que devido ás suas caracteristicas especificas, utilizamos os serviços para ter a certeza que funcionava com a nossa configuração. Utilizamos estes comandos curl para testar se eram bloqueados:
+\begin{lstlisting}[language=bash]
+curl -i "http://23.214.219.132/index.php?id=1%20union%20select%201,2,3"
+curl -i "http://23.214.219.132/login.php?user='or%201=1"
+curl -i "http://23.214.219.132/search.php?q=<script>alert('XSS')</script>"
+\end{lstlisting}
+
+\section{Conclusion}
+Ao realizar-mos este projeto aprendemos sobre a criação de scenarios em VMs, a configuração de uma firewall utilizando IPTables e a configuração de um IDS/IPS system utilizando Suricata
+\end{document}

assignment1/relatorio.toc

@@ -0,0 +1,8 @@
+\babel@toc {portuguese}{}\relax 
+\contentsline {section}{\numberline {1}Introduction}{2}{}%
+\contentsline {section}{\numberline {2}Firewall}{2}{}%
+\contentsline {subsection}{\numberline {2.1}Packet fileter without NAT}{2}{}%
+\contentsline {subsection}{\numberline {2.2}Packet filtering with NAT}{3}{}%
+\contentsline {section}{\numberline {3}Intrusion Detection}{4}{}%
+\contentsline {section}{\numberline {4}Tests utilizados}{5}{}%
+\contentsline {section}{\numberline {5}Conclusion}{5}{}%

assignment1/suricata.rules

@@ -0,0 +1,5 @@
+drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
+drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
+drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
+drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)
+

ca/1000.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4096 (0x1000)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
+        Validity
+            Not Before: Apr 22 10:50:26 2026 GMT
+            Not After : Apr 22 10:50:26 2027 GMT
+        Subject: CN=gateway
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:46:6b:0e:12:3f:c2:64:0d:dd:36:e7:86:a2:
+                    f6:98:04:86:21:73:85:3b:cc:ce:7d:c5:74:f9:8d:
+                    97:f8:c9:01:1c:e9:88:db:10:fc:40:a8:2a:44:76:
+                    de:07:bd:39:58:c3:ba:b3:9a:d2:01:91:12:c8:7f:
+                    0e:7a:51:56:f6:a4:ad:4e:63:92:8e:05:b9:9d:5a:
+                    76:37:60:58:60:0a:10:f2:6e:15:6b:76:a1:34:91:
+                    c5:cf:c7:86:00:cd:3f:53:c2:e9:45:8c:86:49:c2:
+                    a1:36:f9:ca:3b:a5:30:76:92:ff:a6:e5:fa:40:67:
+                    d9:91:ea:24:90:a5:a4:e0:15:2a:da:ce:1b:4e:f9:
+                    86:7e:9f:33:de:e9:24:dc:b9:60:fa:c9:f0:e0:79:
+                    83:a3:d3:b3:c9:61:37:9d:26:ab:e9:bd:21:68:74:
+                    51:02:e0:a2:36:24:9e:c6:5d:22:f3:f6:76:8d:17:
+                    ab:e3:46:a2:dc:a3:e4:f8:bc:a2:4b:59:8b:76:f4:
+                    91:7e:2f:48:79:b6:72:1b:d5:45:e2:9f:d3:8d:b2:
+                    f6:45:53:07:95:4d:8e:76:73:b8:54:10:17:63:c4:
+                    07:bf:bf:a6:72:4f:ea:be:b7:1d:38:37:3a:95:26:
+                    8f:36:81:a0:53:07:d3:49:32:7a:de:3c:7f:61:b6:
+                    7c:21
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                96:52:2F:9E:1C:51:4D:A7:91:73:93:1B:E6:69:6C:06:99:28:2D:0B
+            X509v3 Authority Key Identifier: 
+                AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        9a:fd:c0:13:d2:8a:7d:8d:d6:79:d0:35:1f:a6:75:ea:ff:1b:
+        73:1a:4b:30:d9:c8:3b:9d:96:e5:a8:28:eb:74:26:0d:13:fa:
+        e1:89:ad:eb:38:d4:57:d1:72:af:c5:93:ab:ce:07:35:3a:b5:
+        34:9f:72:af:71:b7:79:23:c8:88:99:af:a9:bf:72:8f:01:f2:
+        cf:f8:a1:57:8e:2a:05:e7:05:c2:0e:ac:92:df:db:f4:fd:64:
+        16:01:28:5a:7b:8b:c1:e3:8b:49:48:58:b4:36:28:ed:a3:99:
+        60:9c:a7:a6:3b:eb:07:3d:42:36:29:f2:d2:ff:07:86:34:3c:
+        0a:b0:70:cb:23:d2:f3:f1:f7:88:74:a5:a6:c3:ee:4e:5f:d7:
+        6d:ba:a6:83:09:76:f5:e4:1a:3b:d5:58:e9:be:a8:80:cf:68:
+        13:82:95:b3:da:75:43:4b:e7:f3:fb:6b:0d:b3:d5:07:5e:1b:
+        7a:69:f4:77:1b:59:eb:c5:a1:84:fb:cc:3e:5c:26:f5:b3:b3:
+        4d:36:8d:40:d2:53:f9:1e:bd:cf:b9:4b:c3:a8:40:29:97:58:
+        48:c2:94:94:28:9d:3f:e7:e3:d2:a3:db:32:8d:fb:a9:bb:c3:
+        32:a5:b3:c0:8b:c5:e3:56:45:55:2d:fb:62:5a:c0:36:f1:df:
+        b6:00:f9:b9
+-----BEGIN CERTIFICATE-----
+MIIDIzCCAgugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
+EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
+MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
+NTAyNlowEjEQMA4GA1UEAwwHZ2F0ZXdheTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALxGaw4SP8JkDd0254ai9pgEhiFzhTvMzn3FdPmNl/jJARzpiNsQ
+/ECoKkR23ge9OVjDurOa0gGREsh/DnpRVvakrU5jko4FuZ1adjdgWGAKEPJuFWt2
+oTSRxc/HhgDNP1PC6UWMhknCoTb5yjulMHaS/6bl+kBn2ZHqJJClpOAVKtrOG075
+hn6fM97pJNy5YPrJ8OB5g6PTs8lhN50mq+m9IWh0UQLgojYknsZdIvP2do0Xq+NG
+otyj5Pi8oktZi3b0kX4vSHm2chvVReKf042y9kVTB5VNjnZzuFQQF2PEB7+/pnJP
+6r63HTg3OpUmjzaBoFMH00kyet48f2G2fCECAwEAAaNCMEAwHQYDVR0OBBYEFJZS
+L54cUU2nkXOTG+ZpbAaZKC0LMB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
+vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQCa/cAT0op9jdZ50DUfpnXq/xtzGksw2cg7
+nZblqCjrdCYNE/rhia3rONRX0XKvxZOrzgc1OrU0n3Kvcbd5I8iIma+pv3KPAfLP
++KFXjioF5wXCDqyS39v0/WQWAShae4vB44tJSFi0Nijto5lgnKemO+sHPUI2KfLS
+/weGNDwKsHDLI9Lz8feIdKWmw+5OX9dtuqaDCXb15Bo71VjpvqiAz2gTgpWz2nVD
+S+fz+2sNs9UHXht6afR3G1nrxaGE+8w+XCb1s7NNNo1A0lP5Hr3PuUvDqEApl1hI
+wpSUKJ0/5+PSo9syjfupu8MypbPAi8XjVkVVLftiWsA28d+2APm5
+-----END CERTIFICATE-----

ca/1001.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4097 (0x1001)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
+        Validity
+            Not Before: Apr 22 10:50:26 2026 GMT
+            Not After : Apr 22 10:50:26 2027 GMT
+        Subject: CN=warrior
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d8:5e:36:38:85:bb:f8:15:29:90:2a:03:47:26:
+                    36:ad:47:b8:80:c2:1c:b2:35:53:34:a3:c8:79:73:
+                    1a:7b:c5:06:f9:0e:fb:61:e9:16:81:81:4d:55:ac:
+                    25:7d:96:f4:a4:1a:46:d0:0a:af:48:65:b7:1e:9b:
+                    02:4a:4a:af:53:64:20:4f:af:d8:ab:f7:99:c2:b7:
+                    80:b2:80:24:00:7c:a7:43:f7:35:69:47:fc:bc:ce:
+                    fa:1a:8e:81:c3:2b:55:ea:57:c8:ec:76:3b:1b:58:
+                    e9:65:c1:66:97:c5:39:62:1f:c7:f2:64:b3:6a:31:
+                    41:a9:66:00:f5:48:3c:31:9b:70:a7:ca:f0:b8:28:
+                    d3:cf:fb:86:25:f0:93:17:ad:3f:c8:60:dd:a7:a1:
+                    be:b4:e8:fc:79:47:53:68:ed:eb:21:b5:f7:aa:f5:
+                    bf:22:45:d9:10:5a:db:be:41:c3:09:47:72:f4:6b:
+                    d6:21:65:77:43:79:89:0d:cd:72:58:14:e2:25:55:
+                    0b:17:e8:97:d4:d0:0e:9c:7d:9c:38:6e:52:50:cb:
+                    25:a5:00:fc:cb:69:bb:09:f0:3a:f1:8a:83:e7:7c:
+                    95:07:46:58:11:41:25:8d:5c:91:02:ec:d2:83:4c:
+                    98:d0:aa:ad:b0:fa:67:6c:22:79:87:de:5a:f5:01:
+                    8f:59
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                30:84:32:04:21:19:F0:A6:B7:C1:32:4C:1B:9F:7E:EF:EC:3C:D3:79
+            X509v3 Authority Key Identifier: 
+                AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        60:76:03:78:46:0e:db:33:a4:1a:13:67:11:66:b6:7e:bf:ba:
+        23:4e:01:9e:6b:28:dc:46:9c:5e:e8:a9:2a:72:d2:ae:c0:c7:
+        b7:68:6f:92:55:43:b7:cd:8f:6b:78:ad:86:d1:8a:bb:ba:7a:
+        a7:3b:fa:53:8f:1d:ec:75:0b:36:05:6b:14:91:c4:79:51:b2:
+        d0:2f:b9:17:0c:f1:6b:88:4d:24:6b:ae:15:36:2b:ac:4b:94:
+        67:04:f8:93:49:cc:c1:d7:ec:ae:a2:dc:32:c8:d1:f4:ee:4b:
+        0c:11:ad:4c:84:5d:96:97:31:d6:9f:c5:a7:79:b2:f1:b8:42:
+        5b:79:b8:12:d2:a3:56:a0:ae:3b:ba:7f:56:25:d4:ad:a7:fa:
+        39:52:e0:57:af:4f:d2:c6:3c:24:5d:d6:07:84:b0:a5:5f:d2:
+        3c:8b:36:2a:1f:24:55:cd:89:22:94:b7:f2:93:69:01:89:6e:
+        a4:67:2d:8b:d9:cd:af:29:70:09:83:69:e5:46:35:51:59:90:
+        71:c0:0a:8a:00:5c:55:c6:12:34:1a:b7:3d:a9:67:9c:0b:2f:
+        71:32:cb:87:92:b0:18:ff:fe:ec:f0:3e:cc:e3:1c:65:c8:24:
+        a9:bd:c9:8f:96:f7:19:af:95:a6:e0:e5:21:65:50:ad:69:da:
+        d3:09:27:84
+-----BEGIN CERTIFICATE-----
+MIIDIzCCAgugAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
+EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
+MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
+NTAyNlowEjEQMA4GA1UEAwwHd2FycmlvcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANheNjiFu/gVKZAqA0cmNq1HuIDCHLI1UzSjyHlzGnvFBvkO+2Hp
+FoGBTVWsJX2W9KQaRtAKr0hltx6bAkpKr1NkIE+v2Kv3mcK3gLKAJAB8p0P3NWlH
+/LzO+hqOgcMrVepXyOx2OxtY6WXBZpfFOWIfx/Jks2oxQalmAPVIPDGbcKfK8Lgo
+08/7hiXwkxetP8hg3aehvrTo/HlHU2jt6yG196r1vyJF2RBa275BwwlHcvRr1iFl
+d0N5iQ3NclgU4iVVCxfol9TQDpx9nDhuUlDLJaUA/MtpuwnwOvGKg+d8lQdGWBFB
+JY1ckQLs0oNMmNCqrbD6Z2wieYfeWvUBj1kCAwEAAaNCMEAwHQYDVR0OBBYEFDCE
+MgQhGfCmt8EyTBuffu/sPNN5MB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
+vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQBgdgN4Rg7bM6QaE2cRZrZ+v7ojTgGeayjc
+Rpxe6KkqctKuwMe3aG+SVUO3zY9reK2G0Yq7unqnO/pTjx3sdQs2BWsUkcR5UbLQ
+L7kXDPFriE0ka64VNiusS5RnBPiTSczB1+yuotwyyNH07ksMEa1MhF2WlzHWn8Wn
+ebLxuEJbebgS0qNWoK47un9WJdStp/o5UuBXr0/SxjwkXdYHhLClX9I8izYqHyRV
+zYkilLfyk2kBiW6kZy2L2c2vKXAJg2nlRjVRWZBxwAqKAFxVxhI0Grc9qWecCy9x
+MsuHkrAY//7s8D7M4xxlyCSpvcmPlvcZr5Wm4OUhZVCtadrTCSeE
+-----END CERTIFICATE-----

ca/1002.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4098 (0x1002)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
+        Validity
+            Not Before: Apr 22 12:33:59 2026 GMT
+            Not After : Apr 22 12:33:59 2027 GMT
+        Subject: CN=apache
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
+                    27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
+                    1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
+                    65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
+                    ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
+                    60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
+                    76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
+                    51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
+                    22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
+                    3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
+                    0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
+                    fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
+                    10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
+                    e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
+                    a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
+                    3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
+                    4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
+                    13:a9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
+            X509v3 Authority Key Identifier: 
+                AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        a4:24:8d:a2:b8:b4:da:5c:a6:e0:75:2a:e0:71:aa:03:35:e8:
+        b4:64:49:90:b9:f3:09:a6:c6:99:0c:64:04:5e:65:e6:09:72:
+        13:11:e8:4c:29:a4:99:c5:dd:67:ff:49:fb:5f:8a:b3:cf:3a:
+        e5:b7:1c:a0:8a:59:ca:10:a9:dd:26:c3:3d:25:c7:82:b8:0d:
+        db:91:fe:45:d1:3b:ac:80:1d:11:49:85:13:9b:c2:86:fd:17:
+        81:5d:e3:a4:d1:64:2d:27:0c:c9:77:08:2a:89:ed:7e:2e:ac:
+        d2:86:f5:d5:fd:de:a6:c4:5d:18:33:ec:78:a1:ca:cf:64:68:
+        cb:1a:25:1e:a3:cf:e5:28:0b:a2:f8:45:bd:b6:99:54:17:62:
+        09:f0:ab:ba:d2:38:dc:bc:7b:1d:b8:f2:51:e5:d3:0c:1d:8d:
+        a3:3e:57:c2:0d:ef:93:5d:39:9c:ee:50:f1:e3:f8:fb:ff:94:
+        88:2c:37:f7:39:47:97:2c:fc:71:27:88:21:b3:da:68:ac:f4:
+        c6:a0:77:00:25:37:67:ea:ee:d1:a8:44:01:f6:40:79:68:4a:
+        94:24:d8:1a:d9:07:7d:73:0b:8c:b0:80:dd:b4:a9:49:3f:33:
+        73:7e:4d:5a:b6:f0:51:94:46:b2:81:a3:cb:81:a2:d9:7f:dd:
+        32:60:ba:8c
+-----BEGIN CERTIFICATE-----
+MIIDIjCCAgqgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
+EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
+MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEyMzM1OVoXDTI3MDQyMjEy
+MzM1OVowETEPMA0GA1UEAwwGYXBhY2hlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA0Ij7MhebnZUVQqWzIA4nGr2qEGpZnBhAy4GAcDMaIjQIb5QMlxxo
+1GlZflBlwUYq/Z1OlhNHWNqHhg6sra1IrdGxbmEr3gTBX89g9aa9Pf2z66Dbj59n
+W5F2qqWHmoNXGoQ9EcKzcYRRSNM4jg7yxZZVtW6GTPAinRkTriMh6tX+5B2c+0I6
+hIFDAy7Fve0LfkhQg+ALFYe9ZZsN0H5VjQLpA6/+fRko70ZrLAIEMwUuc5QQrlQl
+0oJVECJ0e0R8xtPlNV4Qr55nSQof/rsAYCao7ktmL330diQ+c4HkeVM8MOYlAID7
+0gz659sBFVJOxOyflbQdoOd6oll3wCQTqQIDAQABo0IwQDAdBgNVHQ4EFgQUE59k
+v8teL334CyaU2xed9FnOeSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9
+W9UwDQYJKoZIhvcNAQELBQADggEBAKQkjaK4tNpcpuB1KuBxqgM16LRkSZC58wmm
+xpkMZAReZeYJchMR6EwppJnF3Wf/SftfirPPOuW3HKCKWcoQqd0mwz0lx4K4DduR
+/kXRO6yAHRFJhRObwob9F4Fd46TRZC0nDMl3CCqJ7X4urNKG9dX93qbEXRgz7Hih
+ys9kaMsaJR6jz+UoC6L4Rb22mVQXYgnwq7rSONy8ex248lHl0wwdjaM+V8IN75Nd
+OZzuUPHj+Pv/lIgsN/c5R5cs/HEniCGz2mis9MagdwAlN2fq7tGoRAH2QHloSpQk
+2BrZB31zC4ywgN20qUk/M3N+TVq28FGURrKBo8uBotl/3TJguow=
+-----END CERTIFICATE-----

ca/1003.pem

@@ -0,0 +1,77 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4099 (0x1003)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
+        Validity
+            Not Before: Apr 22 14:14:59 2026 GMT
+            Not After : Apr 22 14:14:59 2027 GMT
+        Subject: CN=apache.coimbra
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
+                    27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
+                    1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
+                    65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
+                    ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
+                    60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
+                    76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
+                    51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
+                    22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
+                    3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
+                    0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
+                    fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
+                    10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
+                    e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
+                    a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
+                    3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
+                    4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
+                    13:a9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                IP Address:10.60.0.1, DNS:apache
+            X509v3 Subject Key Identifier: 
+                13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
+            X509v3 Authority Key Identifier: 
+                AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        9c:7e:99:3c:10:22:23:cd:d6:c7:96:be:82:5e:e5:7f:69:16:
+        5c:57:e1:68:e2:04:26:74:e9:72:ea:3b:03:5c:81:bd:21:15:
+        a3:e8:86:4d:93:6f:a4:d8:a1:47:de:e0:b5:a3:bb:aa:5b:24:
+        e9:9d:f7:9d:7d:e3:ba:38:39:af:c6:8b:36:5c:a8:3d:37:af:
+        79:be:8f:bf:ba:76:a5:d5:62:8e:37:c8:2e:6d:7e:24:fc:56:
+        d2:91:01:9e:05:4d:26:16:52:75:3d:28:7f:20:d0:88:25:96:
+        2a:d3:3a:8f:27:3d:99:46:4d:de:e2:a7:11:07:84:ff:ac:55:
+        54:4a:25:1b:b3:05:47:b5:d5:db:b9:69:e5:f6:d7:28:c9:54:
+        45:9c:a5:9a:86:74:37:33:7c:47:75:5a:dd:bf:50:23:be:95:
+        8e:cd:2c:ba:72:cc:41:95:1f:a0:67:78:61:de:38:89:18:c4:
+        0c:df:e0:be:f3:9d:3e:e7:72:9f:3c:a3:e0:06:9a:6c:28:d1:
+        e2:1d:d2:14:76:89:8a:d4:ca:e1:38:9c:b3:31:81:bb:ca:11:
+        ba:78:36:01:e5:db:bf:a0:82:36:d2:b4:65:01:60:bf:63:c2:
+        a8:86:54:cb:ac:59:52:31:bd:a2:cc:94:47:cc:0a:cc:d3:87:
+        db:7b:fa:1a
+-----BEGIN CERTIFICATE-----
+MIIDQzCCAiugAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
+EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
+MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjE0MTQ1OVoXDTI3MDQyMjE0
+MTQ1OVowGTEXMBUGA1UEAwwOYXBhY2hlLmNvaW1icmEwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDQiPsyF5udlRVCpbMgDicavaoQalmcGEDLgYBwMxoi
+NAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeGDqytrUit0bFuYSveBMFfz2D1pr09
+/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI0ziODvLFllW1boZM8CKdGROuIyHq
+1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71lmw3QflWNAukDr/59GSjvRmssAgQz
+BS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJCh/+uwBgJqjuS2YvffR2JD5zgeR5
+Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qiWXfAJBOpAgMBAAGjWzBZMBcGA1Ud
+EQQQMA6HBAo8AAGCBmFwYWNoZTAdBgNVHQ4EFgQUE59kv8teL334CyaU2xed9FnO
+eSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDQYJKoZIhvcNAQEL
+BQADggEBAJx+mTwQIiPN1seWvoJe5X9pFlxX4WjiBCZ06XLqOwNcgb0hFaPohk2T
+b6TYoUfe4LWju6pbJOmd951947o4Oa/GizZcqD03r3m+j7+6dqXVYo43yC5tfiT8
+VtKRAZ4FTSYWUnU9KH8g0IgllirTOo8nPZlGTd7ipxEHhP+sVVRKJRuzBUe11du5
+aeX21yjJVEWcpZqGdDczfEd1Wt2/UCO+lY7NLLpyzEGVH6BneGHeOIkYxAzf4L7z
+nT7ncp88o+AGmmwo0eId0hR2iYrUyuE4nLMxgbvKEbp4NgHl27+ggjbStGUBYL9j
+wqiGVMusWVIxvaLMlEfMCszTh9t7+ho=
+-----END CERTIFICATE-----

ca/apache.crt

@@ -0,0 +1,77 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4099 (0x1003)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
+        Validity
+            Not Before: Apr 22 14:14:59 2026 GMT
+            Not After : Apr 22 14:14:59 2027 GMT
+        Subject: CN=apache.coimbra
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
+                    27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
+                    1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
+                    65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
+                    ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
+                    60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
+                    76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
+                    51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
+                    22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
+                    3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
+                    0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
+                    fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
+                    10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
+                    e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
+                    a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
+                    3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
+                    4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
+                    13:a9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                IP Address:10.60.0.1, DNS:apache
+            X509v3 Subject Key Identifier: 
+                13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
+            X509v3 Authority Key Identifier: 
+                AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        9c:7e:99:3c:10:22:23:cd:d6:c7:96:be:82:5e:e5:7f:69:16:
+        5c:57:e1:68:e2:04:26:74:e9:72:ea:3b:03:5c:81:bd:21:15:
+        a3:e8:86:4d:93:6f:a4:d8:a1:47:de:e0:b5:a3:bb:aa:5b:24:
+        e9:9d:f7:9d:7d:e3:ba:38:39:af:c6:8b:36:5c:a8:3d:37:af:
+        79:be:8f:bf:ba:76:a5:d5:62:8e:37:c8:2e:6d:7e:24:fc:56:
+        d2:91:01:9e:05:4d:26:16:52:75:3d:28:7f:20:d0:88:25:96:
+        2a:d3:3a:8f:27:3d:99:46:4d:de:e2:a7:11:07:84:ff:ac:55:
+        54:4a:25:1b:b3:05:47:b5:d5:db:b9:69:e5:f6:d7:28:c9:54:
+        45:9c:a5:9a:86:74:37:33:7c:47:75:5a:dd:bf:50:23:be:95:
+        8e:cd:2c:ba:72:cc:41:95:1f:a0:67:78:61:de:38:89:18:c4:
+        0c:df:e0:be:f3:9d:3e:e7:72:9f:3c:a3:e0:06:9a:6c:28:d1:
+        e2:1d:d2:14:76:89:8a:d4:ca:e1:38:9c:b3:31:81:bb:ca:11:
+        ba:78:36:01:e5:db:bf:a0:82:36:d2:b4:65:01:60:bf:63:c2:
+        a8:86:54:cb:ac:59:52:31:bd:a2:cc:94:47:cc:0a:cc:d3:87:
+        db:7b:fa:1a
+-----BEGIN CERTIFICATE-----
+MIIDQzCCAiugAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
+EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
+MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjE0MTQ1OVoXDTI3MDQyMjE0
+MTQ1OVowGTEXMBUGA1UEAwwOYXBhY2hlLmNvaW1icmEwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDQiPsyF5udlRVCpbMgDicavaoQalmcGEDLgYBwMxoi
+NAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeGDqytrUit0bFuYSveBMFfz2D1pr09
+/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI0ziODvLFllW1boZM8CKdGROuIyHq
+1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71lmw3QflWNAukDr/59GSjvRmssAgQz
+BS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJCh/+uwBgJqjuS2YvffR2JD5zgeR5
+Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qiWXfAJBOpAgMBAAGjWzBZMBcGA1Ud
+EQQQMA6HBAo8AAGCBmFwYWNoZTAdBgNVHQ4EFgQUE59kv8teL334CyaU2xed9FnO
+eSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDQYJKoZIhvcNAQEL
+BQADggEBAJx+mTwQIiPN1seWvoJe5X9pFlxX4WjiBCZ06XLqOwNcgb0hFaPohk2T
+b6TYoUfe4LWju6pbJOmd951947o4Oa/GizZcqD03r3m+j7+6dqXVYo43yC5tfiT8
+VtKRAZ4FTSYWUnU9KH8g0IgllirTOo8nPZlGTd7ipxEHhP+sVVRKJRuzBUe11du5
+aeX21yjJVEWcpZqGdDczfEd1Wt2/UCO+lY7NLLpyzEGVH6BneGHeOIkYxAzf4L7z
+nT7ncp88o+AGmmwo0eId0hR2iYrUyuE4nLMxgbvKEbp4NgHl27+ggjbStGUBYL9j
+wqiGVMusWVIxvaLMlEfMCszTh9t7+ho=
+-----END CERTIFICATE-----

ca/apache.crt.old

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4098 (0x1002)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
+        Validity
+            Not Before: Apr 22 12:33:59 2026 GMT
+            Not After : Apr 22 12:33:59 2027 GMT
+        Subject: CN=apache
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
+                    27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
+                    1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
+                    65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
+                    ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
+                    60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
+                    76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
+                    51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
+                    22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
+                    3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
+                    0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
+                    fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
+                    10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
+                    e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
+                    a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
+                    3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
+                    4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
+                    13:a9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
+            X509v3 Authority Key Identifier: 
+                AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        a4:24:8d:a2:b8:b4:da:5c:a6:e0:75:2a:e0:71:aa:03:35:e8:
+        b4:64:49:90:b9:f3:09:a6:c6:99:0c:64:04:5e:65:e6:09:72:
+        13:11:e8:4c:29:a4:99:c5:dd:67:ff:49:fb:5f:8a:b3:cf:3a:
+        e5:b7:1c:a0:8a:59:ca:10:a9:dd:26:c3:3d:25:c7:82:b8:0d:
+        db:91:fe:45:d1:3b:ac:80:1d:11:49:85:13:9b:c2:86:fd:17:
+        81:5d:e3:a4:d1:64:2d:27:0c:c9:77:08:2a:89:ed:7e:2e:ac:
+        d2:86:f5:d5:fd:de:a6:c4:5d:18:33:ec:78:a1:ca:cf:64:68:
+        cb:1a:25:1e:a3:cf:e5:28:0b:a2:f8:45:bd:b6:99:54:17:62:
+        09:f0:ab:ba:d2:38:dc:bc:7b:1d:b8:f2:51:e5:d3:0c:1d:8d:
+        a3:3e:57:c2:0d:ef:93:5d:39:9c:ee:50:f1:e3:f8:fb:ff:94:
+        88:2c:37:f7:39:47:97:2c:fc:71:27:88:21:b3:da:68:ac:f4:
+        c6:a0:77:00:25:37:67:ea:ee:d1:a8:44:01:f6:40:79:68:4a:
+        94:24:d8:1a:d9:07:7d:73:0b:8c:b0:80:dd:b4:a9:49:3f:33:
+        73:7e:4d:5a:b6:f0:51:94:46:b2:81:a3:cb:81:a2:d9:7f:dd:
+        32:60:ba:8c
+-----BEGIN CERTIFICATE-----
+MIIDIjCCAgqgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
+EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
+MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEyMzM1OVoXDTI3MDQyMjEy
+MzM1OVowETEPMA0GA1UEAwwGYXBhY2hlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA0Ij7MhebnZUVQqWzIA4nGr2qEGpZnBhAy4GAcDMaIjQIb5QMlxxo
+1GlZflBlwUYq/Z1OlhNHWNqHhg6sra1IrdGxbmEr3gTBX89g9aa9Pf2z66Dbj59n
+W5F2qqWHmoNXGoQ9EcKzcYRRSNM4jg7yxZZVtW6GTPAinRkTriMh6tX+5B2c+0I6
+hIFDAy7Fve0LfkhQg+ALFYe9ZZsN0H5VjQLpA6/+fRko70ZrLAIEMwUuc5QQrlQl
+0oJVECJ0e0R8xtPlNV4Qr55nSQof/rsAYCao7ktmL330diQ+c4HkeVM8MOYlAID7
+0gz659sBFVJOxOyflbQdoOd6oll3wCQTqQIDAQABo0IwQDAdBgNVHQ4EFgQUE59k
+v8teL334CyaU2xed9FnOeSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9
+W9UwDQYJKoZIhvcNAQELBQADggEBAKQkjaK4tNpcpuB1KuBxqgM16LRkSZC58wmm
+xpkMZAReZeYJchMR6EwppJnF3Wf/SftfirPPOuW3HKCKWcoQqd0mwz0lx4K4DduR
+/kXRO6yAHRFJhRObwob9F4Fd46TRZC0nDMl3CCqJ7X4urNKG9dX93qbEXRgz7Hih
+ys9kaMsaJR6jz+UoC6L4Rb22mVQXYgnwq7rSONy8ex248lHl0wwdjaM+V8IN75Nd
+OZzuUPHj+Pv/lIgsN/c5R5cs/HEniCGz2mis9MagdwAlN2fq7tGoRAH2QHloSpQk
+2BrZB31zC4ywgN20qUk/M3N+TVq28FGURrKBo8uBotl/3TJguow=
+-----END CERTIFICATE-----

ca/apache.csr

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICxjCCAa4CAQAwVzELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
+BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRcwFQYDVQQDDA5hcGFjaGUuY29p
+bWJyYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCI+zIXm52VFUKl
+syAOJxq9qhBqWZwYQMuBgHAzGiI0CG+UDJccaNRpWX5QZcFGKv2dTpYTR1jah4YO
+rK2tSK3RsW5hK94EwV/PYPWmvT39s+ug24+fZ1uRdqqlh5qDVxqEPRHCs3GEUUjT
+OI4O8sWWVbVuhkzwIp0ZE64jIerV/uQdnPtCOoSBQwMuxb3tC35IUIPgCxWHvWWb
+DdB+VY0C6QOv/n0ZKO9GaywCBDMFLnOUEK5UJdKCVRAidHtEfMbT5TVeEK+eZ0kK
+H/67AGAmqO5LZi999HYkPnOB5HlTPDDmJQCA+9IM+ufbARVSTsTsn5W0HaDneqJZ
+d8AkE6kCAwEAAaAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDocECjwAAYIG
+YXBhY2hlMA0GCSqGSIb3DQEBCwUAA4IBAQBzs+QEnIvT5ArumDP7/7TeEcOeTmfh
+GkLMHKn2+lRH055KE+sv2k2l+PW4zrPLdEWw82CW7zy4ilpXjzywGIXZY0dCAWWH
+wc/mRqbE6b4gdatU+LEqkcUiiCKkAh+stG1QOYB4yhISR0N/KWC4GIBsNIen8jjO
++qQunBa/wb7XRvHWCl4ihLMSA4PjijkxPOAjnGe6swPCo8gl39477bdAYL2Qrrr2
+FxkZRZMZG1cSX2lV8DhBV4/AZAzZMGFHc4GOzcyzPNJ3PWFotv+jNQ1DxbTFmOYI
+m6A0coUdCw87lYuWlH8J3s0CUUb7Swd1dKrTjk7UDOTG1VK7q7xYaMkJ
+-----END CERTIFICATE REQUEST-----

ca/apache.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDQiPsyF5udlRVC
+pbMgDicavaoQalmcGEDLgYBwMxoiNAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeG
+DqytrUit0bFuYSveBMFfz2D1pr09/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI
+0ziODvLFllW1boZM8CKdGROuIyHq1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71l
+mw3QflWNAukDr/59GSjvRmssAgQzBS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJ
+Ch/+uwBgJqjuS2YvffR2JD5zgeR5Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qi
+WXfAJBOpAgMBAAECggEAC8SDGlVLNoYEbF2h4U/zJHbp+yGpO14CAAnnh81WbvIt
+PLCn0jor7zqfrnlWeKTfRa8EEYN2ffzc83NuCqHx7T8dSluI6G8vw1qWP96AJNil
+d8k8wprN8BSiE+ih4ZYCSxCFyrQIQMJk/N1QfnG5AO3mGcYqJXrSlTdmTSgV4KTH
+HMhcbE3oBi5sixfYuhz7JmoN2MtvUH7T1XQ93IK/EDANCHeOYfVDlQMv+VKqUsEA
+4tB1j2Mk+MENIbxg2vswsDzi4X3geU9kDkZ+V/ahzQSKnoUJtC81QftGst7gia7i
+Kl51DWvw3SXclDn//5ZSaWd6T0a0Gc8f73yC0vzKIQKBgQD9TVBrSTZTvJcJhhMQ
+Tk7Epe96nWPw3PwKPntAaCcWaNi+AXOWw5oKX1Okilrsbxz5P6yH/jTvFZF33zpT
+nhS30ew41GTSL0j3gCWK25I0SJOeth2dycyjd/yljotOGOz667vTGHleso7NYthD
+s+iU6ceb7EuU9T0JjhHDsrVK8QKBgQDSwZmOwMAq0evNFgKB0QiipABIWhm7As1n
+O0M439zA2bVo8Z3UAQb7YOBG/EoH+I/1HakJBM0BVyGRzkg4Krq0Dd8iL4gESj8E
+niCtIC874AjhemVjHDPNwI/m93Czg8tqfd3r82rOa5HJWW4WYGeHPTjvd0puS8/6
+SWTyBgSkOQKBgANxmKVMwoNS7g7AFuRC3ElKJD5bg29T4c1V2iEfCWEBnei/Zk3n
+bOG1OBLlmqTaQd+VoQfcSeXyOh8SFt3qKUfyf66qHJDK+cf7owcHQy6YygD/Ytmx
+U6npSLMLhBNUvWwP5mbRT10dOlnKfTw2ZvQXVZJmHQTybJkDqHQrqtFRAoGAA1t6
+Kr//T69QZk/3ckH2NUEPkBd/WW9N/lr/UySdy6SsMyPGM95gUhjU+cyDEWVwRaNX
+UgF1kpPkwQHcPKjRmJSv/Udsj0TvhA9QzfE5T2bePVlJzC5i1OBAapl+fh2XW/bt
+Vhjmlqs4A1EdY9XdUFY1Vfs8gE1M3tvUc9aMtGECgYA3ebYLBwDB48gbYfnv8o3P
+rY2hBfBsvfSKeYT/NPxG/XR035h9BnBcNG2L7U7GKmbxdULYZ2nEOSjqTxTvlHUO
+ncGr7M00D9hpzTX+Yfr3em+lGsZxVfU7sKq1fWF/BdF7gCf8cdHk66gR19kYhi38
+cEB0Z02sLDDP2AYOawrliA==
+-----END PRIVATE KEY-----

ca/ca.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIUHeUZwwOlaXM3yPbokh5CjXEFw/YwDQYJKoZIhvcNAQEL
+BQAwUzELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0Nv
+aW1icmExCzAJBgNVBAoMAlVDMRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQy
+MjEwNDgwMloXDTI3MDQyMjEwNDgwMlowUzELMAkGA1UEBhMCUFQxEDAOBgNVBAgM
+B0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRMwEQYDVQQD
+DApDb2ltYnJhVlBOMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs1ft
+wTq/HG1SavpgkRSP/ZO3hvW8lCR8e8ica/w7ogJwMoTAHz0axMpY9MQ6SmXXvXEh
+/DY0wwM60jJ8f332fk3otcWzHznEK+EC2xrZSvnikWYSWcaDe6PzPtu0w9//y/Cl
+Jt8ocvC1qyN20skhCP8nuTCW7o0nO+glPEHAl1fSuHuA/0tXbpROsxpi3cqzWypB
+ufnDyIg4vxKbhQdtJn0UMvA2g92gTpxl9Dvt4L68L2e/Oz5B2l+USEIHxfkS+N1v
+p8O22H+KV4+4Le76RJ/DOzV+pAieY4/bWIFQ5CsB6SvcHwP0CxOa1KOeHZbdyyDe
+TBCmDTR3K4ZBy/ii2wIDAQABo1MwUTAdBgNVHQ4EFgQUrM15zIAXqo0WzJex6TZe
+ACq9W9UwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAlkndsM3ikWZibO3l5UBBVSQjgjdf
+8CdE3UyrzuTOTFGWW8ALD1PTMjZ/uFR6mX5pn3Afd6CcRvm/SP/ybh4q+7oBlJCT
+hjJo/r8NAsaN1TubFSaLsQTzilZDCK6Go+WvcNgar0pwgMunqphBycuLOkT3cxli
+ubGzplv33gA6EPwZ7LaSfMRf/mVeLutUyP0SKyos3/Je1lAz8Wel245JPJ2mI8fT
+HopjnVWScOPedFKt/nh//RVTjZDvPGH5Lvglg9ko+Lc62JF/5XIqIS25TwcUskXK
+KfotGiwJM1VHyi49PWEC1Asu7C9ljMbHy/UsISPGxUOq/oy3OQoj7DXEng==
+-----END CERTIFICATE-----

ca/ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzV+3BOr8cbVJq
++mCRFI/9k7eG9byUJHx7yJxr/DuiAnAyhMAfPRrEylj0xDpKZde9cSH8NjTDAzrS
+Mnx/ffZ+Tei1xbMfOcQr4QLbGtlK+eKRZhJZxoN7o/M+27TD3//L8KUm3yhy8LWr
+I3bSySEI/ye5MJbujSc76CU8QcCXV9K4e4D/S1dulE6zGmLdyrNbKkG5+cPIiDi/
+EpuFB20mfRQy8DaD3aBOnGX0O+3gvrwvZ787PkHaX5RIQgfF+RL43W+nw7bYf4pX
+j7gt7vpEn8M7NX6kCJ5jj9tYgVDkKwHpK9wfA/QLE5rUo54dlt3LIN5MEKYNNHcr
+hkHL+KLbAgMBAAECggEAPpkTUJ3LtQVnfhWUfS87LxxPM9k0EFVH6gDUsFBjFCJb
+vRZe5Mh0PnoOYKjZW7x+eA4z+Y+GDQdkkZezouB5mA5jiobOBbkpAtPQJmARtjzQ
+W0XQY+uJWy+XqLoRN0lJRIrjalT8Dlp8XpbLU7mGQVimKdqO5Ab6ycs2q/ibW3dj
+am9L/AaV8YW99xWeRVi8OKn1Oyhpaplnb7IDdeDx8/nCSplVx1EggsV7XPStfL2R
+us8/sE525OCo7mriXBLph62r7C1oFxxeASIjpPD5+gh09CCoMcodETlCBKPia7Q4
+ha/nnsjXRPZIq4b2y4BYzlCVnCldwKzr+QW+s0EZKQKBgQDZRV2kR4k9ytF1kG85
+DCW8ogk03BZ2x9Wk6sEU3lUtR3YfyHe3zFrZ2lDynknVAxXABPQ8XG8i24O0ZQ/h
+oiRu9LtUIf+rYVrZke8DiPEuGUdTMLeLMBUhWtSpG5kNrpr/hdt/lXnnszTd5Xon
+YGpa2qQAB2eki+uxnJMbAHopRQKBgQDTT9V2FEUa+GG5mbQXClbXqbd7+8LoKH7l
+VYzQxaWSWgW1o9/0NOBY5Jw6PoWdhbf0IzA2bYeKIChp6IwhEh9+A+Vdp0Hupz/Z
+tDlHThWXUBqYTPM1mXX1KyEoNjGQiMMpeuOc0sUJZvMfFWrzkn0kG8VsB9u8n1ND
+CQ+O3MaNnwKBgEQJ5+ApEr5KBDvnphzcQ/kFWRK3lUVPIQVLCnnpggzy4vfjBDKH
+iS/NoSnJDd/p3mbKZl18qMTmryDPwSBscTJZ60vWdcUKcLPPcmTN/pDsE5zmlaO9
+w/A1DIGEhfJ16k34chtLCOjZAsY2NYGdPNEExPTJXNh3hLCTErIS/S5tAoGAITum
+A6sObz5vCCSPOSxsGgDcFYizz5VG18SLn+3lq02zJiz+tMZ4HiLeGx7oHq0AEEpU
+c8roDSYflQB4wV67SzNLqF38tY7iMNfyRi+Wn7R+akN34I8hCQzeaxeS1ftcTjLA
+h1JyoJbrV5Ejv+ji+4HOm73kphacnqdXJg28wFsCgYEAs4VbAruXv3thxJ8a7Y4n
+8FRwdDV2nJRGYRR6WdE8qCLFi5rhoI2/sqblp2i/j8e419YWzj+pRqDMCWlePg+i
+7Ne5swH3UQXb+3sS/q0BUnYuJDnpmae/qJ4gDU1NvHZnrqz047hfvHw9gAcCh4a2
+IZGzyqYAUSqhzm9epjEZ9+w=
+-----END PRIVATE KEY-----

ca/cheese.cfg

@@ -0,0 +1,12 @@
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+default_days = 365
+database = index.txt
+serial = serial
+copy_extensions = copy
+new_certs_dir = .
+default_md = sha256
+policy = policy_any
+[ policy_any ]
+commonName = supplied

ca/create_all_keys.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN"
+cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway"
+cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
+cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache.coimbra"
+
+[[ -e "serial" ]]       || echo 1000 > serial
+[[ -e "index.txt" ]]    || touch index.txt
+[[ -e "ca.key" ]]       || openssl genrsa -out "ca.key" 2048
+[[ -e "ca.crt" ]]       || openssl req -x509 -nodes -days 365 -key "ca.key" -out "ca.crt" -subj "$cert_ca"
+[[ -e "vpn.key" ]]      || openssl genrsa -out "vpn.key" 2048
+[[ -e "vpn.csr" ]]      || openssl req -new -key "vpn.key" -out "vpn.csr" -subj "$cert_vpn"
+[[ -e "vpn.crt" ]] 	    || openssl ca -batch -in "vpn.csr" -cert "ca.crt" -keyfile "ca.key" -out "vpn.crt" -config cheese.cfg
+[[ -e "dh2048.pem" ]]   || openssl dhparam -out "dh2048.pem" 2048
+[[ -e "ta.key" ]]       || openvpn --genkey secret "ta.key"
+[[ -e "user.key" ]]     || openssl genrsa -out user.key
+[[ -e "user.csr" ]]     || openssl req -new -key user.key -out user.csr -subj "$cert_user"
+[[ -e "user.crt" ]] 	|| openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
+[[ -e "apache.key" ]]   || openssl genrsa -out apache.key
+[[ -e "apache.csr" ]]   || openssl req -new -key apache.key -out apache.csr -subj "$cert_apache" -addext "subjectAltName = IP:10.60.0.1,DNS:apache"
+[[ -e "apache.crt" ]] 	|| openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg

ca/dh2048.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBDAKCAQEAvqMnND0GPZb1287Irc8grekth4JCb5Mfz4iig9GR0AJNzIj+/hf6
+Cnz3+5F6OD7XDyY7Prgq/dZ6KhZAnKOSQ4r6rDbgcVqPoU5g8ykKuhI3daAOr/Ut
+EauKJN4kcTDARvdk9gebWNIDRrbuV0wv7QDsO3TIznn24MTnYUm3ReExv58fmqX6
+Ttr74clxnUC660HX084sxhxAA9Mfewy+8KCxy1MF2MttZP6DY3IWEVokfK2W/ZlE
+UsFIMNlblKK/JBn7Y/6/FZN/V8zwxFCQBhuvOvaNbtraejkeUnl7VdqQ6T4Rmvid
+0jN5ddbuyyu+pm7WPU94ilLyPQECexnx7wIBAgICAOE=
+-----END DH PARAMETERS-----

ca/index.txt

@@ -0,0 +1,4 @@
+V	270422105026Z		1000	unknown	/CN=gateway
+V	270422105026Z		1001	unknown	/CN=warrior
+V	270422123359Z		1002	unknown	/CN=apache
+V	270422141459Z		1003	unknown	/CN=apache.coimbra

ca/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

ca/index.txt.attr.old

@@ -0,0 +1 @@
+unique_subject = yes

ca/index.txt.old

@@ -0,0 +1,3 @@
+V	270422105026Z		1000	unknown	/CN=gateway
+V	270422105026Z		1001	unknown	/CN=warrior
+V	270422123359Z		1002	unknown	/CN=apache

ca/revoke_user.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt

ca/serial

@@ -0,0 +1 @@
+1004

ca/serial.old

@@ -0,0 +1 @@
+1003

ca/ta.key

@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+8ab6c529070f93ad262f6ba5ec506c5e
+3e89f24851df40259a2e5fce5b98117c
+4ccba0c1c5a045d802ee4638c1f047fb
+f2537cb038f1faf976e1cf05ad2c5cc2
+23be82d9bdd89180ff235bc995116c83
+f08bc102313dd043fa3dcb924665fc36
+408fd7bc620c6939e0a42f90e37a9ea7
+078e323acbe6b844405b929fecbcc539
+e5022c1e9a2b76503b63d35aeeb70cb4
+cf260ac014c5914b30ee0020a737bcc5
+d08a810e512769245993d9075572f1c0
+4971992ba8782b2b7e6189b03c8e1448
+842e42983c9af8c32d007237e9b597db
+2c6cf399d16f153136307605297e3bbb
+cb1b9b1cc9c4cb2f2684ad5d50dd0448
+3480fb0a4cc3af1553e5b40645eae3f0
+-----END OpenVPN Static key V1-----

ca/user.crt

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4097 (0x1001)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
+        Validity
+            Not Before: Apr 22 10:50:26 2026 GMT
+            Not After : Apr 22 10:50:26 2027 GMT
+        Subject: CN=warrior
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d8:5e:36:38:85:bb:f8:15:29:90:2a:03:47:26:
+                    36:ad:47:b8:80:c2:1c:b2:35:53:34:a3:c8:79:73:
+                    1a:7b:c5:06:f9:0e:fb:61:e9:16:81:81:4d:55:ac:
+                    25:7d:96:f4:a4:1a:46:d0:0a:af:48:65:b7:1e:9b:
+                    02:4a:4a:af:53:64:20:4f:af:d8:ab:f7:99:c2:b7:
+                    80:b2:80:24:00:7c:a7:43:f7:35:69:47:fc:bc:ce:
+                    fa:1a:8e:81:c3:2b:55:ea:57:c8:ec:76:3b:1b:58:
+                    e9:65:c1:66:97:c5:39:62:1f:c7:f2:64:b3:6a:31:
+                    41:a9:66:00:f5:48:3c:31:9b:70:a7:ca:f0:b8:28:
+                    d3:cf:fb:86:25:f0:93:17:ad:3f:c8:60:dd:a7:a1:
+                    be:b4:e8:fc:79:47:53:68:ed:eb:21:b5:f7:aa:f5:
+                    bf:22:45:d9:10:5a:db:be:41:c3:09:47:72:f4:6b:
+                    d6:21:65:77:43:79:89:0d:cd:72:58:14:e2:25:55:
+                    0b:17:e8:97:d4:d0:0e:9c:7d:9c:38:6e:52:50:cb:
+                    25:a5:00:fc:cb:69:bb:09:f0:3a:f1:8a:83:e7:7c:
+                    95:07:46:58:11:41:25:8d:5c:91:02:ec:d2:83:4c:
+                    98:d0:aa:ad:b0:fa:67:6c:22:79:87:de:5a:f5:01:
+                    8f:59
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                30:84:32:04:21:19:F0:A6:B7:C1:32:4C:1B:9F:7E:EF:EC:3C:D3:79
+            X509v3 Authority Key Identifier: 
+                AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        60:76:03:78:46:0e:db:33:a4:1a:13:67:11:66:b6:7e:bf:ba:
+        23:4e:01:9e:6b:28:dc:46:9c:5e:e8:a9:2a:72:d2:ae:c0:c7:
+        b7:68:6f:92:55:43:b7:cd:8f:6b:78:ad:86:d1:8a:bb:ba:7a:
+        a7:3b:fa:53:8f:1d:ec:75:0b:36:05:6b:14:91:c4:79:51:b2:
+        d0:2f:b9:17:0c:f1:6b:88:4d:24:6b:ae:15:36:2b:ac:4b:94:
+        67:04:f8:93:49:cc:c1:d7:ec:ae:a2:dc:32:c8:d1:f4:ee:4b:
+        0c:11:ad:4c:84:5d:96:97:31:d6:9f:c5:a7:79:b2:f1:b8:42:
+        5b:79:b8:12:d2:a3:56:a0:ae:3b:ba:7f:56:25:d4:ad:a7:fa:
+        39:52:e0:57:af:4f:d2:c6:3c:24:5d:d6:07:84:b0:a5:5f:d2:
+        3c:8b:36:2a:1f:24:55:cd:89:22:94:b7:f2:93:69:01:89:6e:
+        a4:67:2d:8b:d9:cd:af:29:70:09:83:69:e5:46:35:51:59:90:
+        71:c0:0a:8a:00:5c:55:c6:12:34:1a:b7:3d:a9:67:9c:0b:2f:
+        71:32:cb:87:92:b0:18:ff:fe:ec:f0:3e:cc:e3:1c:65:c8:24:
+        a9:bd:c9:8f:96:f7:19:af:95:a6:e0:e5:21:65:50:ad:69:da:
+        d3:09:27:84
+-----BEGIN CERTIFICATE-----
+MIIDIzCCAgugAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
+EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
+MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
+NTAyNlowEjEQMA4GA1UEAwwHd2FycmlvcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANheNjiFu/gVKZAqA0cmNq1HuIDCHLI1UzSjyHlzGnvFBvkO+2Hp
+FoGBTVWsJX2W9KQaRtAKr0hltx6bAkpKr1NkIE+v2Kv3mcK3gLKAJAB8p0P3NWlH
+/LzO+hqOgcMrVepXyOx2OxtY6WXBZpfFOWIfx/Jks2oxQalmAPVIPDGbcKfK8Lgo
+08/7hiXwkxetP8hg3aehvrTo/HlHU2jt6yG196r1vyJF2RBa275BwwlHcvRr1iFl
+d0N5iQ3NclgU4iVVCxfol9TQDpx9nDhuUlDLJaUA/MtpuwnwOvGKg+d8lQdGWBFB
+JY1ckQLs0oNMmNCqrbD6Z2wieYfeWvUBj1kCAwEAAaNCMEAwHQYDVR0OBBYEFDCE
+MgQhGfCmt8EyTBuffu/sPNN5MB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
+vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQBgdgN4Rg7bM6QaE2cRZrZ+v7ojTgGeayjc
+Rpxe6KkqctKuwMe3aG+SVUO3zY9reK2G0Yq7unqnO/pTjx3sdQs2BWsUkcR5UbLQ
+L7kXDPFriE0ka64VNiusS5RnBPiTSczB1+yuotwyyNH07ksMEa1MhF2WlzHWn8Wn
+ebLxuEJbebgS0qNWoK47un9WJdStp/o5UuBXr0/SxjwkXdYHhLClX9I8izYqHyRV
+zYkilLfyk2kBiW6kZy2L2c2vKXAJg2nlRjVRWZBxwAqKAFxVxhI0Grc9qWecCy9x
+MsuHkrAY//7s8D7M4xxlyCSpvcmPlvcZr5Wm4OUhZVCtadrTCSeE
+-----END CERTIFICATE-----

ca/user.csr

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIClTCCAX0CAQAwUDELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
+BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRAwDgYDVQQDDAd3YXJyaW9yMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2F42OIW7+BUpkCoDRyY2rUe4
+gMIcsjVTNKPIeXMae8UG+Q77YekWgYFNVawlfZb0pBpG0AqvSGW3HpsCSkqvU2Qg
+T6/Yq/eZwreAsoAkAHynQ/c1aUf8vM76Go6BwytV6lfI7HY7G1jpZcFml8U5Yh/H
+8mSzajFBqWYA9Ug8MZtwp8rwuCjTz/uGJfCTF60/yGDdp6G+tOj8eUdTaO3rIbX3
+qvW/IkXZEFrbvkHDCUdy9GvWIWV3Q3mJDc1yWBTiJVULF+iX1NAOnH2cOG5SUMsl
+pQD8y2m7CfA68YqD53yVB0ZYEUEljVyRAuzSg0yY0KqtsPpnbCJ5h95a9QGPWQID
+AQABoAAwDQYJKoZIhvcNAQELBQADggEBAKBuw6o5zucZ3cULpuQBZiBtvodrV1ht
+V7NCqQe5UoFP0wywUCQyB1A4rAT+Of3yJxKLYiBrq8u9/ra6zGfXTOxZSSpm+1cN
+iZMVb3c57Hir3cS3sG/tLi147168GpBxiV87WLgBozw2ki0x9fApx5crLZY9/FlM
+qCwTF8g/Pu6c/gXf+y/aGzcElx0tTpR5FvJopFJ/PNNJSmJZ22Mtbynvztnk8xB6
+vzX3+0lp9eNv7X1IwcaDk45B1Fv+7OiyVZ57hOrsUsr4whmb7jctpEm5UzL4cHuE
+nMjY5Eqe9Gsct5g7PO+LVH8CF1joBLShgqOIH+1k797iS5maYWHdYW0=
+-----END CERTIFICATE REQUEST-----

ca/user.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDYXjY4hbv4FSmQ
+KgNHJjatR7iAwhyyNVM0o8h5cxp7xQb5Dvth6RaBgU1VrCV9lvSkGkbQCq9IZbce
+mwJKSq9TZCBPr9ir95nCt4CygCQAfKdD9zVpR/y8zvoajoHDK1XqV8jsdjsbWOll
+wWaXxTliH8fyZLNqMUGpZgD1SDwxm3CnyvC4KNPP+4Yl8JMXrT/IYN2nob606Px5
+R1No7eshtfeq9b8iRdkQWtu+QcMJR3L0a9YhZXdDeYkNzXJYFOIlVQsX6JfU0A6c
+fZw4blJQyyWlAPzLabsJ8DrxioPnfJUHRlgRQSWNXJEC7NKDTJjQqq2w+mdsInmH
+3lr1AY9ZAgMBAAECggEAaYNcDqlM9pifWbHbQl2kyVDR7Vx78P3nMyLx1yQmFJiL
+I3bGaUNpWcNMCsz1xW6Ro9s6kCa9vuD3cYHnFoKgSFrqFOIsmAQZZCbnqGSr6d7g
+FNlfnxVfb1XCCqRXLG2cKrkffwzTGy17OEedt8KSjsLv10l7YvxdSHY5XmQZEpkU
+l9O6olSvhaPQxx3RynR0rTdyESZMLMj2SqHpSlHg6TVvTjRH5EspMTpJiU/cNiqv
+b57OH02gh1huS0DKV3aPvR8+6jlP0Ec0djcwXatQxzesFjHutVR1f5RBh36O6zJ0
+9Nx2wxppFPsFVB5olJWzIkMH2MalYyIK5+0Lpl3PDwKBgQD04wRGe+EZrCcfLJy+
+wpsBqoUeclhDtfz1aMlmhCurWdIQKiEn1lYVMopxn+FvZy3pyE9ymn7aSsmb6PT4
+f1j3rOjYcWKceyUCdEsYDRq8ciW7bhKVwXd+763CI485x63ZkKcKe2b7v1GIhkII
+7Kp/Nwh5tXxCp6ta+0hJO9nEqwKBgQDiL+CDlgkEVM0MsjuSS2arHwfolXEaoApy
+CwX6abCOkV3RiMmuMGKidQJ3v0K+vI3WlG/fW9s6ZRe9mSj/Qu3hq3el5ozzSpW9
+FOI41cTOHdvKDpN21Cgk9gMBt0Slp2+qrv+OT4zCheQV29mGZ0dudr5/fMzrAxnk
+nbhkXlpUCwKBgQC5mgHYhfVypraz+vUF46rl1V61V8ar8xe4zGWwzEXoxdffJn8g
+mWN/B2JEgf+zlokG4inM22l/eyVYhHR+js5YUXXc7frmTLMdLBTqMqxr3TvZ1bBC
+TnKKA5A3TwozqbKK7gacfDDuZu+dwNv1taH3bzd+P13hiwDloQQFdVY0pwKBgEC1
+S7i5apj3nbXdI5fFxHh+JygN4M6qLHLV3n72T5Fp2vo/9NrFcuJhMTSK3hBtJvLV
+gm/W+o/pLfKK56SnRCDEijVHENnlY5M1b0atOWFyP1e99cgQB/ATBWcvRA9UKGkf
+KXNQJMfdwBPU0pVV5KSgif00+fbd60FxMbhdGeBjAoGBAO4GIfg1FgIixd3BjuW8
+vCcYqqyRphtiHUeZMoVeIVO+CwD4tm7Rj7mRux/3lU8qRFdD/5O5oFE5MR6gvyno
+aBt/fPzA40/zjsDMdILaL6IoJUw1B3OsRUoNTupHxqkBl3gJV1WUnWMQftzNAYuy
+GJzEUr6jpE6MJyt3osZwfurm
+-----END PRIVATE KEY-----

ca/vpn.crt

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4096 (0x1000)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
+        Validity
+            Not Before: Apr 22 10:50:26 2026 GMT
+            Not After : Apr 22 10:50:26 2027 GMT
+        Subject: CN=gateway
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:46:6b:0e:12:3f:c2:64:0d:dd:36:e7:86:a2:
+                    f6:98:04:86:21:73:85:3b:cc:ce:7d:c5:74:f9:8d:
+                    97:f8:c9:01:1c:e9:88:db:10:fc:40:a8:2a:44:76:
+                    de:07:bd:39:58:c3:ba:b3:9a:d2:01:91:12:c8:7f:
+                    0e:7a:51:56:f6:a4:ad:4e:63:92:8e:05:b9:9d:5a:
+                    76:37:60:58:60:0a:10:f2:6e:15:6b:76:a1:34:91:
+                    c5:cf:c7:86:00:cd:3f:53:c2:e9:45:8c:86:49:c2:
+                    a1:36:f9:ca:3b:a5:30:76:92:ff:a6:e5:fa:40:67:
+                    d9:91:ea:24:90:a5:a4:e0:15:2a:da:ce:1b:4e:f9:
+                    86:7e:9f:33:de:e9:24:dc:b9:60:fa:c9:f0:e0:79:
+                    83:a3:d3:b3:c9:61:37:9d:26:ab:e9:bd:21:68:74:
+                    51:02:e0:a2:36:24:9e:c6:5d:22:f3:f6:76:8d:17:
+                    ab:e3:46:a2:dc:a3:e4:f8:bc:a2:4b:59:8b:76:f4:
+                    91:7e:2f:48:79:b6:72:1b:d5:45:e2:9f:d3:8d:b2:
+                    f6:45:53:07:95:4d:8e:76:73:b8:54:10:17:63:c4:
+                    07:bf:bf:a6:72:4f:ea:be:b7:1d:38:37:3a:95:26:
+                    8f:36:81:a0:53:07:d3:49:32:7a:de:3c:7f:61:b6:
+                    7c:21
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                96:52:2F:9E:1C:51:4D:A7:91:73:93:1B:E6:69:6C:06:99:28:2D:0B
+            X509v3 Authority Key Identifier: 
+                AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        9a:fd:c0:13:d2:8a:7d:8d:d6:79:d0:35:1f:a6:75:ea:ff:1b:
+        73:1a:4b:30:d9:c8:3b:9d:96:e5:a8:28:eb:74:26:0d:13:fa:
+        e1:89:ad:eb:38:d4:57:d1:72:af:c5:93:ab:ce:07:35:3a:b5:
+        34:9f:72:af:71:b7:79:23:c8:88:99:af:a9:bf:72:8f:01:f2:
+        cf:f8:a1:57:8e:2a:05:e7:05:c2:0e:ac:92:df:db:f4:fd:64:
+        16:01:28:5a:7b:8b:c1:e3:8b:49:48:58:b4:36:28:ed:a3:99:
+        60:9c:a7:a6:3b:eb:07:3d:42:36:29:f2:d2:ff:07:86:34:3c:
+        0a:b0:70:cb:23:d2:f3:f1:f7:88:74:a5:a6:c3:ee:4e:5f:d7:
+        6d:ba:a6:83:09:76:f5:e4:1a:3b:d5:58:e9:be:a8:80:cf:68:
+        13:82:95:b3:da:75:43:4b:e7:f3:fb:6b:0d:b3:d5:07:5e:1b:
+        7a:69:f4:77:1b:59:eb:c5:a1:84:fb:cc:3e:5c:26:f5:b3:b3:
+        4d:36:8d:40:d2:53:f9:1e:bd:cf:b9:4b:c3:a8:40:29:97:58:
+        48:c2:94:94:28:9d:3f:e7:e3:d2:a3:db:32:8d:fb:a9:bb:c3:
+        32:a5:b3:c0:8b:c5:e3:56:45:55:2d:fb:62:5a:c0:36:f1:df:
+        b6:00:f9:b9
+-----BEGIN CERTIFICATE-----
+MIIDIzCCAgugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
+EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
+MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
+NTAyNlowEjEQMA4GA1UEAwwHZ2F0ZXdheTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALxGaw4SP8JkDd0254ai9pgEhiFzhTvMzn3FdPmNl/jJARzpiNsQ
+/ECoKkR23ge9OVjDurOa0gGREsh/DnpRVvakrU5jko4FuZ1adjdgWGAKEPJuFWt2
+oTSRxc/HhgDNP1PC6UWMhknCoTb5yjulMHaS/6bl+kBn2ZHqJJClpOAVKtrOG075
+hn6fM97pJNy5YPrJ8OB5g6PTs8lhN50mq+m9IWh0UQLgojYknsZdIvP2do0Xq+NG
+otyj5Pi8oktZi3b0kX4vSHm2chvVReKf042y9kVTB5VNjnZzuFQQF2PEB7+/pnJP
+6r63HTg3OpUmjzaBoFMH00kyet48f2G2fCECAwEAAaNCMEAwHQYDVR0OBBYEFJZS
+L54cUU2nkXOTG+ZpbAaZKC0LMB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
+vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQCa/cAT0op9jdZ50DUfpnXq/xtzGksw2cg7
+nZblqCjrdCYNE/rhia3rONRX0XKvxZOrzgc1OrU0n3Kvcbd5I8iIma+pv3KPAfLP
++KFXjioF5wXCDqyS39v0/WQWAShae4vB44tJSFi0Nijto5lgnKemO+sHPUI2KfLS
+/weGNDwKsHDLI9Lz8feIdKWmw+5OX9dtuqaDCXb15Bo71VjpvqiAz2gTgpWz2nVD
+S+fz+2sNs9UHXht6afR3G1nrxaGE+8w+XCb1s7NNNo1A0lP5Hr3PuUvDqEApl1hI
+wpSUKJ0/5+PSo9syjfupu8MypbPAi8XjVkVVLftiWsA28d+2APm5
+-----END CERTIFICATE-----

ca/vpn.csr

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIClTCCAX0CAQAwUDELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
+BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRAwDgYDVQQDDAdnYXRld2F5MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvEZrDhI/wmQN3TbnhqL2mASG
+IXOFO8zOfcV0+Y2X+MkBHOmI2xD8QKgqRHbeB705WMO6s5rSAZESyH8OelFW9qSt
+TmOSjgW5nVp2N2BYYAoQ8m4Va3ahNJHFz8eGAM0/U8LpRYyGScKhNvnKO6UwdpL/
+puX6QGfZkeokkKWk4BUq2s4bTvmGfp8z3ukk3Llg+snw4HmDo9OzyWE3nSar6b0h
+aHRRAuCiNiSexl0i8/Z2jRer40ai3KPk+LyiS1mLdvSRfi9IebZyG9VF4p/TjbL2
+RVMHlU2OdnO4VBAXY8QHv7+mck/qvrcdODc6lSaPNoGgUwfTSTJ63jx/YbZ8IQID
+AQABoAAwDQYJKoZIhvcNAQELBQADggEBAAqV168ZttquI1P85iodBEo4pkefV9g7
+DNOtjf/BQ4SZUmtMBSH95aH1o+EjhYy+522IJ7yTOke5uTsr4R0uD/D7EX9hKnp5
+Qx2t/QZc+q3VKzOMV687VfBfq2RErMGSvJmk7cH40HyDlh4Ts5NZO3CAwaiIovKc
+ddcZfrO3naktT8jwayWA16pk+vxf0G3jwJqbeizyS0hl12+dwPr/+ESRHCQoSkUH
+wG5mL4eRW5E0NyuH9iGvOHms6WDrPU0qp2Rztql+FYZB+qGPJ3pdsajCIjJG7n4E
+n3D5ofg5q3dlLHAwueMcMLGL9hpjXRGLZturgB5JdUp9+1fMhgxYfFY=
+-----END CERTIFICATE REQUEST-----

ca/vpn.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC8RmsOEj/CZA3d
+NueGovaYBIYhc4U7zM59xXT5jZf4yQEc6YjbEPxAqCpEdt4HvTlYw7qzmtIBkRLI
+fw56UVb2pK1OY5KOBbmdWnY3YFhgChDybhVrdqE0kcXPx4YAzT9TwulFjIZJwqE2
++co7pTB2kv+m5fpAZ9mR6iSQpaTgFSrazhtO+YZ+nzPe6STcuWD6yfDgeYOj07PJ
+YTedJqvpvSFodFEC4KI2JJ7GXSLz9naNF6vjRqLco+T4vKJLWYt29JF+L0h5tnIb
+1UXin9ONsvZFUweVTY52c7hUEBdjxAe/v6ZyT+q+tx04NzqVJo82gaBTB9NJMnre
+PH9htnwhAgMBAAECggEABIq6WGuOSDU7tGN3sGLMChzJ05LC2w90x8n0qXSF/wVy
+Vm031PkS7MhhxKcNcihZcs+9+Ek62bjTOC0Af2jo7ShJ2gNC7NQshyRAh9N2LlLv
+17laIO6Kswb1O673h5tr9KxWDkx2jN76HqZl/4xbn/Cp5C/WGqmmsQNyAF9Om+08
+M/5jB3aVT4PFBoyOXd3WDkuxG1wEfFZPrrbOu7T06duzMH8yYnxFX42UyDOVNT73
+iqZsxLzlOjLiAaVEZE+2WpZICnwaa04OaOimGHgYEcr4DFQwgUvkVQBvg6sDHVk2
+R9GpBsf7BJceimpOAzw3zQaJ/BftFgli6/gHCZpJAQKBgQDgxxbBIxyVHYeaddAJ
+cDMHTCr2wsk63gUxdqilDC/HZWpCtB1AI02IyxjPVQ87FxtQrCrGXAeztrqYRbKB
+7bPu4UbYP1XCm8o0jNIsFObrMKv1KFLTycZEmvhjivFrQMXLunyPmciV1HKoPg1w
+fZqJjn6X6nJyYEZBYDX6XmaX8QKBgQDWbVNxMEw4cpEdpl9lMTpry87XS1SpOKSR
+YLqa5yhXMC+5l54B3a/xxoo3wY8YJLixWy67PXakKZ4iWhmAxzQocAJ4ML0ztLep
+Z6fGjmE4XyBKQRIz4NaHZ76bh3SwSc07XirTahib6CPjpVc4b5h7+4JNcnmpIiq7
+yFs0RfjXMQKBgAOQRHUVaGuYx0CUo5Kyu6xe8cNtvSD4yh5JokzTj6Jaoj+ieWA9
+7wm/JoqK763hJOa3hAoXBWw89mJZoIXczeB4o9Xj0yk9rQv+O4rFXg/WerNtSzre
+VQ1bY5q4ZjFsGnarYzQnnP17G8I9EZt58kxB/RHNfrj/e72nl9N7UacRAoGBAKeS
+/t/5X8fJeTFTwT+i7kYqG/bTL1GkK7BViN/gAP3KcbG4FMrehk8L2x7hzMOQhypL
+2USJLzvyLlwoT7/9bfygNL3bUTGkbNgeYtbglIfqh6CgI+qZLu7ZG/QOMxpGQva/
+i/Z29s545/tTTsuTIvbZwqZl7UBJrF3eobBDcsoxAoGAbtIHtMulH7WJYu57DdC2
+AD/xc0YBESCDN8wV73XZrOTluuCXDGOiQow4jWZM9SgFosVY0DrAM4pu6JWso93x
+xAPexrca18YxCs2UwT66AYzDXOcijl1F9fUitf3WC/sZWmO3sd1FVFuLRGlq8mXY
+kGgsbmgiuKROuuMqB2fHgWo=
+-----END PRIVATE KEY-----

chave-pgp-do-rogerio.txt

@@ -0,0 +1,65 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: SKS 1.1.1
+
+mQGNBGmLZjwBDACvUK1m3UikneSbyYrP0vbHMz3Dt5u0+1+/UoFHKrcIF0TeLMmeOL6s3iRW
+JoSuB0YEmiO01BMEtUHC3Bt6/fu1TjMTLGEwo4dltw/hakvjELfpKPecIo7NAX1XCmiw7f+M
+2kTfRXGlu0F0kKc+AD+xPC0tunfpacPX/xGtquPz0xp2XbKktNkj8NoUBO7BRtwrfjBXL7ZV
+irlVofs6j7w8Ka9SRtP8GLqsW+LFDQrbsDM2exvp7u61mKvTpuafOUqkqIIrXw4aDOIxjwON
+gjunZ4k38kZADxR+uzzwNFnn15qtLNECUMpOJDPplBDg0uVRQjn1BJ44AkcdwLM3unMp9BvO
+8DKg2Q6kmd5+qu3OH+BVaqDAD+5sED/LC+QGeTIEHGNbTP3hs6dGyeCcNQnORvn5JoMImUk0
+mmV/KV+qpGhi9PSxN44Kau4fWsaWIO33w1vMSnPf/s77dBT0uLT45G/1/b1N3WbD6eKTt+iC
+/+Ovp+MmWv6Fd2fPXEvwedUAEQEAAbQeUm9nZXJpbyBDIDxyb2djb3N0YUBkZWkudWMucHQ+
+iHUEEBYKAB0WIQTzZrv2P/XfDSKZTqn605rfvJqhwQUCaZMIVAAKCRD605rfvJqhwW/8AQDq
+k4kNVJOuOjHiq+F9K7X/QFJp3+z109x/ZpVGtP6aGgD6AlzWjGubsavImEMVN9QKr7tYEOWy
+NHldePm87lnDuQSJAbMEEAEIAB0WIQSORfJtzGpnilRlTysk/REF2WdojAUCaZL1XwAKCRAk
+/REF2WdojPPkC/40CesTUAcCnvKe/UHTbn483zcW8RSsXRzQZDE4iaOZQ2jCS9uzT+SaVNy5
+J8n3PNfghq19yZeyfWZrBHQBCqFwEvYqXZ/z1Qmz8wFvtDX+B5o15kuGO28/epXR7iqx/v53
++le7VmuBR6ri2kq6uT1xzotd6NYcmZpRprnzaGvCUWtuPWhG7SHjZ1TZIJuJ5cmGG8bq/wu/
+n+fcSwa3evCUR0ErkqpcC+Z9Ll8wGuSioov5A3B9UW+QWoC68VyC53RSyanNAYI3czJu5Ltq
+qXNxOv1xC1gew8FvBuxCF/3z++h2W+E5HO02zRwtqglr5ZBr4UmI0E4s8xWq0DWBU+iLwwXq
+GVNZFiJ+fNVHW6cu4deMOMVNrGJlVmlki+GkIFanlrVOwWq2+vsJFYYvHa5zBwjRRqhK5tRk
+OOa0qD3KLsCzKpiCSNb+g7TEjHqmpB/h3/MFf5mVlIiOnGYTDWBlMwZLllpLMc/3/mFm5nfX
+ofuPGl2BHUv0kdSKSa6QiEOJAbMEEAEIAB0WIQSTCl6/mmEFADoHYKEIKzRkXO0zjQUCaZMV
+9QAKCRAIKzRkXO0zjZoDC/9fcB7uDf3QSrIGm+zO//sALNCe0FSOQ5Rn8ZzMOTn3HBI5i7ct
+dZntTZuYFLa0HHWUxHBoCSwMnP5oNG91xpRTxsYpucFkKMljSiSKPgoOGxEaJDW2rK39CbzY
+xDSa9bhnbXzLWn4laTI8n6iip95IWXuqfIqYc6jfVC3YOBg+8rJ8nAJr6CWIX/6k4bavKVQQ
+4bWeuICqUlbNRhZF1BZtCPrFbrChcB+n7CqK0EGkOoySekMr/6VzwgNmuCa2m8Gi9YqzrLLd
+AzPl0mfruNHhHLBrnM0rNMMOaR39/+0xSl6c3JcsQWmgBUM1lt0th1n/yKHJMM802IyQefhR
+aJhg++xjP61vOLuJa7pb5UWiyupstKemX+8f6X970bvYPj0OaSwy4ewgxU2D5Paqd7qonnct
+eYosMnB87ZfS67LcK6YRdqjJeThaQmFujta2hUM6ZczlqGaTsOmZ/GBxIvXGYBrcrnv4d6cj
+nSGwXKKSHD2EWSNsxfIBILkQDEotD5uJAbMEEAEIAB0WIQS/yqosJXwrVXFgqQa1WXCyNLIK
+ZQUCaZMSBAAKCRC1WXCyNLIKZeU7C/4t2QA7MGNJC+uDk4p/VMfqLFz4yoJOQmAyqI+jbJwn
+T+cu2airiE74Nt77kEHjDzyD47LSGjsFe/ynK+Ey/9SeRrzA/NBngP919LW2nSwonfAIiDZ4
+dHD/aeRVCdX6Ni6PY/dc5b5ztMEgu0XBlUtWMkrrPaTmiCQ1wX5IuxrSLwldbgA8ME2TZYh7
+XQ1LUt1n15FipmdBaXxTK5FrqqWeLLxfPdntZVMQnh2nyaqAF6aEZBRj47UrcbJEIM399G8P
+nVExdvOqcCi/CDY15BVBmx/EkWTnudta7fOQgiJiOJ3WLDXvMTEEG06I/dw+eZgGLwl7Ep/x
+zrTP65tF032dxbNy1RONOijlj+l/NuOM7pFofx6yCzmRprbydyb9uM1ysRSV0GI1YW2krFzj
+ZZosZvPB470svviF8adgIQBV5TZQCzWBY+Bc5gimpZwcWCI+ByQfRAimerOgPqz/r2jQglgP
+u4PwnChSTrfNMKyAfpHIKgXAj2ar6X3IvHCkv/OJAdgEEwEIAEIWIQQ3eZDCVL86W7QFeUkd
+N5xZDJkDjwUCaYtmPAIbAwUJA8JnAAULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQ
+HTecWQyZA49onAv9GbcIpT9a52ZfSLfoXUWAVsYrCwfPb6OG+7NwJXwUPf69gK2ZSWZLrcPl
+7gLYKkWsQ2LS9Pb+kirfENk9Xvw+DMBk0KKlvsC3dOFl4srkdvuAoWvR4x5lCKBBusjM2ByR
+kRtN68a3xhLrNIHF7uxFefMIyetCJhGl1Z4rgRzslFjsjeZqv5hs7lYBtodrKXvWOfyEvZRw
+Zpibyu3v+6YgpZKdq/YQd/DNMBgCWJZOUvKbj/XiCVQ+zKBDEZpjM56TqSyqaTs7OyTXlZGX
+WRYXbtOeEf5NFlUT57FetrSszStJKow7AlLBfPlcwFgDEEKNiLf0asfdnfHepR3MT5ULNdut
+hLniGbN8HItqY94dipc0D2l3q/REY7VrsZa3vBmWdMecCLMDLO37CzIqjUO+tIGWOFhXpH86
+ARRb3C4mi39aTk8XlAQ6nUctrQSHd+oRFKRqXznAGIHHo83L7z5XvRwZ/ehZww+h0QL4JEgm
+Jaja3SZFkqf1/yGwT1EyqfVzuQGNBGmLZjwBDAC7UT7SgI/lKTAP5fyrDXDaIsVKCPZ0K+ui
+BqR+Po765zZyuZnCd8IMaeGJZipa4Jc2HRBfb2t/4drDWChhjiMtSk2jA+Ke+z/Gg8yCskg2
+aSjhiKb4dZkCWwg0+Avca3ad8F3G+pbP/aubTH2FydrJP0dQW7sPChKPEhDH83g4ek7w3CXs
+tSLQ8f3orxxqNvDr3BuVK4Lej1zgXMhSUWcTNqFje1jUwG+V03FoHfvM67HTGmnOngu9fCX0
+QbIc0x++zJg3MvPZ+hsSnJ3EemVMc5SMH/GCwIUTufEdpkCLmjETvCFT9JaVwBtgFvsF6adq
+7JMD7wcogGMVXDqrWMONZJPhiLPK9AI57zi7a31AFJEfyMMaBT3io5KdzfM0LCkpI/VT/tsO
+tM/adnID1cFt47WjeQQ0Ed0kH4fk91/wZaMAlgYeN2TSaYjb0v4RkSIWlYz2KyZ2XPaUtYyS
+Md6CmOHchTUTJ9x/qvXD53FYjnkX309c1a9Z++76R+QU6IkAEQEAAYkBvAQYAQgAJhYhBDd5
+kMJUvzpbtAV5SR03nFkMmQOPBQJpi2Y8AhsMBQkDwmcAAAoJEB03nFkMmQOPy/EL/2NTDXEI
+6ZshBZgK1UOxIWLaKuK4LwMimz3IpfWH6E1acSV4oEn5S+kGCzCeWwbOqhjFP5YYlcN3IMJX
+KddpFVn+LiN178qJZM+WxbJdRlc3n9+F2693zGMxmNtgjJ9TDCjar8nyoxWcpKXOtjxf204T
+HZAq/r2l/NHvrqZ4KJ5RU5I1Gb43UcarxZHBHy6N1Z323Zt5UMgA3WWMeXB+r374IBg4g5/l
+WCfhytvZtwVIDDERFMqpyikhlrOzLJQgVoPHUt7PCslvAaVlz1Mkj7JkF+gwizJ+zsCIkJ2Z
+YYk5nfVtDf2xEasrZgs3XF6yhXKHIS1DyIELaLzr6UkLz0H/pwgjHGG9G6pcuMeuS4vR7MEE
+7OssNRo43LjtGT9WglRhMqjqiqAIZUM6NFZ2AQQci5tOj3nNQQHovVaPm0PcC1fv99eMsDBX
+o7LiabG3y38e2q2TzbNl7v3zTXimQKtYzoff6kGr9JnKr1pD/63qZlrTrVEq/SyMrKmWN3Aq
+Rw==
+=as3M
+-----END PGP PUBLIC KEY BLOCK-----

conf/client.conf

@@ -0,0 +1,19 @@
+client
+dev tun
+proto udp
+remote 193.136.212.1 1194   # ip da vpn gateway
+persist-tun
+persist-key
+
+# certificados
+ca /etc/openvpn/client/ca.crt
+cert /etc/openvpn/client/user.crt
+key /etc/openvpn/client/user.key
+
+# auth
+cipher AES-256-GCM
+auth SHA256
+
+auth-user-pass
+tls-auth /etc/openvpn/client/ta.key 1
+reneg-sec 0

conf/httpd-totp

@@ -0,0 +1,3 @@
+auth    required    pam_google_authenticator.so forward_pass secret=/home/${USER}/.google_authenticator user=apache
+auth    required    pam_unix.so use_first_pass
+account required    pam_unix.so

conf/httpd.conf

@@ -0,0 +1,20 @@
+ServerRoot "/etc/httpd"
+
+Include conf.modules.d/*.conf
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+LoadModule mpm_event_module modules/mod_mpm_event.so
+
+User apache
+Group apache
+
+Listen 80
+Listen 443
+
+Include conf.d/*.conf
+
+DocumentRoot "/var/www/html"
+<Directory "/var/www/html">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>

conf/ocsp-verify.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+depth=$1
+if [ "$depth" -eq 0 ]; then
+    if [ -n "$tls_serial_0" ]; then
+        # é preciso converter o serial para hexadecimal porque o openssl espera em hex
+        hex_serial=$(printf '%x' "$tls_serial_0")
+        status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
+        if echo "$status" | grep -q "good"; then
+            exit 0 # sucesso
+        fi
+
+        exit 1 # revogado ou não encontrado
+    fi
+    exit 1
+fi

conf/ssl.conf

@@ -0,0 +1,64 @@
+<VirtualHost *:443>
+    ServerName 10.60.0.1
+    DocumentRoot /var/www/html
+
+    SSLEngine on
+    SSLCertificateFile /etc/httpd/ssl/apache.crt
+    SSLCertificateKeyFile /etc/httpd/ssl/apache.key
+    SSLCACertificateFile /etc/httpd/ssl/ca.crt
+
+    # mutual authentication
+    SSLVerifyClient require
+    SSLVerifyDepth 1
+
+    # ocsp validation
+    SSLOCSPEnable on
+    SSLOCSPDefaultResponder "http://10.60.0.1:8888"
+    SSLOCSPOverrideResponder on
+    SSLOCSPUseRequestNonce off
+
+    # session management 
+    Session On
+    SessionCookieName session path=/;HttpOnly;Secure
+
+    # proteger
+    <Location "/">
+        AuthType Form
+        AuthName "Coimbra VPN"
+        AuthFormProvider PAM
+        AuthPAMService httpd-totp
+        AuthFormLoginRequiredLocation "/login.html"
+        Require valid-user
+    </Location>
+
+    # public login page
+    <Location "/login.html">
+        AuthType None
+        Require all granted
+    </Location>
+
+    # login handler
+    <Location "/dologin">
+        SetHandler form-login-handler
+        AuthType Form
+        AuthName "Coimbra VPN"
+        AuthFormProvider PAM
+        AuthPAMService httpd-totp
+        Require all granted
+        AuthFormLoginSuccessLocation "/index.html"
+        AuthFormLoginRequiredLocation "/login.html?error=1"
+    </Location>
+
+    # logout handler
+    <Location "/logout">
+        SetHandler form-logout-handler
+        AuthFormLogoutLocation "/login.html?loggedout=1"
+    </Location>
+
+</VirtualHost>
+
+# redirect para https
+<VirtualHost *:80>
+    ServerName 10.60.0.1
+    Redirect permanent / https://10.60.0.1/
+</VirtualHost>

conf/totp

@@ -0,0 +1,3 @@
+auth    required    pam_google_authenticator.so forward_pass
+auth    required    pam_unix.so use_first_pass
+account required    pam_unix.so

conf/vpn.conf

@@ -0,0 +1,29 @@
+local 193.136.212.1
+port 1194
+proto udp
+dev tun
+
+verb 4
+
+# Bro is too honorable
+ca /etc/openvpn/server/ca.crt
+cert /etc/openvpn/server/vpn.crt
+key /etc/openvpn/server/vpn.key
+dh /etc/openvpn/server/dh2048.pem
+
+topology subnet
+server 10.8.0.0 255.255.255.0
+push "route 10.60.0.0 255.255.255.0"
+
+# OCSP and Revocation
+script-security 2
+tls-verify /etc/openvpn/server/ocsp-verify.sh
+# auth
+cipher AES-256-GCM
+auth SHA256
+
+# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
+plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
+tls-auth /etc/openvpn/server/ta.key 0
+
+

enunciado.txt

@@ -0,0 +1,143 @@
+FSI 2025/2026
+Practical Assignment #2
+
+1. Goals
+•
+
+Configure a VPN tunnel in the “road warrior” scenario.
+
+•
+
+Enable two-factor user authentication with OpenVPN and Apache services.
+
+•
+
+Manage PKI: certification authorities, X.509 certificates, revocation and OCSP.
+
+2. General description
+Figure 1 illustrates the scenario considered for our practical assignment. As illustrated, secure communications are
+supported by a VPN tunnel established between a remote client (road warrior) and the VPN gateway, with the purpose of
+enabling accesses to services in the Internal Network, particularly a web server running Apache. To enable the VPN tunnel,
+we will use OpenVPN (https://openvpn.net).
+
+Figure 1 – Scenario for the Practical Assignment #1
+
+Regarding authentication, the two communication entities participating in the VPN tunnel (road warrior and the VPN
+gateway) should possess valid X.509 certificates, which are created with a private Certification Authority (CA). Users
+establishing remote connections to the VPN gateway (road warriors), as well as users connecting to the Apache server, will
+also use two-factor authentication, as described below. Apache must also implement client authentication via X.509
+certificates. Figure 2 provides an illustration of the interactions between all the entities involved in this setup.
+
+Figure 2 – X.509 mutual authentication and OCSP
+
+As we can observe in Figure 2, the VPN gateway and the Apache web server must verify the status of validity of certificates
+using OCSP (Online Certificate Status Protocol) and revocation information from the CA. OCSP verification in not
+required for the road warrior. Next, we describe the configuration requirements for the various components of the
+assignment.
+
+3. Configuration requirements
+VPN tunnel for remote access (road warriors)
+As illustrated in Figure 1, remote clients (road warriors) are able to connect to the Coimbra VPN gateway, and using the
+tunnel remotely access hosts in the Internal network. The following configuration requirements should be considered:
+•
+
+In order to establish a VPN tunnel with the Coimbra gateway, the road warrior must be in the possession of a valid
+X.509 certificate, issued by the private CA of the scenario.
+
+•
+
+The road warrior and the Coimbra VPN gateway must perform mutual authentication using X.509 digital certificates.
+
+•
+
+The Coimbra VPN gateway should verify the validity of the X.509 certificate presented by the road warrior using OCSP
+and, in case the certificate is revoked, the gateway should refuse the connection.
+
+•
+
+In order to authorize the remote user, the Coimbra gateway should also enforce two other authentication steps: the user
+must present a valid username and password, plus a one-time password (OTP, or an authentication token).
+
+Web server
+2
+
+The road warrior user should be able to contact the Apache web server with HTTPS through the VPN tunnel. The
+following configuration requirements should be considered:
+•
+
+Apache should enforce two-factor authentication in order to authorize accesses from clients: the client (browser) should
+present a valid X.509 certificate (issued with the private CA of the scenario) and the user should also present a valid onetime password (or authentication token).
+
+•
+
+As in the VPN, the validity of the X.509 certificate presented by the client should be checked in the CA using OCSP.
+
+Two-factor user authentication
+As previously discussed, VPN establishment and HTTPS accesses to Apache make use of one-time passwords
+(authentication tokens), which may be generated by an appropriate application. One-time passwords may be generated using
+the TOTP (Time-based One-time Password Algorithm). This algorithm employs a secret key shared between the user
+(client) and the remote service, plus a timestamp (obtained from the current system time), to obtain a one-time password.
+In order to generate a one-time password, the user may use an application such as Google Authenticator, illustrated in
+Figure 3. This application periodically generates a new one-time password that can be used to authenticate the user with the
+remote service. This application is available for iOS and Android 1.
+Certification authority
+As already discussed, the goal is to use OpenSSL to configure a private Certification Authority, as well as to issue and revoke
+X.509 digital certificates for the VPN gateways and remote users. The following configuration requirements should be
+considered:
+•
+
+The Certification Authority is used to issue certificates for the VPN gateway, VPN client and Apache web server.
+
+•
+
+The Certification Authority allows the revocation of certificates previously issued.
+
+•
+
+The Certification Authority also supports a OCSP responder.
+
+For Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en and
+for Apple iOS: https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
+1
+
+3
+
+Figure 3 – Google Authenticator app, to generate a one-time password to access services enabled with two-factor authentication
+
+4. Delivery of the Practical Assignment
+With the assignment, please deliver also a report, containing the following information:
+•
+
+Descriptions of the configurations for the implementation of the previous requirements.
+
+•
+
+A description of how the private Certification Authority was created using OpenSSL.
+
+•
+
+A description of how X.509 certificates were issued and revoked using the private Certification Authority.
+
+•
+
+A description of the tests performed to validate the functionalities implemented.
+
+•
+
+Remaining information considered relevant.
+
+For the delivery of the assignment, put your report, as well as the relevant configuration files, in a single archive. This archive
+should be signed using your PGP key and encrypted using the PGP key of your PL teacher.
+Note: Assignments without PGP will be accepted, although with a discount of 5% in the final grade.
+Delivery deadline:
+•
+
+The deadline for the delivery of the assignment (configuration files and report) is May 3rd 2026.
+
+•
+
+Submission via Inforestudante.
+
+4
+
+

relatorio.tex

@@ -1,29 +0,0 @@
-\documentclass[12pt,a4paper]{article}
-\usepackage[portuguese]{babel}
-\usepackage[lining]{ebgaramond}
-
-\title{Practical Assignment \#1}
-\author{
-    João Neto -- \\[1em]
-    Vasco Alves -- 2022228207
-}
-
-\begin{document}
-\maketitle
-\tableofcontents
-\newpage
-
-\section{Introduction}
-
-\section{Firewall}
-Sigmasigmaboy123
-\subsection{Packet fileter with NAT}
-\subsection{Packet filtering without NAT}
-\subsection{External Network}
-\subsection{Internal Network}
-
-\section{Intrusion Detection}
-
-\section{Conclusion}
-
-\end{document}

relatorio.toc

@@ -1,9 +0,0 @@
-\babel@toc {portuguese}{}\relax 
-\contentsline {section}{\numberline {1}Introduction}{2}{}%
-\contentsline {section}{\numberline {2}Firewall}{2}{}%
-\contentsline {subsection}{\numberline {2.1}Packet fileter with NAT}{2}{}%
-\contentsline {subsection}{\numberline {2.2}Packet filtering without NAT}{2}{}%
-\contentsline {subsection}{\numberline {2.3}External Network}{2}{}%
-\contentsline {subsection}{\numberline {2.4}Internal Network}{2}{}%
-\contentsline {section}{\numberline {3}Intrusion Detection}{2}{}%
-\contentsline {section}{\numberline {4}Conclusion}{2}{}%

relatorio/relatorio.aux

@@ -0,0 +1,30 @@
+\relax 
+\providecommand \babel@aux [2]{\global \let \babel@toc \@gobbletwo }
+\@nameuse{bbl@beforestart}
+\catcode `"\active 
+\providecommand\hyper@newdestlabel[2]{}
+\providecommand\HyField@AuxAddToFields[1]{}
+\providecommand\HyField@AuxAddToCoFields[2]{}
+\babel@aux{portuguese}{}
+\@writefile{toc}{\contentsline {section}{\numberline {1}Introdução}{3}{section.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {2}Preparação Inicial}{3}{section.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Criação de Certificados}{3}{subsection.2.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Configuração geral}{4}{subsection.2.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {3}VPN Gateway}{5}{section.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{10}{subsection.5.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.2.1}Testes}{10}{subsubsection.5.2.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{11}{subsection.5.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.1}Testes}{11}{subsubsection.5.3.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {6}Teste Integrado}{11}{section.6}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {7}Conclusão}{11}{section.7}\protected@file@percent }
+\gdef \@abspage@last{11}

relatorio/relatorio.listing

@@ -0,0 +1 @@
+openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt

relatorio/relatorio.tex

@@ -0,0 +1,571 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage[portuguese]{babel}
+\usepackage[lining]{ebgaramond}
+\usepackage{style}
+
+\setlength{\parindent}{0em}
+\setlength{\parskip}{2ex}
+
+\title{Practical Assignment \#2}
+\author{
+    João Neto -- 2023234004\\[1em]
+    Vasco Alves -- 2022228207
+}
+
+\begin{document}
+\maketitle
+
+\newpage
+\tableofcontents
+
+\newpage
+
+\section{Introdução}
+
+Este projeto tem como âmbito implementar, uma rede virtual privada (VPN) num cenário
+de road-warrior, configurar \textit{two-factor authentication} (2FA) com os serviços
+OpenVPN e Apache, e gerir certificados X.509 utilizando OCSP.
+
+% NOTE(vasco): Eu acho que basta explicar o cenario e explicar como decidimos 
+% implementar <- yeah agree, also esta introdução acho que é boa fala sobre o objetivo
+% e o cenario, e porque é que o nosso cenario é como é. Não sei se a parte das razões de
+%segurança devia estar nesta parte ou na conclusão como perpetiva futura e reflexão, mas aqui
+%também não está mal.
+
+% Para tal, foi implementado um servidor e um cliente OpenVPN, certificados por uma
+% autoridade central (CA) que em si é \textit{self-signed}. Para além disto, foi implementado
+% um sistema de autenticação de dois factores através do plugin
+% \textit{google-authenticator} para o OpenVPN e para o servidor de Apache.
+
+Decidimos utilizar apenas três máquinas virtuais: o cliente (ou \textit{road warrior}),
+a \textit{gateway} que utiliza OpenVPN e um servidor interno com OpenSSL e Apache. 
+Isto simplifica a elaboração do projecto, mas por razões de segurança poderia querer
+separar a máquina de OpenSSL de outras máquinas destinadas a serviços da rede interna,
+pois esta contém o \textit{certificate authority} (CA). 
+
+% Ambos o OpenVPN eo  servidor Apache utilizam 2FA,
+% recebendo o utilizador, e uma password que é uma concatenação da palavra-passe do utilizador
+% e de uma password temporária (TOTP) de 6 dígitos. O servidor de Apache implementa a mesma autenticação.
+
+\begin{tabular}{l l l}
+   {\bf Nome} & {\bf Script} & {\bf Rede} \\\toprule
+   Road Warrior & VM\_ROAD\_WARRIOR.sh & Rede Externa 193.168.0.0/24 \\
+   VPN Gateway & VM\_OPENVPN\_GATEWAY.sh & Router \\
+   OpenSSL / Apache & VM\_OPENSSL\_APACHE.sh & Rede Interna 10.60.0.0/24 \\
+\end{tabular}
+
+\section{Preparação Inicial}
+
+\subsection{Criação de Certificados}
+
+Os certificados utilizados foram auto-certificados por uma autoridade central que ``pertence''
+à máquina de OpenSSL. Esta mesma faz a gestão da lista de revogação.
+
+Todas as chaves foram criadas no mesmo computador, com as variáveis que estão
+neste código. Aspetos importantes para mais tarde serão os parâmetros de Comon Name (CN)
+pois servem para a validação do certificado ambos pelo OpenSSL e pelo browser.
+
+Nós optamos por assumir que num cenario real, teriamos acesso fisico ás maquinas, por isso em vez 
+de utilizar, por exemplo SCP ou FTP, escolhemos partilhar os ficheiros a partir da maquina host. No entanto outra abordagem também estaria correta.
+%John LIMBUS HIMSELF
+
+\begin{codeblock}[bash]{create\_all\_keys.sh}
+cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN"
+cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway"
+cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
+cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache.coimbra"
+
+openssl genrsa -out "ca.key" 2048
+openssl req -x509 -nodes -days 365 -key "ca.key" -out "ca.crt" -subj "$cert_ca"
+openssl genrsa -out "vpn.key" 2048
+openssl req -new -key "vpn.key" -out "vpn.csr" -subj "$cert_vpn"
+openssl ca -batch -in "vpn.csr" -cert "ca.crt" -keyfile "ca.key" -out "vpn.crt" -config cheese.cfg
+openssl dhparam -out "dh2048.pem" 2048
+openvpn --genkey secret "ta.key"
+openssl genrsa -out user.key
+openssl req -new -key user.key -out user.csr -subj "$cert_user"
+openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
+openssl genrsa -out apache.key
+openssl req -new -key apache.key -out apache.csr -subj "$cert_apache" -addext "subjectAltName = IP:10.60.0.1,DNS:apache"
+openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg
+openssl --genkey secret ta.key
+\end{codeblock}
+
+Como o CA foi criado ``\textit{in place}'', e não na sua pasta prédefinida, foi necessário utilizar 
+um configuração própria para definir os ficheiros \textit{index.txt} e \textit{serial}.
+
+\begin{codeblock}[bash]{cheese.cfg}
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+default_days = 365
+database = index.txt
+serial = serial
+copy_extensions = copy
+new_certs_dir = .
+default_md = sha256
+policy = policy_any
+[ policy_any ]
+commonName = supplied
+\end{codeblock}
+
+\subsection{Configuração geral}
+Para evitar repetição e redundancia; e para garantir consistencia na elaboração do projeto criamos varios shell scripts, um destinado a cada maquina virtual.
+
+Para configurar as VMs era preciso introduzir os mesmos comandos várias vezes, o que levava muitas vezes a erros de escrita,
+ou a correr o mesmo comando várias vezes, por isso criamos vários ficheiros .sh para conseguir facilitar o processo.
+A utilização de ficheiros .sh também vem com outros positivos pois facilita a testagem, e a recriação do cenário rapidamente.
+
+No entanto para os serviços que configuramos, instalar, desativar e dar flush às iptables não foi suficiente, tivemos que criar
+pastas e sincronizar os relógios de todas as VMs visto que elas estarem ligeiramente atrasadas nunca conseguíamos acertar na 
+password do google-authenticator visto que utiliza o tempo local para calcular a sua chave.
+
+\begin{codeblock}[bash]{VM\_CONFIG.sh}
+yum install -y epel-release
+yum install -y openvpn iptables-services dhcp-client
+systemctl stop firewalld
+systemctl disable firewalld
+systemctl mask firewalld
+systemctl enable iptables
+iptables -F
+
+CA_DIR="/etc/pki/CA"
+mkdir -p "${CA_DIR}/newcerts"
+mkdir -p "${CA_DIR}/private"
+touch "${CA_DIR}/index.txt"
+cp ca/serial "${CA_DIR}/serial"
+
+mkdir -p /etc/openvpn/server
+mkdir -p /etc/openvpn/client
+
+# NOTE(vasco): tive problemas com a sincronizacao de tempo
+# se nao tiver sincronizado, o TOTP nao funciona
+systemctl stop chronyd
+ntpdate pool.ntp.org
+systemctl start chronyd
+\end{codeblock}
+
+
+\section{VPN Gateway}
+
+\subsection{Configuração da Máquina}
+
+Como já foi dito anteriormente, cada máquina vem com um \textit{script}
+que instala toda a configuração necessária.
+
+Para que a gateway funcione como router entre a rede externa e a rede interna,
+foi necessário ativar o \textit{IP forwarding} no kernel e configurar as regras
+de \textit{iptables} para permitir o tráfego da VPN e realizar o mascaramento
+de IP (NAT).
+
+% NOTA(vasco): Não temos regras de DROP a packets
+% talvez deviamos mudar isso nao sei <- não diz nada no enunciado ¯\_(ツ)_/¯
+% também o trabalho não é sobre ip tables por isso it does make sense não fazer drop
+%e utilizar as regras apenas para encaminhar corretamente.
+% Colocar isso na conclusão tho
+
+\begin{codeblock}[bash]{VM\_VPN\_GATEWAY.sh}
+#!/bin/bash
+
+# --- configuracao --- #
+source VM_CONFIG.sh
+yum install -y google-authenticator qrencode ntpsec
+
+# --- forwarding --- #
+if_fora="enp0s8"
+ip_fora="193.136.212.1"
+if_dentro="enp0s9"
+ip_dentro="10.60.0.3"
+mega_tunel="tun0"
+ip_mega_tunel="10.8.0.0/24"
+
+ifconfig $if_fora $ip_fora netmask 255.255.255.0
+ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
+
+echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
+sysctl -p /etc/sysctl.conf
+
+iptables -I INPUT 1  -p udp --dport 1194 -j ACCEPT
+iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT
+iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT
+iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT
+iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE
+iptables-save > /etc/sysconfig/iptables
+
+# --- vpn server --- #
+vpn_dir="/etc/openvpn/server"
+cp ca/ta.key $vpn_dir 
+cp ca/ca.crt $vpn_dir 
+cp ca/vpn.key $vpn_dir 
+cp ca/vpn.crt $vpn_dir 
+cp ca/dh2048.pem $vpn_dir 
+cp conf/vpn.conf $vpn_dir 
+cp conf/ocsp-verify.sh $vpn_dir
+cp conf/totp /etc/pam.d/
+
+# --- utilizador --- #
+id -u john &>/dev/null || useradd john
+echo "password" | passwd --stdin john
+
+openvpn --config /etc/openvpn/server/vpn.conf
+\end{codeblock}
+
+\subsection{Configuração do Serviço OpenVPN}
+
+
+O servidor OpenVPN utiliza um certificado X.509 assinado pelo nosso \textit{Certificate Authority} (CA).
+E faz uso de um script \texttt{oscp-verify.sh} para validar ou revogar os certificados através do servidor OCSP.
+
+\begin{codeblock}{vpn.conf}
+local 193.136.212.1
+port 1194
+proto udp
+dev tun
+
+verb 4
+
+ca /etc/openvpn/server/ca.crt
+cert /etc/openvpn/server/vpn.crt
+key /etc/openvpn/server/vpn.key
+dh /etc/openvpn/server/dh2048.pem
+
+topology subnet
+server 10.8.0.0 255.255.255.0
+push "route 10.60.0.0 255.255.255.0"
+
+# ocsp and revocation
+script-security 2
+tls-verify /etc/openvpn/server/ocsp-verify.sh
+# auth
+cipher AES-256-GCM
+auth SHA256
+
+plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
+tls-auth /etc/openvpn/server/ta.key 0
+\end{codeblock}
+
+Foi criado o ficheiro \texttt{totp} com a configuração de autenticação a 
+ser utilizada pelo plugin de PAM para o openvpn.
+
+\begin{codeblock}{totp}
+auth    required    pam_google_authenticator.so forward_pass
+auth    required    pam_unix.so use_first_pass
+account required    pam_unix.so
+\end{codeblock}
+
+Este script simplesmente comunica com o servidor OpenSSl
+e verifica o resultado.
+
+\begin{codeblock}{ocsp\_verify.sh}
+#!/bin/bash
+depth=$1
+if [ "$depth" -eq 0 ]; then
+    if [ -n "$tls_serial_0" ]; then
+        # e preciso converter o serial para hexadecimal porque o openssl espera em hex
+        hex_serial=$(printf '%x' "$tls_serial_0")
+        status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
+        if echo "$status" | grep -q "good"; then
+            exit 0 # sucesso
+        fi
+        exit 1 # revogado ou nao encontrado
+    fi
+    exit 1
+fi
+\end{codeblock}
+
+\subsection{Erros}
+
+Um dos erros que encontramos pelo caminho foi que o OpenSSL OCSP espera que o 
+\textit{serial} esteja num formato diferente do que o esperado. Foi necessário
+converter para hexadecimal primeiro.
+
+Adicionalmente, devido às restrições de segurança do \textit{systemd},
+tentamos desativar o \texttt{ProtectHome} no serviço do OpenVPN
+para que o plugin PAM consiga ler os ficheiros de segredo do Google Authenticator
+localizados nas diretorias \textit{home} dos utilizadores. Mas isto não 
+foi suficiente, por isso acabamos por correr os serviços pela linha
+de comandoos.
+
+\subsection{Configurar o utilizador com TOTP}
+
+Primeiro, na gateway, entramos como o utilizador desejado e obtemos a chave
+do gerador de palavras passes temporárias. Ao inserir a chave no 
+\texttt{google authenticator} podemos obter um código QR,  a nossa primeira
+chave de 6 dígitos.
+
+\begin{figure}[h]
+    \centering
+    \includegraphics[width=8em]{google-authenticator}
+\end{figure}
+
+\begin{codeblock}[bash]{}
+su john
+google-authenticator
+\end{codeblock}
+
+\section{VPN Client (Road Warrior)}
+
+\subsection{Configuração da Máquina}
+Para a configuração da Máquina, configuramos o edereço, o default gateway e adicionamos apache aos Hosts:
+
+\begin{codeblock}{VM\_ROAD\_WARRIOR.sh}
+#!/bin/bash
+
+# --- configuracao --- #
+source VM_CONFIG.sh
+ifconfig enp0s8 193.136.212.10 netmask 255.255.255.0
+route add default gw 193.136.212.1 
+
+if ! grep -q "apache" /etc/hosts; then
+    echo "10.60.0.1 apache" >> /etc/hosts
+fi
+
+# --- vpn client --- #
+vpn_dir="/etc/openvpn/client/"
+cp ca/ta.key $vpn_dir 
+cp ca/ca.crt $vpn_dir 
+cp ca/user.key $vpn_dir 
+cp ca/user.crt $vpn_dir 
+cp conf/client.conf $vpn_dir 
+
+openvpn --config "${vpn_dir}/client.conf"
+\end{codeblock}
+
+
+% Esta configuração foi necessaria, porque sem edereço a VM não conseguia-se identificar na rede. Sem o default gateway
+% os edereços desconhecidos seriam enviados para a porta da internet, e adicionamos apache aos Hosts para que fosse igual
+% ao domain para não haver erros.
+%(I dunno about this Apache part??) Also sinto que ainda precisa de mais um bocado.
+Também foram movidos os certificados e chaves necessarias para as pastas do serviço openvpn, para que o Road Warrior
+consiga comunicar e ser validado pela gateway.
+
+
+\subsection{Configuração do Cliente OpenVPN}
+
+O cliente encontra-se na rede externa (\texttt{193.136.212.10}) e liga-se à VPN
+gateway na porta 1194. Para garantir a segurança, utilizamos autenticação mútua (os certificados X.509)
+e um \textit{two factor authentication} (2FA) como palavras-passe temporárias, geradas através do
+\textit{Google Authenticator}.
+
+\begin{codeblock}{client.conf}
+client
+dev tun
+proto udp
+remote 193.136.212.1 1194
+ca ca.crt
+cert user.crt
+key user.key
+auth-user-pass
+cipher AES-256-GCM
+auth SHA256
+\end{codeblock}
+
+\subsection{Testes}
+Para verificar que a autenticação foi corretamente implementada, inserimos a password de um utilizador sem os digitos do TOTP, e identificamos que utilizar somente a password não é suficiente para autenticar. Igualmente ao utilizar ambos a autenticação é bem sucedida. 
+
+Para verificar que o tunel foi estabelecido, primeiro corremos na linha de comandos \texttt{ip a}. Observamos a existencia de uma nova interface tun0, ou seja o tunel foi corretamente establecido. Depois demos ping ao route e depois ao servidor interno, que resultou em pacotes devolvidos para ambos. 
+
+
+
+% TODO: screenshots? dizer que erros exatos nos obtemos a cada etapa
+% TODO: erros ortograficos lol 
+
+Para verificar que o OCSP funciona correctamente, o cliente conectou ao servidor OpenVPN:
+primeiro, sem o servidor OCSP a correr, uma segunda vez com ele a correr e com o certificado correcto
+e uma terceira vez com um certificado revogado. Fizemos estes testes sabendo que o 
+cliente e o servidor já estavam correctamente configurados.
+
+Verificamos que, como é suposto: sem OCSP não é possivel autenticar; com OCSP e com certificado válido,
+podemos autenticar; e com OCSP mas com certificado revogado, a autenticação falha.
+
+\section{Servidor Apache e OCSP}
+Para a configuração da ultima maquina, temos o OpenSSL e Apache no mesmo servidor, por isso temos de configurar
+as pastas necessarias, os utilizadores do serviço, configurar os edereços e uma route:
+\begin{codeblock}{VM\_OPENSSL\_APACHE.sh}
+#!/bin/bash
+# configuracao
+source VM_CONFIG.sh
+
+sudo yum install -y epel-release
+sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator 
+sudo yum install -y mod_session
+
+# utilizador
+id -u john &>/dev/null || useradd john
+echo "password" | passwd --stdin john
+
+if_dentro="enp0s8"
+ip_dentro="10.60.0.1"
+ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
+
+# route de volta para comunicar com o warrior
+route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.60.0.3
+
+cp conf/openssl.cnf /etc/pki/tls/
+
+# copiar ca para esta VM
+cp ca/index.txt $CA_DIR
+cp ca/ca.crt $CA_DIR
+cp ca/ca.key $CA_DIR
+cp ca/serial $CA_DIR
+cp ca/dh2048.pem $CA_DIR
+
+# correr oscp
+killall openssl 2>/dev/null
+openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
+
+# apache
+mkdir -p /etc/httpd/ssl
+cp ca/ca.crt /etc/httpd/ssl/
+cp ca/apache.crt /etc/httpd/ssl/
+cp ca/apache.key /etc/httpd/ssl/
+cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
+cp conf/httpd.conf /etc/httpd/conf/httpd.conf
+cp conf/httpd-totp /etc/pam.d/httpd-totp
+
+echo "LoadModule session_module modules/mod_session.so" > /etc/httpd/conf.modules.d/01-session.conf
+echo "LoadModule session_cookie_module modules/mod_session_cookie.so" >> /etc/httpd/conf.modules.d/01-session.conf
+echo "LoadModule auth_form_module modules/mod_auth_form.so" > /etc/httpd/conf.modules.d/01-auth_form.conf
+
+cp -r www/* /var/www/html/
+chown -R apache:apache /var/www/html/
+
+httpd -X
+\end{codeblock}
+
+\subsection{Configuração da Máquina}
+
+Como já referimos a Máquina tem ambos o serviço OpenSSL e Apache, por isso vai precisar de dois .conf files para
+configurar-los. O httpd.conf tem as portas e modulos enquanto o ssl.conf tem a configuração da autenticação mútua, e o OCSP:
+\begin{codeblock}{httpd.conf}
+ServerRoot "/etc/httpd"
+
+Include conf.modules.d/*.conf
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+LoadModule mpm_event_module modules/mod_mpm_event.so
+
+User apache
+Group apache
+
+Listen 80
+Listen 443
+
+Include conf.d/*.conf
+
+DocumentRoot "/var/www/html"
+<Directory "/var/www/html">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
+\end{codeblock}
+
+\begin{codeblock}{ssl.conf}
+<VirtualHost *:443>
+    ServerName 10.60.0.1
+    DocumentRoot /var/www/html
+
+    SSLEngine on
+    SSLCertificateFile /etc/httpd/ssl/apache.crt
+    SSLCertificateKeyFile /etc/httpd/ssl/apache.key
+    SSLCACertificateFile /etc/httpd/ssl/ca.crt
+
+    # mutual authentication
+    SSLVerifyClient require
+    SSLVerifyDepth 1
+
+    # ocsp validation
+    SSLOCSPEnable on
+    SSLOCSPDefaultResponder "http://10.60.0.1:8888"
+    SSLOCSPOverrideResponder on
+    SSLOCSPUseRequestNonce off
+
+    # session management 
+    Session On
+    SessionCookieName session path=/;HttpOnly;Secure
+
+    # proteger
+    <Location "/">
+        AuthType Form
+        AuthName "Coimbra VPN"
+        AuthFormProvider PAM
+        AuthPAMService httpd-totp
+        AuthFormLoginRequiredLocation "/login.html"
+        Require valid-user
+    </Location>
+
+    # public login page
+    <Location "/login.html">
+        AuthType None
+        Require all granted
+    </Location>
+
+    # login handler
+    <Location "/dologin">
+        SetHandler form-login-handler
+        AuthType Form
+        AuthName "Coimbra VPN"
+        AuthFormProvider PAM
+        AuthPAMService httpd-totp
+        Require all granted
+        AuthFormLoginSuccessLocation "/index.html"
+        AuthFormLoginRequiredLocation "/login.html?error=1"
+    </Location>
+
+    # logout handler
+    <Location "/logout">
+        SetHandler form-logout-handler
+        AuthFormLogoutLocation "/login.html?loggedout=1"
+    </Location>
+
+</VirtualHost>
+
+# redirect para https
+<VirtualHost *:80>
+    ServerName 10.60.0.1
+    Redirect permanent / https://10.60.0.1/
+</VirtualHost>
+\end{codeblock}
+
+\subsubsection{Testes}
+\begin{itemize}
+    \item \textbf{Domínio:} Verificou-se que o acesso só é permitido utilizando o endereço correto, pois se for inserido outro dominio, não é direcionado para o site do Apache.
+    \item \textbf{Redirecionamento HTTPS:} Ao testar quando colocamos http, e o dominio certo, era redirecionado para https.
+    \item \textbf{Autenticação com o Certificado:} O acesso foi negado ao apresentar certificados inválidos ou ausentes no browser, devolvendo um erro com sobre não conseguir establecer connexão porque falta de certificado.
+\end{itemize}
+
+Para Testar o OCSP, fizemos os seguintes paços:
+\begin{enumerate}
+    \item Estabelecer a ligação VPN e verificar a conectividade à rede interna.
+    \item No diretório da autoridade de certificação (máquina \textit{host}), revogar o certificado do utilizador:
+\begin{codeblock}[bash]{revoke.sh}
+openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt
+\end{codeblock}
+    \item Atualizar o ficheiro \texttt{index.txt} no servidor OCSP e reiniciar o serviço para carregar o novo estado de revogação.
+    \item Tentar estabelecer uma nova ligação VPN e verificar que a autenticação falha devido à resposta \texttt{revoked} do responder OCSP.
+\end{enumerate}
+
+
+\section{Teste Integrado}
+
+%What we already do everything right?????
+
+\section{Conclusão}
+
+% Conclusão!!!!
+
+Atingimos o objetivo deste trabalho, conseguimos configurar o VPN tunnel,
+o two-factor authentication e conseguimos criar e retirar acesso aos
+certificados que emitimos. Utilizar mais maquinas para simular um cenario
+maior seria redundante, teriamos que emitir mais certificados mas não iamos
+aprender muito mais. Se fossemos aplicar o que fizemos no trabalho anterior
+podiamos dar DROP aos pacotes que não nos interessa nesta cenario,
+e implementar suricata para identificar possiveis ataques nos serviços.
+
+%È estranho que para uma cadeira de cybersegurança nós implementamos
+%pouca you know segurança.
+
+% Para aprofundar (???) yeah
+
+\end{document}

relatorio/relatorio.toc

@@ -0,0 +1,22 @@
+\babel@toc {portuguese}{}\relax 
+\contentsline {section}{\numberline {1}Introdução}{3}{section.1}%
+\contentsline {section}{\numberline {2}Preparação Inicial}{3}{section.2}%
+\contentsline {subsection}{\numberline {2.1}Criação de Certificados}{3}{subsection.2.1}%
+\contentsline {subsection}{\numberline {2.2}Configuração geral}{4}{subsection.2.2}%
+\contentsline {section}{\numberline {3}VPN Gateway}{5}{section.3}%
+\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}%
+\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}%
+\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}%
+\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}%
+\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}%
+\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}%
+\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}%
+\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}%
+\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}%
+\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}%
+\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{10}{subsection.5.2}%
+\contentsline {subsubsection}{\numberline {5.2.1}Testes}{10}{subsubsection.5.2.1}%
+\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{11}{subsection.5.3}%
+\contentsline {subsubsection}{\numberline {5.3.1}Testes}{11}{subsubsection.5.3.1}%
+\contentsline {section}{\numberline {6}Teste Integrado}{11}{section.6}%
+\contentsline {section}{\numberline {7}Conclusão}{11}{section.7}%

relatorio/style.sty

@@ -0,0 +1,64 @@
+\usepackage[margin=1in]{geometry}
+\usepackage{raleway}
+\renewcommand{\familydefault}{\sfdefault}
+\usepackage{ulem}
+\usepackage{wrapfig}
+\usepackage{graphicx,tabularx,booktabs}
+\usepackage{paracol}
+\usepackage[dvipsnames]{xcolor}
+\usepackage{enumitem,amssymb}
+\usepackage[colorlinks=true,urlcolor=blue,linkcolor=MidnightBlue]{hyperref}
+\graphicspath{{./img/}}
+
+\usepackage{enumitem,amssymb}
+\newlist{todolist}{itemize}{2}
+\setlist[todolist]{noitemsep, topsep=0pt,label=$\square$}
+
+\usepackage{pifont}
+\usepackage{amssymb}
+
+\usepackage[most]{tcolorbox}
+\tcbuselibrary{listings, skins, breakable}
+
+\lstdefinestyle{mystyle}{
+    basicstyle=\ttfamily\footnotesize,
+    breakatwhitespace=false,         
+    breaklines=true,                 
+    captionpos=b,                    
+    keepspaces=true,                 
+    numbers=left,                    
+    numbersep=5pt,                  
+    showspaces=false,                
+    showstringspaces=false,
+    showtabs=false,                  
+    tabsize=2,
+    commentstyle=\color{gray},
+    keywordstyle=\color{MidnightBlue}\bfseries,
+    stringstyle=\color{ForestGreen}
+}
+
+\newtcblisting{codeblock}[2][]{
+    enhanced,
+    breakable,
+    colback=gray!2!white,
+    colframe=gray!20!black,
+    attach boxed title to top left={yshift*=-\tcboxedtitleheight/2, xshift=4mm},
+    boxed title style={
+        colback=gray!20!black,
+        outer arc=0pt,
+        arc=0pt,
+        top=1pt,
+        bottom=1pt,
+    },
+    fonttitle=\bfseries\ttfamily\footnotesize,
+    title={#2},
+    listing only,
+    listing options={
+        style=mystyle,
+        language=#1,
+    }
+}
+
+\setlength{\parskip}{1em}%
+\setlength{\parindent}{0em}%
+

www/index.html

@@ -0,0 +1,13 @@
+<html>
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Coimbra VPN</title>
+</head>
+<body>
+    <h1>Coimbra VPN</h1>
+    <p>Lorem ipsum dolor, sit amet consectetur adipisicing elit.
+     Minima porro unde praesentium sint itaque optio, deserunt eum est voluptatum, natus nihil repellat amet impedit? Fugiat fugit ex quis molestiae sit.</p>
+    
+</body>
+</html>

www/login.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
+        <title>Coimbra VPN</title>
+    </head>
+    <body>
+        <h1>Two-Factor Auth</h1>
+        <p>Enter your UNIX credentials and TOTP code</p>
+
+        <form action="/dologin" method="POST">
+
+            <label for="username">Username</label>
+            <input type="text" id="username" name="httpd_username" placeholder="username">
+
+            <br>
+
+            <label for="password">UNIX Password (password + 6 digit TOTP)</label>
+            <input type="password" id="password" name="httpd_password" placeholder="password + TOTP" required>
+
+            <button type="submit">Login</button>
+        </form>
+    </body>
+</html>