+
+f=/etc/openvpn/client/$name.crt
+if ! $shell "test -s $f"; then
+ # if common name is not unique, you get empty file. and if we didn't silence
+ # build-key, you'd see an error "TXT_DB error number 2"
+ echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+ exit 1
+fi
+
+$shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
+# From example config, from debian stretch as of 1-2017
+client
+dev tun
+proto udp
+remote $host 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+ca $name-ca.crt
+cert $name.crt
+key $name.key
+# disabled for better performance
+#comp-lzo
+verb 3
+
+# This script will update local dns
+# to what the server sends, if it sends dns.
+script-security 2
+up "$script"
+down "$script"
+
+# matching server config
+cipher AES-256-CBC
+
+
+# example config has the commented line, but this other thing looks stronger,
+# and I've seen it in a vpn provider I trust
+# ns-cert-type server
+remote-cert-tls server
+
+# more resilient when running as nonroot
+persist-key
+
+# See comments in server side configuration.
+# The minimum of the client & server config is what is used by openvpn.
+reneg-sec 432000
+
+tls-auth $name-ta.key 1
+EOF
+
+if [[ $client_host ]] && $custom_script; then
+ $shell "dd of=$script" <$script
+ $shell "chmod +x $script"
+fi
+
+$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'