+
+cat > /etc/openvpn/client/$name.conf <<EOF
+# From example config, from debian stretch as of 1-2017
+client
+dev tun
+proto udp
+remote $host 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+ca $name-ca.crt
+cert $name.crt
+key $name.key
+# disabled for better performance
+#comp-lzo
+verb 3
+
+# This script will update local dns
+# to what the server sends, if it sends dns.
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+
+# matching server config
+cipher aes-256-cbc
+
+
+# example config has the commented line, but this other thing looks stronger,
+# and I've seen it in a vpn provider I trust
+# ns-cert-type server
+remote-cert-tls server
+
+# more resilient when running as nonroot
+persist-key
+EOF
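Review bot: The generated client config checks only that the peer presents a server-type certificate (`remote-cert-tls server`), so any server certificate issued by the CA in `$name-ca.crt` would be accepted; if that CA signs more than one server, pin the expected name with `verify-x509-name SERVER_CN_PLACEHOLDER name`. The final `persist-key` repeats the one earlier in the same heredoc, and its "running as nonroot" comment does not match the file, which has no `user`/`group` lines; either add them (the `down` hook would then run unprivileged and may fail to restore resolv.conf) or drop the duplicate and its comment. `cipher aes-256-cbc` is set without an `auth` line, which leaves the HMAC digest at the OpenVPN default; setting it explicitly, e.g. `auth SHA256`, would need a matching line in the server config, which is not visible here. The script lines that set `$name` and `$host` are outside the visible hunk, so it cannot be confirmed whether they are validated before being expanded into the unquoted output path and the `remote` line.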