-source vars # dun care about setting cert cn etc from the non-example values
-./clean-all
-# accept default prompts
-echo -e '\n\n\n\n\n\n\n\n' | ./build-ca
-
-# This builds the server's key/cert. argument is the name of the file,
-# but it also is the default common name of the cert.
-# 'server' is the default name in our conf file for the name of the file
-# and I've seen no reason to change it.
-# Note, this is not idempotent.
-{ echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server
-./build-dh
-cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
-cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem} /etc/openvpn
-gzip -df /etc/openvpn/server.conf.gz
+if [[ -e openssl-1.0.0.cnf && ! -e openssl.cnf ]]; then
+ # there's a debian bug about this.
+ ln -s openssl-1.0.0.cnf openssl.cnf
+fi
+
+server_dir=/etc/openvpn/server
+mkdir -p $server_dir
+chmod 700 $server_dir
+conf=$server_dir/$name.conf
+
+
+new=true
+ca_origin=$rsadir/pki/ca.crt
+keyfiles=(
+ $rsadir/pki/private/$name.key
+ $rsadir/pki/issued/$name.crt
+)
+if [[ -e /etc/openvpn/easy-rsa/build-ca ]]; then
+ new=false
+ ca_origin=$rsadir/ca.crt
+ keyfiles=(
+ $rsadir/keys/$name.key
+ $rsadir/keys/$name.crt
+ )
+fi
+
+keys_exist=true
+for f in ${keyfiles[@]}; do
+ if [[ ! -e $f ]]; then
+ keys_exist=false
+ break
+ fi
+done
+
+f=$server_dir/dh2048.pem
+if [[ ! -e $f ]]; then
+ openssl dhparam -out $f 2048
+fi
+
+f=$server_dir/ta-$name.key
+if [[ ! -e $f ]]; then
+ openvpn --genkey --secret $server_dir/ta-$name.key
+fi
+
+
+if ! $keys_exist; then
+ # newer sample configs (post stretch) use ta.key. no harm making it for earlier oses
+ if $new; then
+ echo 'set_var EASYRSA_NS_SUPPORT "yes"' >vars
+ ./easyrsa init-pki
+ ./easyrsa --batch build-ca nopass
+ ./easyrsa --days=3650 build-server-full $name nopass
+ else
+ # dun care about settning cert cn etc from the non-example values
+ source vars
+ # doesnt exist in buster
+ ./clean-all # note: removes and creates /etc/openvpn/easy-rsa/keys
+ # accept default prompts
+ echo -e '\n\n\n\n\n\n\n\n' | ./build-ca
+
+ # This builds the server's key/cert. argument is the name of the file,
+ # but it also is the default common name of the cert.
+ # 'server' is the default name in our conf file for the name of the file
+ # and I've seen no reason to change it.
+ # Note, this is not idempotent.
+ { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server $name
+ ./build-dh
+ fi
+fi
+
+if [[ -e /usr/share/doc/openvpn/examples/sample-config-files/server.conf ]]; then
+ cat /usr/share/doc/openvpn/examples/sample-config-files/server.conf >$conf
+else
+ # pre-bullsye name
+ gzip -dc /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz >$conf
+fi
+
+cafile=$server_dir/ca-$name.crt
+cp $ca_origin $cafile
+cp ${keyfiles[@]} $server_dir
+# for legacy systems
+for f in ${keyfiles[@]} $cafile; do
+ ln -sf server/${f##*/} /etc/openvpn
+done
+
+cat >>$conf <<EOF
+
+# I cat an extra blank line to start because the example config does
+# not have a final newline. ....
+
+# not in example config, but openvpn outputs a warning about insecure
+# cipher without a setting like this (the default i can understand due
+# to compatibility issues, but not changing the example config... not
+# cool).
+# requires the same setting on the client side.
+cipher AES-256-CBC
+# just sets up the ability to have client specific configs
+client-config-dir /etc/openvpn/client-config
+
+# duplicate in newer sample configs
+tls-auth ta-$name.key 0 # This file is secret
+
+# depending on sample config, this may not be there, which means i can't
+# talk to $ip4.1, there might be some other way, but stretch's
+# sample config says:
+# Should be subnet (addressing via IP)
+# unless Windows clients v2.0.9 and lower have to
+# be supported (then net30, i.e. a /30 per client)
+# Defaults to net30 (not recommended)
+topology subnet
+
+status /var/log/openvpn/openvpn-status-$name.log
+ifconfig-pool-persist /var/log/openvpn/ipp-$name.txt
+ca ca-$name.crt
+cert $name.crt
+key $name.key
+client-config-dir /etc/openvpn/client-config-$name
+server $ip4.0 255.255.255.0
+EOF
+mkdir -p /etc/openvpn/client-config-$name
+