- removed init- and config-files shipped with the openvpn package

- changed the description for the management port option
- changed PKI options from "Value" to "FileUpload"
- added "pkcs12" option to basic theme
- cleaned the recipes by removing defaults and adding
  approved config options we use for some years now.
- ... more to come.

7 files changed, 180 insertions, 691 deletions

diff --git a/applications/luci-openvpn/luasrc/i18n/openvpn.en.lua b/applications/luci-openvpn/luasrc/i18n/openvpn.en.lua
index b56e5780d..0e48944cd 100644
--- a/applications/luci-openvpn/luasrc/i18n/openvpn.en.lua
+++ b/applications/luci-openvpn/luasrc/i18n/openvpn.en.lua
@@ -114,7 +114,7 @@ openvpn_param_disable_occ="Disable options consistency check"
 openvpn_param_gremlin="Special stress testing mode"
 openvpn_param_comp_lzo="Use fast LZO compression"
 openvpn_param_comp_noadapt="Don't use adaptive lzo compression"
-openvpn_param_management="Enable TCP server on ip:port"
+openvpn_param_management="Enable management interface on <IP> <port>"
 openvpn_param_management_client="Management interface will connect as a TCP client"
 openvpn_param_management_query_passwords="Query management channel for private key"
 openvpn_param_management_hold="Start OpenVPN in a hibernating state"
diff --git a/applications/luci-openvpn/luasrc/model/cbi/openvpn-advanced.lua b/applications/luci-openvpn/luasrc/model/cbi/openvpn-advanced.lua
index b1941e15f..834dceb24 100644
--- a/applications/luci-openvpn/luasrc/model/cbi/openvpn-advanced.lua
+++ b/applications/luci-openvpn/luasrc/model/cbi/openvpn-advanced.lua
@@ -23,85 +23,85 @@ local knownParams = {
 
 	{ "service", {
 		-- initialisation and daemon options
-		{ ListValue,	"verb",					{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 } },
-		{ Flag,			"mlock",				0 },
-		{ Flag,			"disable_occ",			0 },
-	--	{ Value,		"user",					"root" },
-	--	{ Value,		"group",				"root" },
-		{ Value,		"cd",					"/etc/openvpn" },
-		{ Value,		"chroot",				"/var/run" },
-	--	{ Value,		"daemon",				"Instance-Name" },
-	--	{ Value,		"syslog",				"Instance-Name" },
-		{ Flag,			"passtos",				0 },
-	--	{ Value,		"inetd",				"nowait Instance-Name" },
-		{ Value,		"log",					"/var/log/openvpn.log" },
-		{ Value,		"log_append",			"/var/log/openvpn.log" },
-		{ Flag,			"suppress_timestamps",	0 },
-	--	{ Value,		"writepid",				"/var/run/openvpn.pid" },
-		{ Value,		"nice",					0 },
-		{ Flag,			"fast_io",				0 },
-		{ Value,		"echo",					"some params echoed to log" },
-		{ ListValue,	"remap_usr1",			{ "SIGHUP", "SIGTERM" } },
-		{ Value,		"status",				"/var/run/openvpn.status 5" },
-		{ Value,		"status_version",		{ 1, 2 } },	-- status
-		{ Value,		"mute",					5 },
-
-		{ Value,		"up",					"/usr/bin/ovpn-up" },
-		{ Value,		"up_delay",				5 },
-		{ Value,		"down",					"/usr/bin/ovpn-down" },
-		{ Flag,			"down_pre",				0 },
-		{ Flag,			"up_restart",			0 },
-		{ Value,		"route_up",				"/usr/bin/ovpn-routeup" },
-		{ Value,		"ipchange",				"/usr/bin/ovpn-ipchange",	{ mode="p2p" } },
-		{ DynamicList,	"setenv",				{ "VAR1 value1", "VAR2 value2" } },
-		{ Value,		"tls_verify",			"/usr/bin/ovpn-tlsverify" },
-		{ Value,		"client_connect",		"/usr/bin/ovpn-clientconnect" },
-		{ Flag,			"client_disconnect",	0 },
-		{ Value,		"learn_address",		"/usr/bin/ovpn-learnaddress" },
+		{ ListValue,	"verb",						{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 } },
+		{ Flag,			"mlock",					0 },
+		{ Flag,			"disable_occ",				0 },
+	--	{ Value,		"user",						"root" },
+	--	{ Value,		"group",					"root" },
+		{ Value,		"cd",						"/etc/openvpn" },
+		{ Value,		"chroot",					"/var/run" },
+	--	{ Value,		"daemon",					"Instance-Name" },
+	--	{ Value,		"syslog",					"Instance-Name" },
+		{ Flag,			"passtos",					0 },
+	--	{ Value,		"inetd",					"nowait Instance-Name" },
+		{ Value,		"log",						"/var/log/openvpn.log" },
+		{ Value,		"log_append",				"/var/log/openvpn.log" },
+		{ Flag,			"suppress_timestamps",		0 },
+	--	{ Value,		"writepid",					"/var/run/openvpn.pid" },
+		{ Value,		"nice",						0 },
+		{ Flag,			"fast_io",					0 },
+		{ Value,		"echo",						"some params echoed to log" },
+		{ ListValue,		"remap_usr1",			{ "SIGHUP", "SIGTERM" } },
+		{ Value,		"status",					"/var/run/openvpn.status 5" },
+		{ Value,		"status_version",			{ 1, 2 } },	-- status
+		{ Value,		"mute",						5 },
+
+		{ Value,		"up",						"/usr/bin/ovpn-up" },
+		{ Value,		"up_delay",					5 },
+		{ Value,		"down",						"/usr/bin/ovpn-down" },
+		{ Flag,			"down_pre",					0 },
+		{ Flag,			"up_restart",				0 },
+		{ Value,		"route_up",					"/usr/bin/ovpn-routeup" },
+		{ Value,		"ipchange",					"/usr/bin/ovpn-ipchange",	{ mode="p2p" } },
+		{ DynamicList,	"setenv",					{ "VAR1 value1", "VAR2 value2" } },
+		{ Value,		"tls_verify",				"/usr/bin/ovpn-tlsverify" },
+		{ Value,		"client_connect",			"/usr/bin/ovpn-clientconnect" },
+		{ Flag,			"client_disconnect",		0 },
+		{ Value,		"learn_address",			"/usr/bin/ovpn-learnaddress" },
 		{ Value,		"auth_user_pass_verify",	"/usr/bin/ovpn-userpass via-env" },
 	} },
 
 	{ "networking", {
 		-- socket config
-		{ ListValue,	"mode",					{ "p2p", "server" } },
-		{ Value,		"local",				"0.0.0.0" },
-		{ Value,		"port",					1194 },
-		{ Value,		"lport",				1194 },
-		{ Value,		"rport",				1194 },
-		{ Flag,			"float",				0 },
-		{ Flag,			"nobind",				0 },
-
-		{ Value,		"dev",					"tun0" },
-		{ ListValue,	"dev_type",				{ "tun", "tap" } },
-		{ Value,		"dev_node",				"/dev/net/tun" },
-		{ Flag,			"tun_ipv6",				0 },
-
-		{ Value,		"ifconfig",				"10.200.200.3 10.200.200.1" },
+		{ ListValue,	"mode",				{ "p2p", "server" } },
+		{ Value,		"local",			"0.0.0.0" },
+		{ Value,		"port",				1194 },
+		{ Value,		"lport",			1194 },
+		{ Value,		"rport",			1194 },
+		{ Flag,			"float",			0 },
+		{ Flag,			"nobind",			0 },
+
+		{ Value,		"dev",				"tun0" },
+		{ ListValue,	"dev_type",			{ "tun", "tap" } },
+		{ Value,		"dev_node",			"/dev/net/tun" },
+		{ Flag,			"tun_ipv6",			0 },
+
+		{ Value,		"ifconfig",			"10.200.200.3 10.200.200.1" },
 		{ Flag,			"ifconfig_noexec",		0 },
 		{ Flag,			"ifconfig_nowarn",		0 },
 
-		{ DynamicList,	"route",				"10.123.0.0 255.255.0.0" },
+		{ DynamicList,	"route",			"10.123.0.0 255.255.0.0" },
 		{ Value,		"route_gateway",		"10.234.1.1" },
 		{ Value,		"route_delay",			0 },
 		{ Flag,			"route_noexec",			0 },
 
-		{ ListValue,	"mtu_disc",				{ "yes", "maybe", "no" } },
-		{ Flag,			"mtu_test",				0 },
-		{ Flag,			"comp_lzo",				0 },
+		{ ListValue,	"mtu_disc",			{ "yes", "maybe", "no" } },
+		{ Flag,			"mtu_test",			0 },
+		{ Flag,			"comp_lzo",			0 },
 		{ Flag,			"comp_noadept",			0,		{ comp_lzo=1 } },
-		{ Value,		"link_mtu",				1500 },
-		{ Value,		"tun_mtu",				1500 },
+		{ Value,		"link_mtu",			1500 },
+		{ Value,		"tun_mtu",			1500 },
 		{ Value,		"tun_mtu_extra",		1500 },
-		{ Value,		"fragment",				1500,	{ proto="udp" } },
-		{ Value, 		"mssfix",				1500,	{ proto="udp" } },
-		{ Value,		"sndbuf",				65536 },
-		{ Value,		"rcvbuf",				65536 },
+		{ Value,		"fragment",			1500,	{ proto="udp" } },
+		{ Value, 		"mssfix",			1500,	{ proto="udp" } },
+		{ Value,		"sndbuf",			65536 },
+		{ Value,		"rcvbuf",			65536 },
 		{ Value,		"txqueuelen",			100 },
-		{ Value,		"shaper",				10240 },
+		{ Value,		"shaper",			10240 },
 
-		{ Value,		"inactive",				240 },
+		{ Value,		"inactive",			240 },
 		{ Value,		"keepalive",			"10 60" },
-		{ Value,		"ping",					30 },
+		{ Value,		"ping",				30 },
 		{ Value,		"ping_exit",			120 },
 		{ Value,		"ping_restart",			60 },
 		{ Flag,			"ping_timer_rem",		0 },
@@ -109,56 +109,56 @@ local knownParams = {
 		{ Flag,			"persist_tun",			0 },
 		{ Flag,			"persist_key",			0 },
 		{ Flag,			"persist_local_ip",		0 },
-		{ Flag,			"persist_remote_ip",	0 },
+		{ Flag,			"persist_remote_ip",		0 },
 
 		-- management channel
 		{ Value,		"management",			"127.0.0.1 31194 /etc/openvpn/mngmt-pwds" },
-		{ Flag,			"management_query_passwords",										0 },	-- management
+		{ Flag,			"management_query_passwords",	0 },	-- management
 		{ Flag,			"management_hold",		0 },	-- management
-		{ Flag,			"management_log_cache",	100 },	-- management
+		{ Flag,			"management_log_cache",		100 },	-- management
 	} },
 
 	{ "vpn", {
-		{ Value,		"server",				"10.200.200.0 255.255.255.0", { server_mode="1" } },
-		{ Value,		"server_bridge",		"10.200.200.1 255.255.255.0 10.200.200.200 10.200.200.250", { server_mode="1" } },
-		{ DynamicList,	"push",					{ "redirect-gateway", "comp-lzo" }, { server_mode="1" } },
-		{ Flag,			"push_reset",			0, { server_mode="1" } },
-		{ Flag,			"disable",				0, { server_mode="1" } },
-		{ Value,		"ifconfig_pool",		"10.200.200.100 10.200.200.150 255.255.255.0", { server_mode="1" } },
+		{ Value,		"server",					"10.200.200.0 255.255.255.0", { server_mode="1" } },
+		{ Value,		"server_bridge",			"10.200.200.1 255.255.255.0 10.200.200.200 10.200.200.250", { server_mode="1" } },
+		{ DynamicList,	"push",						{ "redirect-gateway", "comp-lzo" }, { server_mode="1" } },
+		{ Flag,			"push_reset",				0, { server_mode="1" } },
+		{ Flag,			"disable",					0, { server_mode="1" } },
+		{ Value,		"ifconfig_pool",			"10.200.200.100 10.200.200.150 255.255.255.0", { server_mode="1" } },
 		{ Value,		"ifconfig_pool_persist",	"/etc/openvpn/ipp.txt 600", { server_mode="1" } },
-		{ Flag,			"ifconfig_pool_linear",	0, { server_mode="1" } },
-		{ Value,		"ifconfig_push",		"10.200.200.1 255.255.255.255", { server_mode="1" } },
-		{ Value,		"iroute",				"10.200.200.0 255.255.255.0", { server_mode="1" } },
-		{ Flag,			"client_to_client",		0, { server_mode="1" } },
-		{ Flag,			"duplicate_cn",			0, { server_mode="1" } },
-		{ Value,		"client_config_dir",	"/etc/openvpn/ccd", { server_mode="1" } },
-		{ Flag,			"ccd_exclusive",		0, { server_mode="1" } },
-		{ Value,		"tmp_dir",				"/var/run/openvpn", { server_mode="1" } },
-		{ Value,		"hash_size",			"256 256", { server_mode="1" } },
-		{ Value,		"bcast_buffers",		256, { server_mode="1" } },
-		{ Value,		"tcp_queue_limit",		64, { server_mode="1" } },
-		{ Value,		"max_clients",			10, { server_mode="1" } },
+		{ Flag,			"ifconfig_pool_linear",		0, { server_mode="1" } },
+		{ Value,		"ifconfig_push",			"10.200.200.1 255.255.255.255", { server_mode="1" } },
+		{ Value,		"iroute",					"10.200.200.0 255.255.255.0", { server_mode="1" } },
+		{ Flag,			"client_to_client",			0, { server_mode="1" } },
+		{ Flag,			"duplicate_cn",				0, { server_mode="1" } },
+		{ Value,		"client_config_dir",		"/etc/openvpn/ccd", { server_mode="1" } },
+		{ Flag,			"ccd_exclusive",			0, { server_mode="1" } },
+		{ Value,		"tmp_dir",					"/var/run/openvpn", { server_mode="1" } },
+		{ Value,		"hash_size",				"256 256", { server_mode="1" } },
+		{ Value,		"bcast_buffers",			256, { server_mode="1" } },
+		{ Value,		"tcp_queue_limit",			64, { server_mode="1" } },
+		{ Value,		"max_clients",				10, { server_mode="1" } },
 		{ Value,		"max_routes_per_client",	256, { server_mode="1" } },
-		{ Value,		"connect_freq",			"3 10", { server_mode="1" } },
+		{ Value,		"connect_freq",				"3 10", { server_mode="1" } },
 		{ Flag,			"client_cert_not_required",	0, { server_mode="1" } },
 		{ Flag,			"username_as_common_name",	0, { server_mode="1" } },
-		{ Flag,			"client",				0, { server_mode="0" }, { server_mode="" } },
-		{ Flag,			"pull",					0, { client="1" } },
-		{ Value,		"auth_user_pass",		"/etc/openvpn/userpass.txt", { client="1" } },
-		{ ListValue,	"auth_retry",			{ "none", "nointeract", "interact" }, { client="1" } },
-		{ Value,		"explicit_exit_notify",	1, { client="1" } },
-		{ DynamicList,	"remote",				"1.2.3.4", { client="1" } },		-- client
-		{ Flag,			"remote_random",		1, { client="1" } },				-- client
-		{ ListValue,	"proto",				{ "udp", "tcp-client", "tcp-server" }, { client="1" } },
-		{ Value,		"connect_retry",		5,	{ proto="tcp-client" }, { client="1" } },				-- client && proto=tcp-client
-		{ Value,		"http_proxy_server", 	"192.168.1.100 8080", { client="1" } },	-- client
-		{ Flag,			"http_proxy_retry",		0, { client="1" } },				-- client && http_proxy_server
-		{ Value,		"http_proxy_timeout",	5, { client="1" } },				-- client && http_proxy_server
-		{ DynamicList,	"http_proxy_option",	{ "VERSION 1.0", "AGENT OpenVPN/2.0.9" }, { client="1" } },	-- client && http_proxy_server
-		{ Value,		"socks_proxy_server", 	"192.168.1.200 1080", { client="1" } },	-- client
-		{ Value,		"socks_proxy_retry",	5, { client="1" } },					-- client && socks_proxy_server
-		{ Value,		"resolv_retry",			"infinite", { client="1" } },			-- client
-		{ ListValue,	"redirect_gateway",		{ "", "local", "def1", "local def1" }, { client="1" } }, -- client
+		{ Flag,			"client",					0, { server_mode="0" }, { server_mode="" } },
+		{ Flag,			"pull",						0, { client="1" } },
+		{ Value,		"auth_user_pass",			"/etc/openvpn/userpass.txt", { client="1" } },
+		{ ListValue,	"auth_retry",				{ "none", "nointeract", "interact" }, { client="1" } },
+		{ Value,		"explicit_exit_notify",		1, { client="1" } },
+		{ DynamicList,	"remote",					"1.2.3.4", { client="1" } },		-- client
+		{ Flag,			"remote_random",			1, { client="1" } },				-- client
+		{ ListValue,	"proto",					{ "udp", "tcp-client", "tcp-server" }, { client="1" } },
+		{ Value,		"connect_retry",			5,	{ proto="tcp-client" }, { client="1" } },				-- client && proto=tcp-client
+		{ Value,		"http_proxy_server", 		"192.168.1.100 8080", { client="1" } },	-- client
+		{ Flag,			"http_proxy_retry",			0, { client="1" } },				-- client && http_proxy_server
+		{ Value,		"http_proxy_timeout",		5, { client="1" } },				-- client && http_proxy_server
+		{ DynamicList,	"http_proxy_option",		{ "VERSION 1.0", "AGENT OpenVPN/2.0.9" }, { client="1" } },	-- client && http_proxy_server
+		{ Value,		"socks_proxy_server", 		"192.168.1.200 1080", { client="1" } },	-- client
+		{ Value,		"socks_proxy_retry",		5, { client="1" } },					-- client && socks_proxy_server
+		{ Value,		"resolv_retry",				"infinite", { client="1" } },			-- client
+		{ ListValue,	"redirect_gateway",			{ "", "local", "def1", "local def1" }, { client="1" } }, -- client
 	} },
 
 	{ "cryptography", {
@@ -174,11 +174,11 @@ local knownParams = {
 		{ Flag,			"no_iv",				0 },
 		{ Flag,			"tls_server",			0, { tls_client="" }, { tls_client="0" } },
 		{ Flag,			"tls_client",			0, { tls_server="" }, { tls_server="0" } },
-		{ Value,		"ca",					"/etc/easy-rsa/keys/ca.crt" },
-		{ Value,		"dh",					"/etc/easy-rsa/keys/dh1024.pem" },
-		{ Value,		"cert",					"/etc/easy-rsa/keys/some-client.crt" },
-		{ Value,		"key",					"/etc/easy-rsa/keys/some-client.key" },
-		{ Value,		"pkcs12",				"/etc/easy-rsa/keys/some-client.pk12" },
+		{ FileUpload,	"ca",					"/etc/easy-rsa/keys/ca.crt" },
+		{ FileUpload,	"dh",					"/etc/easy-rsa/keys/dh1024.pem" },
+		{ FileUpload,	"cert",					"/etc/easy-rsa/keys/some-client.crt" },
+		{ FileUpload,	"key",					"/etc/easy-rsa/keys/some-client.key" },
+		{ FileUpload,	"pkcs12",				"/etc/easy-rsa/keys/some-client.pk12" },
 		{ ListValue,	"key_method",			{ 1, 2 } },
 		{ Value,		"tls_cipher",			"DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5" },
 		{ Value,		"tls_timeout",			2 },
@@ -194,6 +194,7 @@ local knownParams = {
 		{ Flag,			"auth_nocache",			0 },
 		{ Value,		"tls_remote",			"remote_x509_name" },
 		{ ListValue,	"ns_cert_type",			{ "client", "server" } },
+		{ ListValue,	"remote_cert_tls",		{ "client", "server" } },
 		{ Value,		"crl_verify",			"/etc/easy-rsa/keys/crl.pem" },
  	} }
 }
diff --git a/applications/luci-openvpn/luasrc/model/cbi/openvpn-basic.lua b/applications/luci-openvpn/luasrc/model/cbi/openvpn-basic.lua
index cadf558bf..1d4cc4d7a 100644
--- a/applications/luci-openvpn/luasrc/model/cbi/openvpn-basic.lua
+++ b/applications/luci-openvpn/luasrc/model/cbi/openvpn-basic.lua
@@ -42,11 +42,12 @@ local basicParams = {
 	{ Flag,			"client_to_client",		0 },
 	{ DynamicList,	"remote",				"vpnserver.example.org" },
 
-	{ Value,		"secret",				"/etc/openvpn/secret.key 1" },
-	{ Value,		"ca",					"/etc/easy-rsa/keys/ca.crt" },
-	{ Value,		"dh",					"/etc/easy-rsa/keys/dh1024.pem" },
-	{ Value,		"cert",					"/etc/easy-rsa/keys/some-client.crt" },
-	{ Value,		"key",					"/etc/easy-rsa/keys/some-client.key" },
+	{ FileUpload,	"secret",				"/etc/openvpn/secret.key 1" },
+	{ FileUpload,	"pkcs12",				"/etc/easy-rsa/keys/some-client.pk12" },
+	{ FileUpload,	"ca",					"/etc/easy-rsa/keys/ca.crt" },
+	{ FileUpload,	"dh",					"/etc/easy-rsa/keys/dh1024.pem" },
+	{ FileUpload,	"cert",					"/etc/easy-rsa/keys/some-client.crt" },
+	{ FileUpload,	"key",					"/etc/easy-rsa/keys/some-client.key" },
 }
 
 
diff --git a/applications/luci-openvpn/root/etc/config/openvpn b/applications/luci-openvpn/root/etc/config/openvpn
deleted file mode 100644
index 9831ad15a..000000000
--- a/applications/luci-openvpn/root/etc/config/openvpn
+++ /dev/null
@@ -1,383 +0,0 @@
-#################################################
-# Sample OpenVPN 2.0 config file for            #
-# multi-client server.                          #
-#################################################
-
-config openvpn sample_server
-
-	# Set to 1 to enable this instance:
-	option enable 0
-
-	# Which local IP address should OpenVPN
-	# listen on? (optional)
-#	option local 0.0.0.0
-
-	# Which TCP/UDP port should OpenVPN listen on?
-	# If you want to run multiple OpenVPN instances
-	# on the same machine, use a different port
-	# number for each one.  You will need to
-	# open up this port on your firewall.
-	option port 1194
-
-	# TCP or UDP server?
-#	option proto tcp
-	option proto udp
-
-	# "dev tun" will create a routed IP tunnel,
-	# "dev tap" will create an ethernet tunnel.
-	# Use "dev tap0" if you are ethernet bridging
-	# and have precreated a tap0 virtual interface
-	# and bridged it with your ethernet interface.
-	# If you want to control access policies
-	# over the VPN, you must create firewall
-	# rules for the the TUN/TAP interface.
-	# On non-Windows systems, you can give
-	# an explicit unit number, such as tun0.
-	# On Windows, use "dev-node" for this.
-	# On most systems, the VPN will not function
-	# unless you partially or fully disable
-	# the firewall for the TUN/TAP interface.
-#	option dev tap
-	option dev tun
-
-	# SSL/TLS root certificate (ca), certificate
-	# (cert), and private key (key).  Each client
-	# and the server must have their own cert and
-	# key file.  The server and all clients will
-	# use the same ca file.
-	#
-	# See the "easy-rsa" directory for a series
-	# of scripts for generating RSA certificates
-	# and private keys.  Remember to use
-	# a unique Common Name for the server
-	# and each of the client certificates.
-	#
-	# Any X509 key management system can be used.
-	# OpenVPN can also use a PKCS #12 formatted key file
-	# (see "pkcs12" directive in man page).
-	option ca ca.crt
-	option cert server.crt
-	# This file should be kept secret:
-	option key server.key
-
-	# Diffie hellman parameters.
-	# Generate your own with:
-	#   openssl dhparam -out dh1024.pem 1024
-	# Substitute 2048 for 1024 if you are using
-	# 2048 bit keys.
-	option dh dh1024.pem
-
-	# Configure server mode and supply a VPN subnet
-	# for OpenVPN to draw client addresses from.
-	# The server will take 10.8.0.1 for itself,
-	# the rest will be made available to clients.
-	# Each client will be able to reach the server
-	# on 10.8.0.1. Comment this line out if you are
-	# ethernet bridging. See the man page for more info.
-	option server "10.8.0.0 255.255.255.0"
-
-	# Maintain a record of client <-> virtual IP address
-	# associations in this file.  If OpenVPN goes down or
-	# is restarted, reconnecting clients can be assigned
-	# the same virtual IP address from the pool that was
-	# previously assigned.
-	option ifconfig_pool_persist ipp.txt
-
-	# Configure server mode for ethernet bridging.
-	# You must first use your OS's bridging capability
-	# to bridge the TAP interface with the ethernet
-	# NIC interface.  Then you must manually set the
-	# IP/netmask on the bridge interface, here we
-	# assume 10.8.0.4/255.255.255.0.  Finally we
-	# must set aside an IP range in this subnet
-	# (start=10.8.0.50 end=10.8.0.100) to allocate
-	# to connecting clients.  Leave this line commented
-	# out unless you are ethernet bridging.
-#	option server_bridge "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100"
-
-	# Push routes to the client to allow it
-	# to reach other private subnets behind
-	# the server.  Remember that these
-	# private subnets will also need
-	# to know to route the OpenVPN client
-	# address pool (10.8.0.0/255.255.255.0)
-	# back to the OpenVPN server.
-#	list push "route 192.168.10.0 255.255.255.0"
-#	list push "route 192.168.20.0 255.255.255.0"
-
-	# To assign specific IP addresses to specific
-	# clients or if a connecting client has a private
-	# subnet behind it that should also have VPN access,
-	# use the subdirectory "ccd" for client-specific
-	# configuration files (see man page for more info).
-
-	# EXAMPLE: Suppose the client
-	# having the certificate common name "Thelonious"
-	# also has a small subnet behind his connecting
-	# machine, such as 192.168.40.128/255.255.255.248.
-	# First, uncomment out these lines:
-#	option client_config_dir ccd
-#	list route "192.168.40.128 255.255.255.248"
-	# Then create a file ccd/Thelonious with this line:
-	#   iroute 192.168.40.128 255.255.255.248
-	# This will allow Thelonious' private subnet to
-	# access the VPN.  This example will only work
-	# if you are routing, not bridging, i.e. you are
-	# using "dev tun" and "server" directives.
-
-	# EXAMPLE: Suppose you want to give
-	# Thelonious a fixed VPN IP address of 10.9.0.1.
-	# First uncomment out these lines:
-#	option client_config_dir ccd
-#	list route "10.9.0.0 255.255.255.252"
-#	list route "192.168.100.0 255.255.255.0"
-	# Then add this line to ccd/Thelonious:
-	#   ifconfig-push "10.9.0.1 10.9.0.2"
-
-	# Suppose that you want to enable different
-	# firewall access policies for different groups
-	# of clients.  There are two methods:
-	# (1) Run multiple OpenVPN daemons, one for each
-	#     group, and firewall the TUN/TAP interface
-	#     for each group/daemon appropriately.
-	# (2) (Advanced) Create a script to dynamically
-	#     modify the firewall in response to access
-	#     from different clients.  See man
-	#     page for more info on learn-address script.
-#	option learn_address ./script
-
-	# If enabled, this directive will configure
-	# all clients to redirect their default
-	# network gateway through the VPN, causing
-	# all IP traffic such as web browsing and
-	# and DNS lookups to go through the VPN
-	# (The OpenVPN server machine may need to NAT
-	# the TUN/TAP interface to the internet in
-	# order for this to work properly).
-	# CAVEAT: May break client's network config if
-	# client's local DHCP server packets get routed
-	# through the tunnel.  Solution: make sure
-	# client's local DHCP server is reachable via
-	# a more specific route than the default route
-	# of 0.0.0.0/0.0.0.0.
-#	list push "redirect-gateway"
-
-	# Certain Windows-specific network settings
-	# can be pushed to clients, such as DNS
-	# or WINS server addresses.  CAVEAT:
-	# http://openvpn.net/faq.html#dhcpcaveats
-#	list push "dhcp-option DNS 10.8.0.1"
-#	list push "dhcp-option WINS 10.8.0.1"
-
-	# Uncomment this directive to allow different
-	# clients to be able to "see" each other.
-	# By default, clients will only see the server.
-	# To force clients to only see the server, you
-	# will also need to appropriately firewall the
-	# server's TUN/TAP interface.
-#	option client_to_client 1
-
-	# Uncomment this directive if multiple clients
-	# might connect with the same certificate/key
-	# files or common names.  This is recommended
-	# only for testing purposes.  For production use,
-	# each client should have its own certificate/key
-	# pair.
-	#
-	# IF YOU HAVE NOT GENERATED INDIVIDUAL
-	# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
-	# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
-	# UNCOMMENT THIS LINE OUT.
-#	option duplicate_cn 1
-
-	# The keepalive directive causes ping-like
-	# messages to be sent back and forth over
-	# the link so that each side knows when
-	# the other side has gone down.
-	# Ping every 10 seconds, assume that remote
-	# peer is down if no ping received during
-	# a 120 second time period.
-	option keepalive "10 120"
-
-	# For extra security beyond that provided
-	# by SSL/TLS, create an "HMAC firewall"
-	# to help block DoS attacks and UDP port flooding.
-	#
-	# Generate with:
-	#   openvpn --genkey --secret ta.key
-	#
-	# The server and each client must have
-	# a copy of this key.
-	# The second parameter should be '0'
-	# on the server and '1' on the clients.
-	# This file is secret:
-#	option tls_auth "ta.key 0"
-
-	# Select a cryptographic cipher.
-	# This config item must be copied to
-	# the client config file as well.
-	# Blowfish (default):
-#	option cipher BF-CBC
-	# AES:
-#	option cipher AES-128-CBC
-	# Triple-DES:
-#	option cipher DES-EDE3-CBC
-
-	# Enable compression on the VPN link.
-	# If you enable it here, you must also
-	# enable it in the client config file.
-	option comp_lzo 1
-
-	# The maximum number of concurrently connected
-	# clients we want to allow.
-#	option max_clients 100
-
-	# The persist options will try to avoid
-	# accessing certain resources on restart
-	# that may no longer be accessible because
-	# of the privilege downgrade.
-	option persist_key 1
-	option persist_tun 1
-
-	# Output a short status file showing
-	# current connections, truncated
-	# and rewritten every minute.
-	option status openvpn-status.log
-
-	# By default, log messages will go to the syslog (or
-	# on Windows, if running as a service, they will go to
-	# the "\Program Files\OpenVPN\log" directory).
-	# Use log or log-append to override this default.
-	# "log" will truncate the log file on OpenVPN startup,
-	# while "log-append" will append to it.  Use one
-	# or the other (but not both).
-#	option log         openvpn.log
-#	option log_append  openvpn.log
-
-	# Set the appropriate level of log
-	# file verbosity.
-	#
-	# 0 is silent, except for fatal errors
-	# 4 is reasonable for general usage
-	# 5 and 6 can help to debug connection problems
-	# 9 is extremely verbose
-	option verb 3
-
-	# Silence repeating messages.  At most 20
-	# sequential messages of the same message
-	# category will be output to the log.
-#	option mute 20
-
-
-##############################################
-# Sample client-side OpenVPN 2.0 config file #
-# for connecting to multi-client server.     #
-##############################################
-
-config openvpn sample_client
-
-	# Set to 1 to enable this instance:
-	option enable 0
-
-	# Specify that we are a client and that we
-	# will be pulling certain config file directives
-	# from the server.
-	option client 1
-
-	# Use the same setting as you are using on
-	# the server.
-	# On most systems, the VPN will not function
-	# unless you partially or fully disable
-	# the firewall for the TUN/TAP interface.
-#	option dev tap
-	option dev tun
-
-	# Are we connecting to a TCP or
-	# UDP server?  Use the same setting as
-	# on the server.
-#	option proto tcp
-	option proto udp
-
-	# The hostname/IP and port of the server.
-	# You can have multiple remote entries
-	# to load balance between the servers.
-	list remote "my_server_1 1194"
-#	list remote "my_server_2 1194"
-
-	# Choose a random host from the remote
-	# list for load_balancing.  Otherwise
-	# try hosts in the order specified.
-#	option remote_random 1
-
-	# Keep trying indefinitely to resolve the
-	# host name of the OpenVPN server.  Very useful
-	# on machines which are not permanently connected
-	# to the internet such as laptops.
-	option resolv_retry infinite
-
-	# Most clients don't need to bind to
-	# a specific local port number.
-	option nobind 1
-
-	# Try to preserve some state across restarts.
-	option persist_key 1
-	option persist_tun 1
-
-	# If you are connecting through an
-	# HTTP proxy to reach the actual OpenVPN
-	# server, put the proxy server/IP and
-	# port number here.  See the man page
-	# if your proxy server requires
-	# authentication.
-	# retry on connection failures:
-#	option http_proxy_retry 1
-	# specify http proxy address and port:
-#	option http_proxy "192.168.1.100 8080"
-
-	# Wireless networks often produce a lot
-	# of duplicate packets.  Set this flag
-	# to silence duplicate packet warnings.
-#	option mute_replay_warnings 1
-
-	# SSL/TLS parms.
-	# See the server config file for more
-	# description.  It's best to use
-	# a separate .crt/.key file pair
-	# for each client.  A single ca
-	# file can be used for all clients.
-	option ca ca.crt
-	option cert client.crt
-	option key client.key
-
-	# Verify server certificate by checking
-	# that the certicate has the nsCertType
-	# field set to "server".  This is an
-	# important precaution to protect against
-	# a potential attack discussed here:
-	#  http://openvpn.net/howto.html#mitm
-	#
-	# To use this feature, you will need to generate
-	# your server certificates with the nsCertType
-	# field set to "server".  The build_key_server
-	# script in the easy_rsa folder will do this.
-#	option ns_cert_type server
-
-	# If a tls_auth key is used on the server
-	# then every client must also have the key.
-#	option tls_auth "ta.key 1"
-
-	# Select a cryptographic cipher.
-	# If the cipher option is used on the server
-	# then you must also specify it here.
-#	option cipher x
-
-	# Enable compression on the VPN link.
-	# Don't enable this unless it is also
-	# enabled in the server config file.
-	option comp_lzo 1
-
-	# Set log file verbosity.
-	option verb 3
-
-	# Silence repeating messages
-#	option mute 20
diff --git a/applications/luci-openvpn/root/etc/config/openvpn_recipes b/applications/luci-openvpn/root/etc/config/openvpn_recipes
index 94e879b91..d7402c3a4 100644
--- a/applications/luci-openvpn/root/etc/config/openvpn_recipes
+++ b/applications/luci-openvpn/root/etc/config/openvpn_recipes
@@ -2,94 +2,108 @@
 # Routed point-to-point server
 #
 config openvpn_recipe server_tun_ptp
-	option _description	"Simple server configuration for a routed point-to-point VPN"
-	option _role		"server"
+	option _description		"Simple server configuration for a routed point-to-point VPN"
+	option _role			"server"
 	option dev			"tun"
-	option port			"1194"
-	option ifconfig		"10.0.0.1 10.0.0.2"
-	option secret		"shared-secret.key"
+	option ifconfig			"10.0.0.1 10.0.0.2"
+	option secret			"shared-secret.key"
+	option keepalive		"10 60"
+	option comp_lzo			"1"
+	option verb			"3"
+        option mssfix			"1420"
+	option management		"127.0.0.1 31194"
 
 #
 # Routed point-to-point client
 #
 config openvpn_recipe client_tun_ptp
-	option _description	"Simple client configuration for a routed point-to-point VPN"
-	option _role		"client"
+	option _description		"Simple client configuration for a routed point-to-point VPN"
+	option _role			"client"
 	option dev			"tun"
-	list   remote 		"mypeer.dyndns.org"
-	option port 		"1194"
-	option ifconfig		"10.0.0.2 10.0.0.1"
-	option secret		"shared-secret.key"
-	option nobind		"1"
-
+	list   remote			"vpnserver.example.org"
+	option ifconfig			"10.0.0.2 10.0.0.1"
+	option secret			"shared-secret.key"
+	option nobind			"1"
+	option comp_lzo			"1"
+	option verb			"3"
+	option management		"127.0.0.1 31194"
 
 #
 # Routed multi-client server
 #
 config openvpn_recipe server_tun
-	option _description	"Server configuration for a routed multi-client VPN"
-	option _role		"server"
+	option _description		"Server configuration for a routed multi-client VPN"
+	option _role			"server"
 	option dev			"tun"
-	option port			"1194"
-	option server		"10.0.100.0 255.255.255.0"
+	option server			"10.0.100.0 255.255.255.0"
 	option ca			"ca.crt"
-	option cert 		"server.crt"
+	option cert			"server.crt"
 	option key 			"server.key"
 	option dh 			"dh1024.pem"
-	option client_to_client	"1"
-	option keepalive	"10 120"
-	option comp_lzo		"1"
+	option keepalive		"10 60"
+	option comp_lzo			"1"
+	option verb			"3"
+        option mssfix			"1420"
+	option management		"127.0.0.1 31194"
 
 #
 # Routed client
 #
 config openvpn_recipe client_tun
-	option _description	"Client configuration for a routed multi-client VPN"
-	option _role		"client"
-	option client		"1"
-	option dev 			"tun"
-	list   remote		"vpnserver.example.org 1194"
-	option ca 			"ca.crt"
-	option cert			"my_client.crt"
-	option key 			"my_client.key"
-	option dh 			"dh1024.pem"
-	option ns_cert_type	"server"
-	option keepalive	"10 120"
-	option comp_lzo		"1"
-	option nobind		"1"
-
+	option _description		"Client configuration for a routed multi-client VPN"
+	option _role			"client"
+	option client			"1"
+	option dev			"tun"
+	list   remote			"vpnserver.example.org"
+	option pkcs12			"my_client.p12"
+	option remote_cert_tls		"server"
+	option comp_lzo			"1"
+	option nobind			"1"
+	option persist_key		"1"
+	option persist_tun		"1"
+	option verb			"3"
+	option reneg_sec		"0"
+	option explicit_exit_notify	"1"
+	option float			"1"
+	option management		"127.0.0.1 31194"
 
 #
 # Multi-client ethernet bridge server
 #
 config openvpn_recipe server_tap_bridge
-	option _description	"Server configuration for an ethernet bridge VPN"
-	option _role		"server"
+	option _description		"Server configuration for an ethernet bridge VPN"
+	option _role			"server"
 	option dev			"tap"
-	option port			"1194"
-	option server_bridge "192.168.1.1 255.255.255.0 192.168.1.128 192.168.1.254"
+	option server_bridge		"192.168.1.1 255.255.255.0 192.168.1.128 192.168.1.254"
 	option ca			"ca.crt"
-	option cert 		"server.crt"
+	option cert			"server.crt"
 	option key 			"server.key"
 	option dh 			"dh1024.pem"
-	option client_to_client	"1"
-	option keepalive	"10 120"
-	option comp_lzo		"1"
+	option keepalive		"10 60"
+	option comp_lzo			"1"
+	option verb			"3"
+        option mssfix			"1420"
+	option management		"127.0.0.1 31194"
 
 #
 # Ethernet bridge client
 #
 config openvpn_recipe client_tap_bridge
-	option _description	"Client configuration for an ethernet bridge VPN"
-	option _role		"client"
-	option client		"1"
+	option _description		"Client configuration for an ethernet bridge VPN"
+	option _role			"client"
+	option client			"1"
 	option dev 			"tap"
-	list   remote		"vpnserver.example.org 1194"
+	list   remote			"vpnserver.example.org"
 	option ca 			"ca.crt"
 	option cert			"my_client.crt"
 	option key 			"my_client.key"
 	option dh 			"dh1024.pem"
-	option ns_cert_type	"server"
-	option keepalive	"10 120"
-	option comp_lzo		"1"
-	option nobind		"1"
+	option remote_cert_tls		"server"
+	option comp_lzo			"1"
+	option nobind			"1"
+	option persist_key		"1"
+	option verb			"3"
+	option reneg_sec		"0"
+	option explicit_exit_notify	"1"
+	option float			"1"
+	option management		"127.0.0.1 31194"
diff --git a/applications/luci-openvpn/root/etc/init.d/openvpn b/applications/luci-openvpn/root/etc/init.d/openvpn
deleted file mode 100644
index baa683ff4..000000000
--- a/applications/luci-openvpn/root/etc/init.d/openvpn
+++ /dev/null
@@ -1,144 +0,0 @@
-#!/bin/sh /etc/rc.common
-# OpenVPN init script
-# Copyright (C) 2008 Jo-Philipp Wich
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-# $Id$
-
-START=95
-BIN=/usr/sbin/openvpn
-SSD=start-stop-daemon
-
-LIST_SEP="
-"
-
-append_param() {
-	local v="$1"
-	case "$v" in
-		*_*_*_*) v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_} ;;
-		*_*_*)   v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_} ;;
-		*_*)     v=${v%%_*}-${v#*_} ;;
-	esac
-	ARGS="$ARGS --$v"
-	return 0
-}
-
-append_bools() {
-	local p; local v; local s="$1"; shift
-	for p in $*; do
-		config_get_bool v "$s" "$p"
-		[ "$v" == 1 ] && append_param "$p"
-	done
-}
-
-append_params() {
-	local p; local v; local s="$1"; shift
-	for p in $*; do
-		config_get v "$s" "$p"
-		IFS="$LIST_SEP"
-		for v in $v; do
-			[ -n "$v" ] && append_param "$p" && ARGS="$ARGS $v"
-		done
-		unset IFS
-	done
-}
-
-append_params_quoted() {
-	local p; local v; local s="$1"; shift
-	for p in $*; do
-		config_get v "$s" "$p"
-		IFS="$LIST_SEP"
-		for v in $v; do
-			[ -n "$v" ] && append_param "$p" && ARGS="$ARGS '$v'"
-		done
-		unset IFS
-	done
-}
-
-start_service() {
-	local s="$1"
-	local enable=0
-
-	# disabled?
-	config_get_bool enable "$s" enable 0
-	[ "$enable" == 0 ] && return 0
-
-	PID="/var/run/openvpn-$s.pid"
-	ARGS=""
-
-	# append flags
-	append_bools "$s" \
-		auth_nocache ccd_exclusive client client_cert_not_required \
-		client_disconnect client_to_client comp_lzo comp_noadapt disable \
-		disable_occ down_pre duplicate_cn fast_io float http_proxy_retry \
-		ifconfig_noexec ifconfig_nowarn ifconfig_pool_linear management_hold \
-		management_query_passwords mktun mlock mtu_test mute_replay_warnings \
-		nobind no_iv no_replay passtos persist_key persist_local_ip \
-		persist_remote_ip persist_tun ping_timer_rem pull push_reset \
-		remote_random rmtun route_noexec single_session socks_proxy_retry \
-		suppress_timestamps test_crypto tls_client tls_exit tls_server \
-		tun_ipv6 up_delay up_restart username_as_common_name
-
-	# append params
-	append_params "$s" \
-		auth auth_user_pass auth_user_pass_verify bcast_buffers ca cd cert \
-		chroot cipher client_config_dir client_connect config connect_freq \
-		connect_retry crl_verify cryptoapicert dev dev_node dev_type dh down \
-		echo engine explicit_exit_notify fragment group hand_window hash_size \
-		http_proxy http_proxy_option http_proxy_timeout ifconfig ifconfig_pool \
-		ifconfig_pool_persist ifconfig_push inactive ipchange iroute keepalive \
-		key key_method keysize learn_address link_mtu local log log_append \
-		lport management management_log_cache max_clients \
-		max_routes_per_client mode mssfix mtu_disc mute nice ns_cert_type ping \
-		ping_exit ping_restart pkcs12 plugin port proto rcvbuf \
-		redirect_gateway remap_usr1 remote reneg_bytes reneg_pkts reneg_sec \
-		replay_persist replay_window resolv_retry route route_delay \
-		route_gateway route_up rport server server_bridge setenv shaper sndbuf \
-		socks_proxy status status_version syslog tcp_queue_limit tls_auth \
-		tls_cipher tls_remote tls_timeout tls_verify tmp_dir tran_window \
-		tun_mtu tun_mtu_extra txqueuelen up user verb
-
-	# append multi-value params
-	append_params_quoted "$s" \
-		push
-
-
-	[ -n "$ARGS" ] && \
-		eval "$SSD -q -b -m -p $PID -x $BIN -S -- --syslog 'openvpn($s)' $ARGS"
-}
-
-kill_service() {
-	local s="$1"
-	local S="${2:-TERM}"
-	local enable=0
-
-	# disabled?
-	config_get_bool enable "$s" enable 0
-	[ "$enable" == 0 ] && return 0
-
-	PID="/var/run/openvpn-$s.pid"
-
-	$SSD -q -p $PID -x $BIN -K -s $S
-}
-
-hup_service()  { kill_service "$1" HUP;  }
-stop_service() { kill_service "$1" TERM; }
-
-start() {
-	config_load openvpn
-	config_foreach start_service openvpn
-}
-
-stop() {
-	config_load openvpn
-	config_foreach stop_service openvpn
-}
-
-reload() {
-	config_load openvpn
-	config_foreach hup_service openvpn
-}
-
-restart() {
-	stop; sleep 5; start
-}
diff --git a/applications/luci-openvpn/root/lib/uci/schema/default/openvpn b/applications/luci-openvpn/root/lib/uci/schema/default/openvpn
index 2a31ff499..5bb8cad9d 100644
--- a/applications/luci-openvpn/root/lib/uci/schema/default/openvpn
+++ b/applications/luci-openvpn/root/lib/uci/schema/default/openvpn
@@ -278,7 +278,7 @@ comp-noadapt
 When used in conjunction with --comp-lzo, this option will disable OpenVPN's adaptive compression algorithm
 
 management IP port [pw-file]
-Enable a TCP server on IP:port to handle daemon management functions
+Enable management interface on <IP> <port> to handle daemon management functions
 
 management-query-passwords
 Query management channel for private key password and --auth-user-pass username/password