From afc8f78c528ee67e8193080db8a75f120f19643d Mon Sep 17 00:00:00 2001
From: Grzegorz Ojrzanowski
Date: Fri, 19 Aug 2016 12:12:46 +1200
Subject: [PATCH 1/2] Add key-direction 1 to .ovpn profile if tls_auth is being used
---
 manifests/client.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/client.pp b/manifests/client.pp
index e0bd3e66..4159aaa2 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -415,7 +415,7 @@
 concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/tls_auth_close_tag":
 target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
- content => "\n",
+ content => "\nkey-direction 1\n",
 order => '13'
 }
 }
From 7e2a03771abdedd8fd1a3319241cb2b176578f60 Mon Sep 17 00:00:00 2001
From: Grzegorz Ojrzanowski
Date: Fri, 13 Jan 2017 15:12:53 +1300
Subject: [PATCH 2/2] Set safe file permissions as it may contain credentials for LDAP lookups
---
 manifests/server.pp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/manifests/server.pp b/manifests/server.pp
index a6b16f76..1256fb89 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -678,6 +678,8 @@
 file { "${etc_directory}/openvpn/${name}/auth/ldap.conf":
 ensure => present,
+ owner => root,
+ mode => '0400',
 content => template('openvpn/ldap.erb'),
 require => Package['openvpn-auth-ldap'],
 }
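Review bot: In manifests/client.pp the new `key-direction 1` is hard-coded into the fragment titled `tls_auth_close_tag`, so every profile that reaches this fragment gets direction 1 regardless of how the server end is configured. OpenVPN expects the two ends to use complementary directions (or both to omit the setting); a mismatch makes the tls-auth HMAC check fail and clients cannot connect. The server template is not part of this patch, so confirm it uses direction 0 whenever tls_auth is enabled, and record the pairing next to the value, e.g. `# key-direction 1 must pair with direction 0 in the server's tls-auth setting`. The enclosing conditional and define body start and end outside the hunk.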
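Review bot: In manifests/server.pp the ldap.conf resource now restricts owner and mode, but the rendered template, which the commit message says may hold LDAP credentials, can still be printed as a content diff in agent logs and reports when diff display is enabled. Adding `show_diff => false,` to this `file` resource keeps the secret out of that output. `owner => root` is a bareword and no group is set; `owner => 'root',` and `group => 'root',` make the ownership explicit and match the quoted `mode`. The permissions of the parent `auth/` directory are managed outside this hunk and are worth checking alongside this change.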