diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher
--- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher 2021-04-01 01:57:09.416000000 -0400
@@ -0,0 +1 @@
+AES-128-CBC
diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC
--- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC 2021-04-01 01:56:54.665000000 -0400
@@ -0,0 +1 @@
+SHA256
diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
--- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption 2021-04-01 01:52:17.729000000 -0400
@@ -0,0 +1,33 @@
+{
+ #HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
+ # need to be changed on both side
+ my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : undef;
+ # cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
+ # # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
+ my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : undef;
+
+ ## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
+ my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2";
+ # TLS 1.3 encryption settings
+ my $tlsCipherSuites13 = ( ${'openvpn-routed'}{'tlsCipherSuites13'} ) ? ${'openvpn-routed'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ # # TLS 1.2 encryption settings
+ my $tlsCipher12 = ( ${'openvpn-routed'}{'tlsCipher12'} ) ? ${'openvpn-routed'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
+
+
+
+ $OUT .= "#securing control channel\n";
+ $OUT .= "tls-version-min $tlsVmin\n";
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
+ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
+ #$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
+ #$OUT .= "ecdh-curve secp384r1\n";
+
+ # data channel
+ $OUT .= "#securing data channel\n";
+ $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
+ #auth SHA512
+ $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
+
+
+
+}
diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
--- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options 2017-04-10 05:18:32.000000000 -0400
+++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options 2021-04-01 01:52:17.962000000 -0400
@@ -3,7 +3,6 @@
 my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
 my $fragment = ${'openvpn-routed'}{Fragment} || '';
-my $cipher = ${'openvpn-routed'}{Cipher} || '';
 my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
 my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
 my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
@@ -37,10 +36,6 @@
 }
 $OUT .= "mssfix\n";
-if ($cipher ne ''){
- $OUT .= "cipher $cipher\n";
-}
-
 if ($duplicate eq 'enabled'){
 $OUT .= "duplicate-cn\n";
 }
diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes
--- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes 2017-04-10 05:18:32.000000000 -0400
+++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes 2021-04-01 02:04:36.125000000 -0400
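Review bot: The `Cipher` and `HMAC` properties are interpolated straight into `cipher $cipher` and `auth $HMAC` with no shape check, so a value containing whitespace or a newline would be emitted as extra OpenVPN directives; `$tlsVmin` already gets an anchored regex, and the same cheap guard fits here, e.g. `my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto' && ${'openvpn-routed'}{'Cipher'} =~ /^[A-Za-z0-9-]+$/ ) ? ${'openvpn-routed'}{'Cipher'} : undef;` (and likewise for `$HMAC`). The `if defined $tlsCipher12` and `if defined $tlsCipherSuites13` guards are always true because both variables fall back to a non-empty default a few lines above, so they suggest the directives are optional when they are not. In the comment, `encrypt-then-mc` should read `encrypt-then-mac`, and it is worth adding that the data-channel cipher written here is only the fallback for clients without cipher negotiation, since the unit file in this same change hands a separate `--ncp-ciphers` list to openvpn that this template never sees.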
@@ -19,6 +19,7 @@
 my $mask = $network->prop('Mask');
 my $gw = $network->prop('Router') || '';
 my $vpn = $network->prop('VPN') || '';
+ next if (($network->prop('PushRoute') || 'enabled') eq 'disabled');
 next if (($network->prop('VPNRouted') || 'no') eq 'yes');
 $route .= "push \"route $addr $mask";
 $route .= " $gw" if ($vpn eq '' && $gw ne '');
diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/sbin/e-smith/systemd/openvpn-routed smeserver-openvpn-routed-0.1.6/root/sbin/e-smith/systemd/openvpn-routed
--- smeserver-openvpn-routed-0.1.6.old/root/sbin/e-smith/systemd/openvpn-routed 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-openvpn-routed-0.1.6/root/sbin/e-smith/systemd/openvpn-routed 2021-04-01 01:56:24.102000000 -0400
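Review bot: The new `PushRoute` network property is introduced without any comment on what it means or that an absent value counts as `enabled`, and the enclosing loop over `$network` starts outside this hunk. A one-line comment above the added `next`, such as `# PushRoute=disabled keeps this local network out of the routes pushed to clients (unset means enabled)`, would spare the next reader a search of the database documentation. Since both this test and the existing `VPNRouted` test just skip the network, their relative order does not change the result.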
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+[[ ! -f /etc/openvpn/routed/pub/cert.pem && -f /etc/openvpn/bridge/pub/cert.pem ]] && cp -a /etc/openvpn/bridge/pub/cert.pem /etc/openvpn/routed/pub/cert.pem
+[[ ! -f /etc/openvpn/routed/pub/cacert.pem && -f /etc/openvpn/bridge/pub/cacert.pem ]] && cp -a /etc/openvpn/bridge/pub/cacert.pem /etc/openvpn/routed/pub/cacert.pem
+[[ ! -f /etc/openvpn/routed/pub/dh.pem && -f /etc/openvpn/bridge/pub/dh.pem ]] && cp -a /etc/openvpn/bridge/pub/dh.pem /etc/openvpn/routed/pub/dh.pem
+[[ ! -f /etc/openvpn/routed/priv/key.pem && -f /etc/openvpn/bridge/priv/key.pem ]] && cp -a /etc/openvpn/bridge/priv/key.pem /etc/openvpn/routed/priv/key.pem
+[[ ! -f /etc/openvpn/routed/priv/takey.pem && -f /etc/openvpn/bridge/priv/takey.pem ]] && cp -a /etc/openvpn/bridge/priv/takey.pem /etc/openvpn/routed/priv/takey.pem
+if [[ ! -f /etc/openvpn/routed/pub/cacrl.pem && -f /etc/openvpn/bridge/pub/cacrl.pem ]] ; then
+ cp -a /etc/openvpn/bridge/pub/cacrl.pem /etc/openvpn/routed/pub/cacrl.pem
+ CrlUrl=`/sbin/e-smith/config getprop openvpn-bridge CrlUrl`
+ /sbin/e-smith/config setprop openvpn-routed CrlUrl "$CrlUrl="
+
+ myport=`/sbin/e-smith/config getprop openvpn-routed UDPPort`
+ oriport="$myiport"
+ bridgeport=`/sbin/e-smith/config getprop openvpn-bridge UDPPort`
+ s2sports=`/sbin/e-smith/db openvpn-s2s print |sed -re 's/.*Port\|([0-9]+).*/\1/'|sort|uniq`
+ while [[ $s2sports =~ $myport || $myport == $bridgeport ]]
+ do
+ myport=$[$myport+1]
+ done
+ if [[ $myport != $oriport ]]; then
+ echo "set UDPPort to $myport as $oriport was already taken"
+ /sbin/e-smith/db configuration setprop openvpn-routed UDPPort $myport
+ /sbin/e-smith/expand-template /etc/openvpn/routed/openvpn.conf
+ fi
+fi
+chmod 0600 /etc/openvpn/routed/priv/*
+chmod 0644 /etc/openvpn/routed/pub/*
+chown root:admin /etc/openvpn/routed/priv/*
+chown root:admin /etc/openvpn/routed/pub/*
diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/usr/lib/systemd/system/openvpn-routed.service 
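Review bot: `oriport="$myiport"` reads a variable that is never assigned (the port was stored in `myport` on the line above), so `$oriport` is always empty, `[[ $myport != $oriport ]]` is always true, and the script rewrites `UDPPort` and re-expands the template on the first run even when no collision was found; it should be `oriport="$myport"`. The `"$CrlUrl="` handed to `setprop` looks like a stray `=` that appends a literal `=` to the copied URL — presumably `"$CrlUrl"` was meant. `[[ $s2sports =~ $myport ]]` is an unanchored substring match, so 1194 is reported as taken when a site-to-site instance uses 11940; `grep -qx -- "$myport" <<<"$s2sports"` compares whole lines instead. Separately, the first block silently copies the bridge instance's `key.pem` and `takey.pem` into the routed instance, so both servers end up sharing one private key and tls-auth key; as far as this hunk shows that is a deliberate bootstrap shortcut, but it deserves a comment saying so and how to regenerate separate material.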
smeserver-openvpn-routed-0.1.6/root/usr/lib/systemd/system/openvpn-routed.service
--- smeserver-openvpn-routed-0.1.6.old/root/usr/lib/systemd/system/openvpn-routed.service 2021-04-01 01:49:33.475000000 -0400
+++ smeserver-openvpn-routed-0.1.6/root/usr/lib/systemd/system/openvpn-routed.service 2021-04-01 01:53:22.947000000 -0400
@@ -1,9 +1,26 @@
 [Unit]
-Description=OpenVPN Server to Server
+Description=OpenVPN Server routed for Roadwariors
 After=network.service
+
 [Service]
-Type=forking
-ExecStart=/usr/sbin/systemd/openvpn-routed
+Type=notify
+PrivateTmp=true
+WorkingDirectory=/etc/openvpn/routed
+
+ExecStartPre=-/sbin/e-smith/service-status 'openvpn-routed'
+ExecStartPre=-/sbin/e-smith/systemd/openvpn-routed
+ExecStart=/usr/sbin/openvpn --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
+
+PrivateTmp=true
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+KillMode=process
+RestartSec=5s
+Restart=on-failure
+
+
 [Install]
 WantedBy=sme-server.target
diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/usr/sbin/systemd/openvpn-routed smeserver-openvpn-routed-0.1.6/root/usr/sbin/systemd/openvpn-routed
--- smeserver-openvpn-routed-0.1.6.old/root/usr/sbin/systemd/openvpn-routed 2021-04-01 01:49:33.476000000 -0400
+++ smeserver-openvpn-routed-0.1.6/root/usr/sbin/systemd/openvpn-routed 1969-12-31 19:00:00.000000000 -0500
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-exec 2>&1
-
-exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
-
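Review bot: The `ExecStart` line's `--ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC` keeps `BF-CBC` negotiable, so a client that only offers Blowfish can still be put on a 64-bit block cipher (SWEET32) even though this same commit moves the `Cipher` default to AES-128-CBC and labels Blowfish INSECURE in the template; unless very old clients must be kept working, drop `BF-CBC` (and preferably the CBC entries) from the list, or leave a comment explaining why it stays. `PrivateTmp=true` appears twice in `[Service]`; the duplicate is harmless but should go. `Type=notify` depends on an openvpn build with systemd notification support, which is worth confirming for the target distribution since a build without it will never signal readiness and the unit will time out. `Roadwariors` in `Description=` is a typo for `Roadwarriors`.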