# Authentication
{

# Emit the OpenVPN authentication directives for the tunnel named by $key.
# $db, $key, $type and $OUT are supplied by the surrounding template; the
# three properties below fall back to TLS / disabled / empty when unset.
#
# NOTE(review): $key and RemoteCommonName are written into the generated
# configuration verbatim. Whitespace or a line break in either value would
# split or add directives, so they should be validated where they are stored.
my $mode        = $db->get_prop($key, 'Authentication')        || 'TLS';
my $usage_check = $db->get_prop($key, 'CheckCertificateUsage') || 'disabled';
my $peer_cn     = $db->get_prop($key, 'RemoteCommonName')      || '';

# NOTE(review): any value other than SharedKey or TLS matches neither branch
# and this fragment then emits no authentication directive at all. Confirm
# that such a configuration is rejected elsewhere instead of being started.
if ($mode eq 'SharedKey') {
    # Static-key mode: one pre-shared secret and no forward secrecy.
    # NOTE(review): recent OpenVPN releases deprecate it; prefer TLS.
    $OUT .= sprintf "secret priv/%s_sharedkey.pem\n", $key;
}
elsif ($mode eq 'TLS') {
    # Anything that is not explicitly a server is treated as a client.
    my $is_server = ($type eq 'server');

    my $conf_root = '/etc/openvpn/s2s';
    my $ta_file   = "$conf_root/priv/$key" . '_sharedkey.pem';
    my $crl_file  = "$conf_root/pub/$key" . '_cacrl.pem';

    $OUT .= $is_server ? "tls-server\n" : "tls-client\n";
    $OUT .= sprintf "ca pub/%s_cacert.pem\n",  $key;
    $OUT .= sprintf "cert pub/%s_cert.pem\n",  $key;
    $OUT .= sprintf "key priv/%s_key.pem\n",   $key;

    # Diffie-Hellman parameters are only written for the server side.
    $OUT .= sprintf("dh pub/%s_dh.pem\n", $key) if $is_server;

    # tls-auth is optional: it is written only when the key file exists and
    # is non-empty. Key direction is 0 on the server and 1 on the client.
    $OUT .= sprintf("tls-auth priv/%s_sharedkey.pem %d\n", $key, $is_server ? 0 : 1)
        if -s $ta_file;

    # Revocation checking is likewise conditional on a non-empty CRL file,
    # so a missing or empty CRL silently leaves revoked certificates usable.
    $OUT .= sprintf("crl-verify pub/%s_cacrl.pem\n", $key)
        if -s $crl_file;

    # Each side requires the certificate type of its peer.
    # NOTE(review): ns-cert-type is deprecated upstream in favour of
    # remote-cert-tls; confirm the deployed OpenVPN version still accepts it.
    my $peer_role = $is_server ? 'client' : 'server';
    $OUT .= "ns-cert-type $peer_role\n" if $usage_check eq 'enabled';

    # Without a RemoteCommonName, any certificate signed by the CA is
    # accepted as the peer.
    $OUT .= "verify-x509-name $peer_cn name\n" if $peer_cn ne '';
}

}

