From b3af4c6abbe1d943a6058c71e78c0210db0daa89 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 12 Jun 2009 13:57:14 -0700 Subject: [PATCH] Add a Bridged networks example to the OpenVPN article --- docs/OPENVPN.xml | 376 +++++++-------------------------------- docs/images/bridge4.dia | Bin 0 -> 1797 bytes docs/images/bridge4.dia~ | Bin 0 -> 1794 bytes docs/images/bridge4.png | Bin 0 -> 9094 bytes 4 files changed, 66 insertions(+), 310 deletions(-) create mode 100644 docs/images/bridge4.dia create mode 100644 docs/images/bridge4.dia~ create mode 100644 docs/images/bridge4.png diff --git a/docs/OPENVPN.xml b/docs/OPENVPN.xml index 1ba0ede02..c06bb3886 100644 --- a/docs/OPENVPN.xml +++ b/docs/OPENVPN.xml @@ -436,315 +436,71 @@ verb 3 article by Marc Zonzon -
- Securing a Home Wireless Network with OpenVPN (OpenVPN - Bridge) - - This section will describe how we once secured our home wireless - network using OpenVPN. Our network as it was then - Our current network uses a similar technique -- see the Xen My Way article. - is as shown in the following diagram. - - - - The Wireless network is in the lower right of the diagram and - consists of two laptops: Eastepnc6000 (Dual Boot Windows XP - SP1, SUSE - 10.0) and Tipper (SUSE 10.0). We used OpenVPN to bridge those two laptops - with the local LAN shown in the lower left hand corner. The laptops were - configured with addresses in the 192.168.3.0/24 network connected to the - firewall's eth0 interface which - places them in the firewall's Wifi zone. - OpenVPN bridging allowed them to be assigned an additional IP address from - the 192.168.1.0/24 network and to be securely bridged to the LAN on the - lower left. - - - Eastepnc6000 is shown in both the local LAN and in the Wifi zone - with IP address 192.168.1.6 -- clearly, the computer could only be in - one place or the other. Tipper could also be in either place and would - have the IP address 192.168.1.8 regardless. - - -
- Configuring the Bridge - - The firewall ran Debian Sarge so the bridge was defined in - /etc/network/interfaces. - - # LAN interface -auto br0 -iface br0 inet static - address 192.168.1.254 - netmask 255.255.255.0 - pre-up /usr/sbin/openvpn --mktun --dev tap0 - pre-up /sbin/ip link set tap0 up - pre-up /sbin/ip link set eth3 up - pre-up /usr/sbin/brctl addbr br0 - pre-up /usr/sbin/brctl addif br0 eth3 - pre-up /usr/sbin/brctl addif br0 tap0 - pre-down /usr/sbin/brctl delif br0 eth3 - pre-down /sbin/ip link set eth3 down - pre-down /usr/sbin/brctl delif br0 tap0 - pre-down /sbin/ip link set tap0 down - post-down /usr/sbin/brctl delbr br0 - post-down /usr/sbin/openvpn --rmtun --dev tap0 - - Note that the IP address assigned to the bridge is 192.168.1.254 - -- that was the default gateway address for hosts in the local - zone. -
- -
- Configuring OpenVPN - - We used X.509 certificates for authentication. - -
- Firewall (Server) configuration. - - /etc/openvpn/server-bridge.conf defined a bridge and reserved IP - addresses 192.168.1.64-192.168.1.71 for VPN clients. Note that the - bridge server only used local IP address 192.168.3.254. We ran two - instances of OpenVPN; this one and a second tunnel-mode instance for - remote access. - - dev tap0 - -local 192.168.3.254 - -server-bridge 192.168.1.254 255.255.255.0 192.168.1.64 192.168.1.71 - -client-to-client - -dh dh1024.pem - -ca /etc/certs/cacert.pem - -crl-verify /etc/certs/crl.pem - -cert /etc/certs/gateway.pem -key /etc/certs/gateway_key.pem - -port 1194 - -comp-lzo - -user nobody -group nogroup - -keepalive 15 45 -ping-timer-rem -persist-tun -persist-key - -client-config-dir /etc/openvpn/bridge-clients -ccd-exclusive - -verb 3 - - The files in /etc/openvpn/bridge-clients - were used to assign a fixed IP address to each laptop. For example, - tipper.shorewall.net: - - ifconfig-push 192.168.1.8 255.255.255.0 -
- -
- Tipper Configuration - - /etc/openvpn/wireless.conf: - - dev tap - -remote 192.168.3.254 -tls-remote gateway.shorewall.net - -client - -redirect-gateway - -ca /etc/certs/cacert.pem - -cert /etc/certs/tipper.pem -key /etc/certs/tipper_key.pem - -port 1194 - -comp-lzo - -ping 15 -ping-restart 45 -ping-timer-rem -persist-tun -persist-key - -mute-replay-warnings - -verb 3 -
- -
- Eastepnc6000 (Windows XP) Configuration - - C:\Program Files\Openvpn\config\homewireless.ovpn: - - dev tap -remote 192.168.3.254 -tls-remote gateway.shorewall.net - -tls-client -pull - -ca "/Program Files/OpenVPN/certs/cacert.pem" - -cert "/Program Files/OpenVPN/certs/eastepnc6000.pem" -key "/Program Files/OpenVPN/certs/eastepnc6000_key.pem" - -redirect-gateway - -port 1194 - -comp-lzo - -ping 15 -ping-restart 45 -ping-timer-rem -persist-tun -persist-key - -verb 3 -
- -
- Eastepnc6000 (SUSE 10.0) Configuration - - The configuration was the same as shown above only with - "/Program Files/OpenVPN" replaced with "/etc/openvpn" (I love - OpenVPN). -
- -
- Ursa (Windows Vista) Configuration - - In December 2007, I acquired a new laptop that runs Windows - Vista. After a frustrating effort, I managed to get it working. The - keys to getting it working were: - - - - You must run a version of OpenVPN that is "Vista Ready" -- I - used Matias Sundman's combined OpenVPN 2.1_rc4/OpenVPN GUI 1.0.3 - installer (see http://openvpn.se/). - - - - OpenVPN GUI must be run as the Administrator. In the - Explorer, right click on the OpenVPN GUI binary and select - Properties->Compatibility and select "Run this program as an - administrator". - - - - If you encounter problems where everything looks correct but - it doesn't work, reboot and try it again. - - -
-
- -
- Configuring Shorewall - - In this configuration, we didn't need any firewalling between the - laptops and the local LAN so we set BRIDGING=No in shorewall.conf. The - configuration of the bridge then became as described in the Simple Bridge documentation. If you need - to control the traffic allowed through the VPN bridge then you will want - to configure Shorewall as shown in the Bridge/Firewall - documentation. - -
- Firewall - -
- /etc/shorewall/interfaces - - Note that the bridge (br0) is defined as the interface to the - local zone and has the routeback - option. - - #ZONE INTERFACE BROADCAST OPTIONS -net eth2 206.124.146.255 dhcp,logmartians,blacklist,tcpflags,nosmurfs -loc br0 192.168.1.255 dhcp,routeback -dmz eth1 - logmartians -Wifi eth0 192.168.3.255 dhcp,maclist -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE -
- -
- /etc/shorewall/tunnels - - #TYPE ZONE GATEWAY GATEWAY -# ZONE -openvpnserver:1194 Wifi 192.168.3.0/24 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE -
-
- -
- Tipper - - Wireless networks pose a threat to all systems that are - connected to them and we therefore ran Firewalls on the two Laptops. - Eastepnc6000 ran Sygate Security Agent and - Tipper ran a Shorewall-based Netfilter firewall. - -
- /etc/shorewall/zones - - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS -lan ipv4 #Wired LAN at our home -net ipv4 -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - -
- -
- /etc/shorewall/interfaces - - #ZONE INTERFACE BROADCAST OPTIONS -# -net eth0 detect routefilter,dhcp,tcpflags -lan tap0 192.168.1.255 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE -
- -
- /etc/shorewall/policy - - Since we didn't expect any traffic between the net zone and the lan zone, we used NONE policies for that - traffic. If any such traffic would have occurred, it would have been - handled according to the all->all policy. - - #SOURCE DEST POLICY LOG LIMIT:BURST -# LEVEL -fw net ACCEPT -fw lan ACCEPT -lan fw ACCEPT -net lan NONE -lan net NONE -net all DROP info -# The FOLLOWING POLICY MUST BE LAST -all all REJECT info -#LAST LINE -- DO NOT REMOVE -
-
-
+
+ Bridging Two Networks + + Occasionally, the need arises to have a single LAN span two + different geographical locations. OpenVPN allows that to be done + easily. + + Consider the following case: + + + + Part of the 192.168.1.0/24 network is in one location and part in + another. The two LANs can be bridged with OpenVPN as described in this + section. This example uses a fixed shared key for encryption. + + OpenVPN configuration on left-hand firewall: + + remote 130.252.100.109 +dev tap0 +secret /etc/openvpn/bridgekey + + OpenVPN configuration on right-hand firewall: + + remote 206.124.146.176 +dev tap0 +secret /etc/openvpn/bridgekey + + The bridges can be created by manually makeing the tap device tap0 + and bridgeing it with the local ethernet interface. Assuming that the + local interface on both sides is eth1, the following stanzas in + /etc/network/interfaces (Debian and derivatives) will create the bridged + interfaces. + + /etc/network/interfaces on the left-hand firewall: + + iface br0 inet static + pre-up /usr/sbin/openvpn --mktun --dev tap0 + pre-up /usr/sbin/brctl addbr br1 + address 192.168.1.254 + network 192.168.1.0 + broadcast 192.168.1.255 + netmask 255.255.255.0 + post-up /sbin/ip link set tap0 up + post-up /usr/sbin/brctl addif br0 tap0 + post-up /sbin/ip link set eth1 up + post-up /usr/sbin/brctl addif br0 eth1 + post-down /usr/sbin/brctl delbr br0 + post-down /usr/sbin/tunctl -d tap0 + post-down /sbin/ip link set eth1 down + + /etc/network/interfaces on the right-hand firewall: + + iface br0 inet static + pre-up /usr/sbin/openvpn --mktun --dev tap0 + pre-up /usr/sbin/brctl addbr br1 + address 192.168.1.253 + network 192.168.1.0 + broadcast 192.168.1.255 + netmask 255.255.255.0 + post-up /sbin/ip link set tap0 up + post-up /usr/sbin/brctl addif br0 tap0 + post-up /sbin/ip link set eth1 up + post-up /usr/sbin/brctl addif br0 eth1 + post-down /usr/sbin/brctl delbr br0 + post-down /usr/sbin/tunctl -d tap0 + post-down /sbin/ip link set eth1 down
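Review bot: Both new `/etc/network/interfaces` stanzas create the bridge as `br1` (`pre-up /usr/sbin/brctl addbr br1`) while the stanza itself is `iface br0` and every later `brctl addif`/`delbr` line names `br0`, so `br0` never exists when the `addif br0` lines run; the line should read `pre-up /usr/sbin/brctl addbr br0` in both stanzas. The teardown is also asymmetric: the tap is created with `openvpn --mktun --dev tap0` but removed with `tunctl -d tap0`, a tool from a different package, so `post-down /usr/sbin/openvpn --rmtun --dev tap0` (the call the removed section used) is the matching counterpart. The static-key example never says how `/etc/openvpn/bridgekey` is produced, that the identical file must exist on both firewalls, or how it is protected; a sentence such as `Generate the key once with openvpn --genkey --secret /etc/openvpn/bridgekey, copy it to the other firewall over a secure channel, and keep it readable only by root (mode 0600)` would close that gap, and a note that a static key offers no forward secrecy, unlike the X.509 configurations earlier in the article, belongs beside it. The example also omits the Shorewall side of the setup (the `/etc/shorewall/tunnels` entry between the two firewalls and the `br0` entry in `/etc/shorewall/interfaces`), which is the subject of this article, and `makeing`/`bridgeing` are typos. Separately, the diffstat shows the commit adds `docs/images/bridge4.dia~`, which looks like an editor backup of bridge4.dia and probably should not be committed.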
diff --git a/docs/images/bridge4.dia b/docs/images/bridge4.dia new file mode 100644 index 0000000000000000000000000000000000000000..8d8269d42a443f78727d71496dee3749dfc22609 GIT binary patch literal 1797 zcmV+g2m1IQiwFP!000021MOQ&Z`(!?zUNm6%GF-&`w_*2erS8u1j_Xd7uv9}n&H^Rhyx*X2abopj9y1&0i!9(JuQH%nAg%UgZ z*9!t~1VW?X)vLkase-AOdhS{A)JxOYAFon72)%{99FD!o?JSN~;dGcw6>^g(h~mMW z7hDcs-(;`hs8BQ7(6dGN(wo_FY`xoN)fisJv{AjZaarwR86`f5qz}uANP`~t`-w~; zm4Hwi53h~#UA}~INbPo z;ezLdi=P+HPp+3yoW`D?Rw2hx6j(3JQPX&3+v6k?FMtr+W)^9${l-tzXvg?(ydc@f zfc){dj5{=YXR$xsp1d0p4O;H~X*$3D+LOC-?GHU^zw;A+9N4VW$y z9$H4hWJ(h*2_^=!mfnM9 z%I-1@yoNVlqyv~^gjHp#%B3X6?I3RaAlL(9vk*QEBAG|`*EQAl?lR(FUnS{7V9NkD zTrG-;sSsK1l6H{)0)Kfuk7ECyC``Rzt8t|o<6sz|u+*O%0VIEz6J`enC0!Yma)im5 zK~f3TCyP>sj1dkz@^h&2E{yg#L zi9eh9^G{%(sTWUyLO&Mi9{S0$OI49PnE8*-(Cf#1T^0!^n4M*~~>X-xqI;aUgio)2!kg&#b? zxV$hK4zi@W9BNoI^Y8v@gFEXY@%()hOrPe|;p3JeS<_QnkBdM8pR(~gWaE~E z+MSK0IhBu+jqg`UO@BppO~iA8ULQ>G@wxTeNw1zEXG6v_`l6meP= z;adm5p&XK0I<1mZwM|qOW)<;s+|4(vaCMDK)%g$zF~)_P3(;rak|HXU;Q+(k`f&lU zT40l%af`NnvAuJv-pE=xoE=VKgpHByMg^Ok$+A3{y4x>DTNudhGOb5$*PTNUn2$hB zA(6nUEzj;3g#-!7C1fa<;(}qMfd^bvU@UdtG1z2f4L!lYa#1c?JLE@UdrFaETvokY zdtghM<4zI5l!Qf5;Qi_P}hRwH7FTkpA|glrWxFh)W0KzbIU zH=VN#T&A;m==H4Mc|<#&$6PCU0iPuU<~2xB$ywhyR%c_q7%?ip8bI_*qxpVH_}z_u z()rFF5Sr#$H1u3-Xl(#S!(N(Dk@dDP*7-%gw$<}aW zJ{nJ*{%7s_BPiBI>7s+5?^Qo|LMH5#{Ias3^{qd=ZVu=WBAqj_fC4Wk0!llb| z825f&r4-~85L@H*2erS8u1j_Xd7uv9}n&H^Rhyx*X2abopj9y1TnW!F}STQH%nAg%UgZ z*9!t~1VW?X)vLkase-AOdhS{A)JxOYAFon72)%{99FD!o*I68`!s#%VD&!_n5XFOA zFSs1OzR6z0QK4qEp=XQkr8l$V*m_@^RbzM=(?<2u#$~mOWt8|JlHM;XA`N=n?a zR02Zb?CSOJHcf5(Iv-Z?aILRyu#G_J!i#5qSj7VW1i3RP63n=lBw8>`6?^c@;c(;U zg$te+E`DA(Ke=8;aToyZ}OMn^~m2_8UJhF)EzC1e_ zgRj5dF&c7hjZ4H-TVciFOT=vDPi?Xz%r<2jG|daK(Jrr-<@R+<{;0HIXApsRZ{tG! 
z`}I;iC?>dIoF`t0#(&#MTA262PbSgeeDKka?H!Z|!*%Tem4`pQ9R7hf9aJ_6)B*QZ zJhY4+!w4fS&Im@NY<872ngGV*vi=xs@WNSOA2C=4g0*263@OUFJ|hwtK}9=U8`#D5 zB#Ogojc`2UGLVc&ss^qXD$O({*htNY6lz@!wZNKNe>P8>!6edLGNlQZ1QUZzZnNcNuZ8uafjWuw?)n zt`^0_REVs0Nju1Yfxo<-N3s7;6sBIV)woiPaWD)}Sn5xX0Fpn<39|!(lCBI&Il|=3 zAgP4vlSL^*#s~)_#RUZ_&|EkY6;#tcN%RQzorv^Aq$eW%KM?5$2#x9B%N)w#8ZM<> zxzyEakeRM#Yg-xa#icn8$#A$47eqmADu|;~C2+4b=@Crahfblm-ryWcdZp77f1ddB z#GlRl`6sZ?)QhJ;p`Y!y^a*#8f;(Af?qpCBN_qzGf)mpxdlIA-H)n*xR^IRnB9JzU zpAn7-lP!@`=awCftCCDphGd=o4Y|_6z;9t{fu_@jqk%2`w5EW9aIFJ$&j&Z&!Vm6Y zTwa(A2U${G4mGTq`FDS{!L4X>LrcZO~@Nra#x-K;l?FO;+~}4 z2FMHiS-7zEGr6WcvL{My_wcZsxXp&t%)o5FRGUO$2pJ4?lT;Gy;V*+Z5R?l{h|4s} zYPrGsuV6K=_C-rt_u;`$Hoc4DuRw!ee)%-`-4DOkP$BP1g$zjz+u|(#D5pJA;S;2+ zxtUdWI{R!C=IxN3XRmEI%`9qVXG7VU4@@x8vRvCysdcT(`Y+3lhR`ada4Ds#1ys$K z$@kAk(YZ8n+bf){2R&CN4?q-Y0sFeFXXYvuh7_T+=X7i`v!bRC$ed*4drOc)r7Mtz0twzKUx88F_3E3)YV2py~f%Ggy zZ#rigxJ+mB(Cb;h^N4mlkGWRz0zOLy%xjRMlC!>Ztj@-IF=AAHHGt@sM)UoY@VguR zr1PCUAhc{9)~##UJ&O%ZG-CjR1);+AwlFmk=9}uaz|Yy`Cx#*-fsLSO;v>p`&TfC- zz5e=OJT>~Cwb6ehX6k+y4%PyzrkBV} zoo|+@qIW?E>XVsZ>qRmc*n28$T+PH4Qx4W>Mt^*2qF5pVJ4nLeUCE!4nQ-au9LBxh zn5YlW6IZ=NuIhY~i#}WtB|sjc=i^eD-$m727NdofMP`YW(KV*MZsiSBze9~j zLdStnz^COfRa!p!KJZGz-Nsh%N6MIQ3oC0%?^aKeNaC1Cs;upD$5Y0)5J;METsIeN zJf&2$#5{B!W`+atr#BUdlbXYshJrnOrA6RCAn`CBuxedAd5QslK5FCJzvNrfb_J9B6J92|`5Pze&Q2EvTmt3!k z6N4JO-dYB|c%Gi73Kp@s8WX;%1Myd(KHLsnH_hlb)N=l36)6Vb&;R#b!$((KiAbaj zQ7iTLvF5=f5Ibfp4?83w2L@62-5GKuov}O`jgkeiQH=VZm!+UIm$J^I@INg3dXG@~ z-YbVlOU8szZMNO$VsId8N$VKse_7Xm&auhGo*JUSYuUUJuy4xq`UnE4Pru&d|9Q~= zUuXC4B0wn5i4t@FU#tBu5fM$fI$x3JRC%}hyDYPN$+gb3{Vmx(`rvn&wTNxspXnxV z6biM!+#5p9Qjfmy>Mw|(=RaK%^c$;ooH#x{&eljg+@A3pD}RcJRdBf%FOp* zczyVRV3VGsytw#L8;Rh%hzOeK6j^TqLj&KDGuNw&qk?cQPvd5vI z=}IA_?I0M|$u#Sq_)Uf$iP-cAk!Ds`R~wd?!v;$%USf0h_FNB+zr>lNNGO;k zFoopwPj9{zb{rR_vIoIXRt{eIk*OM$PdGLL57eEPbD=Pz@aB@N^c8I>-OG>^chv! 
z>9{-{wzajG_TFx)tgKvIT>SIrk8%Y4P5F)zo8E+rZNIBq_Z*DS=u3Z`8#VOQxZr0a5Ok+9({zRNekv z#<^O)UOLS{_j)6@rQ&GXyTmI`6DdZzFc-o`9}RBYahYgSCI)%5J25?Swd}h-ln3%F zJhXf1=Z_z2lXVq2jwh>`QR{`~C=?9lRO8*7Acp4EZ7Bq`&{wg0&v6{PJ!5e}SJ3Qx zHZnBC__oZpKc%frar=;8UfyqGqzDnaWO(7LL-yyhZOUh`c@fZfzOuABo+nQAld%F

sg$WbcU6L=f!z5U#V$*9z%QknvE#Z;q-6JRg6L~ zkk#9vX^$Ddft7xHck@@iegO~#P-hf3?;;&-fo`Ncea|M3o_aMJrUrz>-aaq+=aAsW zZ0nn6-C<#2-bY(vXo;}!E)(abr;I8s=nG^P5D{tjKga6@B?M$lf5Fz)*0?p3pp|?i zHfMWlIjIH)2KnDjsvUGJu)4asS}8JXO{a71A#nm``ApvsZwT_ZTTYe}fyPL0)wXLQ z67M;xKYYk6YWE>r6%W4w5x^lTeP$&aWOIBAOT10V1ewBPpk3#=a|gBJs?}gOekL*86bC@1SwNk0v@cmiA!bZ>|T(#WxgkrMejT%Uz0(tb_ktKIoeZO!#b! zin@w76>0q5m|LWugqM#G(7aD5Hm)M(UnhnZ$R4&xAw@GWCi+?QUZo8}OO z)C)g%9xXJExmM$kUz(}2va|EqJT}LlGJcDN>jE+Am)>ry=$A8bes}&XlS8SGpzi3=9Q^6l`)1IfbA+kQ$61Qc~oAhJGZKv2Ms0Q9_niR1lIfrm<2m z3bEIguM0Xi3Fd!v0$Z}N$?0t5=-yb13QR6I5YJIY|)Z~4ndH?=> zHMOpup7WNgvlbwE-XojfurKI9#^#zA`Q5D+=oWgXk$BGxeX_*=s8UT$ZFQt*V#;G? zvkp27L>-8QtQS`8;lqdEk;%IKUhx^9o!QpepZP6~2hB2jU7RN;Cq*VT?hRAmF1_8| zXDjkodFJ_fc{ioq9crAW{*H;6a`FJxELgYrH-q_WL{q)bi7St{!X}#&Q$bO)q%5Zub={=tV`B^v9F+S)=ukU=ZU4~}G$V|`}1)DcG0 z`f<3xu;f|LwzeV2im~gDg3%^gO`_gqSF3Xu~`GirizLRP$J(7itB$Cx+{H@A+<~sDn=~RP9NZm_Pe@#2*OafVAI|m@|%F4=Fcn}vnFMzEa zx5TRZXo}0Zl{PD3tb=@AJXf-01 zY}!PAtBZUV{rxTT7PKsa0~QbPj%gQF&>|9^N0=o%WQ>qjv$+a2aI6CySYD6wcJ1OJ$Nuk^* zT;yK~fw*v-zQMFN_|stlh5nB}Q186q`RwvzdkAWIpJ;MC!o|Mw0r9d{Jsh(E!$ILT zDl0_=suM9|T!Ox}tZP5TKc#yd*AzQ@!lu)|i)j57_qC`AW09r#I|YqDk9%%6*^IZG z{sPaI5dV~VmOc97QAs(j8A)lzMyS%vAc|=Y>bfIFoP{S5N^ZM)65}-gH-0>f>uZqi z8?Y?$3?=m)cHXaqDBK>&yF4Gj4VY3s{vbXkLgDgBZZqL;#8RF*eo$0bs9pP&3>nf{ zb`4W=dddaIv0?saqx3}tER8Sv|B`X#(Kk}k6fDk^Uuc>wW1&{~#7Q+ikenh~%#+?-&rqY6M-RLNeQ3v3$? z?lYu{U6mKFuYC^AyOi(8O}99-dvV^AAO~PfdW$)Hh!|;QVRC4DL z!V|!l7Awb}rC#MH(>ZPhD$8zeE4oZDM1xh)(a}{oO-TU^17JWQi~Vr2-HM~9o+gbD z*Id=viKAA02c>pUFCCMwe!V*nB!!$!uCcs)59n*MxbrlaGUE7*VX&Cn8jngJBLJup zlaPQOwEy)6#UF4;W45Vu(EvWlSY?incNc)tf-^ij+McPfjq2Yt)YD^@bp4B)dnHnQ z8k*}yB}{4!`Z-uh)inMFtmhu}sQ}=m#g!Fr^f}Ggtk{1L@RT-B@ zw8vA3ZG1%^Exz}u{3g{;o<3b#TJk+viUV?I-t2P{aD&hsee$&I+-=Cx_X98JDWG2! 
zc}-S5H$3A#ox+ds8lMTCt@Z=&Od?R51~wN+BETqWhneq;;MPdM0y+Qs#j~mK@No8Up$WBGcZB4tb-f(TWaN`m>{<%<4gR*0#LK(#?-Gd@M%*ap zS&gsIWbHgWJe1K%NzCmtIho`eZ_Yhh&XPk-L3>>I9wi8e!vzIv>N1keN^@-$8Ynvs z$=bEU)RA|1dCA&e|0(;9{EMHz*NS1Cmu~l}q;hD)YWZrU$YiC4LqCfD(c_j#ex}fA zB?|KG2igD@7d=gNbva?zG!yEx(@MDheR9&Y{|Z*_zBzt_klg2ZE(C_s(HQ`g3I+-g ziRP=zGaUWFdN(T1i-S?yz9eH5>aN4@Qub|5CvUx5>H*D1xShS!i zlB%jIzsvnpMkh~1hWa!6QG zC~N~_l|7oQa9bPH&CwLIAN)&LScgxZ#bzSU?*lK;20lSSdGz`5N~&Ka2QO(p9Dm-9I^72&`mmt|i=^w53O0iW)2|mI!GJkc`(nYtY0Qcf z(10bQ#~c_QrmG!ITwV8oTCRHz{xKtVTgbQw4q+l*NX<+Vwgw0OLSKKFOnkER*>HYf zU?5O0V;?CWr;Zgwv8n41u5|>+_UwnB_f9uT*Z_|KmI4beKKSPZFlJDgk%$;3bj1n%hAP28Kp2aSz2(6GIX><>{>r^a7?5FXlT&&Am6P zM$KuWy9FBfq@_)eHa+n#79zz39#wWNxqgg`8yy+R&dIr2H*BGf#wVedxxoGc9VhY` zpSjO&CqPQU=3_-Vagev*nxD6NWnW{w2BZfJrHzlCf))qZlqxzroLEfdc?EPMGUz!& zitphV7?!wi-=0RFZB9EEb}#K2BNbX$P>P&FXBW5s`U|`Ei(62z1f++B&u;K3l$1#{ z*K>avX0^MP`|>=VWih`Nm>F){)3V&$s#8WBFc9T+hi7FO7fM4JDTf{$wVM%LU>X3^ z>sX#Hm?ZBtovs&vk^b`hgzR*Jlws?I3uRy+e>(H8XQGwa+1G7m{btQX5vvRqqvSYV zXoi$=YVpyB-qNo{jVQfBq$zW3y9RVD5F|D* z;9jU<3NGBPqi=`UKoI z$A|y3TQ%UauzLR~1H=Ia!Ryd~YueE6+52X^9B6hyHC1klt`*lqB?{itqmun67b!P3 zF3SM51_uXojNnlrw4n^s_gD62eyhLEb~$u%;Fq#1vdAclglcSiVF)j*2ks;|nc^`A z$uG@H;NkO{KBt*Fre+qzM)G3ncK@Eo_|usmJ8c@Z_dqfv zF~0s=7?e0$LNt?rDxGR)x=j!js6<8Uvw(TWWEwsL1)zTai}3Wbcn&TJ2B7F)({Hle zmaFxT#n=s<^)Mp&%10mlO`R0M8eCu7AfE7nnki=8kUdHA{Y>5plU;_%^M8*{ktN{? 
zeop2s8I;TgapMX3ydRV4Et;uE)=Z|V)~j=>%n1WQH2Qd+0>&;uS^$XG_{JF}L%mjiOnJDjtdXOL@i|n%NLog!=xgEO zJB^3kDHD-GFLp(%8MacC2U@tdA^$8AG3h&YdTEDNfn*`m&eD7UT9y9x%21weD*AK{ z_;0tlxoe(}ZoQY@%FWB8ioS+Ew*lp6b5Zh_M*K-hNrfpVK(TH5l05q)SF*l*`I4QT z0%Y0mq}yUBT&^ZHIXO8tRus^cwDJVJt==oN)~Ji7&r#1BQD~7#sS8h+tN7Mg*Ip34 zscBU2w&r^@mBYFXj0#Zhz@ezH?XNa^3g&PIQen|XKf4_ycHKmaqUW}-f_CIu6qg9;0G`Y2<@3E z8c+aWE0`;QV1uGZ!=7NmD0-E0^PWTe*q0kN%G={rylF6ugw7y^_e{AJ-DXN`kE_+1!8_%{HfU^or{!V~c%8Ot| zGPLkLcuRJx`FyV%xKaY((T-3m;JuJEnImZm2<0=aEd|gDD+i1PN&$S1bhtkJyeD25Sob?AP!3x6 zaG?Toqe*PsiHhvpxI|L0y-PAMnSa`-Gm1UaQ<(V#E6|y)`?fGvf*-@JQZIn6o!aud zI-3Dt+I-ZB2O9*A(B9r2a6VH(O@Yr?fO`)<=K*=a2Zz_KW$&22vdn>2tcxX`4g?5M z9auRAHssC??*Cf7dY>#b#ah=ksu7=pU6+*Ne?RnZ3tE36njCf@Bh+K(D$MEgY<1@S z?Nn)7-zPE-Q>-^#y(cWE>htsONUxkpMHU@JO@pz7hCw8O7}lOpMVlb{L_x3I^X;-V zqcIl9CL+D~ZLL56Bq08amTgq;ncl7R+x2B)2T3P)fu#dL32GaR42n&o32f66-5ZX; zgDUWrjY-bgGMTohKe%uTuyl#QEXdkaL$qr<)gXtM_WtUBe>#zHPx>8v?bUgMkSc=Nm+8clV zZ9tAJH6z< zv{?(RyNhrDsSJ4FaqpFA?Y-OeRrDCqT4FeYja2qL z^m7|TfiMfNh>{j;8vbc8m2_dc_Xs$$nCyzZ;2yZRv%z!5FA}f zF*le>zv5>>X(RKitz?0%1Yw`I(|bkVglL@>R#gx6>RBbVd#|GZ^0Y7WvF}XL6_H&@ z!2x3xY#rzkhLGEtpaj%11cUdQhiL~9Wr)u?1{Ox zDq5?kjv-Q_kcV+~ya!&K6)7%;9**F}3*L^VwxTq~ft&*}0;p>SO*H{!pPI(58dpGp$n9l%X?*g_~d4V^!rkfv+#ewDV$s2w-)KEPw#r2fPL2% z9Gh134@JG+ms>fJ-BleUx*MvCcCg_T#X|-5fup^2&M7lZn{(QvLn%5yv4wd89--yf zS;N9jK_*-{;w8W=S!eJdZcnG4L1?n9@*5b}YE%O&u9CXHSje>N%~j*nSpQOXE{VWq zS>k#)n^<_Pe=aS?cqU93>ILJH0I?Bx_3#E-@;L;CiJgtT2;}@g%?v(AHBoDZ#&R}$ z#!yqj-7r#6M5{as7k4R?CSPiI;&VKTe<3va`ngHL>4frXM9}xkewl+W=W9evVpAF* zA>h{6k%Z%2 z-hhw=r0sB`aABR&!b5el1Ak(-_v_X6aQsU-d3*q{vJ6T7GMVH-+=gHzpv15&ywz|~ zP$r_us_6sQ5dmM!STUfiN140AxtBmc V*}LTjY7+vvudInIR(u@zzW_cdKnDN- literal 0 HcmV?d00001