# NixOS module: an on-demand OpenVPN client instance named "threema".
# The instance is defined but not started at boot (autoStart = false), and the
# generated systemd unit is forced to never restart on its own.
{ pkgs, lib, ... }:
{
  services.openvpn.servers.threema =
    let
      # CA certificate used to validate the VPN server (referenced by the `ca`
      # directive below). writeTextFile places it in the Nix store, which is
      # world-readable; that is acceptable for a public certificate, but the same
      # mechanism must not be used for private keys or for the credentials
      # requested by auth-user-pass.
      # NOTE(review): the DER header appears to decode to CN "OpenVPN CA" with
      # notAfter 2029-05-12 -- confirm with `openssl x509 -noout -subject -enddate`
      # and plan the rotation before it lapses.
      cafile = pkgs.writeTextFile {
        name = "threema-vpn-ca.crt";
        text = ''
          -----BEGIN CERTIFICATE-----
          MIIDMjCCAhqgAwIBAgIJANmI9BYPseTxMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNV
          BAMMCk9wZW5WUE4gQ0EwHhcNMTkwNTE1MTQzOTM0WhcNMjkwNTEyMTQzOTM0WjAV
          MRMwEQYDVQQDDApPcGVuVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
          CgKCAQEA7NaiObgz2L5wmGIgOWUe1n6Q1g6Y5CYsrMQI8yhIDqKSx0fTL9eT2hvn
          zThnltxKJRVTn0qGPf/7QF6WzjIXfKSJH5Cb+OKgYmqfRI2TW+ncqyJCaa3Fl9lI
          VgU4knro6Cp9dhNhrNmRoRFvZ/17noB4+WPds7EgRObDi2ERuwAbONgz56J2Rea6
          RHVL6HMFY7v8Zp8B/MnzSba/OSJC7RXCuCs6qNOgJOoHnp5PnsB3V40mszy4h/0Q
          jVbBdZ3K4rEjNiawhCOetXhgHSaVGH4MP5oWrAN4UiI+IIfz6Ywz5mc7F6yBZa/e
          aCG+r2bMUIepVPE25AUfuZ6O8+0+iwIDAQABo4GEMIGBMB0GA1UdDgQWBBQDHenu
          05GGgcztJ1FCUWQlbYxGLjBFBgNVHSMEPjA8gBQDHenu05GGgcztJ1FCUWQlbYxG
          LqEZpBcwFTETMBEGA1UEAwwKT3BlblZQTiBDQYIJANmI9BYPseTxMAwGA1UdEwQF
          MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQDTQtMeER20/3r/
          Zn+IRpIEJh/ITxEE6kKCKo59wwVEFA0Ba+7d+BslFTCPhADM2p0AzPt5OSEo0A2N
          nWGL3hhBPcnrBTFUma58gGz++v5Oy8GpfaCoXjCqfANjAbApY0JCCSWb1BJWkhXt
          vDMlVXv6UzfF4HCeEQCof4QcW8ca4csrOceW76S7Cc3Or4iyTXKQrZ5PKy081CfV
          sTLgGMQX4kZT9MBg13wDj0WkdJaWxQ2C73/me/YypcctN7t1wy7pUx33rEE1xh/o
          9fsKcFs0qqYKRUY8AnghhuimBrkHoqUcdrG/6WO7+hbipxIDStm4Qbnptde3fhJT
          rGUhGexA
          -----END CERTIFICATE-----
        '';
      };
    in
    {
      # Not started at boot; the unit has to be started explicitly.
      autoStart = false;

      # Raw OpenVPN client configuration. Security-relevant points:
      #
      # * Authentication: auth-user-pass is given without a file argument, so no
      #   credentials are stored in this file; auth-nocache tells OpenVPN not to
      #   keep the username/password in memory after use.
      #
      # * Server validation: the peer certificate must chain to the pinned CA
      #   above and carry server key usage (remote-cert-tls server). There is no
      #   verify-x509-name, so any server certificate issued by this CA is
      #   accepted. NOTE(review): consider pinning the expected server subject
      #   once it has been confirmed with the VPN operator.
      #
      # * Rekeying: reneg-sec 0 and reneg-bytes 0 switch off periodic data-channel
      #   key renegotiation, so one set of session keys lasts for the whole
      #   connection. Presumably chosen because auth-nocache would otherwise
      #   require re-entering credentials at every renegotiation -- confirm.
      #
      # * Ciphers: the data channel is restricted to AES-128-CBC (cipher,
      #   data-ciphers and data-ciphers-fallback) and the control channel uses
      #   "tls-cipher DEFAULT"; no `auth` digest is set, so OpenVPN's default HMAC
      #   applies. NOTE(review): presumably dictated by the server side; check
      #   whether an AEAD suite (AES-256-GCM) and an explicit tls-version-min are
      #   supported before tightening these.
      #
      # * Routing: split tunnel. Only the listed prefixes are sent through the
      #   VPN gateway ("default default" = VPN gateway, default metric). The two
      #   /32 routes via net_gateway leave hosts inside VPN-routed ranges on the
      #   pre-existing default gateway; presumably these are the VPN endpoints
      #   themselves -- verify. Two routes are commented out in the config text.
      #
      # * DNS: the dhcp-option DNS entries together with updateResolvConf below
      #   make the system resolver use the listed servers while the tunnel is up;
      #   both addresses fall inside prefixes routed through the VPN.
      #
      # * Failure behaviour: remap-usr1 SIGTERM turns a soft restart (USR1) into
      #   process exit, so a dropped connection ends the service instead of
      #   reconnecting in place.
      config = ''
        remote vpn.threema.ch 38417 tcp-client
        nobind
        dev tun
        persist-tun
        persist-key
        pull
        auth-user-pass
        tls-client
        ca ${cafile}
        remote-cert-tls server
        route 10.83.0.0 255.255.0.0 default default
        route 10.90.0.0 255.255.0.0 default default
        #route 5.148.175.192 255.255.255.224 default default
        #route 5.148.189.192 255.255.255.224 default default
        route 192.168.11.0 255.255.255.0 default default
        route 192.168.13.0 255.255.255.0 default default
        route 136.243.104.147 255.255.255.255 default default
        route 193.70.13.37 255.255.255.255 default default
        route 95.211.228.137 255.255.255.255 default default
        route 5.148.189.112 255.255.255.240 default default
        route 185.88.236.64 255.255.255.192 default default
        route 212.103.68.0 255.255.255.192 default default
        route 185.88.236.98 255.255.255.255 net_gateway default
        route 5.148.189.116 255.255.255.255 net_gateway default
        dhcp-option DNS 185.88.236.100
        dhcp-option DNS 212.103.68.20
        reneg-bytes 0
        auth-nocache
        tls-cipher DEFAULT
        cipher AES-128-CBC
        data-ciphers AES-128-CBC
        data-ciphers-fallback AES-128-CBC
        reneg-sec 0
        remap-usr1 SIGTERM
      '';

      # Apply the DNS servers from the dhcp-option lines to resolv.conf while the
      # tunnel is up.
      updateResolvConf = true;
    };

  # Override the unit's restart policy so that an exited tunnel stays down.
  # Together with remap-usr1 SIGTERM this means a lost connection is never
  # re-established automatically; it has to be started again by hand.
  systemd.services.openvpn-threema.serviceConfig.Restart = lib.mkForce "no";
}