Index: vpn/vpn ================================================================== --- vpn/vpn +++ vpn/vpn @@ -26,13 +26,22 @@ # assignment. # # note that you may want to add a visudo line allowing # %wheel or perhaps even all users to execute openvpn # without a password; otherwise, only sudoers will be able -# to use vpn and the root password will be required for -# every state change. -__=$LINENO +# to use vpn and the root password will be required every +# time a user connects. root is not needed to tear down +# connections, as by default the openvpn process is set to +# pivot to the account that invoked the script after it is +# done with tasks that require privileged access. +# +# (it should go without saying, but ensure you understand +# the security implications before editing sudoers on a +# multiuser machine or one that is directly exposed to the +# internet.) + +_text_=$LINENO param(){ eval $1=\${$1:-$2}; } param vpn_basedir ~/opt/vpn # the directory in which vpn's logfiles are stored, @@ -48,15 +57,15 @@ param vpn_srv_keydir /srv/vpn/ca # the directory on the server where vpn client keys # are stored param vpn_cn $(uname -n) - # the name of the device / user / resource connecting - # `vpn key` will use this value to determine which - # client keys to download. i recommend a one-key-per- - # device setup with the certificate CN used to assign - # a name in the tunnel's DNS server, but one-key-per- + # the name of the device / user / resource connecting. + # `vpn key` will use this value to determine which + # client keys to download. i recommend a one-key-per- + # device setup with the certificate CN used to assign a + # name in the tunnel's DNS server, but one-key-per- # user or one-key-period setups are also possible. param TMPDIR /tmp # a directory for temporary files, preferably one that # does not persist across boots (e.g. a tmpfs) 
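Review bot: The new sudoers paragraph in the first hunk tells the reader to "understand the security implications" without naming the one that matters, and the privilege-drop claim it rests on is not grounded in anything the reader can check here. A NOPASSWD rule for openvpn is root-equivalent for the users it covers, because openvpn reads its configuration and runs its hook scripts as root before it drops to the unprivileged account, so the warning is worth making concrete. The statement that the process "by default" pivots to the invoking account presumably refers to a user/group setting elsewhere in this script (not visible in the hunk); the comment should name that param so someone editing sudoers can verify it is still in effect. Suggested wording for the parenthetical: `# note that a passwordless sudoers rule for openvpn is effectively root for those users (openvpn parses its config and runs hook scripts before dropping privileges); see the user/group param below for where the drop is configured`.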
@@ -67,10 +76,14 @@ param vpn_pidbox $TMPDIR/pid.$USER # a directory for storing pids in. this should be chmod # 700 and owned by the user invoking vpn, ideally +param vpn_bin openvpn + # the binary to use. if openvpn is not in your path, + # enter its absolute path here + param vpn_script $0 # a path to the executable param vpn_scrname $(basename $vpn_script) # the name of the executable @@ -193,11 +206,11 @@ } || { echo -e " but named process is \e[31mnot a vpn instance!\e[m" stale; exit 1 } } ;; - ( help ) head -n $(expr $__ - 1) $vpn_script | - tail -n $(expr $__ - 2); exit 255;; + ( help ) head -n $(expr $_text_ - 2) $vpn_script | + tail -n $(expr $_text_ - 2); exit 255;; ( * ) err "action must be one of: join | part | info | clean" ;; esac
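Review bot: The comment on the new `vpn_bin` param, "if openvpn is not in your path", is misleading if the binary is launched through sudo as the sudoers discussion in the first hunk suggests: under sudo's default env_reset the lookup uses secure_path rather than the invoking user's PATH, and a NOPASSWD rule only matches when the command resolves to the absolute path written in sudoers. Since `param` also lets an environment variable named `vpn_bin` replace the default (per `eval $1=\${$1:-$2}` in the first hunk), the safe guidance is to give the same absolute path here and in sudoers. Suggested comment: `# the binary to use. prefer the absolute path, and keep it identical to the path named in sudoers; when run via sudo the lookup uses sudo's secure_path, not your PATH`. The sudo invocation itself is outside this hunk, so this is inferred from the surrounding comments.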
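Review bot: The rewritten `help` action no longer skips the first line of the file: `head -n $(expr $_text_ - 2) | tail -n $(expr $_text_ - 2)` takes N-2 lines and then keeps all N-2 of them, so line 1 (the shebang, if that is what it holds) is now printed, whereas the old `- 1` / `- 2` pair dropped it. The intent of the change appears to be to exclude the blank line added just before `_text_=$LINENO` in the first hunk, which the `head` change already does; the `tail` count should therefore shrink by one as well, `tail -n $(expr $_text_ - 3); exit 255;;`. The enclosing `case` begins outside this hunk.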