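#!/usr/bin/env bash
##
## This script will install and configure OpenVPN installation for tunnelling entire traffic,
## it is intended to be run from cloud-init during creation of a VM
##
## put this line into 'user data' or 'custom script' when you create a machine:
## wget -O - https://hmage.net/openvpn.sh | bash
##
## Assumes a Debian/Ubuntu host whose easy-rsa package provides the 2.x
## layout under /usr/share/easy-rsa (vars, clean-all, build-ca, build-key*).
##
## Environment (optional):
##   WAN_IF  outbound interface to masquerade VPN traffic on (default: eth0)

set -eE -o pipefail

readonly EASYRSA_DIR=/usr/share/easy-rsa
readonly KEYS_DIR="$EASYRSA_DIR/keys"
readonly SERVER_CONF=/etc/openvpn/server.conf
readonly SYSCTL_CONF=/etc/sysctl.d/nat.conf
readonly VPN_SUBNET=10.8.0.0        # handed out by the `server` directive
readonly VPN_NETMASK=255.255.255.0
readonly VPN_CIDR=10.8.0.0/24       # same network as above, for the NAT rule
readonly WAN_IF=${WAN_IF:-eth0}

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Install OpenVPN and its helpers non-interactively.
# Globals:   DEBIAN_FRONTEND (written)
#######################################
install_packages() {
  local packages=(
    openvpn
    easy-rsa              # for easier generation of keys
    netfilter-persistent  # for NAT
    curl                  # for getting our ip
  )
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get upgrade -y --no-install-recommends
  apt-get install -y "${packages[@]}" --no-install-recommends
}

#######################################
# Generate CA, server and client certificates, the tls-auth key and DH
# parameters with easy-rsa 2.x. Runs in a subshell so that `source ./vars`
# and the directory change do not leak into the caller.
# Globals:   EASYRSA_DIR (read)
#######################################
build_pki() {
  (
    cd "$EASYRSA_DIR" || die "cannot cd to $EASYRSA_DIR"
    # shellcheck disable=SC1091 -- easy-rsa 2.x environment file
    source ./vars
    ./clean-all
    ./build-ca --batch
    ./build-key-server --batch server
    ./build-key --batch client
    openvpn --genkey --secret keys/ta.key
    openssl dhparam -out keys/dh2048.pem 2048
  )
}

#######################################
# Abort unless every named file exists and is readable in KEYS_DIR.
# A missing file would otherwise be embedded as an empty block, because a
# failing command substitution inside a here-document is not caught by -e.
# Globals:   KEYS_DIR (read)
# Arguments: file names relative to KEYS_DIR
#######################################
require_key_files() {
  local f
  for f in "$@"; do
    [[ -r "$KEYS_DIR/$f" ]] || die "missing key material: $KEYS_DIR/$f"
  done
}

#######################################
# Print the host's public IP address as seen from the Internet.
# The value is untrusted network input that ends up in a file name and in
# the client profile, so it is rejected unless it looks like an IP literal
# (no '/', no whitespace, no shell metacharacters).
# Outputs:   the address on stdout
# Returns:   0 on success, 1 if the lookup failed or the answer is not an IP
#######################################
public_ip() {
  local ip
  ip=$(curl -sf --max-time 15 whatismyip.akamai.com) || return 1
  [[ "$ip" =~ ^[0-9A-Fa-f.:]+$ ]] || return 1
  printf '%s\n' "$ip"
}

#######################################
# Write the OpenVPN server configuration with the CA, server certificate,
# server key, DH parameters and tls-auth key embedded inline.
# The file contains a private key, so it is written only to disk (never
# echoed to stdout, which cloud-init logs) and restricted to root.
# Globals:   SERVER_CONF, KEYS_DIR, VPN_SUBNET, VPN_NETMASK (read)
#######################################
write_server_conf() {
  require_key_files ta.key server.crt ca.crt dh2048.pem server.key
  # NOTE(review): auth SHA1 / AES-128-CBC are the original legacy choices;
  # consider auth SHA256 and an AEAD cipher where both ends support them.
  # duplicate-cn lets several devices share the single client certificate.
  cat > "$SERVER_CONF" <<EOF
port 443
proto udp
dev tun
server $VPN_SUBNET $VPN_NETMASK
comp-lzo no
verb 4
auth SHA1
cipher AES-128-CBC
persist-key
persist-tun
sndbuf 4194304
rcvbuf 4194304
txqueuelen 10000
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
status openvpn-status.log
mute 20
mute-replay-warnings
key-direction 1
<tls-auth>
$(cat "$KEYS_DIR/ta.key")
</tls-auth>
<cert>
$(openssl x509 -outform PEM -in "$KEYS_DIR/server.crt")
</cert>
<ca>
$(cat "$KEYS_DIR/ca.crt")
</ca>
<dh>
$(cat "$KEYS_DIR/dh2048.pem")
</dh>
<key>
$(cat "$KEYS_DIR/server.key")
</key>
EOF
  chmod 600 -- "$SERVER_CONF"
}

#######################################
# Write the client profile with the CA, client certificate, client key and
# tls-auth key embedded inline. Same handling of the private key as above.
# Globals:   KEYS_DIR (read)
# Arguments: $1 - server address to connect to
#            $2 - path of the .ovpn file to write
#######################################
write_client_conf() {
  local ipaddr=$1 out=$2
  require_key_files ta.key client.crt ca.crt client.key
  # remote-cert-tls replaces the deprecated ns-cert-type; it requires the
  # serverAuth EKU that easy-rsa's build-key-server puts on the server cert.
  cat > "$out" <<EOF
client
proto udp
dev tun
remote $ipaddr 443
comp-lzo no
verb 4
auth SHA1
cipher AES-128-CBC
persist-key
persist-tun
sndbuf 4194304
rcvbuf 4194304
resolv-retry infinite
nobind
remote-cert-tls server
key-direction 0
<tls-auth>
$(cat "$KEYS_DIR/ta.key")
</tls-auth>
<cert>
$(openssl x509 -outform PEM -in "$KEYS_DIR/client.crt")
</cert>
<ca>
$(cat "$KEYS_DIR/ca.crt")
</ca>
<key>
$(cat "$KEYS_DIR/client.key")
</key>
EOF
  chmod 600 -- "$out"
}

#######################################
# Masquerade traffic from the VPN subnet leaving WAN_IF and enable IPv4
# forwarding. Idempotent: the rule and the sysctl line are added once.
# Only the VPN subnet is NATed, not the whole 10/8, so forwarding cannot
# be abused for unrelated private-range sources.
# Globals:   VPN_CIDR, WAN_IF, SYSCTL_CONF (read)
#######################################
enable_nat() {
  local rule=(POSTROUTING -t nat -s "$VPN_CIDR" -o "$WAN_IF" -j MASQUERADE)
  # -C exits non-zero (and complains on stderr) when the rule is absent.
  if ! iptables -C "${rule[@]}" 2>/dev/null; then
    iptables -A "${rule[@]}"
    service netfilter-persistent save
  fi
  grep -qsx 'net.ipv4.ip_forward=1' "$SYSCTL_CONF" \
    || printf 'net.ipv4.ip_forward=1\n' >> "$SYSCTL_CONF"
  service procps restart
}

#######################################
# Entry point: install, build the PKI, write configs, start the service,
# set up NAT and tell the operator where the client profile is.
#######################################
main() {
  install_packages
  build_pki

  local ipaddr
  ipaddr=$(public_ip) || die "could not determine a valid public IP address"
  local client_conf="/root/$ipaddr-client.ovpn"

  write_server_conf
  write_client_conf "$ipaddr" "$client_conf"
  service openvpn@server restart
  enable_nat

  echo 'Successfully configured openvpn. Now copy the config:'
  printf '$ scp root@%s:*.ovpn .\n' "$ipaddr"
}

main "$@"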