#!/usr/bin/env bash
##
## This script installs and configures OpenVPN to tunnel all of a client's traffic;
## it is intended to be run from cloud-init while a VM is being created.
##
## put this line into 'user data' or 'custom script' when you create a machine:
## wget -O - https://hmage.net/openvpn.sh | bash
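#######################################
# Install OpenVPN, build a PKI with easy-rsa 2, write the server and client
# configs with all key material inlined, and enable NAT for the tunnel.
# Globals:   DEBIAN_FRONTEND (written), INTERACTIVE (written, not read here)
# Arguments: none
# Outputs:   apt / easy-rsa progress and final copy instructions on stdout,
#            diagnostics on stderr. Key material is never written to stdout.
# Returns:   0 on success; exits non-zero at the first failing step (set -e)
#######################################
main() {
  set -eE
  set -o pipefail
  # Name the failing command before set -e exits; -E above makes the trap
  # fire inside functions and subshells as well.
  trap 'printf "openvpn.sh: error at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

  # Everything below writes to /etc and /root and reconfigures the firewall.
  if [[ $EUID -ne 0 ]]; then
    printf 'openvpn.sh: must be run as root\n' >&2
    return 1
  fi

  unset INTERACTIVE
  if [[ -t 1 ]]; then
    INTERACTIVE=yes # not read anywhere below; kept so existing behaviour is unchanged
  fi

  local -a packages=(
    openvpn
    easy-rsa             # for easier generation of keys
    netfilter-persistent # for NAT
    curl                 # for getting our ip
  )
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get upgrade -y --no-install-recommends
  apt-get install -y "${packages[@]}" --no-install-recommends

  # easy-rsa 2 layout: ./vars, ./clean-all and ./build-* live in this directory.
  local easyrsa_dir=/usr/share/easy-rsa
  local keys="${easyrsa_dir}/keys"
  cd "$easyrsa_dir"
  # shellcheck disable=SC1091 -- shipped by the easy-rsa package
  source ./vars
  ./clean-all
  ./build-ca --batch
  ./build-key-server --batch server
  ./build-key --batch client
  openvpn --genkey --secret keys/ta.key
  openssl dhparam -out keys/dh2048.pem 2048

  # Public address the client will dial. The lookup is plain HTTP, so the
  # answer is checked to look like an IPv4 address before it is used in a
  # filename and in the client config; an HTTP error (-f) or an empty/odd
  # body aborts instead of producing a config that points nowhere.
  local ipaddr
  local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  ipaddr=$(curl -sf whatismyip.akamai.com)
  if [[ ! "$ipaddr" =~ $ipv4_re ]]; then
    printf 'openvpn.sh: could not determine public IPv4 address (got %q)\n' "$ipaddr" >&2
    return 1
  fi

  # Both config files end up carrying private keys, so create them 0600
  # rather than relying on the default umask and fixing permissions later.
  local old_umask
  old_umask=$(umask)
  umask 077

  local server_conf=/etc/openvpn/server.conf
  local client_conf="/root/${ipaddr}-client.ovpn"

  ##
  ## OpenVPN configs
  ##
  # NOTE(review): 'auth SHA1' and 'cipher AES-128-CBC' are kept as in the
  # original for compatibility with older clients; where both ends are
  # current, 'auth SHA256' and 'cipher AES-256-GCM' are the stronger choice.
  # 'client-to-client' lets tunnel clients reach each other and 'duplicate-cn'
  # lets several devices share the single client certificate issued above;
  # both are convenience settings — drop them if clients must be isolated or
  # each device should get its own certificate.
  cat > "$server_conf" <<EOF
port 443
proto udp
dev tun
server 10.8.0.0 255.255.255.0
comp-lzo no
verb 4
auth SHA1
cipher AES-128-CBC
persist-key
persist-tun
sndbuf 4194304
rcvbuf 4194304
txqueuelen 10000
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
status openvpn-status.log
mute 20
mute-replay-warnings
key-direction 1
EOF

  # 'ns-cert-type server' matches the nsCertType extension that easy-rsa 2's
  # build-key-server sets; it is deprecated in newer OpenVPN releases in favour
  # of 'remote-cert-tls server'.
  cat > "$client_conf" <<EOF
client
proto udp
dev tun
remote $ipaddr 443
comp-lzo no
verb 4
auth SHA1
cipher AES-128-CBC
persist-key
persist-tun
sndbuf 4194304
rcvbuf 4194304
resolv-retry infinite
nobind
ns-cert-type server
key-direction 0
EOF

  ## inline the certificates and keys
  # Each blob is wrapped in OpenVPN's inline tags (<ca>, <cert>, <key>, <dh>,
  # <tls-auth>) — bare PEM lines are not valid directives. The output is
  # appended with a redirect rather than tee so the private keys never reach
  # stdout and therefore never land in the cloud-init log.
  {
    printf '<tls-auth>\n'
    cat -- "${keys}/ta.key"
    printf '</tls-auth>\n<cert>\n'
    openssl x509 -outform PEM -in "${keys}/server.crt"
    printf '</cert>\n<ca>\n'
    cat -- "${keys}/ca.crt"
    printf '</ca>\n<dh>\n'
    cat -- "${keys}/dh2048.pem"
    printf '</dh>\n<key>\n'
    cat -- "${keys}/server.key"
    printf '</key>\n'
  } >> "$server_conf"

  {
    printf '<tls-auth>\n'
    cat -- "${keys}/ta.key"
    printf '</tls-auth>\n<cert>\n'
    openssl x509 -outform PEM -in "${keys}/client.crt"
    printf '</cert>\n<ca>\n'
    cat -- "${keys}/ca.crt"
    printf '</ca>\n<key>\n'
    cat -- "${keys}/client.key"
    printf '</key>\n'
  } >> "$client_conf"

  umask "$old_umask"

  service openvpn@server restart

  # NAT the tunnel out through the interface carrying the default route;
  # fall back to eth0 (the previous hard-coded value) if it cannot be read.
  # The 10.0.0.0/8 source is wider than the 10.8.0.0/24 tunnel — narrow it if
  # the VM's own LAN also lives in 10/8.
  local iface
  iface=$(ip -4 route show default 2>/dev/null \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
  : "${iface:=eth0}"
  local -a nat_rule=(POSTROUTING -t nat -s 10.0.0.0/8 -o "$iface" -j MASQUERADE)
  if ! iptables -C "${nat_rule[@]}"; then
    iptables -A "${nat_rule[@]}"
    service netfilter-persistent save
  fi

  # Overwrite rather than append so re-running the script does not keep
  # growing the file with duplicate lines.
  printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/nat.conf
  service procps restart

  printf '%s\n' 'Successfully configured openvpn. Now copy the config:'
  printf '$ scp root@%s:*.ovpn .\n' "$ipaddr"
}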
# Entry point; main takes no options, the arguments are passed through unchanged.
main "$@"