This script will install and configure OpenVPN installation for tunnelling entire traffic, it is intended to be run from cloud-init during creation of a VM.
Put this line into user data:
wget -O - https://hmage.net/openvpn.sh | bash
After it runs, scp the client config from the machine:
scp root@IPADDRESS:*.ovpn .
Latest version is located at https://hmage.net/openvpn.sh, the copy below might be outdated.
Tested on Debian 8 (jessie) on linode and vultr.
#!/usr/bin/env bash ## ## This script will install and configure OpenVPN installation for tunnelling entire traffic, ## it is intended to be run from cloud-init during creation of a VM ## ## put this line into 'user data' or 'custom script' when you create a machine: ## wget -O - https://hmage.net/openvpn.sh | bash function main() { set -eE set -o pipefail unset INTERACTIVE [ -t 1 ] && INTERACTIVE=yes PACKAGES=( openvpn easy-rsa # for easier generation of keys netfilter-persistent # for NAT curl # for getting our ip ) export DEBIAN_FRONTEND=noninteractive apt-get update apt-get upgrade -y --no-install-recommends apt-get install -y "${PACKAGES[@]}" --no-install-recommends pushd /usr/share/easy-rsa source ./vars ./clean-all ./build-ca --batch ./build-key-server --batch server ./build-key --batch client openvpn --genkey --secret keys/ta.key openssl dhparam -out keys/dh2048.pem 2048 IPADDR=$(curl -s whatismyip.akamai.com) ## ## OpenVPN configs ## cat << EOF > /etc/openvpn/server.conf port 443 proto udp dev tun server 10.8.0.0 255.255.255.0 comp-lzo no verb 4 auth SHA1 cipher AES-128-CBC persist-key persist-tun sndbuf 4194304 rcvbuf 4194304 txqueuelen 10000 push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" client-to-client duplicate-cn keepalive 10 120 status openvpn-status.log mute 20 mute-replay-warnings key-direction 1 EOF cat << EOF > /root/"$IPADDR-client.ovpn" client proto udp dev tun remote $IPADDR 443 comp-lzo no verb 4 auth SHA1 cipher AES-128-CBC persist-key persist-tun sndbuf 4194304 rcvbuf 4194304 resolv-retry infinite nobind ns-cert-type server key-direction 0 EOF ## inline the certificates and keys cat << EOF | tee -a /etc/openvpn/server.conf <tls-auth> `cat /usr/share/easy-rsa/keys/ta.key` </tls-auth> <cert> `openssl x509 -outform PEM -in /usr/share/easy-rsa/keys/server.crt` </cert> <ca> `cat /usr/share/easy-rsa/keys/ca.crt` </ca> <dh> `cat /usr/share/easy-rsa/keys/dh2048.pem` </dh> <key> `cat /usr/share/easy-rsa/keys/server.key` </key> EOF cat << EOF | tee -a /root/"$IPADDR"-client.ovpn <tls-auth> `cat /usr/share/easy-rsa/keys/ta.key` </tls-auth> <cert> `openssl x509 -outform PEM -in /usr/share/easy-rsa/keys/client.crt` </cert> <ca> `cat /usr/share/easy-rsa/keys/ca.crt` </ca> <key> `cat /usr/share/easy-rsa/keys/client.key` </key> EOF service openvpn@server restart if ! iptables -C POSTROUTING -t nat -s 10.0.0.0/8 -o eth0 -j MASQUERADE; then iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -o eth0 -j MASQUERADE service netfilter-persistent save fi echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/nat.conf service procps restart echo 'Successfully configured openvpn. Now copy the config:' echo "$ scp root@$IPADDR:*.ovpn ." } main