OpenVPN autodeploy

This script installs and configures OpenVPN for tunnelling all traffic; it is intended to be run from cloud-init during creation of a VM.

Put this line into user data:

wget -O - https://hmage.net/openvpn.sh | bash

After it runs, scp the client config from the machine:

scp root@IPADDRESS:*.ovpn .

The latest version is located at https://hmage.net/openvpn.sh; the copy below might be outdated.

Tested on Debian 8 (jessie) on linode and vultr.

openvpn.sh
#!/usr/bin/env bash
 
##
## This script installs and configures OpenVPN for tunnelling all traffic;
## it is intended to be run from cloud-init during creation of a VM
##
## put this line into 'user data' or 'custom script' when you create a machine:
## wget -O - https://hmage.net/openvpn.sh | bash
 
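readonly EASYRSA_DIR=/usr/share/easy-rsa   # easy-rsa 2 layout: generated material lands in $EASYRSA_DIR/keys
readonly VPN_PORT=443
readonly VPN_NET=10.8.0.0
readonly VPN_MASK=255.255.255.0
readonly VPN_CIDR=10.8.0.0/24              # the same network as VPN_NET/VPN_MASK, in iptables notation

#######################################
# Print a message on stderr and abort the whole run.
# Arguments: message words
#######################################
die() {
  printf 'openvpn.sh: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless every argument is an existing, non-empty file.
# Used before inlining key material so a missing file cannot silently
# produce a config with an empty <key>/<cert> section.
# Arguments: paths to check
#######################################
require_files() {
  local path
  for path in "$@"; do
    [[ -s "$path" ]] || die "missing or empty file: $path"
  done
}

#######################################
# Install OpenVPN and the helpers the rest of the script needs (apt, non-interactive).
# Globals: DEBIAN_FRONTEND (exported)
#######################################
install_packages() {
  local -a packages=(
    openvpn
    easy-rsa             # for easier generation of keys
    netfilter-persistent # for NAT
    curl                 # for getting our ip
  )
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get upgrade -y --no-install-recommends
  apt-get install -y "${packages[@]}" --no-install-recommends
}

#######################################
# Build a fresh PKI with easy-rsa 2: CA, server and client certificates,
# a TLS-auth key and 2048-bit DH parameters, all under $1/keys.
# NOTE: ./clean-all wipes any existing keys directory, so re-running the
# script replaces the whole PKI and invalidates previously issued .ovpn files.
# Arguments: $1 - easy-rsa directory
#######################################
build_pki() {
  local easyrsa_dir=$1
  # Subshell: keeps the directory change and easy-rsa's exported vars out of the caller.
  (
    cd "$easyrsa_dir" || die "cannot cd to $easyrsa_dir"
    # shellcheck disable=SC1091 — easy-rsa's own environment file
    source ./vars
    ./clean-all
    ./build-ca --batch
    ./build-key-server --batch server
    ./build-key --batch client
    openvpn --genkey --secret keys/ta.key
    openssl dhparam -out keys/dh2048.pem 2048
  )
}

#######################################
# Print this machine's public IPv4 address.
# The lookup is plain, unauthenticated HTTP; the value only feeds the client's
# 'remote' line and the .ovpn file name, so compare it with the VM's real
# address before handing the profile out.
# Outputs: the address on stdout
# Returns: aborts via die when the lookup fails or does not look like IPv4
#######################################
public_ipv4() {
  local ip
  ip=$(curl -fsS --max-time 15 whatismyip.akamai.com) \
    || die "could not look up the public IP address"
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
    || die "public IP lookup returned something unexpected: $ip"
  printf '%s\n' "$ip"
}

#######################################
# Write /etc/openvpn/server.conf with the CA, server certificate and key, DH
# parameters and TLS-auth key inlined from $1/keys.
# The file holds private keys: it is created mode 0600 and is never piped
# through tee (a cloud-init run's stdout ends up in the cloud-init log).
# Globals: VPN_PORT, VPN_NET, VPN_MASK (read)
# Arguments: $1 - easy-rsa directory
#######################################
write_server_config() {
  local keys=$1/keys
  local conf=/etc/openvpn/server.conf
  require_files "$keys/ta.key" "$keys/server.crt" "$keys/ca.crt" "$keys/dh2048.pem" "$keys/server.key"
  install -m 0600 /dev/null "$conf"   # create (or truncate) with a private mode before any content is written
  # auth SHA1 / AES-128-CBC are what the OpenVPN release on the tested base image
  # (Debian 8) accepts; AEAD ciphers such as AES-256-GCM need OpenVPN 2.4+ —
  # revisit when the base image moves on.
  # duplicate-cn: only one client certificate is issued, so several devices
  # may present it at once; client-to-client lets those devices reach each other.
  cat > "$conf" <<EOF
port $VPN_PORT
proto udp
dev tun
server $VPN_NET $VPN_MASK

comp-lzo no
verb 4

auth SHA1
cipher AES-128-CBC

persist-key
persist-tun

sndbuf 4194304
rcvbuf 4194304

txqueuelen 10000

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

client-to-client
duplicate-cn
keepalive 10 120

status openvpn-status.log

mute 20
mute-replay-warnings

key-direction 1
<tls-auth>
$(cat "$keys/ta.key")
</tls-auth>
<cert>
$(openssl x509 -outform PEM -in "$keys/server.crt")
</cert>
<ca>
$(cat "$keys/ca.crt")
</ca>
<dh>
$(cat "$keys/dh2048.pem")
</dh>
<key>
$(cat "$keys/server.key")
</key>
EOF
}

#######################################
# Write /root/<ip>-client.ovpn with the CA, client certificate and key and the
# TLS-auth key inlined from $1/keys. Same handling as the server config:
# mode 0600, nothing echoed to stdout.
# 'remote-cert-tls server' replaces the deprecated 'ns-cert-type server';
# easy-rsa's build-key-server issues the server certificate with the
# serverAuth extended key usage it checks for.
# Globals: VPN_PORT (read)
# Arguments: $1 - easy-rsa directory
#            $2 - public IPv4 address of this machine
#######################################
write_client_config() {
  local keys=$1/keys
  local ipaddr=$2
  local conf=/root/$ipaddr-client.ovpn
  require_files "$keys/ta.key" "$keys/client.crt" "$keys/ca.crt" "$keys/client.key"
  install -m 0600 /dev/null "$conf"
  cat > "$conf" <<EOF
client
proto udp
dev tun
remote $ipaddr $VPN_PORT

comp-lzo no
verb 4

auth SHA1
cipher AES-128-CBC

persist-key
persist-tun

sndbuf 4194304
rcvbuf 4194304

resolv-retry infinite

nobind

remote-cert-tls server

key-direction 0
<tls-auth>
$(cat "$keys/ta.key")
</tls-auth>
<cert>
$(openssl x509 -outform PEM -in "$keys/client.crt")
</cert>
<ca>
$(cat "$keys/ca.crt")
</ca>
<key>
$(cat "$keys/client.key")
</key>
EOF
}

#######################################
# Masquerade VPN client traffic out of the default-route interface and enable
# IPv4 forwarding, both persistently. Idempotent: the iptables rule is added
# only when absent, and the sysctl file is rewritten rather than appended to.
# The source match is the VPN subnet only, not the whole 10/8 range.
# Globals: VPN_CIDR (read)
#######################################
enable_nat() {
  local iface
  iface=$(ip -4 route show default | awk '{ print $5; exit }')
  iface=${iface:-eth0}   # fall back to what the original deployment assumed
  # -C prints an error when the rule is absent; that is the expected case here.
  if ! iptables -t nat -C POSTROUTING -s "$VPN_CIDR" -o "$iface" -j MASQUERADE 2>/dev/null; then
    iptables -t nat -A POSTROUTING -s "$VPN_CIDR" -o "$iface" -j MASQUERADE
    service netfilter-persistent save
  fi
  printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/nat.conf
  sysctl -p /etc/sysctl.d/nat.conf
}

#######################################
# Entry point: install packages, build the PKI, write server and client
# configs, start OpenVPN and set up NAT. Must run as root.
# Globals: EASYRSA_DIR (read)
# Outputs: the scp command for fetching the client profile
#######################################
main() {
  set -eE
  set -o pipefail

  [[ $EUID -eq 0 ]] || die "must be run as root"

  install_packages
  build_pki "$EASYRSA_DIR"

  local ipaddr
  ipaddr=$(public_ipv4)

  write_server_config "$EASYRSA_DIR"
  write_client_config "$EASYRSA_DIR" "$ipaddr"

  service openvpn@server restart
  enable_nat

  printf 'Successfully configured openvpn. Now copy the config:\n'
  printf '$ scp root@%s:*.ovpn .\n' "$ipaddr"
}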
 
# Run the installer; main takes no options, so forwarding "$@" is harmless.
main "$@"