Opinionated but painless OpenVPN server setup
WTFPL License
This is a Bash script which sets up a complete OpenVPN server meant to be used as a proxy.
It is very opinionated in order to keep things dead simple for the end-user, hence the "easy" part of the name. The decisions it makes are listed in the "Results" section.
Clone the repository on the server:
$ git clone git://perot.me/easy-openvpn
Run the script as root:
$ sudo easy-openvpn/easy-openvpn.sh
And then follow the on-screen instructions. You can re-run the script anytime if you need to manage the list of allowed clients. Once you're done, use the easy-openvpn.service systemd service to start/stop the VPN server.
Privacy notice: The script will contact icanhazip.com on first use.
tun interface
10.10.10.0/24
10.10.10.(3-254) range
10.10.10.1
easy-openvpn.service to start/stop/monitor it
This is the only stuff you have to figure out on your own, although there are sensible and/or autodetected default values for everything:
10.10.10.x IP that you want to assign to each client
When run, the script will set up whatever happens not to be set up (you can interrupt it anytime). When everything is set up, you will be presented with the following menu:
:: easy-openvpn menu
1. Add client
2. List clients (n)
3. Show client config
4. Remove client
5. Uninstall easy-openvpn
6. Exit menu
>> Choice (1-6):
A client entry represents a human-readable name, an IP, a key, and a certificate. The menu allows you to add new clients, delete existing ones, or re-print the .ovpn configuration files of existing clients.
All cryptographic information (CA certificate, client certificate, client private key, shared TLS authentication key, cipher settings, etc.) is stored inside the .ovpn config file itself, so the client needs nothing other than that one configuration file in order to connect to the VPN server.
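Because the single .ovpn file carries the client private key, it has to be stored and transferred as a secret. The following added example (not part of easy-openvpn) lists the inline blocks found in a profile and flags a profile that embeds a key while being accessible to group or other. It assumes the generated file uses OpenVPN's standard inline tags (ca, cert, key, tls-auth); the function names and the sample profile are constructed for illustration.

```sh
# Added example, not part of easy-openvpn. Assumes the profile uses
# OpenVPN's standard inline blocks: <ca>, <cert>, <key>, <tls-auth>.

# Print the name of every inline block in the profile, one per line.
ovpn_inline_tags() {
    # Opening tags sit alone on a line; closing tags (</x>) do not match.
    sed -n 's/^[[:space:]]*<\([a-z][a-z-]*\)>[[:space:]]*$/\1/p' "$1"
}

# Return 0 if the profile is acceptable as stored, 1 if it embeds a
# private key while group or other have any permission bit on the file.
ovpn_audit() {
    audit_tags=$(ovpn_inline_tags "$1") || return 2
    echo "inline blocks:" $audit_tags   # unquoted on purpose: one line
    if ! printf '%s\n' "$audit_tags" | grep -qx 'key'; then
        echo "no embedded private key"
        return 0
    fi
    # Characters 5-10 of the ls mode string are the group/other bits.
    audit_perms=$(ls -ld -- "$1" | cut -c5-10)
    if [ "$audit_perms" != "------" ]; then
        echo "WARNING: private key embedded, group/other access allowed"
        return 1
    fi
    echo "private key embedded, file is owner-only"
}

# Write a constructed sample profile (placeholder bodies, no real keys).
make_sample_profile() {
    cat >"$1" <<'EOF'
client
dev tun
<ca>
(placeholder CA certificate)
</ca>
<cert>
(placeholder client certificate)
</cert>
<key>
(placeholder client private key)
</key>
<tls-auth>
(placeholder shared TLS authentication key)
</tls-auth>
EOF
}

# Stand-alone use: sh audit.sh client.ovpn
if [ "$#" -gt 0 ]; then ovpn_audit "$1"; fi
```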
easy-openvpn is licensed under the WTFPL.