├── LICENCE
├── README.md
├── bootstrap.sh
└── cloud-init.conf
/LICENCE:
--------------------------------------------------------------------------------
1 | Copyright (c) 2015 DigitalOcean
2 |
3 | MIT License
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining
6 | a copy of this software and associated documentation files (the
7 | "Software"), to deal in the Software without restriction, including
8 | without limitation the rights to use, copy, modify, merge, publish,
9 | distribute, sublicense, and/or sell copies of the Software, and to
10 | permit persons to whom the Software is furnished to do so, subject to
11 | the following conditions:
12 |
13 | The above copyright notice and this permission notice shall be
14 | included in all copies or substantial portions of the Software.
15 |
16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
23 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Ubuntu 16.04 VPN Server
2 | Quickly bootstrap a disposable VPN with DNS masking.
3 |
4 | ### Features
5 |
6 | * Secure VPN
7 | * DNS Masking
8 | * Basic Ad Blocking
9 |
10 | ### Stack
11 |
12 | * OpenVPN
13 | * dnsmasq
14 | * ufw
15 |
16 | This cloud-config will configure a fully functional and secure OpenVPN server with full DNS masking capabilities. It works out of the box and requires no additional configuration. Once the machine has booted, a ready-to-use `.ovpn` is available in the root user's home directory.
17 |
18 | The OpenVPN config generated may be used by multiple machines/connections at the same time.
19 |
20 | Tested on Ubuntu 16.04 on Digital Ocean; it will work anywhere cloud-config can be supplied when spinning up instances (AWS, Digital Ocean, Linode, etc.). See [How To Use Cloud-Config For Your Initial Server Setup | DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-use-cloud-config-for-your-initial-server-setup).
21 |
22 | It is recommended not to assign an IPv6 address when spinning up your cloud instance, and to disable IPv6 traffic on the VPN client as well.
23 |
24 | With thanks to [do_user_scripts](https://github.com/digitalocean/do_user_scripts).
25 |
--------------------------------------------------------------------------------
/bootstrap.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
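# Public IPv4 address of this instance, read from the cloud metadata service;
# generateVPNProfile substitutes it into the client profile's `remote` line.
# -f makes curl produce no output on an HTTP error (instead of capturing an
# error page as the "address"), and --max-time bounds the wait on providers
# that do not expose this endpoint.
IPADDR=$(curl -sf --max-time 10 http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address)
# Without an address the generated .ovpn would carry a malformed `remote`
# line, so stop here rather than reboot into an unusable setup.
if [[ -z "$IPADDR" ]]; then
  echo "Could not determine the public IPv4 address from the metadata service; aborting" >&2
  exit 1
fi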
4 |
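#######################################
# Build the OpenVPN server config and the easy-rsa 2 PKI (CA + server cert).
# Globals:   none read; sources /etc/openvpn/easy-rsa/vars into this shell
#            (generateVPNProfile relies on those variables) and leaves the
#            working directory at /etc/openvpn/easy-rsa, as the original did
# Arguments: none
# Outputs:   /etc/openvpn/server.conf, dh2048.pem, ca.crt, server.crt,
#            server.key; restarts the openvpn service
# Returns:   0 on success, 1 if a critical step fails
#######################################
function configureOpenVPN {
  local conf=/etc/openvpn/server.conf
  local rsa=/etc/openvpn/easy-rsa
  echo "Configuring OpenVPN"
  gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > "$conf" || return 1
  sed -i -e 's/dh dh1024.pem/dh dh2048.pem/' "$conf"
  sed -i -e 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' "$conf"
  # Drop the sample's commented-out OpenDNS entries. The original ran these
  # without -i, so it only printed the file and changed nothing.
  sed -i -e '/;push "dhcp-option DNS 208.67.222.222"/d' \
         -e '/;push "dhcp-option DNS 208.67.220.220"/d' "$conf"
  # A bare `dhcp-option` in the server config is a client-side directive and
  # is not handed out; only `push` delivers the VPN-side resolver to clients.
  echo 'push "dhcp-option DNS 10.8.0.1"' >> "$conf"
  # The sample line is `;duplicate-cn` with no quotes. The original pattern
  # (`;duplicate-cn"`) never matched, so one profile could not be shared by
  # several clients as the README promises.
  sed -i -e 's/^;duplicate-cn/duplicate-cn/' "$conf"
  sed -i -e 's/;user nobody/user nobody/' "$conf"
  sed -i -e 's/;group nogroup/group nogroup/' "$conf"

  cp -r /usr/share/easy-rsa/ /etc/openvpn || return 1
  mkdir -p "$rsa/keys"
  sed -i -e 's/KEY_NAME="EasyRSA"/KEY_NAME="server"/' "$rsa/vars"
  openssl dhparam -out /etc/openvpn/dh2048.pem 2048 || return 1
  # The easy-rsa 2 scripts expect to be run from their own directory with
  # vars sourced into the current shell.
  cd "$rsa" || return 1
  ln -sf openssl-1.0.0.cnf openssl.cnf
  . ./vars
  ./clean-all || return 1
  ./build-ca --batch || return 1
  ./build-key-server --batch server || return 1
  cp keys/server.crt keys/server.key keys/ca.crt /etc/openvpn || return 1
  # Only root (the daemon reads it before dropping to nobody) needs the server
  # private key; make sure it is never group/world readable.
  chmod 600 /etc/openvpn/server.key
  service openvpn restart
}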
30 |
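#######################################
# Make dnsmasq listen on loopback and on the VPN gateway address so VPN
# clients resolve through this host.
# Globals:   none
# Arguments: none
# Outputs:   edits /etc/dnsmasq.conf; restarts the dnsmasq service
# Returns:   exit status of the dnsmasq restart
#######################################
function configureDNSMasq {
  local conf=/etc/dnsmasq.conf
  echo "Configuring DNSMasq"
  # The stock file contains `#listen-address=` and `#bind-interfaces` without
  # quotes. The original patterns included literal double quotes, never
  # matched, and left dnsmasq on its defaults.
  sed -i -e 's/^#listen-address=$/listen-address=127.0.0.1,10.8.0.1/' "$conf"
  sed -i -e 's/^#bind-interfaces$/bind-interfaces/' "$conf"
  # NOTE(review): with bind-interfaces, 10.8.0.1 presumably has to exist
  # (tun0 up) when dnsmasq starts; configureOpenVPN restarts openvpn first,
  # but service ordering after the final reboot should be confirmed.
  service dnsmasq restart
}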
37 |
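#######################################
# Enable IPv4 forwarding and NAT for the VPN subnet, open the SSH, VPN and
# tunnel-side DNS ports in ufw, and append an ad-blocking hosts list that
# dnsmasq serves from /etc/hosts.
# Globals:   none
# Arguments: none
# Outputs:   edits /etc/hosts, /etc/sysctl.conf, /etc/default/ufw and
#            /etc/ufw/before.rules; enables ufw
# Returns:   exit status of `ufw --force enable`
#######################################
function configureFirewall {
  local wan_if
  echo "Configuring Firewall"
  # The blocklist is fetched over plain HTTP and cannot be authenticated, so
  # keep only 0.0.0.0 blackhole entries (a tampered list must not be able to
  # remap names such as localhost) and strip the CRLF line endings. -f stops
  # an HTTP error page from being appended to /etc/hosts.
  curl -fsSL http://winhelp2002.mvps.org/hosts.txt \
    | tr -d '\r' \
    | grep -E '^0\.0\.0\.0[[:space:]]' >> /etc/hosts
  echo 1 > /proc/sys/net/ipv4/ip_forward
  sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
  ufw allow ssh
  ufw allow 1194/udp
  # Clients are pushed 10.8.0.1 as their resolver, and ufw denies incoming
  # traffic by default, so DNS must be admitted on the tunnel interface only;
  # without this rule the pushed resolver is unreachable.
  ufw allow in on tun0 to any port 53
  sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
  # Masquerade out of the default-route interface instead of a hardcoded
  # eth0 (kept as the fallback when no default route is found).
  wan_if=$(ip -4 route show default | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}')
  wan_if=${wan_if:-eth0}
  # 10.8.0.0/24 is the OpenVPN server subnet; the original /8 mask NATed the
  # whole of 10.0.0.0/8 rather than just VPN clients.
  sed -i "1i# START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n# Allow traffic from OpenVPN client to ${wan_if}\n\n-A POSTROUTING -s 10.8.0.0/24 -o ${wan_if} -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES\n" /etc/ufw/before.rules
  ufw --force enable
}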
49 |
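#######################################
# Issue a client certificate and assemble a self-contained client.ovpn with
# the CA certificate, client certificate and client key inlined, then copy
# the profile and its material to /root.
# Globals:   IPADDR (read) - public address placed on the `remote` line.
#            Requires the easy-rsa vars sourced by configureOpenVPN.
# Arguments: none
# Outputs:   /etc/openvpn/easy-rsa/keys/client.ovpn and copies of the
#            profile, client1.crt, client1.key and ca.crt under /root/
# Returns:   0 on success, 1 if a critical step fails
#######################################
function generateVPNProfile {
  local keys=/etc/openvpn/easy-rsa/keys
  local ovpn="$keys/client.ovpn"
  echo "Generating VPN profile"
  cd /etc/openvpn/easy-rsa && ./build-key --batch client1 || return 1
  cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf "$ovpn" || return 1
  sed -i -e "s/my-server-1/$IPADDR/" "$ovpn"
  sed -i -e 's/;user nobody/user nobody/' "$ovpn"
  sed -i -e 's/;group nogroup/group nogroup/' "$ovpn"
  # The credentials are inlined below, so the file references must go.
  sed -i -e '/^ca ca.crt/d' -e '/^cert client.crt/d' -e '/^key client.key/d' "$ovpn"
  # OpenVPN only accepts inline PEM material inside <ca>/<cert>/<key> tags;
  # the bare PEM blocks the original appended are parsed as directives and
  # make the profile unloadable.
  # remote-cert-tls makes the client check that the server presented a
  # certificate issued as a server cert (easy-rsa's build-key-server sets the
  # required extensions), so another holder of a client cert from the same
  # CA cannot pose as the server. If the sample client.conf already enables
  # it, the repeated directive is harmless.
  {
    echo "remote-cert-tls server"
    echo "<ca>"
    cat /etc/openvpn/ca.crt
    echo "</ca>"
    echo "<cert>"
    openssl x509 -outform PEM -in "$keys/client1.crt"
    echo "</cert>"
    echo "<key>"
    cat "$keys/client1.key"
    echo "</key>"
  } >> "$ovpn" || return 1

  cp "$ovpn" "$keys/client1.crt" "$keys/client1.key" "$keys/ca.crt" /root/ || return 1
  # Both files embed the client's private key: keep them root-only.
  chmod 600 /root/client.ovpn /root/client1.key
}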
75 |
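# Run the stages in the original order (later stages depend on state set up
# by earlier ones, e.g. the sourced easy-rsa vars) and only reboot when every
# stage succeeded, so a failed step is not hidden behind a half-configured
# machine that comes back up looking finished.
for step in configureOpenVPN configureDNSMasq configureFirewall generateVPNProfile; do
  "$step" || { echo "$step failed; not rebooting" >&2; exit 1; }
done
reboot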
81 |
--------------------------------------------------------------------------------
/cloud-init.conf:
--------------------------------------------------------------------------------
#cloud-config
# First-boot provisioning: install the VPN stack, then fetch and run
# bootstrap.sh, which does all of the configuration.
apt_update: true
packages:
- openvpn
- easy-rsa
- curl
- dnsmasq
runcmd:
# The bootstrap script is pulled from the unpinned `master` branch and piped
# straight into bash as root, so whatever that branch contains at boot time
# runs on the instance. Pinning the URL to a reviewed commit or tag
# (e.g. .../<PINNED_COMMIT>/bootstrap.sh, placeholder) keeps provisioning
# reproducible and auditable.
- '\curl -sSL https://raw.githubusercontent.com/imjacobclark/ubuntu-vpn-server/master/bootstrap.sh | bash'
10 |
--------------------------------------------------------------------------------