
Secure OpenVPN on VPS in a few minutes

Introduction


In light of recent events and the possible blocking of public VPN services, the idea arose to make life easier for people with a script that quickly installs OpenVPN with all its settings and makes issuing certificates easy.

With a single command, the script sets up a working server and creates client configuration files in the unified format (that is, with the certificates embedded in the configuration file). These files also work on mobile devices.

The script was written for machines running CentOS 7.x or Ubuntu Server 17.x. It can be used on Ubuntu 16.x, but the repositories there only carry OpenVPN 2.3.x. Other distributions can be added if necessary, but when buying a VPS you can usually choose the system, so this is not that important.

The script was written in bash in a couple of hours; errors are possible, and surely some things could have been implemented more simply and better.

Run the script on a fresh machine: it overwrites the iptables rules and the OpenVPN configuration. Note that the iptables rules allow SSH on port 22; if you changed it to another port, do not forget to change the port in the script.

Special features


  1. By default, cipher AES-256-GCM is recommended (which is fairly safe at the moment);
  2. The default is auth SHA256 (instead of default SHA1);
  3. By default, tls-crypt is used for OpenVPN 2.4.x (which complicates the detection of OpenVPN traffic);
  4. By default, Google DNS is used, and local DNS is blocked (setenv opt block-outside-dns) to prevent DNS leaks;
  5. All necessary rules are created in iptables and ip6tables;
  6. There is support for IPv6.

How to use


Using the script is very simple: download the openvpnsetup.sh file to your VPS, make it executable with chmod +x openvpnsetup.sh, and run ./openvpnsetup.sh. As a result, you get a configured server, ready to work on the port of your choice.

In the /etc/openvpn folder, a newclient.sh script is created, which is used to generate client-side configuration files. Using it is just as easy: ./newclient.sh clientname. The result is the file /etc/openvpn/bundles/clientname.ovpn, which you can use on the client immediately; just put it in the config folder (if used on Windows) on your machine.

If you want to re-create the server, simply delete everything from the /etc/openvpn folder and run the script again (naturally, client certificates will need to be reissued).
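
An added example, not part of the script or the original article: a bash function that audits a generated .ovpn profile against the defaults listed under Special features. It assumes those settings and the standard OpenVPN inline blocks (<ca>, <cert>, <key>, <tls-crypt>) appear in the client file; the function names and the sample profile are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a unified .ovpn profile against the article's defaults.

# True if FILE ($1) has a non-comment line consisting of the directive ($2, ERE).
_ovpn_has() { grep -Eiq "^[[:space:]]*${2}[[:space:]]*\$" "$1"; }

# audit_ovpn FILE: print one finding per line; return 0 if clean, 1 otherwise.
audit_ovpn() {
    local f="$1" bad=0 tag
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    _ovpn_has "$f" 'cipher[[:space:]]+AES-256-GCM' ||
        { echo "cipher is not AES-256-GCM"; bad=1; }
    _ovpn_has "$f" 'auth[[:space:]]+SHA256' ||
        { echo "auth is not SHA256"; bad=1; }
    _ovpn_has "$f" 'setenv[[:space:]]+opt[[:space:]]+block-outside-dns' ||
        { echo "block-outside-dns not set"; bad=1; }
    # Unified format: each credential is expected inline as <tag>...</tag>
    # (assumed tag set: the standard OpenVPN inline blocks).
    for tag in ca cert key tls-crypt; do
        if ! _ovpn_has "$f" "<$tag>" || ! _ovpn_has "$f" "</$tag>"; then
            echo "inline <$tag> block missing"; bad=1
        fi
    done
    # The profile embeds the client private key: group/other need no access.
    [ "$(ls -l "$f" | cut -c5-10)" = "------" ] ||
        { echo "file is accessible to group/other"; bad=1; }
    return "$bad"
}

# make_sample PATH CIPHER: write a constructed profile with placeholder key
# material (hypothetical host name, not a working configuration).
make_sample() {
    local tag
    printf '%s\n' client 'dev tun' 'remote vpn.example.com 1194 udp' \
        "cipher $2" 'auth SHA256' 'setenv opt block-outside-dns' > "$1"
    for tag in ca cert key tls-crypt; do
        printf '<%s>\nPLACEHOLDER\n</%s>\n' "$tag" "$tag" >> "$1"
    done
    chmod 600 "$1"
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/ok.ovpn" AES-256-GCM
audit_ovpn "$demo_dir/ok.ovpn" && echo "ok.ovpn: no findings"
rm -rf "$demo_dir"
```

On a real client machine, point audit_ovpn at the clientname.ovpn file you copied from /etc/openvpn/bundles.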

Tips for choosing a VPS for OpenVPN


  1. First of all, look at the price: you can find offers for $3-4 per month, which is cheaper than many VPN services;
  2. Choose a VPS that is geographically close to you if you want acceptable speed over the VPN. The lower the ping from you to the VPS, the better the speed;
  3. Choose the minimum configuration. OpenVPN does not use more than one core and can run on 256MB of memory. A minimum of 3-5GB of disk space is also quite enough;
  4. Some VPS plans have a traffic limit, but it is usually 1TB per month; if you plan to use more, consider other tariff plans;
  5. Before ordering a VPS, check whether torrent downloads are allowed (provided that you need them, of course);
  6. It is also worth checking whether TUN/TAP devices are enabled in the system. The script has a check for this, but it is better to clarify before the purchase; perhaps they cannot be enabled through the VPS provider's support;
  7. The presence of an IPv6 address: the script can configure the server with IPv6 support, and you may want to be able to visit IPv6 resources via the VPN.

The script is available on GitHub.

Bonus: anonymity check result on 2ip.ru:

image

Check for??:

image

Check on DNS Leak:

image

Source: https://habr.com/ru/post/335516/

