comprehension exercise: Ubuntu 16.04 VPN Server

In which I try to figure out what is going on in this GitHub repository so that I can set up my own VPN server.

A wise man once told me that every system has an entry point. In this case the entry point looks like it is going to be bootstrap.sh or cloud-init.conf. Configuration files are probably the simpler of the two, so let's start there.

Seems pretty simple. A bunch of packages are installed, then bootstrap.sh is downloaded and run. One issue is that the package versions are not pinned, so the result can drift depending on when the user runs the installation. Let's look at the outline of bootstrap.sh.
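Two things a practitioner would want at this step, shown as an added example rather than the repository's own code: pin the packages with apt's `pkg=version` syntax (look the version up with `apt-cache policy pkg` on a fresh 16.04 box) so a later run installs the same builds, and never pipe a downloaded bootstrap.sh straight into a shell. The helper below downloads the script to a temporary file, compares its SHA-256 with a hash recorded after reviewing that exact copy, and only then executes it. The URL and the pinned hash are placeholders.

```shell
#!/bin/sh
# Added example (not from the repository under discussion): refuse to execute
# a downloaded bootstrap script unless its SHA-256 matches a hash you recorded
# after reviewing that exact copy. The URL and hash below are placeholders.
set -u

BOOTSTRAP_URL="https://example.invalid/bootstrap.sh"   # placeholder, not the repository's URL
BOOTSTRAP_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# sha256_of FILE: print the SHA-256 hex digest using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_file FILE EXPECTED_HASH: 0 if the digest matches, 1 otherwise.
verify_file() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'hash mismatch for %s\n  expected %s\n  actual   %s\n' "$1" "$2" "$actual" >&2
    return 1
}

# fetch_verify_run URL EXPECTED_HASH: download to a temporary file, verify it,
# and only then run it. The download is never piped directly into a shell.
fetch_verify_run() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL -o "$tmp" "$1"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_file "$tmp" "$2"; then
        rm -f "$tmp"
        return 1
    fi
    sh "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# The fetch only happens when invoked with --run as root, so the functions
# above can be sourced and checked without network access.
if [ "${1:-}" = "--run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    fetch_verify_run "$BOOTSTRAP_URL" "$BOOTSTRAP_SHA256"
fi
```

Record the hash the first time with `sha256_of bootstrap.sh` after reading the script, and update it deliberately whenever you review a new version; a silent change upstream then fails closed instead of running on your box.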

I commend the author on this structure. It is really well done: the steps are obvious and as self-explanatory as possible. Let's see now what each function does, in the order in which they are defined and called.

I again commend the author on what they have done here. They unpack the sample configuration and then modify it into the required form, calling easy-rsa along the way to generate the keys and certificates OpenVPN needs. One thing I would do here is replace all the calls to sed with either a template that just needs its values filled in, or a static file checked into the same repository, because the user is not given any options to configure anything: the default directories are kept and everything else is a static reference.

As in the previous function, the dnsmasq configuration file is modified with sed and then the service is restarted. Not much else is happening, so this file could again be checked into the repository.
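The template approach suggested for both the OpenVPN and the dnsmasq configuration, as an added example that is not the repository's code: each file is rendered whole from a heredoc and moved into place atomically, so there is no sed patching and a service restart can never see a half-written file. The tunnel subnet, port, upstream resolver and blocklist path are assumed values for illustration.

```shell
#!/bin/sh
# Added example, not code from the repository: generate the OpenVPN server
# configuration and the dnsmasq configuration from templates instead of
# patching the sample files with sed. The values below (tunnel subnet, port,
# upstream resolver, blocklist path) are assumptions for illustration.
set -u

VPN_PORT="1194"
VPN_SUBNET="10.8.0.0"
VPN_NETMASK="255.255.255.0"
VPN_GATEWAY="10.8.0.1"                      # first tunnel address, held by the server
UPSTREAM_DNS="1.1.1.1"                       # assumed upstream resolver for dnsmasq
BLOCKLIST="/etc/dnsmasq.d/blocked.hosts"    # assumed location of the ad-blocking hosts file

# write_atomic DEST: read the file from stdin and move it into place in one
# step, so a restart never observes a partially written configuration.
write_atomic() {
    tmp="$1.tmp.$$"
    cat > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$1"
}

# render_openvpn_server DEST: a complete server.conf that hands clients the
# VPN gateway as their only DNS server, so queries reach dnsmasq.
render_openvpn_server() {
    write_atomic "$1" <<EOF
port $VPN_PORT
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
server $VPN_SUBNET $VPN_NETMASK
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS $VPN_GATEWAY"
keepalive 10 120
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# render_dnsmasq DEST: listen only on the tunnel, forward to the upstream
# resolver, and answer blocklisted names from the hosts file.
render_dnsmasq() {
    write_atomic "$1" <<EOF
interface=tun0
bind-interfaces
listen-address=$VPN_GATEWAY
no-resolv
server=$UPSTREAM_DNS
addn-hosts=$BLOCKLIST
EOF
}

# config_has_line FILE LINE: 0 if FILE contains LINE exactly; a cheap sanity
# check to run before restarting a service.
config_has_line() {
    grep -qxF -- "$2" "$1"
}
```

Binding dnsmasq to `tun0` only (`interface=` plus `bind-interfaces`) keeps the resolver off the public interface, which is the check worth running after every render: an open resolver on a VPS is a standard amplification target.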

I think the assumption is that this script runs as root. I don't see any sudo calls, but system variables and files are modified, which requires root privileges. The same pattern as before is used. I don't know what the hosts file that is downloaded contains; I will have to look at it before running this on a box I own. As explained in the repository README, I assume it sends the addresses associated with ad networks into a black hole.
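Looking at the downloaded hosts file before installing it can be automated. The added example below (not the repository's code) checks two things a practitioner cares about: that every entry maps its names to a black-hole address rather than to some real host, which would quietly redirect traffic, and that the "hostnames" are plain hostnames and not junk. It also exposes the root check the script relies on. The sample lists in the accompanying test are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the repository: inspect a downloaded hosts-style
# blocklist before installing it. An ad-blocking list should map names to a
# black hole (0.0.0.0, 127.0.0.1 or the IPv6 equivalents); any other target
# would silently redirect traffic for those names, and shell metacharacters in
# a "hostname" are a sign the file is not what you think it is.
set -u

# running_as_root: 0 when the effective uid is root, 1 otherwise.
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# validate_blocklist FILE: report every offending line on stderr; return 0 if
# the file contains only black-hole entries, 1 otherwise.
validate_blocklist() {
    file=$1
    bad=0
    n=0
    set -f    # no globbing while lines are split into fields
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # drop comments and surrounding whitespace
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        set -- $entry            # fields: address, then one or more names
        addr=$1
        shift
        case "$addr" in
            0.0.0.0|127.0.0.1|::1|::) ;;
            *) printf 'line %d: target %s is not a black hole\n' "$n" "$addr" >&2
               bad=1
               continue ;;
        esac
        if [ $# -eq 0 ]; then
            printf 'line %d: no hostname after %s\n' "$n" "$addr" >&2
            bad=1
            continue
        fi
        for name in "$@"; do
            # hostnames: letters, digits, hyphen and dot; no leading dot, no ".."
            case "$name" in
                *[!A-Za-z0-9.-]*|.*|*..*)
                    printf 'line %d: suspicious hostname %s\n' "$n" "$name" >&2
                    bad=1 ;;
            esac
        done
    done < "$file"
    set +f
    return "$bad"
}

# count_blocklist_entries FILE: number of non-comment, non-blank lines.
count_blocklist_entries() {
    sed 's/#.*//' "$1" | grep -c '[^[:space:]]' || true
}
```

Run `validate_blocklist` on the fresh download and only install the file if it returns 0; a non-zero result with the offending lines on stderr is exactly the case where you want to read the file by hand.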

Here we generate the client keys so that clients can set up the VPN tunnel. It is the same pattern as before: sed modifies some default configuration files, interspersed with calls to openssl to generate keys and certificates.
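Once the client certificate and key exist, the piece most people get wrong is handing them out: four separate files plus a config, often world-readable. The added example below (not the repository's code) bundles the CA certificate, client certificate, client key and tls-auth key into a single .ovpn with inline sections, created with a restrictive umask because it contains a private key. The remote address, port and cipher settings are assumptions; the PEM inputs are whatever the easy-rsa/openssl step produced, and the ones used in the accompanying test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the repository: bundle a client's certificate
# and key, the CA certificate and the tls-auth key into one .ovpn file with
# inline <ca>/<cert>/<key>/<tls-auth> sections, so each client receives a
# single file. Remote address, port and cipher settings are assumptions; the
# PEM inputs are whatever the easy-rsa/openssl step produced.
set -u

# build_client_ovpn NAME REMOTE PORT CA CERT KEY TA OUT
# Returns 1 without writing anything if an input file is missing.
build_client_ovpn() {
    name=$1 remote=$2 port=$3 ca=$4 cert=$5 key=$6 ta=$7 out=$8
    for f in "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { printf 'cannot read %s\n' "$f" >&2; return 1; }
    done
    # the bundle contains a private key: create it readable by the owner only
    old_umask=$(umask)
    umask 077
    {
        cat <<EOF
# OpenVPN client profile for $name
client
dev tun
proto udp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
EOF
        # awk 1 re-emits each file with a newline after every line, so the
        # closing tag always starts on its own line even if the PEM lacks one
        printf '<ca>\n';       awk 1 "$ca";   printf '</ca>\n'
        printf '<cert>\n';     awk 1 "$cert"; printf '</cert>\n'
        printf '<key>\n';      awk 1 "$key";  printf '</key>\n'
        printf '<tls-auth>\n'; awk 1 "$ta";   printf '</tls-auth>\n'
    } > "$out"
    umask "$old_umask"
}

# file_mode FILE: permission bits in octal (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

`key-direction 1` on the client pairs with `tls-auth ta.key 0` on the server, and `remote-cert-tls server` makes the client refuse any certificate the CA signed without the server extended key usage, which is what stops one client's credentials being turned into a rogue server.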

I had always feared setting up an OpenVPN server because I assumed there was a lot of arcana around certificates, configuration files and keys. Going through this repository I now see that most of it is not so bad at all. I'm glad the author took the trouble to codify the setup process, because I'm less scared now of doing it on my own by following these guidelines. Top marks all around.