ovpn script — install, autocomplete, deploy, usage

Download the script: ovpn

1) Put the script in place

Copy the ovpn script to your server (for example to your home directory).

Move it into a directory in $PATH, e.g.:

sudo cp ovpn /usr/local/bin/ovpn
sudo chmod 755 /usr/local/bin/ovpn

Test that it runs:

ovpn help
# or, if not root:
sudo ovpn help

2) Enable bash autocomplete (for all users)

Make sure bash-completion is installed:

sudo apt-get update
sudo apt-get install -y bash-completion

Create the completion file:

sudo tee /etc/bash_completion.d/ovpn >/dev/null << 'EOF'
_ovpn()
{
    local cur cmds
    COMPREPLY=()
    cur="${COMP_WORDS[COMP_CWORD]}"

    cmds="deploy gen_serv gen_client remove_serv remove_client \
start stop restart update reserve_ip status mgmt help"

    COMPREPLY=( $(compgen -W "${cmds}" -- "${cur}") )
    return 0
}
complete -F _ovpn ovpn
EOF

Reload completion in the current shell (or just re-login):

source /etc/bash_completion

From now on, autocomplete works for all users who use bash + bash-completion:

ovpn <TAB><TAB>

3) First-time deployment (install & configure)

Run this as root (or with sudo):

sudo ovpn deploy

The script will:

Install dependencies (if missing)

Docker (CE)
gum
socat
iptables-persistent

Ask you

Server IP / hostname (external address)
Device type: tun or tap
DNS server (default: 8.8.8.8)
VPN subnet (default: 192.168.255.0/24)
Port (default: 33444)
Local interface used for internet/NAT (e.g. ens33, eth0, etc.)

Generate

OpenVPN server config: /data/vpn1/openvpn.conf
PKI + CA + server certificate
First client config in ./clients/<client>.ovpn

Create iptables chains

OPENVPN_FILTER_tun0 / OPENVPN_NAT_tun0 (or tap0)

Start the container

Container name: ovpn1
Image: kylemanna/openvpn
Mode: --net=host, --privileged, restart unless-stopped
Persistent data: /data/vpn1 (on host)

4) Everyday usage

Start / Stop / Restart server

sudo ovpn start
sudo ovpn stop
sudo ovpn restart

Generate additional client configs

sudo ovpn gen_client

It will:

Ask for client name
Check for duplicate .ovpn / cert
Build a new client certificate
Generate clients/<name>.ovpn and patch remote IP PORT
Strip any compression (comp-lzo/compress) and add safe pull-filters

View connected clients

sudo ovpn status

(Uses management socket /data/vpn1/server.sock.)

Reserve static IP for a client

sudo ovpn reserve_ip

The script will:

Ask for client name (CN)
Ask for static IP (inside VPN subnet)
Create/update /data/vpn1/ccd/<client> with ifconfig-push

5) Updating the OpenVPN Docker image

sudo ovpn update

What it does:

docker pull kylemanna/openvpn
Stop and remove existing ovpn1 (if exists)
Start a new ovpn1 container with the same volume /data/vpn1

PKI and config are preserved (they’re on the host in /data/vpn1).

6) Full cleanup (remove server + image + rules)

If you want to completely remove everything:

sudo ovpn remove_serv

It will:

Stop and remove container ovpn1 (if exists)
Detect VPN interface from /data/vpn1/openvpn.conf (dev tun0/tap0)
Delete /data/vpn1 directory
Remove Docker image kylemanna/openvpn (if present)
Ask you to choose local interface (for cleaning iptables chains)
Call cleanup_openvpn_chains to delete OPENVPN_* chains
Save iptables rules via netfilter-persistent (if installed)
Optionally remove dependencies (Docker, gum, socat, iptables-persistent)

7) Notes on security / behavior

No comp-lzo/compress

Server: removes any comp-lzo, compress and push compression lines.
Client: removes comp/compress and adds:
- pull-filter ignore "compress"
- pull-filter ignore "comp-lzo"

iptables

Separate chains per VPN device (OPENVPN_FILTER_tun0, OPENVPN_NAT_tun0).
Only forward tun0 ↔ local_iface and drop other traffic from tun0.
NAT only from local_iface, not globally.

iptables-persistent

Autosave v4/v6 preseeded via debconf, installs non-interactively.