# Creating Disposable OpenVPN Servers Using the Vultr Cloud API

27 Apr 2018

For a while now, I’ve used Nyr’s openvpn-install script to set up OpenVPN servers for my personal use. It’s quite a handy script, and as it proclaims on the GitHub page, it’ll let you setup an OpenVPN server in around a minute with no expertise required. This, combined with some ultra-cheap VPS servers, perhaps from VirMach can get you a decently good performance VPN with a single IP address for about a dollar a month. The are a few issues with this approach are that you are limited to one IP address, which allows providers to easily identify you if you use the service for long enough (VirMach actually charges more than the monthly cost of their cheapest offering to change the IP address - it’s easier to cancel), the bandwidth is very limited for heavy usage, and you’re paying for service even when it’s not needed. The last point may not sound like a big deal, but from a pure cost perspective, it’s cheaper to pay hourly only when you need it.

As I still have a considerable amount of credit with Vultr, I decided it would be an interesting project to create a solution that utilizes their cloud APIs to automatically create an OpenVPN server. Now, anyone familiar with Vultr might notice that they have an application template for OpenVPN, which when you order a server gives you an admin username and password on a pre-configured OpenVPN web interface. The issue with this is that you can easily spend 30 minutes to an hour setting up your server this way. It’s not ideal for something you use for a few hours on a coffee shop wireless connection and then destroy. My solution requires absolutely no configuration, at all, and is set up in under 6 minutes, on average, including fully patching the new virtual machine and configuring it to use Cloudflare’s privacy-oriented DNS service.

Because reinventing the wheel isn’t particularly useful, rather than reimplementing the API calls myself, I levereged James Clonk’s Vultr CLI and API client library, which is written in Go. The CLI functionality is heavily used to make API calls into the Vultr cloud. I took the contents of Nyr’s script, and began editing it. I made multiple changes. First, it is now 100% non-interactive. The reason this is so important is that when you run a startup script via an API or cloud-init or any other system, it’s immediately executed in a non-interactive terminal on the server upon creation. There are multiple tweaks I’ve made, such as disabling yum’s fastest mirror check, which takes precious seconds to complete - I want this to be as fast as possible after all. It also generates a random root password and uses the startup script to set this. This makes the root password for the server different from the one that Vultr generates in the portal for security reasons. This password is later used to pull the ovpn certificate file off of the server.

The repository for the tool° actually contains a fully configured and compatible Go installation local to the project. This reduces the requirement on the users to configure anything, and it prevents the script from adding packages or cluttering their system. It’s very self-contained. In order to use it, all you need to do is checkout the repository, export your Vultr API key from the user portal to a variable via export VULTR_API_KEY=[YOUR_API_KEY_HERE] and run the run.sh script. In seconds, a startup script will be generated adn added to your account with a datestamp in the name, and a CentOS 7 server will be ordered using it. The server costs only $0.007/hr, so 10 hours of usage is only 7 cents of Vultr credit. If you’re not using the VPN 24/7, this is far more practical than a cheap $1 server. Another advantage is that you can cancel the server at any time and rather than paying the full $5/month, you’re paying a prorated amount. When your server is cancelled, the 1TB of alloted bandwidth is reset. The bandwidth limit is associated with the subscription. In other words, you can cancel a server when you’re low on bandwidth and within minutes, for no additional cost, have another one with a fresh limit. Once the server is done booting up and running the startup script, a file called openvpn_cert.ovpn will be created in /root on the server. The tool automatically connects to the server after a set interval of time and copies this certificate to the working directory on your computer. You can then use the certificate file to connect to your new server as you would with any other OpenVPN connection. Happy tunneling!

Dylan Taylor
Software Engineer