This uses https://github.com/kylemanna/docker-openvpn for most of the heavy lifting. I've also wrapped it with some persistence management for production usage at https://github.com/outstand/docker-openvpn. I'm using a data container in production as rancherOS doesn't support named volumes in cloud config yet.
I skipped using elliptic curves until both easyrsa and openvpn support choosing the curve (NIST curves are considered harmful).
When you're done, you'll have your PKI in the named volume on your workstation and only the files that the server needs on S3. Back up the contents of the volume somewhere secure. You can't issue new certs or revoke old ones without it.
- `docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -d -N -C AES-256-CBC -T TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 -a SHA512 -n <VPC_DNS_IP> -p 'route <VPC_CIDR> 255.255.0.0' -p 'route <ANOTHER_VPC_CIDR> 255.255.0.0' -u udp://<VPN_SERVER_FQDN> -e 'topology subnet' -p 'dhcp-optio