diff --git a/openvpn/dns.sh b/openvpn/dns.sh
new file mode 100755
index 0000000..882a878
--- /dev/null
+++ b/openvpn/dns.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source $DIR/env.sh
+
+if [[ ! -e $OPENVPNCONFIG ]] || [[ ! -r $OPENVPNCONFIG ]] || [[ ! -w $OPENVPNCONFIG ]]; then
+ echo "$PPPCONFIG is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+DEFAULTDNS1="8.8.8.8"
+DEFAULTDNS2="8.8.4.4"
+
+read -p "Preffered DNS resolver #1: " -e -i $DEFAULTDNS1 DNS1
+: ${DNS1:=$DEFAULTDNS1}
+
+read -p "Preffered DNS resolver #2: " -e -i $DEFAULTDNS2 DNS2
+: ${DNS2:=$DEFAULTDNS2}
+
+sed -i -e "/dhcp-option DNS/d" $OPENVPNCONFIG
+
+echo "push \"dhcp-option DNS $DNS1\"" >> $OPENVPNCONFIG
+echo "push \"dhcp-option DNS $DNS2\"" >> $OPENVPNCONFIG
+
+echo "$OPENVPNCONFIG updated!"
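Review bot: `DNS1` and `DNS2` are appended to the server config exactly as typed, so a typo or a value containing `"` produces a broken `push` line that is only noticed when OpenVPN restarts. A check before the `sed` call would catch it, e.g. `[[ $DNS1 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "invalid DNS address" >&2; exit 1; }`, and the same for `DNS2`. The error message in the access check prints `$PPPCONFIG`, which is not defined in env.sh, so it shows an empty name; it should be `$OPENVPNCONFIG`. `$OPENVPNCONFIG` and `$DIR/env.sh` are also unquoted throughout, and `read` is missing `-r`.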
diff --git a/openvpn/env.sh b/openvpn/env.sh
new file mode 100755
index 0000000..938b578
--- /dev/null
+++ b/openvpn/env.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+SYSCTLCONFIG=/etc/sysctl.conf
+OPENVPNDIR=/etc/openvpn
+OPENVPNCONFIG=$OPENVPNDIR/openvpn-server.conf
+CADIR=$OPENVPNDIR/easy-rsa
+IPTABLES=/etc/iptables.rules
+RCLOCAL=/etc/rc.local
+NOBODYGROUP=nogroup
+
+LOCALPREFIX="172.20"
+LOCALIP="$LOCALPREFIX.0.0"
+LOCALMASK="/24"
+
+LOCALIPMASK="$LOCALIP$LOCALMASK"
+
+IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
+if [[ "$IP" = "" ]]; then
+ IP=$(wget -4qO- "http://whatismyip.akamai.com/")
+fi
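Review bot: The fallback on the `wget` line stores whatever an unauthenticated plain-HTTP response returns in `IP`. iptables-setup.sh and install.sh then paste that value, as root, into `sed` replacements and into the `--to-source $IP` rule. A format check after the `if` block would stop a tampered or empty response from reaching those commands, e.g. `[[ $IP =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "could not determine external IP" >&2; exit 1; }`. The first branch takes the first non-loopback IPv4 address from `ip addr`, which on a NATed host is presumably a private address rather than the public one. A comment saying that the admin must confirm the value would help. Because this file is sourced by every script, the lookup also runs on each of them.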
diff --git a/openvpn/install.sh b/openvpn/install.sh
new file mode 100755
index 0000000..adcb15a
--- /dev/null
+++ b/openvpn/install.sh
@@ -0,0 +1,137 @@
+#!/usr/bin/env bash
+
+STARTDIR=$(pwd)
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source $DIR/env.sh
+
+if [[ "$EUID" -ne 0 ]]; then
+ echo "Sorry, you need to run this as root"
+ exit 1
+fi
+
+echo
+echo "Installing OpenVPN..."
+apt-get install openvpn easy-rsa
+
+echo
+echo "Configuring routing..."
+$DIR/sysctl.sh
+
+echo
+echo "Installing configuration files..."
+yes | cp -rf $DIR/openvpn-server.conf.dist $OPENVPNCONFIG
+
+sed -i -e "s@CADIR@$CADIR@g" $OPENVPNCONFIG
+sed -i -e "s@LOCALPREFIX@$LOCALPREFIX@g" $OPENVPNCONFIG
+sed -i -e "s@NOBODYGROUP@$NOBODYGROUP@g" $OPENVPNCONFIG
+
+echo
+echo "Configuring iptables firewall..."
+$DIR/iptables-setup.sh
+
+echo
+echo "Do you want to create routing or bridging OpenVPN mode? "
+echo "More information at: https://community.openvpn.net/openvpn/wiki/309-what-is-the-difference-between-bridging-and-routing"
+echo " 1) routing"
+echo " 2) bridging"
+echo
+read -p "Your choice [1 or 2]: " -e -i 1 MODE
+case $MODE in
+ 1)
+ DEVICE="tun"
+ sed -i -e "s/DEVICE/tun/g" $OPENVPNCONFIG
+ sed -i -e "/server-bridge/d" $OPENVPNCONFIG
+ ;;
+ 2)
+ DEVICE="tap"
+ sed -i -e "s/DEVICE/tap/g" $OPENVPNCONFIG
+ sed -i -e "/server /d" $OPENVPNCONFIG
+ ;;
+ *)
+ echo "Hm... Strange answer..."
+ exit
+ ;;
+esac
+
+echo
+echo "Configuring DNS parameters..."
+$DIR/dns.sh
+
+echo
+echo "Creating server keys..."
+make-cadir $CADIR
+cd $CADIR
+source ./vars
+./clean-all
+./build-ca
+./build-key-server --batch openvpn-server
+./build-dh
+openvpn --genkey --secret ta.key
+
+ADDUSER="no"
+ANSUSER="yes"
+
+echo
+echo "Configuring VPN users..."
+while [ "$ANSUSER" != "$ADDUSER" ];
+do
+ while [[ -z "$LOGIN" ]];
+ do
+ read -p "Enter name: " LOGIN
+ done
+
+ ./build-key --batch $LOGIN
+
+ if [ $? -eq 0 ]; then
+
+ # copy files and OVPN config
+ mkdir "$STARTDIR/$LOGIN"
+ cp $CADIR/keys/ca.crt $CADIR/keys/$LOGIN.key $CADIR/keys/$LOGIN.crt ta.key "$STARTDIR/$LOGIN/"
+
+ DIST="$STARTDIR/$LOGIN/openvpn-server.ovpn"
+ cp $DIR/openvpn-server.ovpn.dist $DIST
+ sed -i -e "s@LOGIN@$LOGIN@g" $DIST
+ sed -i -e "s@IP@$IP@g" $DIST
+ sed -i -e "s@DEVICE@$DEVICE@g" $DIST
+
+ SRC="$STARTDIR/$LOGIN"
+ DIST="$STARTDIR/$LOGIN/openvpn-server-embedded.ovpn"
+ cp $DIR/openvpn-server-embedded.ovpn.dist $DIST
+ sed -i -e "s@IP@$IP@g" $DIST
+ sed -i -e "s@DEVICE@$DEVICE@g" $DIST
+
+ echo "" >> $DIST
+ cat $SRC/ca.crt >> $DIST
+ echo "" >> $DIST
+
+ echo "" >> $DIST
+ cat $SRC/$LOGIN.crt >> $DIST
+ echo "" >> $DIST
+
+ echo "" >> $DIST
+ cat $SRC/$LOGIN.key >> $DIST
+ echo "" >> $DIST
+
+ echo "" >> $DIST
+ cat $SRC/ta.key >> $DIST
+ echo "" >> $DIST
+
+ echo
+ echo "Created directory $STARTDIR/$LOGIN with necessary files."
+ chown -R ${USER:=$(/usr/bin/id -run)}:$USER $STARTDIR/$LOGIN/
+
+ fi
+
+ read -p "Would you want add another user? [no] " ANSUSER
+ : ${ANSUSER:=$ADDUSER}
+done
+
+echo
+echo "Starting OpenVPN..."
+systemctl enable openvpn
+service openvpn restart
+
+echo
+echo "Installation script completed!"
+
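Review bot: `LOGIN` is used unvalidated and unquoted in `./build-key --batch $LOGIN`, in the `$STARTDIR/$LOGIN` paths and inside the `s@LOGIN@$LOGIN@g` replacement. A name containing `/`, `@`, spaces or a leading `-` therefore breaks the key build, the copies or the sed expression while running as root. It is also never cleared at the end of the user loop, so asking for another user skips the prompt and rebuilds the same name. The export directory receives the client private key and `ta.key` but is created with the default umask; creating it owner-only before the copy avoids exposing them to other local users. The excerpt below shows the three changes, and the rest of the loop body stays as it is.

```shell
while [ "$ANSUSER" != "$ADDUSER" ];
do
  LOGIN=""
  while [[ ! "$LOGIN" =~ ^[A-Za-z0-9][A-Za-z0-9_-]*$ ]];
  do
    read -r -p "Enter name: " LOGIN
  done

  ./build-key --batch "$LOGIN"

  if [ $? -eq 0 ]; then
    mkdir -m 700 "$STARTDIR/$LOGIN"
    # … unchanged: copy keys, fill in both .ovpn templates, chown …
```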
diff --git a/openvpn/iptables-setup.sh b/openvpn/iptables-setup.sh
new file mode 100755
index 0000000..f3e6dd0
--- /dev/null
+++ b/openvpn/iptables-setup.sh
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $IPTABLES ]]; then
+ touch $IPTABLES
+fi
+
+if [[ ! -e $IPTABLES ]] || [[ ! -r $IPTABLES ]] || [[ ! -w $IPTABLES ]]; then
+ echo "$IPTABLES is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+# backup and remove rules with $LOCALIP
+iptables-save > $IPTABLES.backup
+
+IFS=$'\n'
+
+iptablesclear=$(iptables -S -t nat | sed -n -e '/$LOCALPREFIX/p' | sed -e 's/-A/-D/g')
+for line in $iptablesclear
+do
+ cmd="iptables -t nat $line"
+ eval $cmd
+done
+
+# detect default gateway interface
+echo "Found next network interfaces:"
+ifconfig -a | sed 's/[ \t].*//;/^\(lo\|\)$/d'
+echo
+GATE=$(route | grep '^default' | grep -o '[^ ]*$')
+read -p "Enter your external network interface: " -i $GATE -e GATE
+
+STATIC="yes"
+read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
+: ${ANSIP:=$STATIC}
+
+if [ "$STATIC" == "$ANSIP" ]; then
+ # SNAT
+ sed -i -e "s@PUBLICIP@$IP@g" $OPENVPNCONFIG
+ iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP
+else
+ # MASQUERADE
+ sed -i -e "/PUBLICIP/d" $OPENVPNCONFIG
+ iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE
+fi
+
+DROP="yes"
+read -p "Would you want to disable client-to-client routing? [yes] " ANSDROP
+: ${ANSDROP:=$DROP}
+
+if [ "$DROP" == "$ANSDROP" ]; then
+ # disable forwarding
+ sed -i -e "/client-to-client/d" $OPENVPNCONFIG
+ iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
+ iptables -A FORWARD -i tun+ -o tun+ -j DROP
+ iptables -A FORWARD -i tap+ -o tap+ -j DROP
+else
+ echo "Deleting DROP rules if exists..."
+ iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
+ iptables -D FORWARD -i tap+ -o tap+ -j DROP
+ iptables -D FORWARD -i tun+ -o tun+ -j DROP
+fi
+
+# MSS Clamping
+iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+# TUN/TAP
+iptables -A INPUT -i tun+ -j ACCEPT
+iptables -A INPUT -i tap+ -j ACCEPT
+iptables -A OUTPUT -o tun+ -j ACCEPT
+iptables -A OUTPUT -o tap+ -j ACCEPT
+
+# OpenVPN
+iptables -A INPUT -p udp --dport 1194 -j ACCEPT
+
+iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
+
+RESTORPRESENTS=$(grep iptables-restore $RCLOCAL)
+if [ $? -ne 0 ]; then
+ sed -i -e "/exit 0/d" $RCLOCAL
+ echo "iptables-restore < $IPTABLES" >> $RCLOCAL
+ echo "exit 0" >> $RCLOCAL
+fi
+
+iptables -F
+iptables-restore < $IPTABLES
+
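Review bot: The cleanup pipeline on the `iptablesclear=` line never matches anything, because `'/$LOCALPREFIX/p'` is single-quoted and sed looks for the literal text `$LOCALPREFIX` instead of `172.20`. NAT rules left by an earlier run (for example an SNAT to a previous address) are therefore kept. Double quotes fix the match: `sed -n -e "/$LOCALPREFIX/p"`. Once it matches, though, `eval $cmd` runs `iptables -S` output as shell text under root, so I would split each rule into an array instead: `IFS=' ' read -r -a args <<< "$line"` followed by `iptables -t nat "${args[@]}"`. Rules carrying quoted comments with spaces would need extra handling with that approach. `IFS=$'\n'` also stays in effect for the rest of the script and deserves a comment or a reset after the loop.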
diff --git a/openvpn/openvpn-server-embedded.ovpn.dist b/openvpn/openvpn-server-embedded.ovpn.dist
new file mode 100644
index 0000000..ed995b3
--- /dev/null
+++ b/openvpn/openvpn-server-embedded.ovpn.dist
@@ -0,0 +1,12 @@
+client
+dev DEVICE
+persist-key
+persist-tun
+tls-client
+cipher DES-EDE3-CBC
+remote IP
+port 1194
+proto udp
+resolv-retry infinite
+redirect-gateway
+key-direction 1
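Review bot: Neither client template checks that the peer presents a server certificate, so a certificate issued by the same CA to another client would be accepted as the server. Adding `remote-cert-tls server` here and in openvpn-server.ovpn.dist closes that, assuming `build-key-server` issues certificates with the server key usage. `cipher DES-EDE3-CBC` is 3DES with a 64-bit block, which is weak for long-lived tunnels. The same line appears in openvpn-server.conf.dist and openvpn-server.ovpn.dist, and all three have to change together, e.g. to `cipher AES-256-CBC`. `redirect-gateway` without `def1` also differs from the `redirect-gateway def1 bypass-dhcp` that the server pushes, so one of the two is probably redundant.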
diff --git a/openvpn/openvpn-server.conf.dist b/openvpn/openvpn-server.conf.dist
new file mode 100644
index 0000000..c9f401c
--- /dev/null
+++ b/openvpn/openvpn-server.conf.dist
@@ -0,0 +1,25 @@
+mode server
+port 1194
+proto udp
+dev DEVICE
+ca CADIR/keys/ca.crt
+cert CADIR/keys/openvpn-server.crt
+key CADIR/keys/openvpn-server.key
+dh CADIR/keys/dh2048.pem
+tls-server
+tls-auth CADIR/ta.key 0
+server LOCALPREFIX.0.0 255.255.255.0
+server-bridge LOCALPREFIX.0.1 255.255.255.0 LOCALPREFIX.0.10 LOCALPREFIX.0.100
+local PUBLICIP
+client-to-client
+cipher DES-EDE3-CBC
+user nobody
+group NOBODYGROUP
+max-clients 100
+keepalive 10 120
+persist-key
+persist-tun
+push "route-gateway dhcp"
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS 8.8.8.8"
+push "dhcp-option DNS 8.8.4.4"
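Review bot: `client-to-client` ships enabled in the template and is removed only when the admin answers exactly `yes` in iptables-setup.sh. Any other answer, including `y`, takes the else branch there, which keeps the directive and deletes the FORWARD DROP rules. Since the prompt's stated default is to isolate clients, I would leave the directive out of the template and have the script append it only on an explicit opt-in. A short `#` comment block at the top listing the placeholders (`DEVICE`, `CADIR`, `LOCALPREFIX`, `PUBLICIP`, `NOBODYGROUP`) and which script fills each one would make the file easier to audit.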
diff --git a/openvpn/openvpn-server.ovpn.dist b/openvpn/openvpn-server.ovpn.dist
new file mode 100644
index 0000000..6f63ccd
--- /dev/null
+++ b/openvpn/openvpn-server.ovpn.dist
@@ -0,0 +1,16 @@
+client
+dev DEVICE
+persist-key
+persist-tun
+cipher DES-EDE3-CBC
+remote IP
+port 1194
+proto udp
+resolv-retry infinite
+redirect-gateway
+tls-client
+tls-auth ta.key 1
+ca ca.crt
+cert LOGIN.crt
+key LOGIN.key
+
diff --git a/openvpn/sysctl.sh b/openvpn/sysctl.sh
new file mode 100755
index 0000000..440118a
--- /dev/null
+++ b/openvpn/sysctl.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source $DIR/env.sh
+
+if [[ ! -e $SYSCTLCONFIG ]] || [[ ! -r $SYSCTLCONFIG ]] || [[ ! -w $SYSCTLCONFIG ]]; then
+ echo "$SYSCTLCONFIG is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+sed -i -e "/net.ipv4.ip_forward/d" $SYSCTLCONFIG
+echo "net.ipv4.ip_forward=1" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.all.accept_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.all.accept_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.all.send_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.all.send_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.rp_filter/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.rp_filter=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.accept_source_route/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.accept_source_route=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.send_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.send_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.icmp_ignore_bogus_error_responses/d" $SYSCTLCONFIG
+echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> $SYSCTLCONFIG
+
+sysctl -p
+service procps restart
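Review bot: `net.ipv4.conf.default.rp_filter=0` switches reverse-path filtering off, which removes the kernel's check against spoofed source addresses on a host that is about to forward traffic. Nothing else in this commit appears to need it. I would set `net.ipv4.conf.default.rp_filter=1` (or `2` if asymmetric routing is expected) and add a comment giving the reason. The `sed -i -e "/net.ipv4.ip_forward/d"` style deletes also remove any comment line that mentions the key, and the file is not backed up first, unlike the rules backup in iptables-setup.sh. Anchoring the patterns, e.g. `"/^net\.ipv4\.ip_forward[ =]/d"`, and copying `$SYSCTLCONFIG` before editing would be safer.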