Networking-Forums.com

Education => Guides and Labs => Topic started by: wintermute000 on February 29, 2016, 04:31:15 AM

Title: How to run openvpn in docker
Post by: wintermute000 on February 29, 2016, 04:31:15 AM
Found this tutorial re: running openvpn in docker, and works great.

I now have a VPS in DigitalOcean that can act as a full-blown VPN proxy, woohoo. (It's a bit of a step up from simply forwarding the squid port over SSH!)

https://www.digitalocean.com/community/tutorials/how-to-run-openvpn-in-a-docker-container-on-ubuntu-14-04

Since the openvpn bits are nicely packaged in docker, it's more of value as a dirty intro to docker than openvpn, but it's all good. From my previous XP with openvpn it wasn't the server bit that was hard, it was sorting out the iptables so it knew how to not only let you VPN in but NAT you back out (as well as pushing the reverse routes). Which the prebuilt docker has taken care of completely.

Title: Re: How to run openvpn in docker
Post by: Reggle on February 29, 2016, 05:12:52 AM
Thanks for the link. I've got it running at home without Docker but it's an interesting approach.

Title: Re: How to run openvpn in docker
Post by: wintermute000 on March 01, 2016, 03:29:16 AM
Can you elaborate on what you had to do re: iptables?

i.e. did this basically work or was it more involved?

https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

With a VPS my public IP is directly on the box so I'm pretty much scenario 1 - except that docker did it all and I didn't manually do anything.

The iptables is really confusing, below kind of makes sense. I'm really green on linux NAT - I'm OK with basic iptables allow and drop in the input chain but this is forcing me to go back to basics completely.

https://docs.docker.com/v1.8/articles/networking/

Title: Re: How to run openvpn in docker
Post by: Reggle on March 01, 2016, 07:25:30 AM
That basically worked. You just 1) enable IPv4 forwarding, 2) allow the OpenVPN port inbound in iptables and 3) NAT everything using iptables (masquerade) towards the internet from the tunnel interface.
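
The three steps listed in the last post can be verified on a host by reading the forwarding flag and the output of `iptables-save`. The script below is an added example, not part of the thread or of the Docker image discussed; the port (udp/1194), tunnel subnet (10.8.0.0/24), interface name (eth0) and the sample ruleset are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed values (not from the thread): OpenVPN on udp/1194, tunnel subnet
# 10.8.0.0/24, outbound interface eth0. Adjust to the host being checked.
VPN_PROTO=udp; VPN_PORT=1194; VPN_NET=10.8.0.0/24; WAN_IF=eth0

# Constructed sample of `iptables-save` output, so the script runs offline.
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
EOF
}

# audit_vpn_host <ip_forward value> <file holding iptables-save output>
# Prints one line per missing step; return status = number of missing steps.
audit_vpn_host() {
    fwd=$1; rules=$2; missing=0
    # Step 1: the kernel must forward packets between tunnel and WAN.
    [ "$fwd" = "1" ] || { echo "MISSING step 1: net.ipv4.ip_forward is '$fwd'"; missing=$((missing+1)); }
    # Step 2: an INPUT rule must accept the OpenVPN port.
    grep -Eq -- "^-A INPUT .*-p $VPN_PROTO .*--dport $VPN_PORT .*-j ACCEPT" "$rules" \
        || { echo "MISSING step 2: no INPUT ACCEPT for $VPN_PROTO/$VPN_PORT"; missing=$((missing+1)); }
    # Step 3: nat POSTROUTING must MASQUERADE, scoped to the tunnel subnet
    # and the WAN interface rather than masquerading everything.
    awk -v net="$VPN_NET" -v ifc="$WAN_IF" '
        /^\*/ { table = $0 }
        table == "*nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ &&
            index($0, "-s " net " ") && index($0, "-o " ifc " ") { ok = 1 }
        END { exit !ok }' "$rules" \
        || { echo "MISSING step 3: no MASQUERADE for $VPN_NET via $WAN_IF"; missing=$((missing+1)); }
    return "$missing"
}

# Live host (as root): iptables-save > /tmp/rules.txt
#   audit_vpn_host "$(cat /proc/sys/net/ipv4/ip_forward)" /tmp/rules.txt
```

The step 3 check deliberately requires the source subnet and outbound interface on the MASQUERADE rule, so a blanket NAT rule is reported as missing rather than accepted.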