The Paranoid Sysadmin’s Guide to OpenVPN in Norway
Let’s be honest: The internet is becoming a hostile place. Between the release of Firesheep late last year and the increasingly aggressive snooping by ISPs, transmitting cleartext data over public WiFi is practically begging for identity theft. If you are still checking webmail or logging into web apps over plain HTTP at a coffee shop without a tunnel, anyone on the same network can pick up your session cookies and become you. Period.
Commercial VPN services are an option, but do you really trust them with your logs? The closest you can get to real privacy is to roll your own endpoint. You control the keys, you control the logs (or lack thereof), and you control the bandwidth. Be clear about what that buys you: you have moved your trust from a VPN reseller to the hosting provider whose machine terminates the tunnel, so pick that provider, and its jurisdiction, deliberately.
Today, we are setting up a hardened OpenVPN server on a Linux VPS. We are choosing Norway as our jurisdiction. Why? Because the Datatilsynet (Data Inspectorate) actually has teeth, and hosting outside the immediate reach of the US Patriot Act is a strategic move for any European sysadmin.
The Hardware Reality: TUN/TAP and I/O
Before we touch the terminal, a warning. Most budget VPS providers oversell their nodes with OpenVZ-style containers that share the host's kernel; a container only gets a TUN device if the host operator enables it, and no package you install inside the guest can change that. Check before you build anything: `cat /dev/net/tun` should answer "File descriptor in bad state", which means the device exists and is usable. "No such file or directory" or "Permission denied" means OpenVPN cannot open it and will not work on that box.
Pro Tip: We enable TUN/TAP and iptables modules by default on all CoolVDS instances. We use KVM and Xen virtualization, so you get a dedicated kernel. Don't waste hours debugging a `modprobe` error that is actually a host-node restriction.
Step 1: The Environment
We are using Debian 6 (Squeeze) or Ubuntu 10.04 LTS. The instructions are nearly identical. Log in as root.
apt-get update
apt-get install openvpn host
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
Step 2: The PKI Infrastructure
Edit the vars file. Don't skip this. You don't want your certificate parameters defaulting to "San Francisco" if you are hosting in Oslo.
export KEY_COUNTRY="NO"
export KEY_PROVINCE="Oslo"
export KEY_CITY="Oslo"
export KEY_ORG="CoolVDS_Private"
export KEY_EMAIL="[email protected]"
Now, build the Certificate Authority (CA) and server keys. easy-rsa 2.0 defaults KEY_SIZE to 1024, and that one value sizes both the RSA keys and the Diffie-Hellman parameters. Treat 1024-bit as the floor: if you have CPU cycles to burn, set KEY_SIZE to 2048 in vars before sourcing it (build-dh then writes dh2048.pem, and server.conf must point at that file instead of dh1024.pem).
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
Note: Generating `dh1024.pem` means searching for a large safe prime, and nothing can be cached or parallelised. On a sluggish VPS this takes minutes; on CoolVDS high-frequency cores it’s done before you finish your coffee. You will also need one certificate per client (build-key with the client's name); each device gets ca.crt plus its own .crt and .key, and the server never sees client private keys.
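Before wiring the keys into server.conf, it is worth checking what easy-rsa actually produced. The script below is an added example, not code from the original page or from easy-rsa: it drives openssl directly (assumed installed) and assumes the easy-rsa 2.0 layout, ca.crt, server.crt, server.key and one dh*.pem in the directory you pass it. It verifies that the server certificate chains to the CA and carries the serverAuth extended key usage that build-key-server sets (a plain client certificate from the same CA must not pass, since that is exactly the impersonation a client's remote-cert-tls server check is meant to stop), and that every RSA key and the DH group meet a minimum size.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the keys/ directory
# easy-rsa produced before pointing server.conf at it. It calls openssl directly
# (assumed installed) and assumes the easy-rsa 2.0 layout: ca.crt, server.crt,
# server.key and one dh*.pem under the directory given as the first argument.

# RSA modulus size in bits of a certificate or an unencrypted private key.
rsa_bits() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then cmd=x509; else cmd=rsa; fi
    # openssl prints "Public-Key: (2048 bit)" / "Private-Key: (2048 bit...)"
    openssl "$cmd" -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Size in bits of the Diffie-Hellman group in a dh*.pem file.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# True if CERT ($2) chains to CA ($1) and carries extendedKeyUsage=serverAuth,
# which build-key-server sets and a client's "remote-cert-tls server" checks.
cert_is_server() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' || return 1
    openssl x509 -in "$2" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# check_pki DIR [MIN_BITS]: print findings, return 0 only if everything passes.
check_pki() {
    dir=$1; min=${2:-2048}; rc=0
    cert_is_server "$dir/ca.crt" "$dir/server.crt" \
        || { echo "FAIL: server.crt does not chain to ca.crt as a server certificate"; rc=1; }
    for f in ca.crt server.crt server.key; do
        b=$(rsa_bits "$dir/$f")
        [ "${b:-0}" -ge "$min" ] || { echo "FAIL: $f is ${b:-?} bits (< $min)"; rc=1; }
    done
    dh=$(ls "$dir"/dh*.pem 2>/dev/null | head -n 1)
    b=$(dh_bits "${dh:-/nonexistent}")
    [ "${b:-0}" -ge "$min" ] || { echo "FAIL: DH group is ${b:-?} bits (< $min)"; rc=1; }
    # easy-rsa's KEY_EXPIRE defaults to 3650 days; warn when renewal is near
    openssl x509 -in "$dir/server.crt" -noout -checkend 2592000 >/dev/null 2>&1 \
        || echo "WARN: server.crt expires within 30 days"
    return $rc
}

# usage: sh check_pki.sh /etc/openvpn/easy-rsa/keys [2048]
[ "$#" -eq 0 ] || check_pki "$@"
```

Run it as `sh check_pki.sh /etc/openvpn/easy-rsa/keys 1024` if you kept easy-rsa's default KEY_SIZE, or with 2048 if you raised it; a FAIL on the DH line after changing KEY_SIZE usually means build-dh was run before vars was re-sourced.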
Step 3: Server Configuration
Create /etc/openvpn/server.conf. We are going to use UDP. Tunnelling TCP inside TCP makes both layers retransmit when a packet is lost, each one waiting on the other, the "TCP meltdown" that stalls the tunnel; UDP carries the inner connections' own retransmissions without adding its own.
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
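The config above leaves OpenVPN 2.1/2.2's defaults in place wherever it says nothing: no `cipher` line means the data channel uses BF-CBC (Blowfish), no `tls-auth` means any host on the internet can talk to the TLS layer, and the pushed resolver is a third party that sees every query. The script below is an added example, not code from the original page: it audits a server.conf for those gaps and writes a hardened version. The paths to ta.key and crl.pem, and a resolver of your own listening on the tunnel address 10.8.0.1, are assumptions; generate ta.key with `openvpn --genkey --secret ta.key` and crl.pem with easy-rsa's revoke-full.

```shell
#!/bin/sh
# Added example, not from the original page: audit an OpenVPN 2.1/2.2
# server.conf for the hardening the page's config lacks, and emit a hardened
# version. Assumed: ta.key and crl.pem in /etc/openvpn/easy-rsa/keys/, and a
# resolver you run yourself (e.g. unbound) bound to the tunnel address 10.8.0.1.

# True if the directive appears, uncommented, in the config file.
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print the first value of a directive, e.g. conf_get server.conf dh.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Print findings; return 1 if any FAIL-level finding exists.
audit_conf() {
    f=$1; fails=0
    if ! conf_has "$f" cipher; then
        echo "FAIL: no 'cipher' line, so the data channel uses the default BF-CBC (Blowfish); add: cipher AES-256-CBC"
        fails=$((fails + 1))
    fi
    if ! conf_has "$f" tls-auth; then
        echo "FAIL: no 'tls-auth': unauthenticated UDP packets reach the TLS stack; add: tls-auth ta.key 0"
        fails=$((fails + 1))
    fi
    if ! conf_has "$f" user || ! conf_has "$f" group; then
        echo "FAIL: 'user'/'group' missing, the daemon keeps root after start-up"
        fails=$((fails + 1))
    fi
    # filename heuristic only; the keys directory may not be present where this runs
    case "$(conf_get "$f" dh)" in
        *1024*) echo "WARN: dh file name suggests 1024-bit parameters; regenerate with KEY_SIZE=2048" ;;
    esac
    if conf_has "$f" comp-lzo; then
        echo "WARN: comp-lzo compresses plaintext before encryption, and compressed size leaks information about attacker-influenced content; drop it unless you need it"
    fi
    dns=$(grep -Eo 'dhcp-option DNS [0-9.]+' "$f" | awk '{print $3}' | head -n 1)
    case "${dns:-}" in
        ""|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) echo "WARN: pushed resolver $dns is a third party that sees every query; run your own resolver" ;;
    esac
    conf_has "$f" crl-verify || echo "WARN: no 'crl-verify', a revoked client certificate is still accepted"
    [ "$fails" -eq 0 ]
}

# Write a hardened server.conf to $1: the page's layout plus the fixes above.
write_hardened_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# HMAC firewall: generate with 'openvpn --genkey --secret ta.key'; clients use direction 1
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# explicit cipher and HMAC instead of the BF-CBC / SHA1 defaults; clients must match
cipher AES-256-CBC
auth SHA256
# reject revoked clients; produce crl.pem with easy-rsa's ./revoke-full
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
# assumption: a resolver you run yourself listens on the tunnel address
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# usage: sh audit_conf.sh /etc/openvpn/server.conf
[ "$#" -eq 0 ] || audit_conf "$1"
```

Clients need the matching lines: `tls-auth ta.key 1`, the same `cipher` and `auth`, no `comp-lzo` if the server dropped it, and `remote-cert-tls server` (or `ns-cert-type server` on 2.0 clients) so that a client certificate from the same CA cannot pose as the server. Note that a pushed `dhcp-option DNS` is applied automatically only by Windows clients; on Linux, hook Debian's /etc/openvpn/update-resolv-conf in with `up`/`down` and `script-security 2`, or the client keeps using the coffee shop's resolver.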
Step 4: Routing and IPTables
This is where most setups fail: the tunnel comes up, the client gets a 10.8.0.x address, and nothing beyond the VPS is reachable, because the kernel is not forwarding packets between tun0 and the public interface.
Edit /etc/sysctl.conf and uncomment:
net.ipv4.ip_forward=1
Apply it with `sysctl -p`. Now configure iptables to NAT the tunnel subnet behind the VPS's public address, so that replies to 10.8.0.x addresses find their way back through the VPS. Replace `eth0` with your public interface if different.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
To make this persistent across reboots on Debian/Ubuntu, dump the rules:
iptables-save > /etc/iptables.rules
Then add this line to your network interface config in /etc/network/interfaces under `eth0`:
pre-up iptables-restore < /etc/iptables.rules
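The single MASQUERADE rule above is enough only while the FORWARD and INPUT chains still accept everything; the moment you give this box a real firewall (and a paranoid sysadmin will), the tunnel needs explicit rules of its own. The script below is an added example, not from the original page: it generates the complete ruleset in iptables-restore format, the same format `iptables-save` writes and the `pre-up` line loads, with the VPN subnet, public interface and port as parameters. The SSH port 22 and the DROP default policies are assumptions; adjust them before applying, and test from a second session before you log out.

```shell
#!/bin/sh
# Added example, not from the original page: generate the full iptables ruleset
# for the VPN gateway in iptables-restore format (what iptables-save writes and
# the pre-up line loads). It adds what the page's lone MASQUERADE rule leaves
# implicit: accepting UDP 1194 on INPUT and FORWARD rules that hold when the
# chain policies are DROP. Assumed: SSH on tcp/22, tunnel interfaces named tun*.

# Validate a dotted-quad/prefix like 10.8.0.0/24 (shape only, not range).
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Validate an interface name; rejects anything that could smuggle shell text.
valid_iface() {
    echo "$1" | grep -Eq '^[A-Za-z0-9._:-]{1,15}$'
}

# vpn_rules WAN_IFACE TUNNEL_CIDR [PORT]: ruleset on stdout, 1 on bad input.
vpn_rules() {
    wan=$1; net=$2; port=${3:-1194}
    valid_iface "$wan" || { echo "bad interface name: $wan" >&2; return 1; }
    valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# tunnel clients leave through the VPS's public address
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH (assumed tcp/22) and the OpenVPN port; nothing else reaches the host itself
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport $port -j ACCEPT
# only tunnel clients are forwarded out, and only replies to them come back in
-A FORWARD -i tun+ -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# usage: sh vpn_rules.sh eth0 10.8.0.0/24 > /etc/iptables.rules
[ "$#" -eq 0 ] || vpn_rules "$@"
```

Write the output to /etc/iptables.rules and load it with `iptables-restore < /etc/iptables.rules`; the `pre-up` line then reapplies it on every boot. Keep the session you loaded it from open until a fresh SSH login and a VPN client both work.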
Why Latency Matters
Encryption adds overhead. Every packet is encrypted, encapsulated, routed, decapsulated, and decrypted, and OpenVPN 2.x does all of that in a single thread, so one core's real speed bounds your throughput. If your VPS has high "steal time" (CPU cycles the hypervisor hands to noisy neighbours instead of you) or slow disk I/O when writing logs, your throughput crashes.
In Norway, peering is excellent thanks to NIX (Norwegian Internet Exchange). If you are connecting from Northern Europe, round-trip latency to Oslo is often under 30 ms. This makes the VPN feel invisible.
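Steal time is not a feeling; the kernel reports it. The eighth counter on the `cpu` line of /proc/stat is the time the hypervisor ran someone else while this guest wanted the CPU. The script below is an added example, not from the original page: it takes two samples of that line and returns the steal share between them as a percentage, so you can measure your VPS rather than guess, with constructed sample lines in the usage note. The field layout assumed is the standard one (user, nice, system, idle, iowait, irq, softirq, steal).

```shell
#!/bin/sh
# Added example, not from the original page: measure CPU steal on a VPS from
# /proc/stat. The "cpu" line reads: cpu user nice system idle iowait irq softirq steal ...
# steal_pct takes two such lines sampled some seconds apart and prints the
# percentage of CPU time the hypervisor took from this guest in between.

steal_pct() {
    # $1, $2: two "cpu ..." lines from /proc/stat; output is an integer percentage
    printf '%s\n%s\n' "$1" "$2" | awk '
        { tot = 0; for (i = 2; i <= 9; i++) tot += $i; t[NR] = tot; s[NR] = $9 }
        END {
            dt = t[2] - t[1]
            if (dt <= 0) { print 0; exit }          # no time passed: nothing to report
            printf "%d\n", (100 * (s[2] - s[1]) + dt / 2) / dt   # rounded to nearest
        }'
}

# Sample the live machine over N seconds (default 5); Linux only.
measure_steal() {
    a=$(grep '^cpu ' /proc/stat) || return 1
    sleep "${1:-5}"
    b=$(grep '^cpu ' /proc/stat)
    steal_pct "$a" "$b"
}

# usage: sh steal.sh 10   (prints e.g. 15 on an oversold node, 0 on a quiet one)
[ "$#" -eq 0 ] || measure_steal "$1"
```

With the constructed samples `cpu 100 0 50 800 0 0 0 50 0 0` and `cpu 200 0 100 1500 0 0 0 200 0 0` the function reports 15, since 150 of the 1000 jiffies that elapsed were stolen. A few percent is normal on any shared host; a sustained double-digit figure while your tunnel is slow means the node is oversold, and no OpenVPN tuning will fix that.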
| Feature | Budget OpenVZ Host | CoolVDS (KVM/Xen) |
|---|---|---|
| TUN/TAP | Often Disabled | Always Enabled |
| Kernel Access | Shared | Dedicated |
| Storage | Slow SATA | RAID-10 SAS/SSD |
Final Thoughts
With this setup, your traffic travels inside an encrypted tunnel. One caveat: the config above sets no `cipher`, so OpenVPN 2.1/2.2 uses its default BF-CBC (Blowfish), not AES; add a `cipher AES-256-CBC` line to both server and client configs if AES is what you want. Your ISP sees only UDP traffic between you and your VPS on port 1194; it can tell that it is OpenVPN, but not what is inside. Your data sits under Norwegian jurisdiction, on a machine whose keys and logs you hold, rather than with a third-party VPN service that might sell it.
Security is not a product; it's a process. But having the right foundation helps.
Need a server that respects your privacy and performance needs? Deploy a CoolVDS instance in Oslo today. We accept major cards and wire transfers.