Hardened OpenVPN Deployment Guide: Privacy in the Age of DLD
I don't trust the WiFi at Kaffebrenneriet. I don't trust the open network at the airport in Gardermoen. And with the Data Retention Directive (Datalagringsdirektivet) passing in Stortinget this April, I am starting to trust the ISPs a lot less, too. If you are serious about data privacy in 2011, you cannot rely on proprietary protocols or hope for the best.
You need a tunnel. You need OpenVPN.
Too many sysadmins take the lazy route: PPTP. It is built into Windows 7, sure, but it is fundamentally broken. MS-CHAPv2 has been cracked. If you are moving sensitive corporate data or just want to browse VG.no without leaking your session cookies to a script kiddie running Firesheep, you need 2048-bit RSA and AES encryption.
Here is how we deploy a production-grade OpenVPN 2.2 gateway on CentOS 6, optimized for the Norwegian network landscape.
1. The Hardware Reality: Encryption Eats CPU
Before touching a config file, let's talk about the metal. OpenVPN runs in userspace. Every packet you push through that tunnel has to be context-switched, encrypted, and encapsulated. This is CPU intensive.
Most budget VPS providers oversell their CPU cores. You might see "2.4GHz" in /proc/cpuinfo, but you are sharing that cycle time with fifty other noisy neighbors running heavy PHP scripts. When your CPU wait increases, your VPN throughput tanks. Packet loss on a TCP stream kills performance instantly.
Pro Tip: For VPN gateways, avoid OpenVZ containers if you can. You often run into issues with the TUN/TAP device drivers not being enabled on the host node. We use CoolVDS for our endpoints because they use KVM virtualization. You get a dedicated kernel and, more importantly, guaranteed CPU cycles. No steal time means no jitter in your tunnel.
2. Prerequisites and Installation
We are using CentOS 6.0 (released just a few months ago). It is stable, predictable, and supports the EPEL repositories. First, enable EPEL and install the binaries.
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm
yum update -y
yum install openvpn easy-rsa -y
3. The Configuration Strategy
Copy the sample configuration to your working directory. We aren't going to use the defaults; we are going to harden them.
cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf /etc/openvpn/
Edit /etc/openvpn/server.conf. Here are the critical directives for a secure, high-speed connection:
- Protocol: Use proto udp. TCP over TCP leads to the "meltdown" effect when packet loss occurs. UDP is faster and more resilient.
- Device: Use dev tun for routing (Layer 3). Use tap only if you need to broadcast NetBIOS traffic, which you probably don't.
- Encryption: The default is Blowfish (BF-CBC). It's fast, but for higher security, switch to AES-256-CBC. Note: This will require more CPU power, another reason to host on a platform like CoolVDS with high-performance specs.
Network Routing
To force all your client traffic through the VPN (preventing leaks), uncomment this line:
push "redirect-gateway def1 bypass-dhcp"
And to ensure DNS queries don't leak to your local ISP (a common oversight), push secure DNS servers:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
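As an added example (not part of the original guide), the following POSIX shell script audits an OpenVPN 2.2 server.conf against the directives from this section: UDP transport, a tun device, an explicit AES-256-CBC cipher, a pushed default route and pushed DNS servers. The two sample configs it checks are constructed inline; the function returns the number of failed checks, so 0 means hardened.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an OpenVPN 2.2
# server.conf against the hardening directives from section 3. The
# return value is the number of failed checks. Sample configs are constructed.

# has_directive FILE REGEX: true if an uncommented line starts with REGEX
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# check_openvpn_conf FILE: print findings, return the count of failed checks
check_openvpn_conf() {
    conf="$1"; fails=0
    # UDP transport avoids the TCP-over-TCP "meltdown" under packet loss
    has_directive "$conf" 'proto udp' \
        || { echo "FAIL: proto is not udp"; fails=$((fails+1)); }
    # Routed Layer-3 tunnel; tap is only for bridged/NetBIOS setups
    has_directive "$conf" 'dev tun[0-9]*' \
        || { echo "FAIL: dev is not tun"; fails=$((fails+1)); }
    # No explicit cipher line means the BF-CBC default is in effect
    has_directive "$conf" 'cipher AES-256-CBC' \
        || { echo "FAIL: cipher is not AES-256-CBC"; fails=$((fails+1)); }
    # Full-tunnel default route so client traffic cannot bypass the VPN
    has_directive "$conf" 'push "redirect-gateway def1' \
        || { echo "FAIL: redirect-gateway not pushed"; fails=$((fails+1)); }
    # Pushed resolver so DNS queries do not leak to the local ISP
    has_directive "$conf" 'push "dhcp-option DNS' \
        || { echo "FAIL: no DNS server pushed"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ] && echo "OK: $conf passes all checks"
    return "$fails"
}

# Constructed sample configs: one stock-style, one hardened as in the guide
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
proto tcp
dev tap
;push "redirect-gateway def1 bypass-dhcp"
EOF
cat > "$HARD_CONF" <<'EOF'
proto udp
dev tun
cipher AES-256-CBC
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
EOF

check_openvpn_conf "$WEAK_CONF" || echo "weak config: $? failed checks"
check_openvpn_conf "$HARD_CONF"
```

Run it against /etc/openvpn/server.conf after editing to confirm nothing was left at the sample defaults; commented-out (`;` or `#`) lines are correctly treated as absent.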
4. IPtables and NAT: The Glue
OpenVPN handles the tunnel, but the Linux kernel handles the routing. You need to enable IP forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Apply it with sysctl -p. Now, configure iptables to masquerade traffic leaving your VPS's public interface. This allows your client to browse the internet appearing as the VPS IP.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
5. Why Location Matters: The Oslo Advantage
Physics is the enemy. If you are sitting in Oslo but your VPN endpoint is in Texas, your packets are making a trans-Atlantic round trip for every request. That adds 100ms+ latency. For SSH sessions or VoIP, that is unusable.
For Norwegian users, you want your VPN endpoint peering directly at NIX (Norwegian Internet Exchange). This keeps latency typically under 10ms. CoolVDS hosts out of data centers with direct fiber paths to NIX, ensuring that your secure tunnel is nearly as fast as your raw line.
6. Verification
Start the service:
service openvpn start
chkconfig openvpn on
Check /var/log/messages. If you see "Initialization Sequence Completed", you are live. Connect your client, visit a site like whatismyip.com, and verify you are broadcasting the CoolVDS IP, not your home IP.
Final Thoughts
Privacy requires vigilance. The Data Retention Directive means ISPs are required to store your metadata. By tunneling out to a neutral, high-performance VPS, you regain control of your digital footprint. Don't let a slow server be the bottleneck in your security setup.
Ready to lock down your connection? Spin up a CentOS 6 instance on CoolVDS today. With our SSD-backed storage and KVM architecture, your encryption overhead won't slow you down.