Stop Trusting Public WiFi: The Battle-Hardened Guide to OpenVPN
Let's be honest: if you are still logging into your servers via unencrypted FTP or checking corporate email over the coffee shop's open WiFi, you are asking for a data breach. With the explosion of smartphones like the new iPhone 4 and Android devices, mobile data usage is skyrocketing, and so are the risks of packet sniffing. I've seen sysadmins lose root passwords because they were lazy about tunneling. Don't be that guy.
Today, we aren't just setting up a VPN; we are building a secure tunnel through the untrusted internet, anchored right here in Norway. We are using OpenVPN 2.1 because PPTP is dead to anyone who actually cares about security (Bruce Schneier called it out years ago).
Why Location and Latency Matter
You might ask, "Why not just host this in the US?" Two reasons: Latency and Law.
First, if you are working from Oslo or Bergen, routing your traffic through Texas adds something like 150 ms of round-trip latency, and you feel every millisecond of it in an interactive SSH session. Hosting on a VPS in Norway keeps your ping in the single digits.
Second, we have the Personopplysningsloven (Personal Data Act). Keeping your data within Norwegian borders under the watchful eye of Datatilsynet offers a layer of legal protection you don't get with cheap offshore hosting. This is critical for compliance if you are handling customer data.
The Prerequisites: Hardware and Virtualization
Before we touch the terminal, you need a VPS that can actually run a VPN. OpenVPN builds its tunnel on the kernel's TUN/TAP device, and on OpenVZ that device only exists inside a container if the host node grants it; the guest cannot load the module itself, and many budget providers simply don't grant it. Check that /dev/net/tun exists before you go any further. If it doesn't and support won't enable it, OpenVPN cannot create its interface and nothing below will work.
Pro Tip: At CoolVDS, we enable TUN/TAP support by default on all our nodes. We also run RAID-10 SAS and enterprise SSD storage tiers and don't oversell CPU, so neither disk I/O nor encryption overhead throttles your throughput.
Step 1: The Setup (CentOS 5.5)
We are using CentOS 5.5 for its stability. First, we need the EPEL repository because Red Hat doesn't ship OpenVPN in the base repo.
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
yum update
yum install openvpn
Step 2: Building the PKI (Public Key Infrastructure)
Don't use OpenVPN's static-key mode: a single shared secret gives no Perfect Forward Secrecy (one leaked key decrypts every past session), no per-client identity and no way to revoke one lost laptop. We will use the easy-rsa scripts shipped with the package. Copy them into your config directory so a package update doesn't overwrite your CA.
cp -R /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
vi vars
Edit the vars file. Set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to match your organization so the certificates are identifiable, and raise KEY_SIZE from the default 1024 to 2048: 1024-bit RSA and DH are at the end of their useful life, and the cost is paid once at generation time, not per packet. Note that build-dh names its output after KEY_SIZE, so with 2048 you get keys/dh2048.pem and must reference that name in server.conf. Everything lands in keys/ under this directory; ca.key and server.key are the crown jewels, keep them mode 600 and never copy ca.key anywhere. Run clean-all exactly once, at the start: it wipes keys/, CA included, so when you add a client later you source vars and run build-key again without it. Each client needs its own certificate with a unique Common Name (build-key client1, build-key client2, ...), since only one connection per CN is allowed at a time; use build-key-pass instead of build-key if you want the laptop's key protected by a passphrase.
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
This generates your Diffie-Hellman parameters. It will take a while. Go grab a coffee. If you were on a CoolVDS instance with high-priority CPU cycles, you'd be done by now, but patience is a virtue.
Step 3: Server Configuration
Create /etc/openvpn/server.conf. We use UDP, because tunnelling TCP inside TCP makes the two layers' retransmission timers fight each other (the well-known TCP-over-TCP meltdown), and the routed tun interface rather than a bridged tap. The paths below are relative to /etc/openvpn, which the init script changes into before starting, so either copy ca.crt, server.crt, server.key and the dh file from easy-rsa/keys/ into /etc/openvpn/keys/ (server.key mode 600) or point the directives at easy-rsa/keys/ instead.
port 1194
proto udp
dev tun
# Paths are relative to /etc/openvpn; the init script changes into it.
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
# build-dh names this after KEY_SIZE in vars: dh2048.pem if you raised it to 2048.
dh keys/dh1024.pem
# Tunnel subnet; the server takes 10.8.0.1 and hands out the rest.
server 10.8.0.0 255.255.255.0
# Route all client traffic through the tunnel, not only the 10.8.0.0/24 subnet.
push "redirect-gateway def1"
# Windows clients apply this automatically; Linux clients only see it in an
# up script, so without one they keep using the coffee shop's DNS.
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
# Must match on both ends. Compressing plaintext before encrypting it leaks
# information about that plaintext; drop it unless you have measured a gain.
comp-lzo
# Drop root once the tun device and keys are set up; persist-* keeps the key
# material and the interface across restarts that nobody could not redo.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Step 4: Routing and Iptables
This is where most people fail. You need to enable IP forwarding so your server acts as a router.
Edit /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Apply it with sysctl -p. Now configure iptables so traffic arriving from the tunnel subnet leaves with the server's public address: MASQUERADE takes that address from the outbound interface, which is eth0 on KVM and Xen hosts and venet0 on OpenVZ.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
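The following shell helpers finish Steps 2, 3 and 4 with the hardening a practitioner would add on top of the article's configuration: a tls-auth HMAC key, correct file permissions on the key material, an explicit cipher, optional CRL checking for revoked laptops, and the INPUT and FORWARD rules the MASQUERADE line alone does not give you. This is an added example and not code from the original article or from the OpenVPN project; the function names are mine. It assumes OpenVPN 2.1 with easy-rsa 2.0 under /etc/openvpn/easy-rsa, KEY_SIZE=2048 in vars (so build-dh wrote dh2048.pem), and the stock init script, which changes into /etc/openvpn before starting.

```shell
#!/bin/sh
# Added example, not code from the original article. Helpers that finish
# Steps 2 to 4 of the article with the usual hardening. Assumes OpenVPN 2.1,
# easy-rsa 2.0 under /etc/openvpn/easy-rsa, KEY_SIZE=2048 (dh2048.pem), and
# an init script that cd's into /etc/openvpn, so server.conf paths are
# relative to it. Function names are mine, not OpenVPN's.

# Generate the tls-auth HMAC key once, on the server. Every packet must carry
# a valid HMAC before the server spends any TLS effort on it, which hides the
# port from scanners and blunts pre-authentication DoS.
gen_tls_auth_key() {
    [ -f "$1" ] || openvpn --genkey --secret "$1" || return 1
    chmod 600 "$1"
}

# Copy the server's material from the easy-rsa tree (SRC) into DST, normally
# /etc/openvpn/keys. Certificates and DH parameters are public; the private
# key and ta.key are not. DST stays traversable because crl.pem (if used) is
# re-read on every handshake, after privileges have dropped to nobody.
install_server_keys() {
    src="$1"; dst="$2"
    mkdir -p "$dst" && chmod 755 "$dst" || return 1
    for f in "$src"/ca.crt "$src"/server.crt "$src"/dh*.pem; do
        cp "$f" "$dst/" || return 1
        chmod 644 "$dst/${f##*/}"
    done
    for f in "$src"/server.key "$src"/ta.key; do
        [ -f "$f" ] || continue          # ta.key is optional
        cp "$f" "$dst/" || return 1
        chmod 600 "$dst/${f##*/}"
    done
}

# Write a hardened server.conf to OUT. Compared with the article's version it
# adds tls-auth, an explicit AES cipher (2.1 defaults to Blowfish), a second
# DNS server, a dedicated log, optional CRL checking, and drops comp-lzo:
# compressing plaintext before encrypting it leaks information about the
# plaintext and burns CPU on a VPS.  Args: OUT DHFILE [CRLFILE]
write_server_conf() {
    out="$1"; dh="${2:-dh2048.pem}"; crl="$3"
    cat >"$out" <<EOF
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/$dh
tls-auth keys/ta.key 0
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
EOF
    # crl-verify makes openvpn refuse to start if the file is absent, so only
    # emit it once ./revoke-full has produced keys/crl.pem (keep it mode 644).
    if [ -n "$crl" ]; then
        printf 'crl-verify keys/%s\n' "$crl" >>"$out"
    fi
}

# Name the interface carrying the default route, read from `ip route` on
# stdin: eth0 on KVM/Xen, venet0 on OpenVZ, where the route has no "via" hop.
wan_iface() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the iptables commands for the gateway role; pipe them into sh. The
# VPN port must be open in INPUT and tun<->WAN traffic allowed in FORWARD.
# Rules are inserted (-I): the stock CentOS 5 ruleset sends INPUT and FORWARD
# to a chain that ends in REJECT, so anything appended after it never matches.
vpn_firewall_rules() {
    wan="$1"
    cat <<EOF
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -o $wan -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i $wan -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $wan -j MASQUERADE
EOF
}

# Typical run on the server, as root, once ./build-dh has finished:
#   cd /etc/openvpn
#   gen_tls_auth_key easy-rsa/keys/ta.key
#   install_server_keys easy-rsa/keys keys
#   write_server_conf server.conf dh2048.pem
#   vpn_firewall_rules "$(ip route show | wan_iface)" | sh && service iptables save
```

With this server.conf the log goes to /var/log/openvpn.log rather than /var/log/messages, and every client must carry the matching tls-auth key (direction 1) and the same cipher line, because 2.1 does not negotiate either. When a laptop goes missing, run ./revoke-full client1 in the easy-rsa directory, which writes keys/crl.pem, copy it next to the other keys and regenerate the config with the CRLFILE argument so the server starts enforcing it.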
Why Infrastructure Matters
You can configure the tightest server.conf in the world, but if the underlying host is oversold, your VPN will jitter and your SSH sessions will lag. Every packet through a tun device is a trip out of the kernel into userspace, an encrypt or decrypt, and a trip back; on a CPU-starved VM that per-packet work is exactly where the jitter comes from.
This is why serious admins choose CoolVDS. We don't oversell our cores, and our connection to the NIX (Norwegian Internet Exchange) ensures that when you tunnel home, it feels like you're on the LAN. Plus, with our emerging DDoS protection strategies, your gateway won't get knocked offline by a script kiddie.
Final Check
Start the service with service openvpn start and watch /var/log/messages. The line "Initialization Sequence Completed" means the server is up; if it never appears, the error a few lines above it (usually a key path or permission problem) says why. Copy ca.crt, client1.crt and client1.key (never server.key or ca.key) to your laptop over an encrypted channel, install the OpenVPN client, and point it at the server. Then confirm the tunnel is actually carrying your traffic: with redirect-gateway in place, the address the outside world sees for you must be the server's, not the coffee shop's.
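The article never shows the client side. The script below, an added example that is not from the original article or the OpenVPN project, builds a single client1.ovpn with the CA certificate, the client's certificate and key, and (when present) the tls-auth key embedded inline, so one file goes to the laptop instead of four. It assumes OpenVPN 2.1 or newer on the client (inline blocks, key-direction and remote-cert-tls date from 2.1), the easy-rsa 2.0 key directory from the article, and a placeholder hostname vpn.example.no; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original article: emit a one-file client
# config with certificates and keys inline. Assumes OpenVPN 2.1+ on the
# client and the easy-rsa 2.0 keys/ layout. Function names are mine.

# Wrap a PEM file in an inline <TAG> ... </TAG> block.
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# Args: SERVER_HOST KEYDIR CLIENT_NAME; the config is written to stdout.
make_client_config() {
    host="$1"; keydir="$2"; name="$3"
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse any peer whose certificate lacks the serverAuth key usage that
# build-key-server adds. Without this, any certificate signed by the CA,
# including another client's stolen one, would be accepted as the server.
remote-cert-tls server
# Cipher and comp-lzo are not negotiated in 2.1: both must match server.conf.
cipher AES-256-CBC
verb 3
EOF
    inline_block ca   "$keydir/ca.crt"
    inline_block cert "$keydir/$name.crt"
    inline_block key  "$keydir/$name.key"
    if [ -r "$keydir/ta.key" ]; then
        # Direction 1 on clients pairs with "tls-auth keys/ta.key 0" on the server.
        echo "key-direction 1"
        inline_block tls-auth "$keydir/ta.key"
    fi
}

# Run on the server, then move the result with scp; it contains a private key:
#   make_client_config vpn.example.no /etc/openvpn/easy-rsa/keys client1 > client1.ovpn
#   chmod 600 client1.ovpn
```

If your server.conf keeps the article's comp-lzo line and default cipher, mirror that here (add comp-lzo, drop the cipher line), otherwise the handshake fails with a cipher or LZO mismatch. Treat the .ovpn file like the private key it contains: copy it with scp, mode 600, and revoke the certificate with ./revoke-full client1 if the laptop is lost.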
Don't risk your data on open networks. Deploy a rock-solid VPN on a CoolVDS instance today and keep your traffic private.