Bulletproof Your Traffic: Setting Up OpenVPN on Ubuntu 10.04 LTS in Norway

Let’s be honest: connecting to the internet from a hotel room or a coffee shop in 2010 is asking for trouble. Packet sniffers are getting easier to use, and if you are sending POP3 or FTP credentials over the wire in plain text, you might as well hand your server keys to the teenager at the next table. Even SSL isn't a silver bullet if you're worried about traffic analysis or geo-restrictions.

The solution isn't a pricey proprietary appliance. It's OpenVPN. It is robust, open-source, and handles NAT traversal better than IPsec ever could. In this guide, we are going to build a dedicated VPN gateway using Ubuntu 10.04 LTS (Lucid Lynx). Why? Because Long Term Support matters when you're building security infrastructure.

The Hardware Reality: Why Virtualization Matters

Before we touch the terminal, let's talk about where this code runs. You don't need a bare metal server for a VPN, but you do need a VPS that respects the kernel. Many budget providers stuff hundreds of users onto a single OpenVZ node and disable the tun/tap device to save overhead. If your provider doesn't allow kernel-level tun modules, OpenVPN will refuse to start.

At CoolVDS, we enable TUN/TAP by default on all our nodes, and our Xen-based plans offer full hardware virtualization (HVM), guaranteeing that your encryption overhead doesn't fight for CPU cycles with a neighbor's PHP script. Plus, hosting this in Norway keeps your latency low when connecting from Oslo or Bergen, thanks to our direct peering at NIX (Norwegian Internet Exchange).

Step 1: Installation and Preparation

First, update your repositories. We want the latest stable build from the Lucid repos.

apt-get update
apt-get upgrade
apt-get install openvpn libssl-dev openssl

OpenVPN relies heavily on PKI (Public Key Infrastructure). Setting up a Certificate Authority (CA) manually is tedious, so we will use the easy-rsa scripts provided with the package. Copy them to your configuration directory to keep things clean.

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/

Step 2: Building the Certificate Authority

Edit the vars file. This saves you from typing your country and organization details fifty times. Open /etc/openvpn/easy-rsa/vars and change the bottom parameters:

export KEY_COUNTRY="NO"
export KEY_PROVINCE="Oslo"
export KEY_CITY="Oslo"
export KEY_ORG="CoolVDS_Ops"
export KEY_EMAIL="admin@yourdomain.com"

Now, initialize the PKI. Warning: The ./clean-all command will wipe any existing keys. Be careful if you are re-doing this on an existing setup.

source ./vars
./clean-all
./build-ca

You will be prompted for details. Since we edited the vars file, just hit Enter to accept the defaults.

Step 3: Generating Server and Client Certificates

Now we generate the certificate and private key for the server itself.

./build-key-server server

Accept the defaults at the prompts, including the challenge phrase. When asked to sign the certificate and commit, answer 'y'. Next, we need Diffie-Hellman parameters; OpenVPN uses these for the key exchange that gives every session its own ephemeral keys. On a VPS with limited entropy, this can take a minute. Go grab a coffee.

./build-dh

Finally, generate a client key for your laptop. Repeat this step for every user, changing the name 'client1' to something unique.

./build-key client1
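
Before copying anything off the server, it is worth confirming that easy-rsa produced what you think it did. The script below is an added example, not part of the original article or of easy-rsa: it assumes the easy-rsa 2.0 layout used above (ca.crt, NAME.crt and NAME.key in one keys directory) and the openssl command-line tool; the function names are mine. It checks that each certificate chains to your CA and is not about to expire, that the private key actually belongs to the certificate next to it (a client1.crt shipped with client2.key is a surprisingly common mistake), and that the key file has not been left world-readable.

```shell
#!/bin/sh
# Added example, not part of the original article: verify what easy-rsa produced
# before handing certificates out. Assumes the easy-rsa 2.0 layout used above
# (ca.crt, NAME.crt and NAME.key in one keys directory) and the openssl CLI.

# verify_cert KEYS_DIR NAME
# 0 if NAME.crt chains to ca.crt in KEYS_DIR and is valid for at least 30 more
# days, 1 otherwise. A certificate from some other CA fails here, which is
# exactly what the server will do to it at connect time.
verify_cert() {
    keys_dir=$1; name=$2
    cert="$keys_dir/$name.crt"; ca="$keys_dir/ca.crt"
    [ -f "$cert" ] || { echo "missing $cert" >&2; return 1; }
    [ -f "$ca" ]   || { echo "missing $ca" >&2; return 1; }
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' ||
        { echo "$cert is not signed by $ca" >&2; return 1; }
    # 2592000 seconds = 30 days
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "$cert expires within 30 days" >&2; return 1; }
}

# key_matches_cert KEYS_DIR NAME
# 0 if NAME.key is the private half of NAME.crt (compares the public key each
# one yields), 1 otherwise. Catches a client1.crt shipped with client2.key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/$2.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl rsa -in "$1/$2.key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_mode_ok KEY_FILE
# 0 if the private key is readable only by its owner, 1 otherwise. A cp or scp
# done with a loose umask can leave a key world-readable.
key_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode ${mode:-?}, expected 600" >&2; return 1 ;;
    esac
}

# check_identity KEYS_DIR NAME: all three checks for one server or client.
check_identity() {
    verify_cert "$1" "$2" && key_matches_cert "$1" "$2" && key_mode_ok "$1/$2.key"
}

# Usage on the server, against the keys directory from Step 3:
#   for n in server client1; do
#       check_identity /etc/openvpn/easy-rsa/keys "$n" && echo "$n: OK"
#   done
```

Run it once for the server identity and once per client you issued. A failure in verify_cert means the client will be rejected at the TLS handshake anyway, so it is far cheaper to catch here than in a syslog full of "TLS Error" lines later.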

Step 4: Configuring server.conf

We need a configuration file. Ubuntu provides a gzipped example, but we will write a streamlined one suited to a standard VPS in Norway.

Create /etc/openvpn/server.conf:

port 1194
proto udp
dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Push routes to the client to redirect ALL traffic through the VPN
push "redirect-gateway def1 bypass-dhcp"

# Push a public resolver (Google Public DNS, launched recently, or OpenDNS) so clients don't leak DNS queries to the local network
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Pro Tip: We use proto udp because tunneling TCP over TCP leads to "TCP Meltdown" when packet loss occurs. Always use UDP for the tunnel unless a firewall strictly blocks it.

Step 5: IP Forwarding and Routing

Having a tunnel is useless if the server doesn't know how to pass that traffic out to the internet. We need to enable IP forwarding in the kernel.

Edit /etc/sysctl.conf and uncomment:

net.ipv4.ip_forward=1

Reload the change:

sysctl -p

Configuring iptables NAT

This is where many sysadmins get stuck. We need to NAT the traffic coming from the VPN subnet (10.8.0.0/24) so it leaves the VPS with the server's public IP. Assuming your WAN interface is eth0 (standard on CoolVDS instances):

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

That rule lives only in kernel memory, so it disappears at reboot. You can re-add it from an up-script or /etc/rc.local, but on Ubuntu/Debian the cleanest option is to save the ruleset with iptables-save and restore it when the interface comes up.

iptables-save > /etc/iptables.rules

Then add this line to your /etc/network/interfaces under eth0:

pre-up iptables-restore < /etc/iptables.rules

Step 6: Start the Engine

Start the OpenVPN service:

/etc/init.d/openvpn start

Check the logs at /var/log/syslog. You should see Initialization Sequence Completed. If you see errors about the TUN device, contact your hosting provider. (If you are on CoolVDS, you won't see this error).

Client Configuration

On your client machine (Windows 7 or XP), install the OpenVPN GUI. You will need to securely transfer these files from the server (use SCP/WinSCP):

  • ca.crt
  • client1.crt
  • client1.key

Create a client.ovpn file on your laptop:

client
dev tun
proto udp
remote YOUR_VPS_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
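
Most first-connection failures come from the bundle, not the server: a forgotten placeholder in the remote line, a certificate that was not copied, or a key copied with the wrong name. The script below is an added example, not part of the original article or of OpenVPN: stage client.ovpn and the three files it references in one directory on the server, run the check, then transfer the whole directory. It assumes the directive names used in the client.ovpn above and the placeholder YOUR_VPS_IP from the article; the function names and the sample address in the usage line are mine.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a client bundle
# before transferring it. Reads the ca/cert/key/remote directives from a .ovpn
# file and confirms the referenced files sit beside it, the key is owner-only,
# and the placeholder address from the article has been replaced.

# ovpn_directive CONFIG NAME
# Prints the first argument of the first NAME directive in CONFIG
# (for "ca ca.crt" it prints ca.crt). Prints nothing if absent.
ovpn_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# client_bundle_ok CONFIG
# 0 if every referenced file exists next to CONFIG, the private key is mode
# 600, and "remote" names a real host and a numeric port; 1 otherwise, with
# one line per problem on stderr.
client_bundle_ok() {
    cfg=$1
    dir=$(dirname "$cfg")
    problems=0
    for k in ca cert key; do
        f=$(ovpn_directive "$cfg" "$k")
        if [ -z "$f" ]; then
            echo "$cfg: no $k directive" >&2; problems=1
        elif [ ! -f "$dir/$f" ]; then
            echo "$cfg: $k file $f not found in $dir" >&2; problems=1
        elif [ "$k" = key ]; then
            mode=$(stat -c %a "$dir/$f" 2>/dev/null || stat -f %Lp "$dir/$f")
            case "$mode" in
                600|400) ;;
                *) echo "$cfg: $f is mode $mode, should be 600" >&2; problems=1 ;;
            esac
        fi
    done
    host=$(ovpn_directive "$cfg" remote)
    port=$(awk '$1 == "remote" { print $3; exit }' "$cfg")
    case "$host" in
        ""|YOUR_VPS_IP)
            echo "$cfg: remote still has the placeholder address" >&2; problems=1 ;;
    esac
    case "$port" in
        ""|*[!0-9]*)
            echo "$cfg: remote port '$port' is not numeric" >&2; problems=1 ;;
    esac
    return $problems
}

# Usage: stage the bundle in one directory and check it before scp/WinSCP.
#   client_bundle_ok /root/bundles/client1/client.ovpn && echo "bundle ready"
```

The mode check only means something on the server side; once the files land on a Windows laptop, keep them somewhere only that user can read, since anyone holding client1.key can join your VPN as that client until you revoke the certificate.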

Why Hosting Location Matters

Under the Norwegian Personopplysningsloven (Personal Data Act), your data is afforded strict protections compared to many other jurisdictions. By hosting your VPN endpoint in Oslo, you ensure that your traffic is governed by Norwegian law.

Furthermore, encryption requires CPU power. OpenVPN runs in userspace, which means context switching can become a bottleneck. CoolVDS nodes use high-performance RAID-10 storage and Xeon processors that ensure your encrypted throughput remains high, avoiding the dreaded "lag" often associated with VPNs.

Don't leave your data exposed on public networks. Deploy a secure tunnel today. Spin up a CoolVDS instance in 55 seconds and take control of your network traffic.