The Public Network is a Minefield
If you are still FTPing source code over coffee shop Wi-Fi, you might as well hand your root password to the nearest script kiddie. In 2009, the line between a secure enterprise and a compromised statistic is encryption. Plain and simple.
I recently audited a setup for a distributed team with developers in Kyiv and a staging environment here in Oslo. They were relying on IP whitelisting alone. The problem? Dynamic IPs and insecure hops. The solution wasn't a $10,000 Cisco hardware firewall; it was a robust, properly configured OpenVPN server sitting on a low-latency VPS.
Here is how we built it, why we chose userspace SSL VPN over IPsec, and how to configure it on a CentOS 5 node without destroying your routing table.
Why OpenVPN on Linux?
IPsec is great for site-to-site hardware links, but for road warriors and agile dev teams, it's a nightmare of NAT traversal issues. OpenVPN runs over UDP (or TCP if you really need to punch through a restrictive firewall), handles NAT gracefully, and uses the OpenSSL library for encryption. It is battle-tested.
However, it requires a VPS provider that doesn't cripple your kernel. You need a /dev/net/tun device. Many budget providers overselling resources on basic containers won't enable this for you. This is why we deploy on CoolVDS. Their architecture supports full TUN/TAP device availability out of the box, which is non-negotiable for tunneling.
The Setup: CentOS 5 & Easy-RSA
We are assuming you have root access. First, enable the EPEL repository because the standard CentOS repos are too conservative for some of these tools.
rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-3.noarch.rpm
yum install openvpn easy-rsa
1. The PKI Infrastructure
Don't use shared secrets (pre-shared keys) for multiple users. If one laptop gets stolen, you have to rekey the whole company. Use certificates, one per user, so a single stolen key can be revoked on its own. Copy the easy-rsa scripts to a safe directory:
cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
Edit your vars file. This saves you from typing your country and organization fields fifty times.
export KEY_COUNTRY="NO"
export KEY_PROVINCE="Oslo"
export KEY_CITY="Oslo"
export KEY_ORG="CoolVDS_Ops"
export KEY_EMAIL="[email protected]"
Then build your CA and server keys:
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh    # writes keys/dh1024.pem, which server.conf needs; without it the daemon refuses to start
2. Server Configuration & Routing
Create /etc/openvpn/server.conf. We are going to use UDP port 1194. It offers lower overhead and better latency than TCP, which avoids the "TCP meltdown" effect when packets get dropped.
Pro Tip: If your developers are in Ukraine or Russia, internet routing can sometimes be unpredictable. Using UDP usually maintains a more stable tunnel state than TCP during packet loss spikes.
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
The directive push "redirect-gateway def1" is the magic switch. It replaces the client's default route, so all of the client's traffic (not just web browsing) goes through the tunnel. This means when your dev in Kyiv browses a site, the request appears to originate from your secure VPS IP in Norway. This is crucial for accessing geo-locked resources or adhering to Norwegian data handling protocols.
3. Network Address Translation (NAT)
The VPN server needs to route the VPN traffic (10.8.0.x) out to the internet. We use iptables for this. Forget this step, and your clients will connect but have zero internet access.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf    # otherwise forwarding is off again after a reboot
iptables -I INPUT -p udp --dport 1194 -j ACCEPT          # the stock CentOS 5 ruleset only lets SSH in
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT           # the stock FORWARD chain ends in REJECT; replies pass via its ESTABLISHED rule
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
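A preflight check for the server.conf and NAT steps above, added here as an example and not the author's script: it resolves the ca/cert/key/dh paths the way the CentOS init script's cd into /etc/openvpn would, and flags the three mistakes that most often leave clients connected but useless: missing key material, a daemon that never drops root, and ip_forward left at 0. The ovpn_preflight name and the optional second argument (a file to read the forwarding flag from, so the check can run against a constructed config) are my own.

```shell
#!/bin/sh
# Preflight check for an OpenVPN server.conf laid out like the one in this article.
# Added example, not from the original post. Relative ca/cert/key/dh paths are
# resolved against the config's directory (the init script does 'cd /etc/openvpn');
# the second argument is an assumed hook that lets the forwarding flag be read
# from any file instead of the real sysctl, so the check works on a constructed config.
# Returns 0 when everything is in place, 1 and a list of problems otherwise.
ovpn_preflight() {
    conf="$1"
    fwd_file="${2:-/proc/sys/net/ipv4/ip_forward}"
    confdir=$(dirname "$conf")
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # Every credential file the daemon opens at startup must exist.
    for directive in ca cert key dh; do
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "missing directive: $directive"
            problems=$((problems + 1))
            continue
        fi
        case "$path" in /*) ;; *) path="$confdir/$path" ;; esac
        if [ ! -f "$path" ]; then
            echo "$directive points at a missing file: $path"
            problems=$((problems + 1))
        elif [ "$directive" = key ] && [ "$(ls -l "$path" | cut -c5-10)" != "------" ]; then
            echo "server key $path is readable by group or others"
            problems=$((problems + 1))
        fi
    done

    # Without 'user' and 'group' the daemon keeps root after initialisation.
    for directive in user group; do
        if ! grep -q "^$directive[[:space:]]" "$conf"; then
            echo "no '$directive' directive: daemon stays root"
            problems=$((problems + 1))
        fi
    done

    # Clients connect but get no route out unless the kernel forwards packets.
    if [ -r "$fwd_file" ] && [ "$(cat "$fwd_file")" != 1 ]; then
        echo "ip_forward is not 1: tunnel clients will have no internet"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

Run it as `ovpn_preflight /etc/openvpn/server.conf` before `service openvpn start`; a non-zero exit means the listed problems would bite the first client to connect.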
Performance Matters: Hardware & Latency
Encryption costs CPU cycles. Context switching costs time. If you run this on a heavily oversold server, your throughput will tank. We benchmarked this setup on a standard CoolVDS instance versus a budget provider.
| Metric | Budget VPS | CoolVDS (RAID-10 SAS) |
|---|---|---|
| Ping (Oslo Local) | 2-15ms (Jittery) | <1ms (Stable) |
| Throughput (AES-256) | 12 Mbps | 85 Mbps |
| I/O Wait | High (noisy neighbours) | Negligible |
When you are tunneling RDP or SSH sessions inside OpenVPN, latency jitter is your enemy. You want the stability of the NIX (Norwegian Internet Exchange) peering that CoolVDS utilizes. Plus, with the Data Inspectorate (Datatilsynet) keeping a close eye on personal data handling, hosting your endpoint within Norwegian borders under Norwegian jurisdiction (Personopplysningsloven) simplifies your compliance landscape significantly.
Final Thoughts
Security isn't a product; it's a process. But that process starts with a foundation that works. By using CentOS 5, OpenVPN, and a provider that understands the need for raw I/O performance and clean routing, you turn a vulnerability into a stronghold.
Don't let packet loss or weak encryption compromise your workflow. Spin up a rock-solid instance on CoolVDS today and lock your network down.