Stop Trusting Public Wi-Fi: A Sysadmin's Guide to OpenVPN
Last week, sitting in a coffee shop in Grünerløkka, I watched a script kiddie running Firesheep on an open network. He was hijacking Facebook sessions left and right. If you are still sending unencrypted HTTP traffic over public hotspots in 2011, you aren't just negligent; you're asking to be compromised. The solution isn't to stop working remotely; it's to tunnel your traffic through a trusted endpoint.
We are going to set up OpenVPN on Debian 6 (Squeeze). Why OpenVPN? Because IPsec is a nightmare to configure through NAT, and PPTP is about as secure as a screen door on a submarine. OpenVPN uses OpenSSL, is robust, and handles dynamic IPs gracefully.
The Architecture of Trust
Latency kills VPN usability. If you are routing your Oslo traffic through a cheap VPS in Texas, your SSH sessions will lag, and your browsing will crawl. Physics is undefeated. For this setup, we are using a CoolVDS KVM instance located in Norway. We need the kernel-level control KVM offers, specifically for the TUN/TAP device driver, which is often missing or broken on oversold OpenVZ containers.
Furthermore, by keeping the endpoint in Norway, you ensure your data remains under the jurisdiction of the Personopplysningsloven (Personal Data Act), rather than being subject to the US Patriot Act. For European businesses, this distinction is becoming critical.
Step 1: The Environment
We assume you have a fresh install of Debian 6. Log in as root (or use sudo).
apt-get update
apt-get install openvpn chkconfig
Debian puts the easy-rsa scripts in a documentation folder, which is annoying. Copy them to your config directory so we can work without messing up the originals.
mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Step 2: Building the PKI
Edit the vars file in /etc/openvpn/easy-rsa/. Don't leave the defaults; they don't look professional.
export KEY_COUNTRY="NO"
export KEY_PROVINCE="Oslo"
export KEY_CITY="Oslo"
export KEY_ORG="CoolVDS_Ops"
export KEY_EMAIL="[email protected]"
Pro Tip: Look for export KEY_SIZE=1024. Change it to 2048. Paranoia is a virtue in security. Generating a 2048-bit key takes longer, but with the CPU power available on modern Xeon-based host nodes, it’s negligible.
Now, build the Certificate Authority and server keys:
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
Go grab a coffee. The Diffie-Hellman parameter generation (build-dh) involves serious math.
Step 3: Server Configuration
Create /etc/openvpn/server.conf. This is where the magic happens. We want to use UDP for speed (tunnelling TCP inside TCP causes retransmission storms under packet loss, the so-called TCP meltdown), and we want to push all traffic through the tunnel.
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
Step 4: IP Forwarding and Routing
Your VPN server needs to act like a router. Enable packet forwarding in the kernel by editing /etc/sysctl.conf:
net.ipv4.ip_forward=1
Run sysctl -p to apply it. Now, we need iptables to masquerade the traffic so it looks like it's coming from the server itself. This command assumes your WAN interface is eth0:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Make sure this rule survives a reboot. On Debian, I usually dump the rules to a file and load them in /etc/network/interfaces using a pre-up command.
Client Generation
Generate a key for your laptop:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key client1
Transfer the ca.crt, client1.crt, and client1.key to your local machine securely (use SCP, not email). Configure your OpenVPN client (Tunnelblick on Mac or the standard GUI on Windows 7) and connect.
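Added here as a worked example, not part of the original post: a POSIX sh function that bundles ca.crt, client1.crt and client1.key into a single inline .ovpn profile (one file to SCP instead of three) and refuses to do so if the private key is readable by anyone but its owner. The host vpn.example.org, the placeholder PEM text in the demo and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Bundle ca.crt, <client>.crt and <client>.key from the easy-rsa keys
# directory into one inline .ovpn profile: one file to SCP instead of three.
# Usage: build_client_ovpn <keys_dir> <client_name> <server_host> [port]
# The profile contains the private key, so it is handled like one: the
# function refuses to bundle a key readable by anyone but its owner.
build_client_ovpn() {
    keys_dir=$1; name=$2; host=$3; port=${4:-1194}
    for f in "$keys_dir/ca.crt" "$keys_dir/$name.crt" "$keys_dir/$name.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # GNU stat (Debian coreutils); easy-rsa writes private keys with mode 600
    case $(stat -c %a "$keys_dir/$name.key") in
        600|400) ;;
        *) echo "refusing: $keys_dir/$name.key is not owner-only" >&2; return 1 ;;
    esac
    # easy-rsa prepends a text dump to the .crt; keep only the PEM block
    cert_pem=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$keys_dir/$name.crt")
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
$(cat "$keys_dir/ca.crt")
</ca>
<cert>
$cert_pem
</cert>
<key>
$(cat "$keys_dir/$name.key")
</key>
EOF
}

# Demo on constructed placeholder files (not real key material) so the script
# runs anywhere; on the server, point it at /etc/openvpn/easy-rsa/keys instead.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n' > "$demo_dir/ca.crt"
printf -- 'Certificate:\n  (text dump that easy-rsa prepends)\n-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT\n-----END CERTIFICATE-----\n' > "$demo_dir/client1.crt"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END RSA PRIVATE KEY-----\n' > "$demo_dir/client1.key"
chmod 600 "$demo_dir/client1.key"
build_client_ovpn "$demo_dir" client1 vpn.example.org > "$demo_dir/client1.ovpn"
echo "wrote $demo_dir/client1.ovpn"
```

The resulting client1.ovpn still has to travel over SCP like the three separate files it replaces, and it should be deleted from the server once the laptop has it.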
Why Infrastructure Matters
You can run OpenVPN on a plug computer at home, but your home uplink speed is the bottleneck. Most residential ADSL lines in Norway have terrible upload speeds. By hosting this on CoolVDS, you leverage our symmetrical Gigabit uplinks. Your VPN speed is only limited by where you are, not where your server is.
Note on Virtualization: Many budget providers disable the TUN/TAP interface inside their VPS containers to save resources. At CoolVDS, we treat you like a root user. TUN/TAP is enabled by default on all our plans.
Don't let a script kiddie sniff your passwords. Spin up a Debian instance, lock down your traffic, and browse as if you were sitting inside our Oslo datacenter.