Hardening the Pipe: Deploying OpenVPN on CentOS 6 for Secure Remote Access
Let's be honest: trusting the WiFi at Gardermoen or your local Scandic hotel is professional suicide. I've sat in lobbies with Wireshark running and watched unencrypted traffic float by like a parade. If you are a sysadmin, a developer, or simply someone holding data the Norwegian Personopplysningsloven expects you to protect, you need a tunnel.
Forget expensive hardware appliances. In this guide we build an OpenVPN gateway on CentOS 6.3 that you control end to end. We aren't just clicking 'install': we generate the CA and the RSA certificates ourselves, set up the forwarding and firewall rules by hand, and make sure your traffic exits right here in Oslo with low latency.
The Hardware Reality: Why KVM Matters
Before we touch the terminal, let's talk architecture. A lot of budget VPS providers in Europe stuff you onto OpenVZ containers. The problem? A container shares the host's kernel, so you have no say over kernel modules. If the host node hasn't enabled the tun/tap device for your container, OpenVPN cannot create its tun interface and your server is dead on arrival. Quick check before you build anything: run cat /dev/net/tun. "File descriptor in bad state" means the device is there and usable; "No such file or directory" or "No such device" means it isn't.
This is why for serious infrastructure I only provision CoolVDS instances. They use KVM (Kernel-based Virtual Machine). You get your own kernel, full control over iptables and the modules it needs, and guaranteed resources. When I'm pushing encrypted traffic, I don't want 'noisy neighbors' stealing my CPU cycles during the TLS handshake or the bulk AES encryption.
Step 1: The Prerequisites
I assume you have a fresh CoolVDS instance running CentOS 6 (32-bit or 64-bit). OpenVPN is not in the base CentOS repositories, so first we add the EPEL (Extra Packages for Enterprise Linux) repository. The epel-release package is noarch, so the same RPM installs on either architecture.
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm
yum update -y
Now install OpenVPN and Easy-RSA. Easy-RSA is a set of scripts that manage our Public Key Infrastructure (PKI). We aren't using passwords here; we use certificates. A password can be guessed or brute-forced; a 2048-bit RSA private key cannot, which moves the risk to the key file itself. Treat client1.key like a password: copy it once over SCP, never by email, and keep it off shared machines.
yum install openvpn easy-rsa -y
Step 2: Building the PKI (Public Key Infrastructure)
Copy the Easy-RSA scripts into a working directory under /etc/openvpn, so that a package update cannot overwrite your scripts and your keys never live under /usr/share.
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Now edit the vars file. It holds the defaults for the certificate subject, which saves you from typing your country and organization a hundred times. Open /etc/openvpn/easy-rsa/vars in vi or nano and set:
export KEY_COUNTRY="NO"
export KEY_PROVINCE="Oslo"
export KEY_CITY="Oslo"
export KEY_ORG="CoolVDS_Ops"
export KEY_EMAIL="admin@yourdomain.no"
export KEY_OU="IT_Sec"
Pro Tip: Look for the export KEY_SIZE=1024 line and change it to 2048. Generating the Diffie-Hellman parameters will take longer, but in 2012 1024-bit keys are becoming questionably weak against state-level actors. Invest the CPU cycles now for peace of mind later. Note that build-dh names its output after this value (dh2048.pem), and the server config below expects exactly that name; leave KEY_SIZE at 1024 and you get dh1024.pem and an OpenVPN that refuses to start because it cannot load its DH parameters.
Source the variables, wipe the keys directory and build the CA. clean-all deletes everything under keys/, so only run it once, on a fresh setup. build-ca prompts with the defaults from vars; give the CA a distinctive Common Name. The resulting ca.key never leaves this server (ideally it leaves the server too, to an offline copy): anyone holding it can mint client certificates your gateway will accept.
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
Now generate the server certificate and the Diffie-Hellman parameters. build-key-server differs from build-key in that it marks the certificate as a server (nsCertType=server and extendedKeyUsage=serverAuth); clients can verify that later, so a leaked client certificate cannot be used to impersonate the gateway. build-dh is the heavy lifting: at 2048 bits expect a few minutes on a small VPS.
./build-key-server server
./build-dh
Finally, generate your client key. Issue one certificate per device rather than sharing one, so a lost laptop can be revoked on its own (./revoke-full client1 writes keys/crl.pem; add a crl-verify line pointing at that file to server.conf for the revocation to take effect). build-key writes the private key unencrypted; if you'd rather have the laptop prompt for a passphrase, use ./build-key-pass instead. You'll move the resulting files to your laptop later.
./build-key client1
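Before any of this goes into server.conf, it is worth checking that Easy-RSA produced what you think it did. The script below is an added example for this guide, not part of Easy-RSA or OpenVPN: it verifies that every certificate chains to your ca.crt, that the RSA keys and the DH prime are at least 2048 bits, that only the server certificate carries the serverAuth extension, and that the private keys are not readable by other users. It assumes the Easy-RSA 2.0 layout under /etc/openvpn/easy-rsa/keys and the names server and client1 from the steps above; override KEYS_DIR or pass other names if yours differ.

```sh
#!/bin/sh
# verify-pki.sh: sanity-check what Easy-RSA wrote before wiring it into server.conf.
# Added example for this guide (not part of Easy-RSA or OpenVPN). Assumes the
# Easy-RSA 2.0 layout: ca.crt, <name>.crt, <name>.key and dh<bits>.pem in KEYS_DIR.
KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}"
MIN_BITS=2048

# rsa_bits <cert>: modulus size in bits, computed from the hex modulus so the
# function does not depend on the wording of "openssl x509 -text" output.
rsa_bits() {
    hex=$(openssl x509 -in "$1" -noout -modulus | cut -d= -f2)
    echo $(( ${#hex} * 4 ))
}

# dh_bits <dhparam file>: size of the Diffie-Hellman prime.
dh_bits() {
    openssl dhparam -in "$1" -noout -text | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# is_server_cert <cert>: build-key-server adds extendedKeyUsage=serverAuth; the
# client-side "remote-cert-tls server" check relies on it being there.
is_server_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# signed_by_ca <ca.crt> <cert>: the certificate chains to our own CA.
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_is_private <key>: no group/other permission bits (Easy-RSA chmods keys to 0600).
key_is_private() {
    case "$(stat -c '%a' "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# verify_pki <dir> <server name> <client name>...: run every check, print one line
# per finding and return non-zero if anything failed.
verify_pki() {
    dir=$1; server=$2; shift 2
    fail=0
    ca="$dir/ca.crt"
    [ -r "$ca" ] || { echo "FAIL: missing $ca"; return 1; }

    for name in "$server" "$@"; do
        crt="$dir/$name.crt"; key="$dir/$name.key"
        signed_by_ca "$ca" "$crt" || { echo "FAIL: $crt does not chain to ca.crt"; fail=1; }
        bits=$(rsa_bits "$crt")
        [ "$bits" -ge "$MIN_BITS" ] || { echo "FAIL: $crt is only $bits bit, want $MIN_BITS"; fail=1; }
        key_is_private "$key" || { echo "FAIL: $key is readable by group/other"; fail=1; }
    done
    is_server_cert "$dir/$server.crt" || { echo "FAIL: $server.crt lacks serverAuth (use build-key-server)"; fail=1; }
    for name in "$@"; do
        # A client cert carrying serverAuth could impersonate the gateway to other clients.
        is_server_cert "$dir/$name.crt" && { echo "FAIL: client $name.crt is valid as a server cert"; fail=1; }
    done

    dh=$(ls "$dir"/dh*.pem 2>/dev/null | head -n 1)
    if [ -z "$dh" ]; then
        echo "FAIL: no dh*.pem in $dir (run ./build-dh)"; fail=1
    else
        bits=$(dh_bits "$dh")
        [ "$bits" -ge "$MIN_BITS" ] || { echo "FAIL: $dh is only $bits bit, want $MIN_BITS"; fail=1; }
    fi
    [ "$fail" -eq 0 ] && echo "OK: PKI in $dir passes all checks"
    return "$fail"
}

# Stand-alone use on the server: ./verify-pki.sh [server-name] [client-name...]
if [ "$(basename "$0")" = "verify-pki.sh" ]; then
    verify_pki "$KEYS_DIR" "${1:-server}" "${2:-client1}"
fi
```

Run it after every build-key; it only needs openssl, which Easy-RSA already depends on. A FAIL line about serverAuth on the server certificate means you ran build-key instead of build-key-server, and the client checks described later would never accept the gateway.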
Step 3: The Server Configuration
This is where the magic happens. We need to create /etc/openvpn/server.conf. Most tutorials give you a bare-minimum config; this one also pins the cipher, enables keep-alives and drops root privileges after startup, which is what you want on a CoolVDS node peered at NIX (Norwegian Internet Exchange) that will carry all of your traffic.
port 1194
proto udp
dev tun
# PKI files from Step 2 (dh2048.pem only exists if you set KEY_SIZE=2048 in vars)
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# The VPN subnet; the server itself takes 10.8.0.1
server 10.8.0.0 255.255.255.0
# Push a default route so ALL client traffic goes through the tunnel
push "redirect-gateway def1 bypass-dhcp"
# DNS for the clients: Google's resolvers here, or your own. Windows clients apply
# this automatically; Linux clients need an up script such as update-resolv-conf
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Ping every 10 s, declare the peer dead after 120 s without a reply
keepalive 10 120
# Pin the data-channel cipher; the default BF-CBC (Blowfish) is a 64-bit block cipher
cipher AES-256-CBC
# LZO compression saves bandwidth. Drop it if bandwidth isn't scarce: compressing
# attacker-influenced and secret data together gives an attacker a side channel
comp-lzo
# Drop root after startup; persist-key/persist-tun let restarts work without root
user nobody
group nobody
persist-key
persist-tun
# Connected-client list, relative to /etc/openvpn where the init script runs openvpn
status openvpn-status.log
verb 3
Step 4: Routing and IP Tables
Having the software running isn't enough. We need the Linux kernel to forward packets from the virtual TUN interface to the physical ETH interface. Open /etc/sysctl.conf and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then reload it (the command echoes the new value, so you can see it took):
sysctl -p
Now, the firewall. We need iptables to MASQUERADE the traffic, which turns your CoolVDS server into a NAT router for your laptop. One catch that most tutorials skip: the stock CentOS 6 ruleset ends both the INPUT and FORWARD chains with a REJECT rule. A NAT rule alone is not enough. You also need an INPUT rule that accepts UDP 1194 (otherwise nobody can connect) and a FORWARD rule that accepts traffic arriving on tun0 from 10.8.0.0/24 (otherwise the tunnel comes up but nothing passes), and both have to sit before those REJECT rules, so insert them with -I rather than appending with -A, or load a complete ruleset of your own.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
Start the OpenVPN service and make it survive reboots:
service openvpn start
chkconfig openvpn on
If it doesn't come up, /var/log/messages has the reason (the usual suspects are a wrong path in server.conf or a missing dh2048.pem). A healthy server shows a tun0 interface with 10.8.0.1 in ifconfig, and openvpn-status.log lists each connected client.
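Here is the whole firewall as one ruleset in iptables-restore format, an added example for this guide rather than anything shipped by CentOS or OpenVPN. It reproduces the stock CentOS 6 policy (stateful, SSH in, REJECT at the end of INPUT and FORWARD) and places the OpenVPN and forwarding rules where they must be, before those REJECTs; loading it with iptables-restore is atomic, so a typo cannot leave you with a half-applied ruleset and a locked-out SSH session. It assumes eth0 is the public interface, SSH listens on 22, and the VPN subnet and port are the ones from server.conf; adjust the variables at the top if not. The sysctl helper does what Step 4's manual edit does.

```sh
#!/bin/sh
# vpn-firewall.sh: a complete iptables ruleset for the gateway in iptables-restore
# format. Added example for this guide, not from OpenVPN or CentOS. The stock
# CentOS 6 /etc/sysconfig/iptables ends both INPUT and FORWARD with a REJECT, so
# rules appended with "iptables -A" land after the reject and never match; loading
# a whole ruleset in the right order avoids that.
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # must match the "server" line in server.conf
WAN_IF="${WAN_IF:-eth0}"            # assumption: the public interface of the VPS
VPN_PORT="${VPN_PORT:-1194}"
SSH_PORT="${SSH_PORT:-22}"          # assumption: sshd on its default port

# render_ruleset <vpn net> <wan if> <vpn port> <ssh port>: print the ruleset.
# Lines starting with # are ignored by iptables-restore.
render_ruleset() {
    net=$1; wan=$2; vport=$3; sport=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide VPN clients behind the server's public address (the one-liner from Step 4)
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# SSH and the OpenVPN port are the only services reachable from the Internet
-A INPUT -p tcp -m state --state NEW -m tcp --dport $sport -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport $vport -j ACCEPT
# Clients may ping the gateway itself (10.8.0.1); add further tun+ rules only if
# you want to manage the box over the tunnel. Nothing else reaches the host.
-A INPUT -i tun+ -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forwarding: only tunnel traffic from our subnet may leave via the WAN interface;
# replies come back through conntrack, everything else is rejected
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun+ -s $net -o $wan -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# enable_forwarding: flip the sysctl now and persist it in /etc/sysctl.conf.
enable_forwarding() {
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# apply_ruleset: load atomically (all or nothing), then persist for reboot.
apply_ruleset() {
    render_ruleset "$VPN_NET" "$WAN_IF" "$VPN_PORT" "$SSH_PORT" | iptables-restore || return 1
    service iptables save
}

# Stand-alone use: "sh vpn-firewall.sh" prints the ruleset for review,
# "sh vpn-firewall.sh apply" (as root) enables forwarding and loads it.
case "${1:-show}" in
    apply) enable_forwarding && apply_ruleset ;;
    show)  render_ruleset "$VPN_NET" "$WAN_IF" "$VPN_PORT" "$SSH_PORT" ;;
esac
```

Print it first, read it, then apply it as root. If you are managing the box over SSH, keep a second session open while you apply it, and remember that after "service iptables save" this ruleset replaces whatever was in /etc/sysconfig/iptables.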
Step 5: Client Side & Data Sovereignty
Transfer ca.crt, client1.crt and client1.key to your local machine over SCP, never by email or a shared drive; whoever holds client1.key is you as far as the gateway is concerned. The client config must match the server: proto udp, dev tun and cipher AES-256-CBC (and comp-lzo, since the server has it), plus client, remote with your server's IP and port 1194, and remote-cert-tls server so the laptop only trusts a certificate issued by build-key-server. Once connected, your default route should point into the tunnel and a "what is my IP" check should show the CoolVDS address.
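Rather than juggling four files on the laptop, build one self-contained profile. This is an added example for this guide, not OpenVPN's own tooling: it inlines the CA, certificate and key into client1.ovpn (a feature of OpenVPN 2.1 and later), mirrors the server's data-channel settings, and turns on remote-cert-tls server so the client refuses any peer whose certificate was not issued by build-key-server. vpn.example.no is a placeholder for your CoolVDS address. The ta.key handling is optional and assumes you added an HMAC firewall on the server, i.e. generated the key with openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key and added tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 to server.conf; with it, packets lacking the right HMAC are dropped before the TLS handshake starts, which hides the service from port scanners and takes the TLS stack off the unauthenticated attack surface.

```sh
#!/bin/sh
# make-client-profile.sh: bundle the files copied from the server into a single
# client.ovpn with the certificates inlined (supported since OpenVPN 2.1), so the
# laptop carries one file instead of four. Added example for this guide, not
# OpenVPN's own tooling. Assumes ca.crt, <name>.crt and <name>.key are in the
# current directory; ta.key is optional and only useful if the server has
# "tls-auth ta.key 0" in server.conf.
SERVER_HOST="${SERVER_HOST:-vpn.example.no}"   # assumption: replace with your CoolVDS address
SERVER_PORT="${SERVER_PORT:-1194}"

# inline_block <tag> <file>: wrap a PEM file in <tag>...</tag> for the profile.
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# build_profile <client name> <host> <port> [ta.key]: print the profile to stdout.
# The data-channel settings mirror server.conf; remote-cert-tls server makes the
# client refuse any peer whose certificate lacks the serverAuth extension that
# build-key-server adds, so a stolen client1.crt cannot impersonate the gateway.
build_profile() {
    name=$1; host=$2; port=$3; ta=${4:-}
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
remote-cert-tls server
verb 3
EOF
    inline_block ca ca.crt
    inline_block cert "$name.crt"
    inline_block key "$name.key"
    if [ -n "$ta" ]; then
        [ -r "$ta" ] || { echo "missing $ta" >&2; return 1; }
        # the server uses key direction 0, so every client must use 1
        echo "key-direction 1"
        inline_block tls-auth "$ta"
    fi
}

# write_profile <client name> <host> <port> [ta.key]: write <name>.ovpn with mode
# 0600, since the private key now lives inside it. Prints the file name.
write_profile() {
    out="$1.ovpn"
    ( umask 077; build_profile "$@" > "$out" ) || { rm -f "$out"; return 1; }
    echo "$out"
}

# Stand-alone use, in the directory holding the copied files:
#   ./make-client-profile.sh client1 [ta.key]
if [ "$(basename "$0")" = "make-client-profile.sh" ]; then
    write_profile "${1:-client1}" "$SERVER_HOST" "$SERVER_PORT" "${2:-}"
fi
```

Copy only the resulting .ovpn to the laptop; it is mode 0600 because the private key is now inside it. On the client, a successful connection ends with "Initialization Sequence Completed" in the log and the default route pointing into the tunnel.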
Why Hosting in Norway Matters
Latency is physics. If your team is working from Oslo or Bergen, routing your encrypted traffic through a server in Germany or the US adds unnecessary milliseconds to every packet. By hosting on CoolVDS in our Oslo datacenter, you usually keep your round-trip time below 10 ms.
Furthermore, we adhere to Datatilsynet's requirements. Unlike US-based "Safe Harbor" hosting, which is legally murky, keeping your data on Norwegian soil ensures you are protected by strong national privacy laws. In an era where data retention directives are being debated in the Storting, knowing exactly where your server physically resides is not just a technical detail; it's a compliance requirement.
Final Thoughts
You now have a secure, encrypted tunnel. Whether you are accessing corporate intranets or just want to watch NRK while traveling abroad without geo-blocks, this setup is robust. Don't rely on "free" VPN services that likely sell your logs. Build it yourself on infrastructure you control.
Need a clean IP and dedicated resources for your gateway? Deploy a CoolVDS KVM instance today. It takes 55 seconds to provision, which is just enough time to grab a coffee before you start coding.