Hardening Your Mobile Workforce: Building a Bulletproof OpenVPN Gateway on CentOS 5
Let's be honest. If you are logging into your corporate backend from a hotel lobby in Oslo or a coffee shop in Kyiv using plain HTTP or standard FTP, you aren't just taking a risk. You are practically handing your credentials to anyone with a packet sniffer. In 2009, unencrypted traffic is negligence.
The solution isn't expensive hardware appliances. It's open source, it's robust, and it runs beautifully on a standard Linux slice. I'm talking about OpenVPN.
I've seen too many sysadmins rely on PPTP because it's "easy" to set up on Windows clients. It's also broken. Bruce Schneier flagged MS-CHAPv2 vulnerabilities years ago. If you care about data integrity, you build an SSL-based VPN.
The Architecture: Why Location Matters
Before we touch the terminal, let's talk latency and law. Tunneling your traffic adds overhead. If your VPN endpoint is in Texas but you are working in Trondheim, your SSH sessions will lag. Physics is undefeated.
For operations in Northern Europe, you need a termination point close to the NIX (Norwegian Internet Exchange). Furthermore, hosting in Norway places your data under the jurisdiction of the Datatilsynet (Norwegian Data Inspectorate), offering protection distinct from the overreach of the US Patriot Act. This is why we deploy on CoolVDS. We get low-latency peering and legal clarity.
Step 1: The Environment
We are using CentOS 5.3. It's boring, stable, and enterprise-ready. You need the TUN/TAP device enabled. Many budget VPS providers oversell their nodes using cheap OpenVZ containers with locked kernels. If cat /dev/net/tun returns a permission error, move to a provider that supports real virtualization like Xen, which is standard on CoolVDS.
Prerequisites
First, enable the RPMForge repository because OpenVPN isn't in the base CentOS repos.
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm
yum update
yum install openvpn openssl-devel
Step 2: The PKI Infrastructure
Security is only as good as your keys. We will use the easy-rsa scripts included with OpenVPN. Don't be lazy and use the default settings.
Copy the scripts to a safe location:
cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0
Edit the vars file. Increase the key size. The default 1024-bit is okay for now, but compute power is cheap. Go for 2048-bit to future-proof against brute force attacks over the next few years.
export KEY_SIZE=2048
export KEY_COUNTRY="NO"
export KEY_PROVINCE="Oslo"
export KEY_CITY="Oslo"
export KEY_ORG="CoolVDS_Ops"
Now, build the Certificate Authority (CA) and server keys:
. ./vars
./clean-all
./build-ca
./build-key-server server
# one certificate per laptop; a client.key is never shared between users
./build-key client
./build-dh
# server.conf below loads its files from keys/ under /etc/openvpn, so put them there, root-only
mkdir -p /etc/openvpn/keys
cp keys/ca.crt keys/server.crt keys/server.key keys/dh2048.pem /etc/openvpn/keys/
chmod 600 /etc/openvpn/keys/server.key
Pro Tip: Generating Diffie-Hellman parameters (build-dh) on a VPS can take a while if the entropy pool is low. While you wait, check your disk I/O. If you aren't on high-performance RAID-10 SAS storage, this step is painful.
Step 3: Server Configuration
Create /etc/openvpn/server.conf. We are going to use UDP for speed (TCP over TCP leads to meltdown) and the tun device for routing.
port 1194
proto udp
dev tun
# paths are relative to /etc/openvpn, the init script's working directory
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
comp-lzo
# drop root after start-up; persist-key/persist-tun let the unprivileged daemon
# survive a restart without re-reading the key or reopening the tun device
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
The line push "redirect-gateway def1" is the magic. It forces all client traffic (web browsing, email, IM) through the tunnel. This is what secures you on public WiFi.
Step 4: Routing and IPTables
A VPN is useless if packets can't leave the server. Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
# this is lost on reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf as well
Now, configure iptables to masquerade the traffic. This effectively turns your CoolVDS instance into a router for your connected clients.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service openvpn start
# start the tunnel at boot, otherwise a reboot leaves the gateway silent
chkconfig openvpn on
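A set of post-install checks for the gateway built in Steps 1 through 4, added here as an example and not part of the original post. Each check takes its input as an argument, so it can be run on the live box or against captured files; the key path assumes the server key sits at /etc/openvpn/keys/server.key as server.conf expects.

```shell
#!/bin/sh
# Post-install checks for the OpenVPN gateway (added example, not from the
# original post). Inputs are arguments so the checks also run on captured files.

# Step 1: a usable TUN device answers a bare read with "File descriptor in bad
# state"; "No such device" or "Permission denied" means a locked container kernel.
tun_available() {
  cat /dev/net/tun 2>&1 | grep -q 'bad state'
}

# Step 4: forwarding flag as read from the kernel (or from a captured copy).
forwarding_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Step 4: the MASQUERADE rule for the VPN subnet is in the saved NAT table.
# Pass the output of: iptables-save -t nat
masquerade_present() {
  printf '%s\n' "$1" | grep -q -- '-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
}

# Step 2: the server private key must be mode 0600; a world-readable key lets
# any local account impersonate the gateway.
key_perms_ok() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  [ "$mode" = "600" ]
}

# The echo into /proc is lost on reboot; make it permanent in sysctl.conf
# (then apply with: sysctl -p). Other settings in the file are kept intact.
persist_forwarding() {
  conf="${1:-/etc/sysctl.conf}"
  tmp="$conf.tmp"
  grep -v '^net\.ipv4\.ip_forward' "$conf" > "$tmp" 2>/dev/null || true
  echo 'net.ipv4.ip_forward = 1' >> "$tmp"
  mv "$tmp" "$conf"
}

# Run every check against the live system and report what is wrong.
gateway_checks() {
  tun_available      || echo "FAIL: no usable /dev/net/tun"
  forwarding_enabled || echo "FAIL: ip_forward is 0"
  masquerade_present "$(iptables-save -t nat 2>/dev/null)" || echo "FAIL: NAT rule missing"
  key_perms_ok /etc/openvpn/keys/server.key || echo "FAIL: server.key is not 0600"
}
```

Source the file and call gateway_checks as root on the VPS; a silent run means all four checks passed.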
Client Deployment
On your Windows XP or Vista laptop, install the OpenVPN GUI. Transfer the ca.crt, client.crt, and client.key securely (use SCP, not email!).
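The post never shows the client side of the configuration, so here is a generator for a client .ovpn that mirrors the server.conf above. This is an added example, not code from the original post; it assumes the gateway's public name is passed in (vpn.example.org is a placeholder) and that client.crt/client.key came from ./build-key client on the CA machine.

```shell
#!/bin/sh
# Emit a client .ovpn matching the server.conf above (added example, not part of
# the original post). vpn.example.org is a placeholder for the real gateway name.

make_client_config() {
  name="$1"     # basename of the client cert/key pair, e.g. client
  remote="$2"   # public hostname or IP of the CoolVDS gateway
  cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $name.crt
key $name.key
# Only accept a peer whose cert carries nsCertType=server (set by
# build-key-server); a stolen client cert then cannot pose as the gateway.
ns-cert-type server
comp-lzo
verb 3
EOF
}

# Every transport option must agree with the server side or the tunnel never
# comes up; check the file before handing it to a user.
check_client_config() {
  conf="$1"
  for opt in "proto udp" "dev tun" "comp-lzo" "ns-cert-type server" "remote "; do
    case "$conf" in
      *"$opt"*) ;;
      *) echo "missing: $opt" >&2; return 1 ;;
    esac
  done
  return 0
}

conf=$(make_client_config client vpn.example.org)
check_client_config "$conf" && printf '%s\n' "$conf"
```

Save the printed text as client.ovpn next to ca.crt, client.crt and client.key in the OpenVPN GUI's config directory.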
Why Performance Defines Security
Encryption costs CPU cycles. Routing costs I/O. If you run this setup on a cheap, oversold VPS where the host CPU is thrashing, your encrypted tunnel will feel like a 56k modem. You will get frustrated, turn it off, and then get hacked.
Stability is a security feature. We benchmark our CoolVDS instances to ensure that CPU steal time is negligible, even during peak hours. When you are tunneling RDP or VNC sessions through OpenVPN, that consistent throughput keeps you productive.
Final Check
Run a traceroute from your client. The first hop should be 10.8.0.1. The second hop should be the gateway at the CoolVDS datacenter in Oslo. If you see that, congratulations. You are now invisible to the guy sniffing packets at the cafe table next to you.
Need a rock-solid endpoint? Deploy a CentOS 5 instance on CoolVDS today. It takes less than two minutes to get root.