Tunneling Through the Noise: Deploying OpenVPN on Enterprise Linux
Let's be honest: connecting to a client's server from hotel Wi-Fi or a coffee shop in downtown Oslo is a game of Russian Roulette. Packet sniffers are getting smarter, and unencrypted HTTP traffic is low-hanging fruit for anyone with a laptop and a suitably configured wireless card. If you are a systems administrator, you cannot rely on trust. You rely on encryption.
I recently audited a setup for a logistics firm in Bergen. Their developers were FTPing source code over open 3G connections. It took me less than ten minutes to capture credentials. The solution isn't to stop working remotely; it's to tunnel your traffic through a trusted endpoint. That is where OpenVPN comes in.
Why OpenVPN in 2010?
While IPsec is the standard for site-to-site hardware links, OpenVPN gives us the flexibility of an SSL/TLS VPN that runs in user space. It is robust, handles NAT traversal far better than IPsec, and works across Linux, Windows, and Mac OS X. The trade-off is CPU: because the daemon lives in user space, every packet crosses the kernel boundary, so it costs more in context switches than kernel-mode IPsec.
Pro Tip: Many budget VPS providers oversell their nodes using basic OpenVZ templates that lack the tun/tap device required for OpenVPN. Without this kernel module, your VPN will never route packets. At CoolVDS, we enable TUN/TAP by default on all our nodes and prioritize I/O for network interrupts, ensuring your tunnel doesn't choke under load.
Prerequisites
We will be using CentOS 5.5 (32-bit or 64-bit). You need root access. For this guide, I assume you are using a CoolVDS instance in our Oslo datacenter to minimize latency to the Norwegian Internet Exchange (NIX).
1. Install the Repository and Software
OpenVPN isn't in the default CentOS repositories. We need EPEL (Extra Packages for Enterprise Linux).
wget http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -ivh epel-release-5-4.noarch.rpm
yum update
yum install openvpn
2. The PKI Setup (Public Key Infrastructure)
Security relies on keys, not shared passwords. We will use the easy-rsa scripts shipped with the openvpn package.
cp -R /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
vi vars
Edit the vars file to reflect your organization. This is crucial for compliance with the Norwegian Personopplysningsloven (Personal Data Act) if you are logging user access. Ensure the country is set to NO and the organization is accurate.
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
The last step, ./build-dh, generates the Diffie-Hellman parameters. Their size follows the KEY_SIZE set in vars (1024 by default), which is why the server configuration below references dh1024.pem. On a standard shared host, this calculation can take ages. On CoolVDS high-performance instances, the CPU allocation handles this prime-number crunching significantly faster.
3. Server Configuration
Create /etc/openvpn/server.conf. We are going to use UDP for speed (TCP over TCP leads to meltdown, because the inner and outer retransmission timers fight each other). The certificate and key paths below are relative to /etc/openvpn, the directory the init script changes into before launching the daemon.
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Note the push "redirect-gateway def1" line. It sets the client's default route through the tunnel, so all of its traffic (not just web browsing) leaves via the server, and the pushed DNS server keeps name lookups from leaking to the coffee shop's resolver. This is what secures you at the coffee shop.
4. Routing and Iptables
Having the server running is useless if Linux doesn't know how to route the packets. Enable IP forwarding (this takes effect immediately but is lost on reboot, so also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf):
echo 1 > /proc/sys/net/ipv4/ip_forward
Now, configure iptables to NAT the traffic out to the internet. This effectively turns your CoolVDS server into your personal router. If you kept the CentOS default ruleset, you also need to accept inbound UDP 1194 and allow forwarding between tun0 and eth0, because the stock rules reject forwarded packets that are not explicitly permitted.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/etc/init.d/iptables save
/etc/init.d/iptables restart
5. Start the Engine
/etc/init.d/openvpn start
chkconfig openvpn on
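Once the daemon is up, a check worth scripting (added example code, not from this article): compare the sessions listed in openvpn-status.log with the CA database in /etc/openvpn/easy-rsa/keys/index.txt. OpenVPN only rejects a revoked certificate when server.conf carries a crl-verify line, which the configuration above does not, so a client whose key you revoked with ./revoke-full can still connect; this script reports such sessions. It assumes the default status format, and both inputs are constructed samples.

```python
# Added example (not from the article): cross-check live OpenVPN sessions from the
# openvpn-status.log that "status" in server.conf writes against easy-rsa's
# keys/index.txt, the CA database build-key appends to. Inputs are constructed.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 17 09:12:15 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,198.51.100.23:51234,102400,4096000,Thu Jun 17 08:55:01 2010
oldlaptop,203.0.113.9:40001,512,2048,Thu Jun 17 09:10:44 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,198.51.100.23:51234,Thu Jun 17 09:12:10 2010
END
"""
SAMPLE_INDEX = "\n".join([  # status, expiry, revocation date, serial, file, DN
    "V\t200615120000Z\t\t01\tunknown\t/C=NO/ST=Oslo/O=Example AS/CN=server",
    "V\t200615120100Z\t\t02\tunknown\t/C=NO/ST=Oslo/O=Example AS/CN=client1",
    "R\t200615120200Z\t100610083000Z\t03\tunknown\t/C=NO/ST=Oslo/O=Example AS/CN=oldlaptop",
])

def parse_status(text):
    """(common name, real address) for each row of the CLIENT LIST section."""
    sessions, in_list = [], False
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            in_list = True
        elif line == "ROUTING TABLE":
            break  # routing rows repeat the same clients; stop here
        elif in_list and not line.startswith(("Updated,", "Common Name,")):
            cn, real = line.split(",")[:2]
            sessions.append((cn, real))
    return sessions

def valid_cns(index_text):
    """CNs whose certificate is still marked V (valid); R rows were revoked."""
    valid = set()
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) == 6 and fields[0] == "V":
            dn = dict(p.split("=", 1) for p in fields[5].strip("/").split("/"))
            valid.add(dn.get("CN"))
    return valid

def audit(status_text, index_text):
    """Sessions whose CN has no valid cert: revoked, or never issued by this CA."""
    ok = valid_cns(index_text)
    return [(cn, real) for cn, real in parse_status(status_text) if cn not in ok]
```

Run it from cron against the real files and mail any non-empty result; an alert means the session should be dropped and crl-verify added to server.conf.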
The Latency Factor
When you tunnel traffic, you add overhead. Encryption takes CPU cycles, and routing adds hops. If your VPS is hosted in Germany but you are working in Oslo, your packets travel to Frankfurt and back just to load vg.no.
This is why geography matters. For Norwegian businesses, hosting your VPN endpoint on CoolVDS infrastructure in Oslo keeps your latency low—often under 10ms within the country. We peer directly with major Norwegian ISPs, ensuring that your secure tunnel doesn't feel like a dial-up connection.
Furthermore, relying on standard hard drives for system logging can cause I/O wait times that lag the connection. While standard HDDs are common, our premium storage arrays utilize high-speed SAS drives and aggressive caching to prevent I/O bottlenecks during heavy logging or multiple concurrent connections.
Final Security Check
Remember that a VPN only encrypts the transit. It does not protect the server itself. Ensure you have fail2ban installed to watch for brute-force attempts on SSH, and consider moving your SSH port away from 22. In the eyes of Datatilsynet, you are responsible for securing the data processor.
Don't let a slow network or a crowded node compromise your security strategy. Deploy your dedicated VPN node on CoolVDS today—because your data is nobody else's business.