Stop Trusting Public Networks: Your Personal Encrypted Tunnel
I recently watched a 'security consultant' at a coffee shop in Oslo demonstrated how easy it is to sidejack a session on an unencrypted HTTP connection. In less than 30 seconds, he had access to a stranger's webmail. It was a sobering reminder: if you are working remotely from a hotel, airport, or cafe, and you aren't tunneling your traffic, you are bleeding data.
SSH tunnels are a quick fix for web browsing, but for a true transparent extension of your office network, you need a VPN. While IPsec is the corporate standard, it's a nightmare to configure through NAT firewalls. OpenVPN is the pragmatic choice. It operates in user space, handles NAT traversal gracefully, and uses the OpenSSL library for encryption.
This guide covers deploying a hardened OpenVPN server on CentOS 5.5. We choose CoolVDS for this implementation because OpenVPN requires a tun/tap device, which many budget VPS providers disable on their over-subscribed nodes. CoolVDS Xen instances provide this kernel-level access out of the box.
The Architecture of Trust
We are building a routed IP tunnel (using the tun driver). This minimizes overhead compared to a bridged Ethernet tunnel (tap), which is only necessary if you need to rely on broadcast traffic (like NetBIOS).
Latency Matters: A VPN adds encryption overhead. If your server is in Texas and you are in Trondheim, your RTT (Round Trip Time) will make terminal work unbearable. By hosting on CoolVDS, your traffic routes via NIX (Norwegian Internet Exchange), keeping latency low—often under 10ms within Norway.
Step 1: Preparation and Dependencies
First, ensure your repository definitions are up to date. OpenVPN isn't in the base CentOS repository, so we need the EPEL (Extra Packages for Enterprise Linux) repository.
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
yum update
yum install openvpn
Step 2: The PKI (Public Key Infrastructure)
Shared secrets are for amateurs. We will use a proper Certificate Authority (CA). OpenVPN ships with easy-rsa, a set of scripts to manage this.
cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
When prompted, fill in your details. For the 'Common Name', use something distinct like 'CoolVDS-CA'. Next, generate the server certificate:
./build-key-server server
./build-dh
Pro Tip: Generating Diffie-Hellman parameters (build-dh) can take a long time on a standard VPS due to entropy starvation. On a CoolVDS high-performance node, this typically completes rapidly, but if it hangs, generate some disk I/O in another terminal to feed/dev/random.
Step 3: Server Configuration
Create /etc/openvpn/server.conf. This is where we define the behavior of our tunnel. Do not stick with defaults; they are rarely optimized for speed.
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Note that we use proto udp. Running TCP over TCP (OpenVPN TCP tunnel carrying HTTP traffic) leads to the "TCP Meltdown" phenomenon where packet loss causes massive retransmission loops. Always use UDP for the tunnel transport layer unless a strict firewall forces you to use TCP port 443.
Step 4: IP Forwarding and Routing
This is where most installations fail. The server needs to forward traffic from the virtual VPN interface to the physical Ethernet adapter.
Enable forwarding in the kernel:
sysctl -w net.ipv4.ip_forward=1
Now, configure iptables to masquerade the traffic. This effectively turns your CoolVDS instance into a router for your connected clients.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
Step 5: Client Deployment
Generate a key for your laptop:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key my-laptop
Transfer the ca.crt, my-laptop.crt, and my-laptop.key securely (use SCP, not email) to your client machine. On your client (whether it's a Windows machine running the OpenVPN GUI or a Linux netbook), ensure your config matches the server's settings (UDP, compression on, etc.).
Why Location and Jurisdiction Matter
Beyond the technical configuration, there is a legal layer to consider. By hosting your VPN endpoint in Norway, your data falls under the jurisdiction of the Personopplysningsloven (Personal Data Act). Unlike servers in the US subject to the Patriot Act, Norwegian data privacy laws are among the strictest in Europe. The Datatilsynet (Data Inspectorate) actively enforces these rights.
Furthermore, running your own VPN on a dedicated slice of hardware via CoolVDS gives you guaranteed CPU cycles for encryption. Cheaper shared hosting often chokes on the math required for AES or Blowfish encryption, slowing your connection to a crawl.
Final Check
Start the service and ensure it survives a reboot:
service openvpn start
chkconfig openvpn on
Your traffic is now encrypted, your IP address is masked, and your data is routed through a jurisdiction that respects privacy. Don't wait for a security breach to upgrade your infrastructure. Deploy a secure VPS Norway instance on CoolVDS today and regain control of your network perimeter.