Paranoid Networking: Building a Bulletproof OpenVPN Gateway on Ubuntu 12.04

Let’s be honest: trusting public WiFi in 2012 is digital suicide. Whether you are coding from a coffee shop in Grünerløkka or connecting to your corporate intranet from a hotel in Bergen, cleartext traffic is a liability. With the Norwegian Data Retention Directive (Datalagringsdirektivet) looming over our heads and packet sniffers becoming standard tools for script kiddies, a secure tunnel isn't a luxury—it's hygiene.

I've seen too many developers rely on flimsy PPTP connections that can be cracked in minutes. Today, we are doing this the right way. We are building an OpenVPN gateway on Ubuntu 12.04 LTS (Precise Pangolin). Why OpenVPN? Because it runs in user space, uses OpenSSL, and is robust enough to punch through aggressive corporate firewalls.

The Hardware Reality: Why KVM Matters

Before we touch the terminal, let's talk about the metal. OpenVPN is CPU intensive: every packet crosses the kernel/user-space boundary through the TUN device and is encrypted or decrypted in user space, so the context switches add up fast. If you try to run this on a cheap OpenVZ container where the host kernel is over-subscribed, you will see jitter. Your SSH sessions will lag. It’s painful.

This is why I deploy my gateways on CoolVDS. They use KVM (Kernel-based Virtual Machine) virtualization. Unlike containers, KVM gives you a dedicated kernel and reserved RAM. When I'm pushing AES-256 encryption, I need to know the CPU cycles are mine, not being stolen by a noisy neighbor running a Minecraft server next door. Plus, their datacenter in Oslo peers directly with NIX (Norwegian Internet Exchange), keeping latency to local ISPs essentially non-existent.

Step 1: Preparation and PKI

First, grab a fresh CoolVDS instance running Ubuntu 12.04. Update your repositories. We want the latest stable build.

apt-get update
apt-get upgrade -y
apt-get install openvpn easy-rsa

OpenVPN relies on a Public Key Infrastructure (PKI). We need a Certificate Authority (CA) to sign our server and client keys. Copy the easy-rsa generation scripts to a safe location so updates don't overwrite your config.

mkdir -p /etc/openvpn/easy-rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Now, edit the vars file. This saves you from typing your country and organization fifty times. Use nano /etc/openvpn/easy-rsa/vars:

export KEY_COUNTRY="NO"
export KEY_PROVINCE="Oslo"
export KEY_CITY="Oslo"
export KEY_ORG="CoolVDS_Ops"
export KEY_EMAIL="admin@example.com"

Pro Tip: In the same file, increase the key size. The default is often 1024 bits. In 2012, computing power is cheap enough that 1024 is getting weak. Change export KEY_SIZE=1024 to export KEY_SIZE=2048; build-dh then writes dh2048.pem, which is the file name the server config below expects. Paranoia pays off.

Load the variables and build your CA. Warning: running ./clean-all will wipe any existing keys.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca

Step 2: Generating Certificates

Now we generate the server certificate and the Diffie-Hellman parameters. This takes time. Go grab a coffee.

./build-key-server server
./build-dh

Once the entropy gathering is done, generate your client keys. If you have a developer named "Bjorn", make him his own key. Never share keys between users; revocation becomes a nightmare.

./build-key bjorn_laptop

Copy the resulting files (server.crt, server.key, ca.crt, dh2048.pem) from /etc/openvpn/easy-rsa/keys/ to /etc/openvpn/. Keep server.key readable only by root (chmod 600); it is the one file that proves a machine is your gateway.
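Before moving on, it is worth confirming that the PKI actually has the properties the rest of this setup relies on. The script below is an added example, not part of the original post or of the easy-rsa scripts: it uses only the openssl CLI to check that server.crt chains to ca.crt, that the server key is at least 2048 bits (the KEY_SIZE change above), and that server.crt, and only server.crt, carries the nsCertType=server extension that build-key-server adds and that the client config's ns-cert-type server line later enforces. The make_test_pki function builds a constructed throw-away PKI purely to exercise the check; the function names (check_pki, key_bits, is_server_cert, make_test_pki) and the "Test CA" subject are mine, not easy-rsa's.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the easy-rsa output
# before copying it into /etc/openvpn. Needs only the openssl CLI.

# key_bits CERT -> prints the RSA modulus size of the certificate's public key
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# is_server_cert CERT -> true if the cert carries Netscape Cert Type "SSL Server",
# i.e. the nsCertType=server extension that build-key-server sets
is_server_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}

# check_pki DIR CLIENT_NAME -> prints one line per check; returns 0 only if all pass
check_pki() {
    dir="$1"; client="$2"; rc=0

    if openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1; then
        echo "ok   server.crt chains to ca.crt"
    else
        echo "FAIL server.crt does not verify against ca.crt"; rc=1
    fi

    if openssl verify -CAfile "$dir/ca.crt" "$dir/$client.crt" >/dev/null 2>&1; then
        echo "ok   $client.crt chains to ca.crt"
    else
        echo "FAIL $client.crt does not verify against ca.crt"; rc=1
    fi

    bits=$(key_bits "$dir/server.crt")
    if [ "${bits:-0}" -ge 2048 ]; then
        echo "ok   server key is $bits bits"
    else
        echo "FAIL server key is ${bits:-unknown} bits (want at least 2048)"; rc=1
    fi

    if is_server_cert "$dir/server.crt"; then
        echo "ok   server.crt has nsCertType=server"
    else
        echo "FAIL server.crt lacks nsCertType=server; clients using ns-cert-type server will reject it"; rc=1
    fi

    if is_server_cert "$dir/$client.crt"; then
        echo "FAIL $client.crt is marked as a server cert; any holder of it could pose as the gateway"; rc=1
    else
        echo "ok   $client.crt is not marked as a server cert"
    fi

    return $rc
}

# make_test_pki DIR CLIENT_NAME [server] -- constructed throw-away PKI used only
# to exercise check_pki; real deployments use the easy-rsa scripts above.
# Pass "server" as the third argument to add nsCertType=server to server.crt.
make_test_pki() {
    dir="$1"; client="$2"; ext="$3"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for name in server "$client"; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        if [ "$name" = server ] && [ "$ext" = server ]; then
            printf 'nsCertType=server\n' > "$dir/ext.cnf"
            openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
                -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -out "$dir/$name.crt" 2>/dev/null
        else
            openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
                -CAcreateserial -days 1 -out "$dir/$name.crt" 2>/dev/null
        fi
    done
}
```

Run it as check_pki /etc/openvpn/easy-rsa/keys bjorn_laptop; a non-zero exit means something in the output needs fixing before you copy anything into /etc/openvpn.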

Step 3: The Server Configuration

Create /etc/openvpn/server.conf. This is where the magic happens. We are going to use UDP for speed (TCP over TCP results in meltdown during packet loss) and a TUN interface for routing IP traffic.

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Push routes to the client to redirect their gateway
push "redirect-gateway def1 bypass-dhcp"

# Use Google's DNS or OpenDNS to avoid local ISP censorship
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
comp-lzo

user nobody
group nogroup

persist-key
persist-tun
status openvpn-status.log
verb 3

Step 4: IP Forwarding and Iptables

A VPN server that doesn't route traffic is just a dead end. We need to tell the Linux kernel to forward packets.

Edit /etc/sysctl.conf and uncomment this line:

net.ipv4.ip_forward=1

Apply it immediately with sysctl -p.

Now, the firewall. I don't use wrapper tools. I use raw iptables because I need to know exactly what is happening in the NAT table. We need to masquerade the VPN traffic so it looks like it's coming from the CoolVDS server IP. The rule below assumes your public interface is eth0; substitute whatever ifconfig shows as your uplink.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

To ensure this survives a reboot on Ubuntu, I usually dump the rules to a file and load them via rc.local, or use iptables-persistent if you prefer the package manager route.

iptables-save > /etc/iptables.rules

Add the line pre-up iptables-restore < /etc/iptables.rules to the eth0 stanza in /etc/network/interfaces if you want it rock solid; the rules are then loaded before the interface comes up.

Step 5: Client Connectivity

Start the service:

service openvpn start

Check the logs at /var/log/syslog. If you see "Initialization Sequence Completed", you are golden.

On your client machine, you'll need the ca.crt, bjorn_laptop.crt, and bjorn_laptop.key. Copy them over an encrypted channel such as scp; never mail a private key. The ns-cert-type server line in the config below tells the client to accept only a certificate built with build-key-server (it carries the nsCertType=server extension), so a leaked client certificate cannot be used to impersonate the gateway. Create a client.ovpn config file:

client
dev tun
proto udp
remote [YOUR_COOLVDS_IP] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert bjorn_laptop.crt
key bjorn_laptop.key
ns-cert-type server
comp-lzo
verb 3
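The three hand-edited files in Steps 3 to 5 (server.conf, client.ovpn and the ip_forward line in sysctl.conf) are where copy-paste slips happen: a commented-out ip_forward line, a privilege drop that went missing, a remote line still holding the [YOUR_COOLVDS_IP] placeholder. The following POSIX shell lint is an added example, not code from the original post; it checks each file for the directives this walkthrough depends on. The function names, the sample files written by write_samples and the 203.0.113.10 address in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight lint for the files the
# post has you hand-edit. Plain sh and grep, so it runs on the gateway itself.

# has_directive FILE DIRECTIVE -> true if an uncommented line starts with DIRECTIVE
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_server_conf FILE -> 0 if every directive the post relies on is present
audit_server_conf() {
    f="$1"; rc=0
    for want in 'proto udp' 'dev tun' 'ca' 'cert' 'key' 'dh' 'server' \
                'push "redirect-gateway' 'keepalive' \
                'user nobody' 'group nogroup' 'persist-key' 'persist-tun'; do
        if has_directive "$f" "$want"; then
            echo "ok   $want"
        else
            echo "FAIL server.conf is missing: $want"; rc=1
        fi
    done
    return $rc
}

# audit_client_conf FILE -> 0 if the client pins the server cert type and the
# remote line has been filled in
audit_client_conf() {
    f="$1"; rc=0
    if has_directive "$f" 'remote'; then
        echo "ok   remote present"
    else
        echo "FAIL client.ovpn has no remote line"; rc=1
    fi
    if grep -q 'YOUR_COOLVDS_IP' "$f"; then
        echo "FAIL remote still contains the [YOUR_COOLVDS_IP] placeholder"; rc=1
    fi
    if has_directive "$f" 'ns-cert-type server'; then
        echo "ok   ns-cert-type server (only a build-key-server cert is accepted)"
    else
        echo "FAIL ns-cert-type server missing: any CA-signed cert could pose as the gateway"; rc=1
    fi
    return $rc
}

# check_ip_forward FILE -> 0 if net.ipv4.ip_forward=1 is set and not commented out
check_ip_forward() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1([[:space:]]|$)' "$1"
}

# write_samples DIR -- constructed sample files used to exercise the checks
write_samples() {
    d="$1"; mkdir -p "$d"
    cat > "$d/server.good" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
EOF
    # privilege drop commented out: a common copy-paste slip
    sed -e 's/^user/#user/' -e 's/^group/#group/' "$d/server.good" > "$d/server.bad"
    cat > "$d/client.good" <<'EOF'
client
remote 203.0.113.10 1194
ns-cert-type server
EOF
    sed 's/^remote .*/remote [YOUR_COOLVDS_IP] 1194/' "$d/client.good" > "$d/client.bad"
    printf '#net.ipv4.ip_forward=1\n' > "$d/sysctl.bad"
    printf 'net.ipv4.ip_forward=1\n' > "$d/sysctl.good"
}
```

Run audit_server_conf /etc/openvpn/server.conf, audit_client_conf client.ovpn and check_ip_forward /etc/sysctl.conf before service openvpn start; each returns non-zero when something is missing, so they drop into a deploy script cleanly.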

Why This Architecture Wins

This setup gives you an encrypted tunnel directly into the backbone of the Norwegian internet. By using CoolVDS, you are leveraging enterprise-grade SSD storage (if you opt for the high-performance tier) and KVM stability. In a world where Datatilsynet is constantly fighting for privacy rights, taking control of your own data flow is the only responsible move for a systems administrator.

Don't rely on "free" VPNs that likely sell your logs. Build your own. It takes ten minutes, and the peace of mind is worth every second.

Ready to secure your traffic?

Stop dealing with high-latency connections. Deploy a KVM instance on CoolVDS today and get your OpenVPN gateway running on a network built for professionals.