Secure Your Data: Deploying OpenVPN on Ubuntu 10.04 LTS in Norway
It’s 10:00 AM at Kaffebrenneriet on Grünerløkka. You’re sipping a latte, pushing code to your production server over the coffee shop's open Wi-Fi. It feels productive. It’s also suicidal.
Packet sniffing tools like Wireshark and Firesheep have made it trivial for anyone sitting two tables away to hijack your unencrypted sessions. Whether you are a system administrator managing sensitive infrastructure or a developer accessing corporate resources, relying on public networks without a tunnel is negligence. We need to fix this immediately.
Today, we are building a bulletproof OpenVPN gateway. We aren't using PPTP, which has been cryptographically broken for years. We are using OpenVPN (SSL/TLS based) on a trusted Norwegian VPS. This ensures your traffic is encrypted with AES-256 and, crucially, that your data traffic physically enters the internet via Oslo, keeping you compliant with local regulations like Personopplysningsloven.
The Hardware Reality: Encryption Eats CPU
Before we touch the config, let's talk metal. Encrypting and decrypting every single packet at line speed is CPU intensive. Most cheap VPS providers oversell their CPU cycles using OpenVZ containers. The moment your VPN tunnel is under load, the host node throttles you, and your latency spikes to unusable levels.
I recently migrated a client who was complaining about sluggish RDP sessions through their previous VPN provider. The issue wasn't bandwidth; it was CPU steal time. We moved them to a CoolVDS instance running on Xen virtualization. Because Xen offers better resource isolation and guaranteed CPU cycles compared to standard containers, their throughput stabilized instantly. If you value your connection speed, don't skimp on the virtualization technology.
Step 1: Installation on Ubuntu 10.04 (Lucid Lynx)
We assume you are root on a fresh CoolVDS instance. First, update your package lists and install OpenVPN.
apt-get update
apt-get install openvpn libssl-dev openssl
Copy the easy-rsa generation scripts out of the documentation directory into /etc/openvpn so that future package updates don't overwrite your edits.
mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Step 2: The PKI Infrastructure
OpenVPN relies on a Public Key Infrastructure (PKI). We need a Certificate Authority (CA), a server key, and client keys. Edit the vars file in your easy-rsa directory to reflect your organization. This is important for verification later.
cd /etc/openvpn/easy-rsa
# Edit these fields in the 'vars' file:
# export KEY_COUNTRY="NO"
# export KEY_PROVINCE="Oslo"
# export KEY_ORG="CoolVDS_User"
Now, build the keys:
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
This will generate your Diffie-Hellman parameters. On a slow VPS, this takes forever. On CoolVDS's high-performance nodes, it should take just a minute or two.
Step 3: Server Configuration
Create /etc/openvpn/server.conf. We will use UDP for speed (tunnelling TCP inside TCP causes the "TCP meltdown" problem: the retransmission timers of the two layers fight each other under packet loss) and the tun device for routing.
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
Step 4: IP Forwarding and NAT
Your server needs to act as a router. Enable packet forwarding in the kernel.
echo 1 > /proc/sys/net/ipv4/ip_forward
To make this permanent, uncomment net.ipv4.ip_forward=1 in /etc/sysctl.conf.
Next, we need iptables to Masquerade the traffic leaving your VPN subnet out to the internet. This is where the magic happens.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Pro Tip: Save your iptables rules so they survive a reboot. Use iptables-save > /etc/iptables.rules and load that file from your network interface configuration at boot. Nothing is worse than a rebooted server locking you out.
Why Location Matters
Routing your traffic through a server in the US or Asia adds massive latency. If your business is in Norway, your VPN endpoint should be in Norway. Connecting via CoolVDS gives you direct peering with NIX (Norwegian Internet Exchange), ensuring your packets take the shortest physical path to local services.
Furthermore, keeping data within Norwegian borders satisfies the requirements of Datatilsynet regarding the processing of personal data. Don't risk routing sensitive client data through jurisdictions with questionable privacy laws.
Final Check
Start the service:
/etc/init.d/openvpn start
Transfer ca.crt, client1.crt, and client1.key to your local machine securely (use SCP, not email!). Configure your local OpenVPN client and connect. If you see the "Initialization Sequence Completed" message, congratulations: your traffic is now unreadable to anyone else on the local network.
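Before handing out the client files, it pays to confirm that everything built in Steps 2 to 4 is actually in place. The script below is an added example, not part of the original tutorial, and only reads files: it checks that server.conf has every directive the tutorial relies on (including the user/group/persist lines that drop root privileges) and that the ca/cert/key/dh paths exist, that forwarding is on now and persists in sysctl.conf, that the saved ruleset holds the MASQUERADE rule, and that the server key is not readable by group or others. It also warns when server.conf has no cipher line: the introduction promises AES-256, but OpenVPN 2.x (2.1 on Lucid) only uses it when the config says cipher AES-256-CBC on both ends, and otherwise runs its default BF-CBC. The paths /etc/openvpn/server.conf, /etc/sysctl.conf and /etc/iptables.rules, the subnet 10.8.0.0/24 and the interface eth0 are taken from the tutorial; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: read-only pre-flight
# checks for the gateway built in Steps 2 to 4. Each check takes the file it
# inspects as an argument (so it runs against live paths or copies), prints a
# FAIL/WARN line on a problem and returns 0 on pass, 1 otherwise.

# Check 1: server.conf carries every directive the tutorial relies on, including
# the privilege-drop lines (user/group/persist-*), and each file it references
# exists. A wrong path here is the usual reason the service refuses to start.
check_server_conf() {
    conf="$1"
    conf_rc=0
    for d in port proto dev ca cert key dh server user group persist-key persist-tun; do
        if ! grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" "$conf"; then
            echo "FAIL: $conf lacks directive '$d'"
            conf_rc=1
        fi
    done
    for d in ca cert key dh; do
        path=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        if [ -n "$path" ] && [ ! -f "$path" ]; then
            echo "FAIL: '$d' points at missing file $path"
            conf_rc=1
        fi
    done
    return $conf_rc
}

# Check 2: OpenVPN 2.1 only uses AES-256 when told to; with no 'cipher' line
# its default (BF-CBC) is used instead of what the tutorial's intro promises.
check_cipher_pinned() {
    if grep -Eq '^[[:space:]]*cipher[[:space:]]+AES-256' "$1"; then
        return 0
    fi
    echo "WARN: no 'cipher AES-256-CBC' line in $1; the default cipher will be used"
    return 1
}

# Check 3: forwarding is on now ($1 = procfs value) and survives a reboot
# ($2 = sysctl.conf with an uncommented net.ipv4.ip_forward=1).
check_ip_forward() {
    fwd_rc=0
    if [ "$(cat "$1" 2>/dev/null)" != "1" ]; then
        echo "FAIL: forwarding is off in $1"
        fwd_rc=1
    fi
    if ! grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$2"; then
        echo "FAIL: no uncommented net.ipv4.ip_forward=1 in $2"
        fwd_rc=1
    fi
    return $fwd_rc
}

# Check 4: the saved ruleset ($1, iptables-save output such as /etc/iptables.rules)
# holds the MASQUERADE rule for subnet $2 on uplink interface $3. Pass the subnet
# exactly as your iptables-save prints it (10.8.0.0/24 here).
check_nat_rule() {
    if grep -Fq -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE" "$1"; then
        return 0
    fi
    echo "FAIL: no MASQUERADE rule for $2 via $3 in $1"
    return 1
}

# Check 5: a private key must not be readable by group or others. The ls -l
# permission string is used because stat's format flags differ between systems.
check_key_private() {
    if [ ! -f "$1" ]; then
        echo "FAIL: key file $1 does not exist"
        return 1
    fi
    go_bits=$(ls -l "$1" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "FAIL: $1 is readable beyond its owner (group/other bits '$go_bits')"
        return 1
    fi
    return 0
}

# Runs everything; the cipher check is reported but does not fail the run,
# because the tutorial's server.conf as written has no cipher line.
run_all_checks() {
    all_rc=0
    check_server_conf "$1" || all_rc=1
    check_cipher_pinned "$1" || true
    check_ip_forward /proc/sys/net/ipv4/ip_forward "$2" || all_rc=1
    check_nat_rule "$3" "$4" "$5" || all_rc=1
    check_key_private "$(awk '$1 == "key" { print $2; exit }' "$1")" || all_rc=1
    [ "$all_rc" -eq 0 ] && echo "OK: gateway pre-flight passed"
    return $all_rc
}

# Live run against the tutorial's own paths; only meaningful on the VPS itself.
if [ "${1:-}" = "--live" ]; then
    run_all_checks /etc/openvpn/server.conf /etc/sysctl.conf /etc/iptables.rules 10.8.0.0/24 eth0
fi
```

Run it on the server as root with sh preflight.sh --live; a non-zero exit status means at least one FAIL line was printed, and each line names the file and directive to fix. The checks are deliberately string-level (no iptables or openvpn invocation), so they can also be run against copies of the files on a workstation.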
Security is not a product; it's a process. But having the right infrastructure makes that process a lot smoother. Don't let a slow host bottleneck your encrypted tunnel.
Need a dedicated IP and rock-solid I/O for your VPN? Deploy a Xen-based instance on CoolVDS today and lock down your connection.