Secure Your Traffic: Deploying OpenVPN on Ubuntu 12.04 LTS

Let’s be honest: trusting public WiFi in 2012 is professional suicide. Since the release of Firesheep, every script kiddie in a coffee shop can hijack your unencrypted sessions. If you are managing servers, pushing code, or accessing sensitive corporate data over an open network without a tunnel, you aren't just negligent; you're asking to be breached.

I've seen it happen. A junior dev logged into a non-SSL Admin panel from an airport lounge in Gardermoen. By the time he landed, our database was being dumped. The solution is mandatory encryption. While PPTP is widespread, it is fundamentally broken. The only serious choice for a battle-hardened systems administrator is OpenVPN.

In this guide, we are going to build a ruthlessly secure OpenVPN gateway on Ubuntu 12.04 LTS (Precise Pangolin). We will use 2048-bit RSA keys, configure proper NAT routing with iptables, and discuss why the underlying virtualization technology of your Norwegian VPS provider makes or breaks your tunnel's stability.

The Prerequisite: KVM vs. OpenVZ

Before touching the terminal, check your virtualization. Many budget hosts oversell resources using OpenVZ. The problem? OpenVZ kernels are shared. Enabling the tun/tap device—required for OpenVPN—can be a nightmare of support tickets and kernel module restrictions.

This is why I deploy on CoolVDS. They use KVM (Kernel-based Virtual Machine) by default. This gives you a dedicated kernel, guaranteed RAM, and full control over network modules. Plus, encryption is math-heavy. OpenVPN runs in userspace and encrypts every packet. If you are on a sluggish host with high CPU steal, your latency will skyrocket. CoolVDS offers pure SSD storage and dedicated CPU cycles, ensuring your VPN throughput handles your fiber connection without choking.

Step 1: Installation and PKI Setup

We are using the standard repositories. Ensure your system is up to date.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install openvpn easy-rsa

OpenVPN relies on a Public Key Infrastructure (PKI). We need a Certificate Authority (CA) to sign our keys. Ubuntu 12.04 places the easy-rsa scripts in a documentation folder. Let's copy them to a workspace to avoid permission issues.

sudo mkdir -p /etc/openvpn/easy-rsa
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Configuring the Variables

Edit the vars file. This saves you from typing your country and organization fields fifty times. It also sets the key size. By default, it might be 1024-bit. In 2012, 1024-bit is effectively dead. Bump it to 2048.

cd /etc/openvpn/easy-rsa
sudo vim vars

Change the following lines to match your organization. Since we are operating under strict Datatilsynet guidelines here in Norway, accurate identification is good practice.

export KEY_COUNTRY="NO"
export KEY_PROVINCE="Oslo"
export KEY_CITY="Oslo"
export KEY_ORG="CoolVDS_Ops"
export KEY_EMAIL="admin@coolvds.com"
export KEY_SIZE=2048

Now, load the variables and build the CA. Because /etc/openvpn/easy-rsa is owned by root and source only affects the current shell, run these three commands from a root shell (sudo -s) rather than prefixing each one with sudo. Warning: the clean-all command will wipe any existing keys in that folder.

source ./vars
./clean-all
./build-ca

Step 2: Generating Server and Client Certificates

Generate the server key. When prompted for a "Common Name", use server.

./build-key-server server

Now, generate the Diffie-Hellman parameters. This takes time. On a standard spinning disk VPS, you might wait 10 minutes. On a CoolVDS instance with high-speed SSD storage, this finishes rapidly because the entropy generation isn't stalled by I/O wait.

./build-dh

Finally, generate your client key. If you have multiple engineers, generate a unique key for each.

./build-key laptop-client

Move the required keys to the OpenVPN directory:

cd /etc/openvpn/easy-rsa/keys
sudo cp server.crt server.key ca.crt dh2048.pem /etc/openvpn/

Step 3: The Server Configuration

Create the /etc/openvpn/server.conf file. We will use UDP for speed (TCP over TCP leads to meltdown), LZO compression, and a persistent TUN device.

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Push routes to the client to redirect gateway
push "redirect-gateway def1 bypass-dhcp"

# Use Google DNS or OpenDNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log
verb 3

Pro Tip: If you are connecting from networks with restrictive firewalls (like corporate offices blocking non-standard ports), change port 1194 to port 443 and proto tcp. However, this incurs a performance penalty. For raw speed and low latency, stick to UDP.
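The status file declared above (status openvpn-status.log) is the cheapest audit trail this setup gives you. The following script is an added example, not part of the original post: it compares two snapshots of that file and reports every Common Name whose source address changed between them. It assumes the default status format (version 1) and that the relative path resolves to /etc/openvpn, as it does under the Debian init script.

```sh
#!/bin/sh
# Added example, not from the original post: compare two snapshots of the
# openvpn-status.log declared in server.conf and report every Common Name
# whose real (source) address changed between them. Because server.conf
# has no duplicate-cn, a copied .key does not show up as two rows: the
# newer session replaces the older one, so the CN's address flips back and
# forth. A roaming laptop flips it too, so a hit is a question for the
# key's owner, not proof. Assumes the default status format (version 1).
set -eu

# connected_clients STATUSFILE: print "CN ip" per live session, read from
# the block between "OpenVPN CLIENT LIST" and "ROUTING TABLE".
connected_clients() {
    awk -F, '
        /^ROUTING TABLE/ { exit }
        /^Common Name,/  { next }
        NF >= 5 { ip = $2; sub(/:[0-9]+$/, "", ip); print $1, ip }
    ' "$1"
}

# address_changes OLD NEW: print "CN old_ip new_ip" for every CN present
# in both snapshots but connected from a different address.
address_changes() {
    { connected_clients "$1"; echo "--"; connected_clients "$2"; } | awk '
        $1 == "--" { second = 1; next }
        !second    { old[$1] = $2; next }
        ($1 in old) && old[$1] != $2 { print $1, old[$1], $2 }
    '
}

# write_sample_status FILE LAPTOP_IP: constructed snapshot (RFC 5737
# addresses) in the status-version-1 layout, for a dry run without a server.
write_sample_status() {
    cat > "$1" <<EOF
OpenVPN CLIENT LIST
Updated,Mon Oct 15 09:12:03 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop-client,$2:51234,18402,211938,Mon Oct 15 08:40:11 2012
ops-desktop,192.0.2.9:60123,77120,904421,Mon Oct 15 07:15:30 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,laptop-client,$2:51234,Mon Oct 15 09:11:58 2012
10.8.0.10,ops-desktop,192.0.2.9:60123,Mon Oct 15 09:12:00 2012
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}
```

On the server, run address_changes /var/tmp/status.prev /etc/openvpn/openvpn-status.log from cron and copy the current file to the .prev location after each comparison.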

Step 4: Packet Forwarding and Routing

By default, Linux does not forward packets between interfaces. We need to enable this to allow traffic from the VPN tunnel to exit via the server's internet connection.

Edit /etc/sysctl.conf:

net.ipv4.ip_forward=1

Apply the change:

sudo sysctl -p

Iptables Masquerading

We need to NAT the traffic coming from 10.8.0.0/24 out through eth0. Do not rely on wrappers like ufw (the "Uncomplicated Firewall") if you want to understand what is happening. Use raw iptables.

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

To ensure this rule persists after a reboot, I prefer adding it to /etc/rc.local before the exit 0 line, or using iptables-save.

Step 5: Client Configuration

On your local machine (Linux/Mac/Windows), you need the ca.crt, laptop-client.crt, and laptop-client.key files. Securely transfer them (SCP or SFTP only).

Create a client.ovpn file:

client
dev tun
proto udp
remote YOUR_COOLVDS_IP 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert laptop-client.crt
key laptop-client.key
comp-lzo
verb 3
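Shipping three separate files to every engineer gets tedious, and the client above will happily connect to any peer holding a certificate signed by your CA, including another client's. The script below is an added example, not part of the original post: it assembles a single client.ovpn with the CA, certificate and key inlined and adds ns-cert-type server, which makes the client reject any peer whose certificate was not issued with build-key-server. It assumes the easy-rsa keys directory from this guide and an OpenVPN 2.1 or newer client (needed for inline blocks); it leaves out the user/group lines, which have no Windows equivalent.

```sh
#!/bin/sh
# Added example, not from the original post: build a single self-contained
# .ovpn for one engineer by inlining ca.crt, NAME.crt and NAME.key, so only
# one file has to go over SCP/SFTP. Inline <ca>/<cert>/<key> blocks need
# OpenVPN 2.1 or newer on the client. KEYS_DIR defaults to the post's path.
set -eu

# pem_block FILE TYPE: print only the PEM section of FILE. easy-rsa .crt
# files also carry a human-readable dump above the PEM that we leave out.
pem_block() {
    sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

# make_client_ovpn NAME SERVER_IP [KEYS_DIR] [PORT]  -> .ovpn on stdout
make_client_ovpn() {
    name=$1 server=$2
    keys=${3:-/etc/openvpn/easy-rsa/keys} port=${4:-1194}
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -s "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# no user/group here: Windows clients have no such options
# refuse servers whose cert lacks the nsCertType=server extension that
# build-key-server sets; newer clients (2.4+) prefer: remote-cert-tls server
ns-cert-type server
comp-lzo
verb 3
<ca>
$(pem_block "$keys/ca.crt" CERTIFICATE)
</ca>
<cert>
$(pem_block "$keys/$name.crt" CERTIFICATE)
</cert>
<key>
$(cat "$keys/$name.key")
</key>
EOF
}
```

Usage on the server: make_client_ovpn laptop-client YOUR_COOLVDS_IP > laptop-client.ovpn && chmod 600 laptop-client.ovpn, then transfer that one file; it contains the private key, so treat it like the .key itself.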

Why Infrastructure Matters

You can configure the perfect software stack, but if the physical layer is weak, your VPN will stutter. When routing all your traffic through a single point, that point becomes a bottleneck.

For Norwegian and European businesses, data sovereignty is critical under the Data Protection Directive. Hosting your VPN endpoint in Oslo means your data stays within the correct legal jurisdiction. Furthermore, CoolVDS offers robust DDoS protection. Even if your personal IP gets targeted, your VPN gateway stands firm, absorbing the noise so your connection doesn't drop.

Don't let packet loss ruin your SSH sessions. Deploy a test instance on CoolVDS today and experience what managed hosting hardware should feel like.