Stop Trusting Public WiFi: The Definitive OpenVPN Guide for 2011
Let’s be honest: if you are logging into your production servers via the coffee shop WiFi without a tunnel, you are asking for trouble. With tools like Firesheep making session hijacking child's play, and the looming shadow of the US Patriot Act making data sovereignty a nightmare, the "I'll just use SFTP" excuse doesn't cut it anymore.
As systems administrators, we need total control. We need encryption that we own. We need to route our traffic through a jurisdiction that respects privacy.
In this guide, I’m going to walk you through setting up a hardened OpenVPN server on a CentOS 6 VPS. Why OpenVPN? Because PPTP is broken (MS-CHAPv2 is a joke), and IPsec is a configuration purgatory. OpenVPN is the industry standard for SSL VPNs—robust, flexible, and open source.
Why Hosting Location Matters: The Norwegian Advantage
Before we touch the terminal, let's talk about where your packets live. Latency matters. If you are working with clients in Oslo or managing infrastructure across the Nordics, routing your encrypted traffic through a server in Texas adds 150ms of lag to every keystroke. That is unacceptable.
Furthermore, we have the Personopplysningsloven (Personal Data Act) and the watchful eye of Datatilsynet here in Norway. Hosting your VPN endpoint within Norwegian borders ensures your data falls under strict EEA regulations, not US jurisdiction where hardware seizures are a real risk.
Pro Tip: When choosing a VPS for OpenVPN, ensure your provider supports TUN/TAP devices. Many budget hosts oversell their OpenVZ nodes and leave the tun module disabled on the host node, and from inside a container you cannot load it yourself. A quick test from within the VPS is `cat /dev/net/tun`: the error `File descriptor in bad state` means the device is usable, whereas `No such device` or `No such file or directory` means it is not. At CoolVDS, we enable TUN/TAP by default on all our unmanaged instances because we know you need it.
Step 1: The Environment
We are using a fresh install of CentOS 6.0 (64-bit). You will need root access.
First, enable the EPEL repository, as OpenVPN isn't in the standard CentOS repos. The package is noarch, so either tree works; the path below is the 64-bit one to match our install:
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
rpm -ivh epel-release-6-5.noarch.rpm
yum update -y
Step 2: Install and Configure OpenVPN
Install OpenVPN and the Easy-RSA scripts for managing your SSL certificates:
yum install openvpn easy-rsa -y
Copy the sample configuration file to the working directory. The `openvpn-2.2.0` part of the path follows the package version; if the directory does not exist, check `rpm -q openvpn` and adjust:
cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf /etc/openvpn/
The Configuration
Edit /etc/openvpn/server.conf. We want UDP for speed (running TCP inside a TCP tunnel makes both layers retransmit at once and throughput collapses) and we want to push all client traffic through the tunnel.
Uncomment or modify these lines. Leave `persist-key` and `persist-tun` enabled: once the daemon has dropped to `nobody` it can no longer re-read the key or re-open the tun device on a restart. Also point the `ca`, `cert`, `key` and `dh` directives at the files Easy-RSA will produce in the next step (it writes them to `/etc/openvpn/easy-rsa/keys/`); the sample config uses bare file names that resolve relative to `/etc/openvpn`.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222" # OpenDNS
push "dhcp-option DNS 208.67.220.220"
user nobody
group nobody
Step 3: The PKI (Public Key Infrastructure)
This is the tedious part, but it is vital. We need a Certificate Authority (CA), a server certificate, per-client certificates and keys, and Diffie-Hellman parameters for the key exchange.
- Copy `easy-rsa` to `/etc/openvpn` and work from there: `cp -R /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa` followed by `cd /etc/openvpn/easy-rsa` (the scripts below use relative paths and expect to be run from this directory)
- Edit `/etc/openvpn/easy-rsa/vars` to match your organization details (Country=NO, etc.). Raise `KEY_SIZE` from the default 1024 to 2048 while you are there; it governs both the RSA keys and the DH parameters, and 1024-bit RSA is no longer considered adequate.
- Source the variables: `source ./vars`
- Clean all: `./clean-all` (this empties the `keys/` directory, so run it only once, when starting a fresh PKI)
- Build the CA: `./build-ca`
- Build the server key: `./build-key-server server` (this signs the certificate with the server extensions, which is what later lets clients verify they are talking to the real server and not to another client's certificate)
- Generate Diffie-Hellman parameters: `./build-dh` (this takes time!)
Everything lands in `/etc/openvpn/easy-rsa/keys/`: `ca.crt`, `server.crt`, `server.key`, and `dh1024.pem` or `dh2048.pem` depending on `KEY_SIZE`.
Note: On a slow legacy VPS, generating DH parameters can take forever, and 2048-bit parameters take far longer than 1024-bit ones. On CoolVDS instances, our high-performance CPUs make short work of it.
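Putting the configuration from Step 2 and the PKI output from Step 3 together, here is an added example script (it is not part of the original guide) that generates the tls-auth key a hardened setup should use, writes a complete /etc/openvpn/server.conf with absolute paths, and checks that every file the config references exists and is readable before you start the service. It assumes Easy-RSA wrote its output to /etc/openvpn/easy-rsa/keys and that KEY_SIZE was set to 2048 in vars (so the DH file is dh2048.pem; with the default 1024 it is dh1024.pem).

```shell
#!/bin/sh
# Added example, not from the original guide. Writes a complete OpenVPN server
# configuration and verifies the files it points at before the service starts.
# Assumptions: Easy-RSA output in /etc/openvpn/easy-rsa/keys, KEY_SIZE=2048.

# ensure_tls_auth_key <keys-dir>: create the shared HMAC key once, owner-only
ensure_tls_auth_key() {
    keys=$1
    if [ ! -f "$keys/ta.key" ]; then
        openvpn --genkey --secret "$keys/ta.key"
        chmod 600 "$keys/ta.key"
    fi
}

# write_server_conf <conf-path> <keys-dir>
write_server_conf() {
    conf=$1; keys=$2
    cat > "$conf" <<EOF
port 1194
proto udp
dev tun
# Absolute paths, so the config does not depend on the daemon's working directory
ca   $keys/ca.crt
cert $keys/server.crt
key  $keys/server.key
dh   $keys/dh2048.pem
# HMAC check on every packet: unsigned UDP packets are dropped before any TLS work
tls-auth $keys/ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
# Stronger than the Blowfish default; the client must set the same cipher
cipher AES-256-CBC
comp-lzo
# Drop root after startup ...
user nobody
group nobody
# ... which is why the key and the tun device must survive restarts
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
EOF
}

# check_server_conf <conf-path>: report files named by ca/cert/key/dh/tls-auth
# that are missing or unreadable; returns 0 only when all of them are present.
check_server_conf() {
    conf=$1; missing=0
    for f in $(awk '$1 ~ /^(ca|cert|key|dh|tls-auth)$/ { print $2 }' "$conf"); do
        if [ ! -r "$f" ]; then
            echo "check_server_conf: missing or unreadable: $f" >&2
            missing=1
        fi
    done
    return $missing
}

# Typical use on the server, as root:
#   ensure_tls_auth_key /etc/openvpn/easy-rsa/keys
#   write_server_conf /etc/openvpn/server.conf /etc/openvpn/easy-rsa/keys
#   check_server_conf /etc/openvpn/server.conf \
#       && chkconfig openvpn on && service openvpn start
```

The check catches the most common first-start failure (a typo in a key path, or a key only root can read after the privilege drop) before it shows up as a cryptic line in /var/log/messages.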
Step 4: IP Forwarding and Iptables
Your server needs to act like a router. Enable IP forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make it permanent, edit /etc/sysctl.conf, set net.ipv4.ip_forward = 1, and apply it with sysctl -p.
Now configure iptables to NAT the tunnel traffic out to the internet. The outbound interface is eth0 on KVM (which CoolVDS uses) and venet0 on OpenVZ; check with ip addr and adjust the command. Note that the stock CentOS 6 ruleset ends its FORWARD chain with a REJECT rule, so forwarded tunnel packets also need ACCEPT rules inserted ahead of it; the MASQUERADE rule alone is not enough:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
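As an added example that is not part of the original guide, here is the complete rule set for the default CentOS 6 firewall, including the FORWARD rules the MASQUERADE line above depends on. It assumes the tunnel is 10.8.0.0/24 on tun0 and the uplink is eth0 (set WAN=venet0 on OpenVZ). With DRY_RUN=1 it prints the commands instead of running them, which is handy for reviewing the rule order on a box where you are not root.

```shell
#!/bin/sh
# Added example, not from the original guide: iptables rules for a routed
# OpenVPN server on a stock CentOS 6 firewall. Assumptions: tunnel 10.8.0.0/24
# on tun0, uplink eth0 (WAN=venet0 on OpenVZ), the distribution's FORWARD chain
# ending in "-j REJECT --reject-with icmp-host-prohibited".

WAN=${WAN:-eth0}
TUN_NET=${TUN_NET:-10.8.0.0/24}

# run: execute iptables, or just print the command when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

vpn_firewall() {
    # 1. Accept the tunnel's packets on the public port.
    #    -I puts the rule ahead of the stock REJECT at the end of INPUT.
    run -I INPUT -p udp --dport 1194 -j ACCEPT
    # 2. Forwarding. Appending (-A) would land these after the stock
    #    "-A FORWARD -j REJECT", so they are inserted at positions 1 and 2.
    run -I FORWARD 1 -i tun0 -o "$WAN" -s "$TUN_NET" -j ACCEPT
    run -I FORWARD 2 -i "$WAN" -o tun0 -d "$TUN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Source-NAT the clients behind the server's public address.
    run -t nat -A POSTROUTING -s "$TUN_NET" -o "$WAN" -j MASQUERADE
}

# On the server, as root:  vpn_firewall && service iptables save
```

The return-path rule only admits ESTABLISHED,RELATED traffic, so the internet cannot initiate connections to clients through the tunnel.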
Step 5: Client Setup
Generate a client key on the server:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key client1
Securely transfer ca.crt, client1.crt, and client1.key to your laptop (scp over SSH, not e-mail; the .key file is the client's private credential and should stay readable only by its owner). If you are on Windows 7, you'll need the OpenVPN GUI running as Administrator, since it has to change the routing table. If you are on Linux, run openvpn --config client.ovpn as root.
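The client.ovpn mentioned above is easier to carry around as a single file. As an added example (not part of the original guide), the script below bundles ca.crt, client1.crt, client1.key and the tls-auth key into one .ovpn using OpenVPN's inline <ca>/<cert>/<key>/<tls-auth> blocks (supported since 2.1), and pins the client to a certificate built with build-key-server so that another client's certificate cannot impersonate the server. It assumes the Easy-RSA key directory from Step 3, a server running tls-auth with cipher AES-256-CBC, and uses vpn.example.no as a placeholder hostname.

```shell
#!/bin/sh
# Added example, not from the original guide: build a self-contained client
# profile from the Easy-RSA output. Assumes the server uses tls-auth and
# cipher AES-256-CBC; vpn.example.no is a placeholder for your server.

# make_ovpn <server-host> <client-name> <keys-dir>
# Writes <client-name>.ovpn in the current directory and prints its name.
make_ovpn() {
    host=$1; name=$2; keys=$3
    out="$name.ovpn"
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$keys/$f" ] || { echo "make_ovpn: cannot read $keys/$f" >&2; return 1; }
    done
    {
        cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server certificate carrying the server extensions that
# Easy-RSA's build-key-server adds; a stolen client cert cannot pose as the server.
remote-cert-tls server
# Must match the server side
cipher AES-256-CBC
comp-lzo
verb 3
# tls-auth direction: the server uses 0, clients use 1
key-direction 1
EOF
        echo "<ca>";       cat "$keys/ca.crt";     echo "</ca>"
        echo "<cert>";     cat "$keys/$name.crt";  echo "</cert>"
        echo "<key>";      cat "$keys/$name.key";  echo "</key>"
        echo "<tls-auth>"; cat "$keys/ta.key";     echo "</tls-auth>"
    } > "$out"
    chmod 600 "$out"    # the private key is inside; keep it to the owner
    echo "$out"
}

# Example: make_ovpn vpn.example.no client1 /etc/openvpn/easy-rsa/keys
```

The readability check runs before anything is written, so a missing file produces an error rather than a half-complete profile that fails only when the user tries to connect.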
Performance: The SSD Difference
Encryption adds overhead. While OpenVPN is CPU bound, the responsiveness of the underlying OS matters. When logs rotate, or when you are pulling large files through the tunnel, disk I/O wait can kill your throughput.
This is where CoolVDS shines. Unlike budget hosts spinning rusty SATA drives in RAID 5, we utilize Enterprise SSD storage. The random I/O performance means your VPN doesn't choke when the system is under load. Combined with our low-latency connection to the NIX (Norwegian Internet Exchange), you get a tunnel that feels like a local connection.
Summary of Commands
| Action | Command |
|---|---|
| Start OpenVPN | service openvpn start |
| Check Status | service openvpn status |
| Follow Logs | tail -f /var/log/messages |
Conclusion
Setting up OpenVPN isn't just a "nice to have" in 2011; it's a requirement for anyone serious about security. By hosting it in Norway, you gain legal protections and superior latency. By hosting it on CoolVDS, you get the raw power needed to handle strong encryption without the lag.
Don't let your data traverse the web naked. Spin up a CoolVDS SSD VPS today and lock down your connection.