
Stop Broadcasting Your Passwords: Hardening OpenVPN on CentOS 5

The Coffee Shop Threat Vector

It is 2010, and I still see developers logging into production servers via plain FTP over open airport Wi-Fi. It sends shivers down my spine. Packet sniffers are not just for the NSA anymore; script kiddies with a laptop can pull your session cookies and plain-text passwords out of the air in seconds. If you are managing infrastructure or accessing sensitive client data, relying on the "security" of a hotel hotspot is professional suicide.

The solution isn't to stop working remotely; it's to tunnel your traffic through a trusted endpoint. You need a VPN. Not a sluggish, paid service that routes your data through a congested server in Panama, but your own private gateway running on a dedicated slice of hardware.

In this guide, we are going to build a bulletproof OpenVPN server on a CoolVDS instance. Why CoolVDS? Because unlike many budget providers jamming users into restrictive OpenVZ containers, CoolVDS offers true virtualization. You get your own kernel modules—specifically the tun/tap device required for VPN tunneling—without having to beg support to enable it.

Prerequisites: The Foundation

We are deploying this on CentOS 5.4. It’s stable, boring, and enterprise-ready. You will need:

  • Root access to a VPS (Virtual Private Server).
  • The yum package manager.
  • A basic understanding of IP addressing.

Pro Tip: Latency kills VPN performance. If you are in Oslo or Bergen, hosting your VPN endpoint in the US adds roughly 150ms of round-trip time to every packet, and with redirect-gateway every packet goes through the tunnel. For responsive RDP or SSH sessions you need physical proximity. A CoolVDS instance located at the NIX (Norwegian Internet Exchange) keeps your ping in the single digits.

Step 1: Installing OpenVPN and Dependencies

OpenVPN isn't in the default CentOS repositories. We need the EPEL (Extra Packages for Enterprise Linux) repository. Stop compiling from source unless you enjoy dependency hell.

# epel-release is a noarch package; the same file sits under .../epel/5/x86_64/ on 64-bit hosts
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
# easy-rsa is not a separate package on EL5: the 2.0 scripts ship inside the openvpn package
# under /usr/share/openvpn/easy-rsa/2.0 (iptables is already part of base CentOS)
yum install openvpn iptables

Step 2: The PKI Nightmare (Simplified)

The most daunting part of OpenVPN is the Public Key Infrastructure (PKI). We need a Certificate Authority (CA), a server certificate, and one client certificate per user. Do not skip this. OpenVPN's static pre-shared key mode is fine for a single point-to-point link, but it supports exactly one client per tunnel and gives you no way to revoke one stolen laptop without re-keying everyone; with certificates you revoke that one client and the rest keep working.

Copy the easy-rsa scripts to a safe location to prevent updates from wiping your config:

cp -R /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/

Edit the vars file before generating anything. The KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL values only end up in the certificate subject; they have no effect on where your traffic appears to come from, but set them anyway (KEY_COUNTRY="NO", KEY_PROVINCE="Oslo") so your certificates are identifiable instead of carrying the "US"/"CA"/"SanFrancisco" placeholders. The settings that actually matter for security are KEY_SIZE, which defaults to 1024 and should be raised to 2048 (this also changes the Diffie-Hellman file that build-dh writes from dh1024.pem to dh2048.pem, so adjust the server config to match), and CA_EXPIRE/KEY_EXPIRE, which default to ten years; shorten KEY_EXPIRE if you would rather have client certificates that age out on their own.

Now, build the keys:

. ./vars
./clean-all                  # wipes keys/: run it once, never again on a CA you are already using
./build-ca                   # prompts are pre-filled from vars; this is the key everything else trusts
./build-key-server server    # server cert marked nsCertType=server, so clients can tell it from a client cert
./build-key client1          # one cert per user, each with a unique Common Name; answer y to sign and commit
./build-dh                   # writes keys/dh<KEY_SIZE>.pem

The last command generates the Diffie-Hellman parameters (keys/dh1024.pem by default, keys/dh2048.pem if you raised KEY_SIZE); it is the slow step. On a slow shared host, this takes forever. On CoolVDS's high-performance architecture, it’s done before you can finish a sip of coffee.

Step 3: Server Configuration

Create /etc/openvpn/server.conf. We are using UDP for speed (TCP over TCP leads to meltdown) and the tun interface for routing.

port 1194
proto udp
dev tun
# easy-rsa writes everything under its own keys/ directory; absolute paths mean it does not
# matter which directory the init script starts openvpn from
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# dh2048.pem if you set KEY_SIZE=2048 in vars; the default KEY_SIZE=1024 produces dh1024.pem
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
# OpenVPN's default is BF-CBC; whatever you choose here must appear verbatim in every client config
cipher AES-256-CBC
comp-lzo
# drop root once the tunnel is up; persist-key/persist-tun let restarts work without re-reading
# the key or re-opening the tun device as the unprivileged user
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

The line push "redirect-gateway def1" is the magic switch. It tells the client: "Send everything through the VPN." The def1 flag does this by adding two routes, 0.0.0.0/1 and 128.0.0.0/1, via the tunnel; they are more specific than the existing default route, so they win without the client having to delete its original gateway. Without this directive you are just talking to the server securely while your web browsing still leaks out the side. Once everything is redirected the pushed DNS server matters too: the hotspot's resolver usually sits on the local LAN, and the route to that LAN is still more specific than the tunnel routes, so without the dhcp-option line your name lookups keep going out in the clear. Windows clients apply the pushed DNS automatically; Linux clients need an up script such as update-resolv-conf to act on it.

Step 4: IP Forwarding and NAT

A VPN server is just a fancy router. We need to tell the Linux kernel to forward packets. Edit /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Apply it with sysctl -p and confirm with cat /proc/sys/net/ipv4/ip_forward, which must print 1. Now configure iptables to masquerade the traffic, which effectively turns your VPS into a NAT router for your laptop. Two details the MASQUERADE rule alone does not cover: the stock CentOS firewall sends both INPUT and FORWARD through the RH-Firewall-1-INPUT chain, which ends in a REJECT, so the VPN port and the forwarded tunnel traffic have to be inserted ahead of it with -I rather than appended with -A; and eth0 must be the interface carrying your public address (check with ip addr). Finish with chkconfig openvpn on so the service comes back after a reboot.

iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service openvpn start
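The four steps above leave the client side unwritten: the user still needs a config that points at the server and carries ca.crt, client1.crt and client1.key. The shell function below is an added example, not code from the original article, that builds one self-contained .ovpn with those three files embedded inline (OpenVPN 2.1 and later clients read <ca>, <cert> and <key> blocks) and pins the server certificate with ns-cert-type server, so that someone holding any other client certificate signed by your CA cannot stand up a fake "server" on a hotspot and have your laptop accept it. The hostname vpn.example.com, the output path and the argument names are assumptions for illustration; the keys directory is the one easy-rsa created in Step 2.

```shell
#!/bin/sh
# Added example (not from the original article): assemble a single self-contained
# .ovpn for one client from the easy-rsa output of Step 2.
# Assumptions: the VPS is reachable as vpn.example.com on udp/1194 (hypothetical name),
# keys live under /etc/openvpn/easy-rsa/keys, and the client runs OpenVPN 2.1 or newer.

# build_client_profile NAME HOST KEYDIR OUTFILE [CIPHER]
#   NAME    Common Name given to ./build-key, e.g. client1
#   HOST    public DNS name or IP of the VPS
#   KEYDIR  easy-rsa keys directory holding ca.crt, NAME.crt and NAME.key
#   OUTFILE where to write the profile; created mode 0600 because it contains a private key
#   CIPHER  optional; must be identical to the server's "cipher" line, omit it if the server
#           runs with OpenVPN's default cipher
build_client_profile() {
    name=$1; host=$2; keydir=$3; out=$4; cipher=${5:-}

    # Fail loudly on a missing or empty input instead of shipping a half-built profile.
    for f in "$keydir/ca.crt" "$keydir/$name.crt" "$keydir/$name.key"; do
        if [ ! -s "$f" ]; then
            echo "build_client_profile: missing or empty $f" >&2
            return 1
        fi
    done

    # The subshell keeps the restrictive umask from leaking into the caller's shell.
    (
        umask 077
        {
            echo "client"
            echo "dev tun"
            echo "proto udp"
            echo "remote $host 1194"
            echo "resolv-retry infinite"   # keep retrying DNS when the laptop wakes on a new network
            echo "nobind"                  # no fixed local port, so NAT'd hotspots just work
            echo "persist-key"
            echo "persist-tun"
            # Only trust a server certificate built with ./build-key-server (nsCertType=server).
            # Without this line any client cert from the same CA would be accepted as the server.
            echo "ns-cert-type server"
            if [ -n "$cipher" ]; then
                echo "cipher $cipher"
            fi
            echo "comp-lzo"                # must match the server: both sides or neither
            echo "verb 3"
            echo "<ca>";   cat "$keydir/ca.crt";    echo "</ca>"
            echo "<cert>"; cat "$keydir/$name.crt"; echo "</cert>"
            echo "<key>";  cat "$keydir/$name.key"; echo "</key>"
        } > "$out"
    )
}

# Typical call on the server; copy the result to the laptop with scp, never by e-mail:
#   build_client_profile client1 vpn.example.com /etc/openvpn/easy-rsa/keys /root/client1.ovpn AES-256-CBC
```

The profile deliberately contains no redirect-gateway or DNS lines: the server pushes those, so changing them later is a server-side edit rather than a re-issue of every client file. If you later revoke client1 with easy-rsa's revoke-full and add crl-verify to the server config, this file stops working at the next reconnect, which is the whole point of having built a PKI instead of a shared key.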

The Compliance & Performance Angle

Beyond security, there is a legal aspect. Under the Norwegian Personal Data Act (Personopplysningsloven), you have a responsibility to secure personal data. If you are accessing customer databases remotely without encryption, you are likely in violation.

Furthermore, hosting your VPN on a VPS in Norway offers a distinct advantage: Data Sovereignty. Your encrypted tunnel endpoints remain within Norwegian jurisdiction, a factor that is becoming increasingly relevant for businesses concerned with corporate espionage or foreign data retention laws.

Why Hardware Matters

Encryption is CPU intensive. While OpenVPN is efficient, pushing 10Mbps+ of AES or Blowfish encrypted traffic requires decent CPU cycles. Many budget hosts oversell their CPUs, leading to "jitter" in your connection. CoolVDS guarantees resource availability. We also utilize high-speed RAID arrays (far faster than standard SATA drives) which helps when you are logging verbose connection data or running additional services alongside your VPN.

Don't risk your credentials on open airwaves. A proper VPN setup takes 15 minutes and costs less per month than two coffees. Secure your infrastructure today.