Stop Trusting Public Wi-Fi: A Battle-Hardened Guide to OpenVPN on Debian 6
Let’s be honest: if you are still reading corporate webmail or fetching mail over plain POP3/IMAP from a hotel Wi-Fi without a tunnel, you are practically begging to be compromised. SSH encrypts its own traffic, but a hostile network is exactly where an unexpected host-key warning should be read as a man-in-the-middle attempt rather than clicked through. Last year's release of Firesheep proved that session hijacking isn't just for elite hackers anymore: anyone with a Firefox extension can lift the session cookies of sites that log you in over HTTPS and then fall back to plain HTTP.
Many sysadmins settle for PPTP because it's "easy" and built into Windows. It is also fundamentally broken. MS-CHAPv2 was cryptanalysed by Schneier and Mudge back in 1999, and because the MPPE session keys are derived from the user's password hash, an offline dictionary attack on a single captured handshake recovers the password and, with it, the keys protecting the traffic. I don't trust it to secure a grocery list, let alone root credentials.
The only robust solution in 2011 is OpenVPN. It’s open-source, uses OpenSSL for both the TLS handshake and the data-channel cipher, and is tough as nails. But it’s not exactly user-friendly to set up. I’ve spent too many nights debugging routing tables and MTU issues. Today, I’m sharing a configuration that actually works, specifically for a Norwegian VPS, where privacy laws like the Personal Data Act (Personopplysningsloven) still mean something, despite the looming shadow of the Data Retention Directive (DLD).
The Architecture: Why Location Matters
Latency kills TCP throughput: a connection cannot move more than one receive window per round trip, so every extra millisecond of RTT is bandwidth you never get back. If you are working in Oslo or deploying code to European servers, tunneling through a US node is suicide for your connection speed. You need a termination point physically close to you.
This is where our infrastructure at CoolVDS comes in. We peer directly at NIX (Norwegian Internet Exchange). When you ping `vg.no` or `finn.no` from our nodes, you are looking at single-digit millisecond responses.
Step 1: The Pre-Flight Check
I am assuming you are running a fresh install of Debian 6 (Squeeze). You can use CentOS 5, but Debian's package management is just cleaner for this.
Pro Tip: Avoid cheap OpenVZ containers where the host has not enabled the TUN/TAP device. Check it with `cat /dev/net/tun`. On a working system the command fails immediately with "File descriptor in bad state", and that is the answer you want: the device opened, there is just no interface attached to read from. "No such file or directory", "No such device" or "Operation not permitted" means the host has not given your container a TUN device, and OpenVPN will not start. CoolVDS instances are KVM-based (or properly configured OpenVZ), so the TUN device is always available. We don't cripple your kernel.
Step 2: Server Installation & Keys
First, update your repositories and install the package. We aren't compiling from source today; the 2.1.x package in Squeeze is stable enough. On Squeeze the easy-rsa scripts ship inside the openvpn package (under `/usr/share/doc/openvpn/examples`), so there is nothing else to install:
apt-get update && apt-get install openvpn
Now, the tedious part: PKI (Public Key Infrastructure). Do not skip this. Static (shared) keys are for amateurs: they support exactly one client and give you no forward secrecy. We are generating 2048-bit RSA keys; 1024-bit is no longer sufficient in 2011. Before you source `vars`, open it and change `export KEY_SIZE=1024` to `export KEY_SIZE=2048` (and fill in the `KEY_COUNTRY`/`KEY_ORG` defaults so you are not prompted for them on every certificate). `build-dh` reads the same variable, so your Diffie-Hellman parameters come out as 2048-bit too.
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
This will generate `server.crt`, `server.key`, `ca.crt`, and your Diffie-Hellman parameters (`dh2048.pem` with the key size set above) under `/etc/openvpn/easy-rsa/keys/`. Copy those four into `/etc/openvpn/` and make `server.key` readable by root only. `client1.crt` and `client1.key` go to the client over a secure channel (scp, not e-mail). `ca.key` stays on the server, or better, on a machine that is not the VPN server at all: whoever holds it can mint certificates that your VPN will trust.
Step 3: The Configuration (server.conf)
Most default configs are garbage. They don't push routes, and they leave the data-channel cipher at the 2.1 default (Blowfish, `BF-CBC`). Create `/etc/openvpn/server.conf` with this content (note `dh2048.pem`, matching the 2048-bit parameters you generated above):
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
Notice `proto udp`. TCP over TCP results in "meltdown" when packet loss occurs. Always use UDP for the tunnel unless a restrictive corporate firewall forces you to use TCP port 443.
Step 4: IP Forwarding & IPTables
Your VPS needs to act like a router. If you forget this, you connect, but you can't reach the internet.
echo 1 > /proc/sys/net/ipv4/ip_forward
To make it permanent, edit `/etc/sysctl.conf` and set `net.ipv4.ip_forward=1`.
Now, the NAT rule. Since we aren't using complex firewall managers yet, raw `iptables` is the way. This assumes your WAN interface is `eth0` (check with `ip addr`). The rule is not persistent: save it with `iptables-save` and restore it from a script in `/etc/network/if-pre-up.d/`, or it is gone after the next reboot and your clients connect but go nowhere. On some OpenVZ hosts the MASQUERADE target is missing; use `-j SNAT --to-source <your public IP>` instead.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
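Steps 1 through 4 as one script, added here as an example and not code from the original post. Everything except `--apply` runs on any machine, so you can review the generated `server.conf` and run the weak-setting audit before touching the server; `--apply` performs the installation as root. It assumes the Squeeze paths used above, easy-rsa 2.0's `pkitool` (the non-interactive form of `build-ca`/`build-key-server`/`build-key`), `eth0` as the WAN interface, and it adds two lines the post's config leaves out: an explicit `cipher AES-256-CBC` (the 2.1 default is BF-CBC) and a `tls-auth` HMAC key that makes the server drop handshake packets from anyone who does not hold `ta.key`.

```shell
#!/bin/sh
# Added example (not from the original post). Review mode: sh openvpn-setup.sh
# Install mode (root, Debian 6): sh openvpn-setup.sh --apply
# Assumptions: Squeeze paths, easy-rsa 2.0 pkitool, WAN interface eth0.

# Interpret the output of "cat /dev/net/tun". "File descriptor in bad state"
# is what a WORKING tun device says when read with no interface attached.
classify_tun() {
  case "$1" in
    *"File descriptor in bad state"*)               echo ok ;;
    *"No such file or directory"*)                  echo missing ;;   # no device node
    *"No such device"*|*"Operation not permitted"*) echo disabled ;;  # host withheld tun
    *)                                              echo unknown ;;
  esac
}

check_tun() {
  classify_tun "$(cat /dev/net/tun 2>&1 </dev/null)"
}

# Emit server.conf. $1 is the DH file; $2 = "hardened" appends an explicit
# data-channel cipher and an HMAC key on the TLS control channel.
render_server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh $1
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
  [ "$2" = hardened ] && printf 'cipher AES-256-CBC\ntls-auth ta.key 0\n'
  return 0
}

# Flag the settings a reviewer looks for. Prints space-separated findings,
# an empty line when the file is clean.
audit_server_conf() {
  f=$1; out=""
  grep -q '^dh .*1024' "$f" && out="$out dh1024"       # 1024-bit DH parameters
  grep -q '^cipher '   "$f" || out="$out no-cipher"    # running on the BF-CBC default
  grep -q '^tls-auth ' "$f" || out="$out no-tls-auth"  # handshake open to anyone
  grep -q '^proto tcp' "$f" && out="$out proto-tcp"    # TCP-over-TCP meltdown risk
  printf '%s\n' "${out# }"
}

# The real installation (root only).
apply_server() {
  apt-get update && apt-get install -y openvpn
  cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
  cd /etc/openvpn/easy-rsa || return 1
  sed -i 's/^export KEY_SIZE=.*/export KEY_SIZE=2048/' vars   # default is 1024
  . ./vars
  ./clean-all
  ./pkitool --initca          # build-ca, non-interactive
  ./pkitool --server server   # build-key-server server (sets nsCertType=server)
  ./pkitool client1           # build-key client1
  ./build-dh                  # keys/dh2048.pem, because KEY_SIZE=2048
  openvpn --genkey --secret keys/ta.key
  cp keys/ca.crt keys/server.crt keys/server.key keys/dh2048.pem keys/ta.key /etc/openvpn/
  chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key
  render_server_conf dh2048.pem hardened > /etc/openvpn/server.conf
  echo 1 > /proc/sys/net/ipv4/ip_forward
  grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  /etc/init.d/openvpn restart
}

if [ "${1:-}" = "--apply" ]; then
  apply_server
else
  echo "tun device: $(check_tun)"
  render_server_conf dh2048.pem hardened
fi
```

Run the audit against the post's own config (`render_server_conf dh1024.pem > /tmp/weak.conf; audit_server_conf /tmp/weak.conf`) and it reports `dh1024 no-cipher no-tls-auth`; the hardened render reports nothing. The `tls-auth` key must be copied to every client with direction `1`, and `cipher` must match on both ends or the tunnel comes up and silently drops every packet.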
Performance: SSD vs. HDD
VPN encryption is CPU intensive, but logging and status updates hit the disk. On a traditional spinner (HDD), I've seen high-traffic VPN logs cause I/O wait that slows down the whole system.
This is why we deployed Enterprise SSD storage across our new nodes. It might not be standard in the industry yet, but the random write performance ensures your logs don't choke the encryption process. When you combine that with our low latency network, the VPN feels invisible.
Client Side
On Windows 7, use the OpenVPN GUI and run it as Administrator (it has to rewrite the routing table when `redirect-gateway` is pushed). On Mac OS X Snow Leopard, Tunnelblick is the client of choice. Drop `client1.crt`, `client1.key`, `ca.crt` and a `client1.ovpn` that references them into the config folder, keep `client1.key` readable by your user only, and you are dark.
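The post does not show the client side of the configuration, so here is a matching `client1.ovpn`, added as an example rather than taken from the original. `vpn.example.com` is a placeholder for your VPS address. The `tls-auth` (direction `1`) and `cipher` lines must mirror the server; if your `server.conf` does not set them, remove both here. `ns-cert-type server` makes the client refuse any peer whose certificate was not issued with `build-key-server`, so a stolen client certificate cannot be used to impersonate the VPN.

```conf
client
dev tun
proto udp
; placeholder: replace with your server's address
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
; HMAC key generated on the server; direction 1 on every client
tls-auth ta.key 1
; only accept a server certificate built with build-key-server
ns-cert-type server
; must match the server's cipher line
cipher AES-256-CBC
comp-lzo
verb 3
```

The pushed `dhcp-option DNS` lines are applied automatically by the Windows client and by Tunnelblick. A Linux client ignores them unless you add `script-security 2` together with `up /etc/openvpn/update-resolv-conf` and `down /etc/openvpn/update-resolv-conf` (the script ships with the Debian package); without that, your DNS queries keep going out the hotel's resolver in the clear.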
Why Not Just Use a Proxy?
A proxy only covers the applications you point at it, usually just the browser. OpenVPN secures everything: your FTP client, your Outlook connection, and your SSH sessions. With the Data Retention Directive discussions heating up in Stortinget, ensuring that your metadata isn't easily sniffed by the guy at the next table is basic digital hygiene.
Don't risk your credentials on an open network. Spin up a Debian instance, lock it down, and own your traffic.
Ready to secure your connection? Deploy a high-performance VPS on CoolVDS today and get root access in under 60 seconds.