Tunnel Vision: Building a Bulletproof OpenVPN Gateway on CentOS 6
Let's be honest. If you are logging into your production servers via plain FTP or Telnet from a coffee shop in Grünerløkka, you deserve to get hacked. Even unencrypted HTTP traffic is a goldmine for anyone running Firesheep or a basic packet sniffer on the local network.
Security isn't about paranoia; it's about physics and protocol. As a sysadmin, you need a secure pipe. You need to route your traffic through a trusted endpoint before it hits the open internet. You need a VPN. But relying on third-party VPN services means trusting their logs. The only way to be sure is to build it yourself.
Today, we are deploying OpenVPN 2.2 on CentOS 6. Why OpenVPN? Because IPsec can be a nightmare to debug through NAT, and PPTP has been cryptographically broken for years. OpenVPN is the industry standard for SSL-based tunneling.
The Latency Equation
Before we touch the terminal, let's talk about geography. If you are working in Oslo and your VPN endpoint is in Texas, your packets are crossing the Atlantic twice. Your ping goes from 4ms to 180ms. Your SSH sessions will lag. It becomes unusable.
For Norwegian professionals, the endpoint needs to be in Norway. This is why I provision my tunnels on CoolVDS. Their datacenter is peered directly at NIX (Norwegian Internet Exchange), meaning the latency from my laptop to the VPN server is effectively negligible. You want your encryption overhead to be the bottleneck, not the speed of light.
Step 1: The Foundation
We assume you have a fresh CoolVDS VPS instance running CentOS 6.2 (or similar RHEL 6 derivative). First, we need the EPEL (Extra Packages for Enterprise Linux) repository, as OpenVPN isn't in the standard Red Hat repos.
su -
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm
yum update -y
yum install openvpn -y
Step 2: The PKI Infrastructure
OpenVPN relies on a Public Key Infrastructure (PKI). We need a Certificate Authority (CA), a server certificate, and one certificate per client. We will use the easy-rsa 2.0 scripts that ship in the package's documentation directory.
Copy the scripts to a working directory so a future package update doesn't overwrite your keys (adjust the version number in the path to match the installed package; it's the openvpn directory under /usr/share/doc/):
mkdir -p /etc/openvpn/easy-rsa/2.0
cp -r /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/
cd /etc/openvpn/easy-rsa/2.0
Edit the vars file. This saves you from typing your country and organization fifty times. Open it with vi and scroll to the bottom. While you are there, note the KEY_SIZE line: its default of 1024 is what later produces dh1024.pem and 1024-bit RSA keys; if you raise it to 2048, build-dh writes dh2048.pem instead and the dh line in the server config must point at that file.
export KEY_COUNTRY="NO"
export KEY_PROVINCE="Oslo"
export KEY_CITY="Oslo"
export KEY_ORG="CoolVDS_Ops"
export KEY_EMAIL="admin@yourdomain.com"
Now, build the CA and the Server Key. Warning: The `clean-all` command wipes any existing keys. Only run this on a fresh install.
source ./vars
./clean-all
./build-ca
./build-key-server server
When asked for the "Common Name", use your server's hostname; it must differ from every client's Common Name, because that is what OpenVPN uses to tell peers apart. Next, generate the Diffie-Hellman parameters. These are not key material and not "entropy": build-dh asks OpenSSL to search for a large safe prime of KEY_SIZE bits, which server and clients then use as the group for their ephemeral key exchange, and the prime search is why it takes a minute or two on a standard VPS. One more thing before you move on: keys/ca.key is the root of trust for the whole PKI. Anyone who can read it can mint a client certificate your server will accept, so either generate the CA on a machine that is not the gateway and copy only ca.crt across, or at the very least keep the keys directory owner-only (clean-all creates it mode 700) and never copy ca.key anywhere.
./build-dh
Step 3: Server Configuration
This is where the magic happens. We need to tell OpenVPN how to handle the tunnel. Create /etc/openvpn/server.conf. I prefer UDP over TCP for tunnels to avoid the "TCP meltdown" effect where retransmissions stack up.
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key # This file should be kept secret
# Must match the file ./build-dh produced (dh2048.pem if you raised KEY_SIZE in vars)
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# Set the data-channel cipher explicitly: without this line OpenVPN 2.2 uses BF-CBC.
# The cipher is not negotiated in 2.2, so the client config must carry the same line.
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Push routes to the client to send all traffic through the VPN
push "redirect-gateway def1 bypass-dhcp"
# Push a resolver for use inside the tunnel (Google Public DNS or your ISP's).
# Windows clients apply this automatically; Linux clients only do so with an up/down
# script such as update-resolv-conf. Otherwise DNS queries keep going to the
# coffee-shop resolver in the clear while everything else is tunnelled.
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Pro Tip: If you are concerned about Datatilsynet compliance and data retention, keep the logging verbosity low (verb 3 is the normal operating level; verb 4 and above log per-client detail you don't need in production), set up log rotation, and remember that openvpn-status.log and ipp.txt also map client names to addresses. You don't want to store connection logs longer than necessary.
Step 4: Packet Forwarding & Routing
By default, Linux is a host, not a router. We need to enable IP forwarding. Edit /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Apply the change immediately:
sysctl -p
Now, we must configure iptables. Two things are needed. First, NAT (Network Address Translation), so the private 10.8.0.x source addresses of the VPN clients are rewritten to the public IP of your CoolVDS instance on the way out. Second, permission to pass the traffic at all: the stock CentOS 6 ruleset ends both the INPUT and the FORWARD chain with a REJECT rule, so a MASQUERADE rule on its own leaves the tunnel up but passing nothing. The rules below are inserted ahead of those rejects; replace eth0 if your public interface has another name (check the default route).
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
If you don't save the iptables rules, they vanish on reboot, and the symptom is the same as forgetting the FORWARD rules: your VPN connects but passes zero traffic. I've seen senior admins lose hours debugging this.
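Before starting the daemon, it is worth checking the things flagged in Steps 3 and 4 (forwarding disabled, no cipher line, 1024-bit DH, a key readable by other users) with a script rather than by eye. The one below is an added example written for this post, not an OpenVPN tool; the server.conf path and the ip_forward path are arguments so you can point it at copies, and the defaults match the layout used here. It prints one line per finding and the number of problems found.

```bash
#!/bin/sh
# check_gateway.sh: offline lint for the server.conf and host settings from Steps 3 and 4.
# Added example written for this post, not an OpenVPN tool. Paths are arguments so it can
# be pointed at copies; the defaults match the layout used in this post.
# Usage: ./check_gateway.sh [/etc/openvpn/server.conf] [/proc/sys/net/ipv4/ip_forward]

# conf_get FILE DIRECTIVE: value of the first matching directive, '#' comments stripped.
conf_get() {
    sed -e 's/#.*//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# go_perms FILE: the group and other permission bits as ls -l shows them ("------" = owner only).
go_perms() {
    ls -ld "$1" | cut -c5-10
}

PROBLEMS=0
note() {
    echo "$1" >&2
    PROBLEMS=$((PROBLEMS + 1))
}

# check_gateway CONF FORWARD_FILE: findings on stderr, number of problems on stdout.
check_gateway() {
    conf="$1"; fwd="$2"; PROBLEMS=0

    # 1. Without a cipher line OpenVPN 2.2 silently uses its BF-CBC default.
    [ -n "$(conf_get "$conf" cipher)" ] || note "WARN no cipher directive: default is BF-CBC, not AES-256-CBC"

    # 2. easy-rsa 2.0's default KEY_SIZE=1024 is what produces dh1024.pem.
    dh=$(conf_get "$conf" dh)
    case "$dh" in
        "")       note "FAIL no dh directive" ;;
        *dh1024*) note "WARN 1024-bit DH group: set KEY_SIZE=2048 in vars and rerun ./build-dh" ;;
    esac

    # 3. The daemon should drop root once the tunnel is up.
    [ "$(conf_get "$conf" user)" = nobody ] || note "WARN no 'user nobody': daemon keeps running as root"

    # 4. The server key must be readable by root only.
    key=$(conf_get "$conf" key)
    if [ ! -f "$key" ]; then
        note "FAIL key file not found: $key"
    elif [ "$(go_perms "$key")" != "------" ]; then
        note "FAIL $key is readable by group or other: chmod 600 it"
    fi

    # 5. With ip_forward=0 clients connect and get an address but nothing is routed.
    [ "$(cat "$fwd" 2>/dev/null)" = 1 ] || note "FAIL ip_forward is not 1: check /etc/sysctl.conf and run sysctl -p"

    echo "$PROBLEMS"
}

# Run only when invoked with arguments or on a host that has the real config.
if [ "$#" -gt 0 ] || [ -r /etc/openvpn/server.conf ]; then
    check_gateway "${1:-/etc/openvpn/server.conf}" "${2:-/proc/sys/net/ipv4/ip_forward}"
fi
```

Run it as root on the VPS after writing server.conf and before `service openvpn start`; a non-zero count means one of the items above still needs fixing. Against the exact config shown in Step 3 it reports the 1024-bit DH group as a warning, which is the honest answer.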
Step 5: Client Generation
Generate a key for your laptop:
cd /etc/openvpn/easy-rsa/2.0
source ./vars
./build-key client1
build-key asks for a Common Name; make it unique per device, because that is the name you will later revoke. It writes client1.key unencrypted; ./build-key-pass does the same job but wraps the key in a passphrase, which is worth it on a laptop that travels. You need to securely transport ca.crt, client1.crt, and client1.key to your local machine. Use SCP (Secure Copy). Do not email these files. When a laptop is lost, ./revoke-full client1 regenerates keys/crl.pem, and the server honours it once you add a crl-verify line pointing at that file to server.conf.
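The post never shows the client side, so here is an added helper, not part of the post's own procedure and not part of OpenVPN or easy-rsa, that bundles the three files into a single profile you can scp as one unit. It assumes the easy-rsa 2.0 keys directory used above and a server.conf like the one in Step 3 (UDP 1194, comp-lzo, AES-256-CBC; if your server.conf has no cipher line, delete the cipher line here too, because 2.2 does not negotiate it and falls back to BF-CBC). The hostname vpn.example.no is a placeholder. It also adds remote-cert-tls server, which makes the client refuse any peer whose certificate lacks the serverAuth extended key usage that build-key-server stamps on the server certificate; without it, anyone holding a valid client certificate from the same CA could pose as your gateway.

```bash
#!/bin/sh
# make_ovpn.sh: bundle ca.crt, <name>.crt and <name>.key into one client profile.
# Added example for this post, not part of OpenVPN or easy-rsa. Assumes the easy-rsa 2.0
# keys directory used above and the server.conf from Step 3. vpn.example.no is a placeholder.
# Usage: ./make_ovpn.sh client1 /etc/openvpn/easy-rsa/2.0/keys vpn.example.no > client1.ovpn

# Emit only the PEM block of a certificate; easy-rsa prefixes .crt files with a
# human-readable dump that OpenVPN ignores on disk but that we don't want inline.
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# make_ovpn NAME KEYS_DIR REMOTE_HOST: write the profile to stdout, fail if a file is missing.
make_ovpn() {
    name="$1"; keys="$2"; remote="$3"
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        if [ ! -r "$f" ]; then
            echo "make_ovpn: missing or unreadable: $f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $remote 1194
nobind
resolv-retry infinite
persist-key
persist-tun
# Only accept a peer whose certificate carries the serverAuth extended key usage
# that build-key-server sets; a client certificate cannot impersonate the gateway.
remote-cert-tls server
# These two are not negotiated in OpenVPN 2.2 and must equal the server.conf values.
cipher AES-256-CBC
comp-lzo
verb 3
<ca>
$(pem_only "$keys/ca.crt")
</ca>
<cert>
$(pem_only "$keys/$name.crt")
</cert>
<key>
$(cat "$keys/$name.key")
</key>
EOF
}

# Run only when invoked with all three arguments, so the functions can be sourced elsewhere.
if [ "$#" -eq 3 ]; then
    make_ovpn "$@"
fi
```

Run it on the VPS, scp the resulting client1.ovpn to the laptop, then delete the copy on the server: the private key is inside it, and the gateway has no reason to keep client keys around.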
Why Infrastructure Matters
You can set the strongest cipher OpenVPN offers (AES-256-CBC), but if the underlying host is unstable, your connection drops. OpenVPN over UDP tolerates loss itself, but every dropped packet becomes a retransmission for the TCP sessions riding inside the tunnel, and a long enough outage trips the keepalive and restarts the link. When I deploy these gateways for clients in Oslo or Bergen, I specifically request CoolVDS instances because of the I/O stability.
In a shared hosting environment, a "noisy neighbor" maxing out their disk can cause jitter in your VPN packets. CoolVDS uses strict resource isolation (KVM), ensuring your CPU cycles are actually yours. For a security gateway, that consistency is non-negotiable.
Final Verification
Start the service:
service openvpn start
chkconfig openvpn on
Connect from your client. Before trusting the tunnel, check it on both ends: on the VPS, openvpn-status.log should list your client's Common Name and its 10.8.0.x address; on the laptop, the routing table should show the default route via the tun interface, and a visit to a site like `whatismyip.com` should show the IP address of your VPS, not your local ISP connection. Also check which resolver your browser is actually using; if it is still the coffee shop's, the dhcp-option push did not take and your DNS queries are leaving in the clear. Be precise about what you now have: everything between your laptop and the gateway in Norway is encrypted. Traffic leaves the VPS exactly as you sent it, so that Telnet session from the introduction is still plaintext from Oslo onwards. The VPN takes the untrusted Wi-Fi out of the picture; it does not make an insecure protocol secure.
Security is a process, not a product. Keep your server updated, rotate your keys annually, and never settle for high-latency connections. Ready to build your own secure gateway? Deploy a high-performance instance on CoolVDS today and lock down your traffic.