Tunneling Through the Fjord: Hardening Your Remote Access with OpenVPN on CentOS 5

Secure Your Traffic: The Battle-Hardened Guide to OpenVPN

It’s 2010. You are sitting at a coffee shop in Grünerløkka, sipping a dark roast, connected to an open WiFi network. You check your email, maybe SSH into a production server. Stop. Right. There.

If you aren't tunneling that traffic, you might as well be broadcasting your root passwords on a billboard in downtown Oslo. With tools like Wireshark and the increasing prevalence of packet sniffing on unencrypted networks, relying on standard HTTPS or plain SSH isn't enough paranoia for my taste. You need a VPN.

Commercial VPN services are popping up, but why trust a third party with your data? As systems administrators, we build our own. Today, I’m walking you through setting up a robust OpenVPN server on a Linux VPS. We are focusing on CentOS 5.5 because it’s the rock-solid standard for enterprise environments right now.

The Prerequisite: A VPS that Doesn't Lie

Before we touch the config files, let's talk about the hardware. OpenVPN requires a virtual network device called a TUN/TAP adapter. Many budget hosting providers cram hundreds of users onto a single OpenVZ node and disable this module to save overhead. If you try to run OpenVPN there, it will fail silently.

You need a provider that treats your slice of the server like a real machine. This is where CoolVDS excels. Unlike the oversold budget boxes, CoolVDS instances come with TUN/TAP enabled by default, and their Xen-based virtualization ensures that my heavy encryption cycles don't get stolen by a noisy neighbor. Plus, if you are working from Norway, routing your traffic through a server in Oslo (connected to NIX) keeps your latency down to single-digit milliseconds. Speed matters.
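A quick probe for the TUN/TAP requirement described above, added here as an example and not part of the original post. It relies on a kernel quirk: reading /dev/net/tun on a working kernel fails with "File descriptor in bad state", while a slice whose provider disabled the module answers "No such device" or has no device node at all.

```shell
#!/bin/sh
# Probe whether this box exposes a usable TUN/TAP device before installing
# OpenVPN (constructed example). Opening /dev/net/tun without the ioctl setup
# that OpenVPN performs fails with EBADFD, which is the good outcome: the node
# exists and the kernel module behind it is live.

# Map the error text cat(1) prints for /dev/net/tun to a verdict.
classify_tun_probe() {
    case "$1" in
        *"bad state"*)         echo available ;;
        *"No such device"*)    echo module-disabled ;;
        *"No such file"*)      echo missing ;;
        *"Permission denied"*) echo no-permission ;;
        *)                     echo unknown ;;
    esac
}

# Probe the live system: returns 0 when OpenVPN can bring up "dev tun" here.
tun_available() {
    [ -c /dev/net/tun ] || return 1
    msg=$(cat /dev/net/tun 2>&1 >/dev/null)
    [ "$(classify_tun_probe "$msg")" = available ]
}

if tun_available; then
    echo "TUN/TAP is usable; OpenVPN can create its tun interface"
else
    echo "No usable TUN/TAP device; ask the provider to enable it before going further" >&2
fi
```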

Step 1: Installing OpenVPN

First, we need the EPEL (Extra Packages for Enterprise Linux) repository, as OpenVPN isn't in the default CentOS base.

rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
yum update
yum install openvpn

We also need openssl installed, but you should have that already if you are running a server.

Step 2: The PKI Infrastructure

OpenVPN relies on a Public Key Infrastructure (PKI). We need a Certificate Authority (CA), a server certificate, and client certificates. Do not skip this. Shared keys are for amateurs.

Copy the Easy-RSA generation scripts to a safe directory:

cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

Edit the vars file. This is crucial for local compliance. If you are hosting in Norway to comply with the Personal Data Act (Personopplysningsloven), ensure your certificate details reflect that.

export KEY_COUNTRY="NO"
export KEY_PROVINCE="Oslo"
export KEY_CITY="Oslo"
export KEY_ORG="CoolVDS-Admin"
export KEY_EMAIL="[email protected]"

Now, build the CA and the server key:

. ./vars
./clean-all
./build-ca
./build-key-server server

When asked to sign the certificate, hit 'y'. Finally, generate the Diffie-Hellman parameters. This will take time. Go verify your backups while you wait.

./build-dh

Step 3: Server Configuration

Create /etc/openvpn/server.conf. I prefer UDP for speed, as TCP-over-TCP can lead to meltdown on unstable 3G connections.

port 1194
proto udp
dev tun
# The init script starts OpenVPN with /etc/openvpn as its working directory,
# and Easy-RSA wrote everything under easy-rsa/keys, so point at those files
# explicitly; bare filenames here would not be found.
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
# Use OpenDNS or your provider's DNS; keep comments on their own line
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

Pro Tip: The `push "redirect-gateway def1"` directive is the magic sauce. It forces all your client's web traffic through the tunnel, encrypting everything. Without this, you're just accessing the server, not securing your browsing.

Step 4: Routing and IP Forwarding

Your Linux kernel needs to forward traffic. Edit /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Apply it with sysctl -p.

Now, the firewall. We need to NAT the traffic coming from the VPN subnet out to the internet. On a stock CentOS 5 install the default ruleset also drops UDP 1194 and rejects forwarded packets, so those have to be opened alongside the NAT rule. This is where iptables earns its keep.

iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart

Step 5: Client Setup & Testing

Generate a client key on the server:

cd /etc/openvpn/easy-rsa
. ./vars
./build-key client1

Transfer ca.crt, client1.crt, and client1.key to your laptop securely (use SCP, not email!). On your client machine (Windows 7 or Mac OS X Snow Leopard), install the OpenVPN client and connect.
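One way to make that transfer a single file instead of three, added here as an example and not code from the original post: bundle the CA, certificate and key inline in a client config that mirrors the server.conf from Step 3, after checking that the certificate really was signed by our CA. It assumes the Easy-RSA 2.0 keys directory from Step 2; the hostname vpn.example.org is a placeholder.

```shell
#!/bin/sh
# Build one client1.ovpn with CA, certificate and key inlined so a single scp
# carries everything. Constructed example assuming the Step 2 keys directory;
# run as: ./make-bundle.sh client1 vpn.example.org (placeholder hostname).

# Refuse to bundle a certificate that the CA in ca.crt did not actually sign.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Emit a client config that mirrors server.conf: same proto and port, dev tun
# and comp-lzo on both ends, otherwise the tunnel never comes up.
# Easy-RSA .crt files carry a text dump ahead of the PEM block; strip it when
# openssl is present, otherwise pass the file through unchanged.
make_ovpn_bundle() {
    server="$1" ca="$2" cert="$3" key="$4"
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(openssl x509 -in "$cert" 2>/dev/null || cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

main() {
    name="$1" server="$2" keys=/etc/openvpn/easy-rsa/keys
    verify_client_cert "$keys/ca.crt" "$keys/$name.crt" ||
        { echo "$name.crt is not signed by our CA, refusing to bundle" >&2; exit 1; }
    umask 077    # the bundle holds a private key: owner-only permissions
    make_ovpn_bundle "$server" "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key" > "$name.ovpn"
    echo "wrote $name.ovpn; copy it with scp, then delete it from the server"
}

if [ $# -eq 2 ]; then main "$@"; fi
```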

Why Hosting Location Matters

Legally, data residency is becoming a hot topic in Europe. By hosting your VPN endpoint on a Norwegian server, you ensure that your traffic is subject to Norwegian privacy laws, which are overseen by Datatilsynet. It’s a cleaner legal framework than routing through servers in jurisdictions with less respect for privacy.

Furthermore, performance is critical. Decryption costs CPU cycles. On a shared host with high CPU "steal time" (cycles the hypervisor hands to other guests), your throughput will tank. CoolVDS uses high-performance enterprise RAID arrays and guarantees CPU availability. This means your VPN won't choke when you try to stream video or transfer large ISOs.

Final Thoughts

Security isn't a product; it's a process. Setting up OpenVPN is the first step in reclaiming your privacy on the wild web. Don't let a script kiddie at the airport snatch your session cookies.

Ready to build your fortress? Deploy a CentOS instance on CoolVDS today. With our instant provisioning and native TUN/TAP support, you'll be encrypted and secure in under 10 minutes.
