Tunneling Through the Ice: Building a Bulletproof OpenVPN Gateway on CentOS 5
Let’s be honest: The internet is becoming a hostile environment. Ever since the Firesheep extension for Firefox dropped late last year, the illusion of security on public networks has shattered. If you are logging into your production servers or checking corporate email from a coffee shop in Grünerløkka without a tunnel, you aren't just taking a risk; you are negligent.
I’ve seen seasoned sysadmins lose credentials because they trusted a hotel network. Don't be that guy. The solution isn't expensive hardware; it's a Linux box, a 2048-bit key, and the glorious tun0 interface.
Today, we are setting up a hardened OpenVPN server on CentOS 5.6, and we are doing it on a server in Norway. Why Norway? Because latency matters, and jurisdiction matters even more. With the ongoing debates in Stortinget about the Data Retention Directive (DLD), keeping your traffic encrypted and routing it through a jurisdiction you understand—protected by the Personopplysningsloven—is critical for Norwegian businesses.
The Architecture of Trust
We aren't just yum installing a package and walking away. We are building a PKI (Public Key Infrastructure). Most tutorials tell you to use the default 1024-bit keys. In 2011, that is borderline irresponsible. We will generate 2048-bit RSA keys. It takes longer to generate, but CPU cycles are cheap. Data breaches are expensive.
Prerequisites
- A CoolVDS Linux instance (CentOS 5 or 6). We recommend at least 256MB RAM.
- Root access.
- The TUN/TAP module enabled (standard on all CoolVDS KVM/Xen nodes).

Pro Tip: Many budget VPS providers use oversold OpenVZ containers where the tun module is disabled by the host node kernel. If you see `cat: /dev/net/tun: File descriptor in bad state`, move your workload to CoolVDS immediately. We don't cripple your kernel.
Step 1: The Foundation (EPEL & Install)
CentOS repositories are conservative. To get OpenVPN 2.2, we need the EPEL (Extra Packages for Enterprise Linux) repository.
```sh
# Install EPEL (check your architecture: i386 or x86_64)
rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
# Update and install
yum update -y
yum install openvpn -y
```
We also need openssl, but that should already be on your system. If not, install it. You cannot tunnel without math.
Step 2: Building the PKI
OpenVPN comes with a set of scripts called easy-rsa. Copy them to your config directory so updates don't wipe your keys.
```sh
cp -R /usr/share/doc/openvpn-2.2*/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
```
Now, edit the vars file. This saves you from typing your country and organization fifty times. Set KEY_SIZE=2048. Do not leave it at 1024.
```sh
source ./vars
./clean-all
./build-ca
# Establish the server credentials
./build-key-server server
# Generate Diffie-Hellman parameters (this will take time)
./build-dh
```
"Why is this taking so long?" Because you are generating entropy. On a CoolVDS instance, the high-performance disk I/O helps, but math is math. Go grab a coffee.
Step 3: Server Configuration
Create /etc/openvpn/server.conf. We are going to use UDP because TCP-over-TCP leads to the "TCP meltdown" problem when packets drop.
```
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Push routes to the client so ALL traffic goes through the VPN
push "redirect-gateway def1 bypass-dhcp"
# Use Google or OpenDNS to prevent DNS leaks
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
```
Step 4: The IPTables Nightmare
You can have the best VPN config in the world, but if your kernel doesn't route packets, you're just talking to yourself. First, enable IP forwarding.
```sh
sysctl -w net.ipv4.ip_forward=1
# Make it permanent
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
```
Now, configure iptables to NAT the traffic. This is where most admins fail.
```sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
```
If you are running a strict firewall (which you should be), ensure port 1194 UDP is OPEN.
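The MASQUERADE rule above only translates addresses; on a stock CentOS 5 firewall the FORWARD chain also has to admit tunnel traffic, and the 1194/udp hole has to land ahead of the default REJECT. This added script (example code, not from the original post) prints the complete rule set for review and applies it on request; it assumes eth0 is the public interface and tun0 the tunnel, matching the server.conf above.

```sh
#!/bin/sh
# Added example (not from the original post): the full iptables rule set the
# gateway needs, printed for review first and applied only on request.
# Assumptions: public interface eth0, VPN interface tun0, VPN subnet
# 10.8.0.0/24 and port 1194/udp, matching the server.conf above.
WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.8.0.0/24}
VPN_PORT=${VPN_PORT:-1194}

# INPUT and FORWARD rules use -I (insert at the top), not -A: the stock CentOS 5
# ruleset sends both chains to RH-Firewall-1-INPUT, which ends with REJECT, so
# anything appended after that jump is never evaluated. MASQUERADE alone is
# therefore not enough; FORWARD must admit tun0 -> eth0 and the replies back.
vpn_rules() {
    cat <<EOF
-I INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT
-I FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
-I FORWARD -i $WAN_IF -o $VPN_IF -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Apply every rule above with iptables, then persist them the CentOS way.
apply_rules() {
    vpn_rules | while read -r rule; do
        # the rule string is split into separate arguments on purpose
        iptables $rule
    done
    service iptables save
}

# "sh vpn-fw.sh" prints the rules; "sh vpn-fw.sh apply" installs them (as root).
if [ "${1:-show}" = "apply" ]; then apply_rules; else vpn_rules; fi
```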
Step 5: Client Generation
Generate a key for your laptop.
```sh
cd /etc/openvpn/easy-rsa
source ./vars
./build-key client-laptop
```
Securely copy ca.crt, client-laptop.crt, and client-laptop.key to your local machine. Do not email these. Use SCP or SFTP.
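To ship one file instead of three, this added script (example code, not the post's own) assembles an OpenVPN client profile with the CA, certificate and key inlined, mirroring the server.conf transport settings and adding a remote-cert-tls check so that only a certificate issued with the server role is accepted as the gateway; the host name vpn.example.com is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original post): package the three files from Step 5
# into one client profile with the CA, certificate and key inlined, so a single
# file travels over scp. Assumptions: the client was built as "client-laptop" and
# the gateway's public name is vpn.example.com (placeholder, not from the page).

# make_profile KEYS_DIR CLIENT_NAME SERVER_HOST OUT_FILE
make_profile() {
    keys=$1; name=$2; host=$3; out=$4
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "make_profile: cannot read $f" >&2; return 1; }
    done
    # Transport settings must mirror server.conf (udp/1194, tun, comp-lzo).
    # remote-cert-tls server: accept only a peer whose certificate carries the
    # server role (as build-key-server issues it), so another client holding a
    # cert from the same CA cannot pose as the gateway. Inline <ca>/<cert>/<key>
    # blocks are supported since OpenVPN 2.1; easy-rsa files end with a newline.
    {
        cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
EOF
        printf '<ca>\n';   cat "$keys/ca.crt";    printf '</ca>\n'
        printf '<cert>\n'; cat "$keys/$name.crt"; printf '</cert>\n'
        printf '<key>\n';  cat "$keys/$name.key"; printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the profile now carries a private key
}

# Usage: sh make-profile.sh /etc/openvpn/easy-rsa/keys client-laptop vpn.example.com client-laptop.ovpn
if [ $# -eq 4 ]; then make_profile "$@"; fi
```

Before handing the profile out, `openssl verify -CAfile /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys/client-laptop.crt` confirms the client certificate chains to your CA.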
Why Infrastructure Matters
When you are tunneling traffic, latency is your enemy. Routing your traffic through a budget server in Texas when you are sitting in Oslo is inefficient. The speed of light is a hard limit.
This is why we architect CoolVDS with a focus on local peering. Our connectivity to the NIX (Norwegian Internet Exchange) ensures that your VPN overhead is limited to encryption time, not network lag. Plus, with our RAID-10 SAS storage, logs and status updates are written instantly, preventing I/O locks during high throughput.
| Feature | Generic Budget VPS | CoolVDS Architecture |
|---|---|---|
| Virtualization | OpenVZ (Shared Kernel) | KVM/Xen (Isolated Kernel) |
| TUN/TAP | Often Disabled/Broken | Always Enabled |
| Latency (Oslo) | 40-100ms (routed via EU) | <5ms (Local Peering) |
Security is not a product; it is a process. But that process runs better on reliable metal. Start your OpenVPN instance on CoolVDS today and stop leaking your data to the world.