CSA NET200-4-Lab-OpenVPN

This document provides instructions for setting up and analyzing OpenVPN traffic using two Ubuntu virtual machines. It describes installing OpenVPN on one VM to act as a server and the other to act as a client. The objective is to configure an OpenVPN server and add a new client. Wireshark is used to view the encrypted OpenVPN traffic between the VMs.

Uploaded by

Akbar Shakoor
2228 BLAKE ST #100
DENVER, CO 80205
800 445 0024 X1

OpenVPN
Last Updated: May 3, 2021

SECURESET.COM

Table of Contents
Environment Setup
Abstract
Exercise Objective(s)
Pre & Post conditions of lab
System Requirements & Configuration
Network Requirements
Software Requirements
Data Requirements
Procedure – Detailed Lab Steps
Setup
Procedure – Detailed Lab Steps
Setup
Lab Execution
Install GIT
Download OpenVPN install Script from Github
Add a new client to the OpenVPN server
Use Wireshark to view the OpenVPN traffic
Advanced Lab
Lab “Tear-down”
Questions/Responses
Appendix
Lab Assistance
Terminology
Revision History

Environment Setup
No special environment setup is required.

Abstract
Virtual Private Networks (VPNs) allow traffic to move from one endpoint to
another within an encrypted tunnel. This means the data-in-motion cannot be
observed by nodes along the way.

Consider the following unencrypted communication between a sender and
receiver.

The Hacker is pulling traffic from the TCP/IP Stream. Since the packet is
unencrypted, the Hacker can see all details of the TCP/IP packet, including the
payload of the message.

Now consider a software VPN. The VPN establishes a channel through the
TCP/IP that allows traffic to be encrypted. That is, the payload of the TCP/IP
packet is now encrypted. Since TCP/IP needs the header information (MAC
address, IP address, etc.) the full TCP/IP packet cannot be encrypted.

Notice the lock on either side of the TCP/IP pipe, indicating that the traffic is
encrypted. The Hacker can still pull this traffic from the pipe, but since the
payload is now encrypted, they have no access to that data.

The Software VPN sets up a Virtual NIC. In other words, there are 4 NICs
involved in sending traffic from the Sender to the Receiver and back. The two
physical NICs will be on the TCP/IP subnet. The two virtual NICs, represented in
purple, will be creating a network segment within the TCP/IP network segment.
The physical NICs will route the traffic across the network, while the virtual
NICs will maintain the encrypted channel within the payload of the TCP/IP
connection.

This lab will install and analyze OpenVPN traffic.

Exercise Objective(s)
By the end of this lab, you should be able to:

• Configure an OpenVPN server

Pre & Post conditions of lab


No changes to the current lab environment are expected.

System Requirements & Configuration


Network Requirements
Your provided cyber range environment. This lab can also be completed using
local Ubuntu VMs. See the Advanced Lab section below for more information
on how to adjust the lab to make this easier.

Software Requirements
OpenVPN server and client will be installed on Xubuntu 1 and Xubuntu 2,
respectively.

Data Requirements
No data needs to be provided.

Procedure – Detailed Lab Steps


Setup
No special lab setup required.

Procedure – Detailed Lab Steps


Setup
No special lab setup required. See the Advanced Lab directions for setup
information if you are using local VMs to complete this lab.

Lab Execution
Before starting, make note of the IP addresses for Xubuntu 1 and Xubuntu 2.

Install GIT
From Xubuntu 1:

Install GIT with the following command:

sudo apt install git

Download OpenVPN install Script from Github


Obtain and start the OpenVPN script from GitHub.

git clone https://github.com/Nyr/openvpn-install.git

Once the repository has been downloaded locally, go to the directory it just
created, typically with the following command:

cd openvpn-install/

Check to see if there is a .sh file in the directory.

ls -l

Give the .sh file permissions to execute then execute the script.

chmod +x openvpn-install.sh
sudo ./openvpn-install.sh

Once you start the script you will be asked a series of questions:

IP Address: <IP of Xubuntu 1>


Protocol: udp
Port: 1194
DNS: 8.8.8.8
Client name: client
Press any key to continue

For the DNS, does 8.8.8.8 make sense and why? Would it be different for
different environments? What if we had a server configured to forward DNS
requests?

After the initial script has finished, review the server configuration file, which
is normally located at /etc/openvpn/server/server.conf.

How can you search to find the server.conf?


What command(s) can you use to review the configuration?
What command(s) can you use to determine if you have a new interface?

Add a new client to the OpenVPN server


Add a client by running the OpenVPN install script again with the following command:

sudo ./openvpn-install.sh

You will be asked a series of questions:

What do you want to do: Add a new client

Clientname: <your_name>

Once the script has completed, look for the .ovpn file it created. It should be
located at /root/<your_name>.ovpn; however, you can use the following
command to locate it:

sudo find / -name <your_name>.ovpn

Move a copy of the file to your local home directory.

sudo cp /root/<your_name>.ovpn /home/student

From Xubuntu 2, you will use secure copy to move the client configuration file
(this is one command).

scp student@<IP of Xubuntu 1>:/home/student/<your_name>.ovpn ~/<your_name>.ovpn

Next, we need to install the OpenVPN client on Xubuntu 2.

sudo apt install openvpn

Start the OpenVPN client on Xubuntu 2 to talk with the server on Xubuntu 1.

sudo openvpn --config <your_name>.ovpn

You will need to leave this terminal open to keep the OpenVPN connection.

Use Wireshark to view the OpenVPN traffic


In the lab, Netcat_SSH_Generate_Traffic_Analyze_via_Wireshark, we sent
netcat traffic over the wire and could see the traffic. Now that we have put the
traffic over a VPN tunnel, can we still see the traffic? Find out with the
following:

From Xubuntu 1: start a new capture in Wireshark on the NIC, usually enp4s1.

From the Xubuntu 2 machine, create a text file called example.txt. Add some
text, like This is my example sentence for my example file. (or type whatever
you want).

On Xubuntu 1, create a netcat listener with the following command:

nc -l -p 1234 > example.txt

On Xubuntu 2 machine, send the file over netcat to Xubuntu 1 machine with the
following command:

nc -w 3 <IP of Xubuntu 1> 1234 < example.txt

On Xubuntu 1 machine, run the command cat example.txt to see if the file was
received.

Stop the Wireshark capture on Xubuntu 1.

Can you find the example.txt text in clear text?


Can you download the file from Wireshark?

Consider that the IP address of Xubuntu 1 is on the full TCP/IP subnet. Since
netcat will send TCP traffic on port 1234, in this case, we can see the full
packet, including the file, and it is not encrypted. Filter out unnecessary traffic
using a filter like !icmp && !arp. Continue adding additional protocols to
eliminate unwanted traffic in the results. Note that this is easier than trying to
filter for the wanted traffic, unless you already know what that traffic is. For
example, the VPN is sending traffic on UDP port 1194 (see the configuration
file). However, it would be insufficient to look only for that traffic, since netcat
is sending TCP traffic on port 1234. It is often easier to filter out unwanted
traffic in order to isolate all relevant traffic.

Look in the server configuration file on Xubuntu 1 and notice the OpenVPN
server is using 10.8.0.0/24 for the VPN segment. So, modify the above
command to point to the VPN Server.

nc -w 3 10.8.0.1 1234 < example.txt

Use ip a to validate the NICs that are on the system. With OpenVPN connected,
there should be a tun0 or similar virtual NIC created. This is the VPN tunnel. By
specifically routing traffic to that IP, the traffic is going through the tunnel. In
the configuration file, the directive push "route 10.10.0.0 255.255.255.0" is
used to tell the clients to use the tunnel for that traffic. Alternatively, or in
addition, the config file may contain push "redirect-gateway def1", which
should push a new gateway to the client and redirect all traffic through the
VPN.
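
Route selection behind the two netcat runs, as an added example that is not part of the original lab: it builds the client's routes from a constructed server.conf excerpt and applies longest-prefix matching to pick the outgoing interface. The 192.168.56.0/24 physical subnet and the sample addresses are assumptions; the two /1 routes are how OpenVPN implements the def1 flag.

```shell
#!/bin/sh
# Added example: which interface carries a client's traffic once the VPN is up?
# SERVER_CONF is a constructed excerpt using the directives quoted in this lab.
SERVER_CONF='port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.10.0.0 255.255.255.0"
push "redirect-gateway def1"'

# Assumed placeholder for the physical subnet shared by Xubuntu 1 and 2.
LAN_NET=192.168.56.0
LAN_MASK=255.255.255.0

# Dotted quad -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "network mask device" for each route the client holds after connecting.
client_routes() {
    echo "$LAN_NET $LAN_MASK enp4s1"     # directly connected physical subnet
    echo "0.0.0.0 0.0.0.0 enp4s1"        # original default route
    printf '%s\n' "$SERVER_CONF" | tr -d '"' | awk '
        $1 == "server"                { print $2, $3, "tun0" }
        $1 == "push" && $2 == "route" { print $3, $4, "tun0" }
        # def1 overrides the default route with two /1 routes via the tunnel
        $1 == "push" && $2 == "redirect-gateway" && /def1/ {
            print "0.0.0.0 128.0.0.0 tun0"; print "128.0.0.0 128.0.0.0 tun0" }'
}

# Longest-prefix match: print the device that carries traffic to address $1.
egress_dev() {
    dst=$(ip2int "$1"); best=-1; dev=none
    while read -r net mask ifc; do
        n=$(ip2int "$net"); m=$(ip2int "$mask")
        if [ $(( dst & m )) -eq $(( n & m )) ] && [ "$m" -gt "$best" ]; then
            best=$m; dev=$ifc
        fi
    done <<EOF
$(client_routes)
EOF
    echo "$dev"
}

# 192.168.56.101 stands in for <IP of Xubuntu 1>.
for d in 192.168.56.101 10.8.0.1 10.10.0.7 8.8.8.8; do
    echo "$d -> $(egress_dev "$d")"
done
```

The physical address of Xubuntu 1 still leaves through enp4s1 even with redirect-gateway pushed, because the directly connected /24 is more specific than either /1 route. On the lab client, ip route get <address> reports the same decision from the live routing table.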

Wireshark on Xubuntu 1 has an option for the physical NIC, typically enp4s1, or
something similar, and for the tunnel, tun0, or whatever it created on the
system. Run through the steps again using netcat on Xubuntu 1 and 2 while
observing traffic on enp4s1 and then on tun0.

Use the following image to explain the results from the two captures.

The virtual NIC only exists on the application layer within the computer, not
the actual network layer established by enp4s1. Why are you able to see the
plaintext at tun0 but not at enp4s1?
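
What the two captures show, as an added example that is not part of the original lab: OpenVPN reads packets from tun0 before encrypting them and sends the result as UDP 1194 datagrams on the physical NIC, so the same netcat transfer is readable on one interface and opaque on the other. The capture lines are constructed in tcpdump -nn text style (an assumption; the lab itself uses Wireshark), and the 192.168.56.x and 10.8.0.2 addresses are placeholders.

```shell
#!/bin/sh
# Added example: compare what the physical NIC and the tunnel NIC expose.
# All capture lines below are constructed, not output from the lab machines.
PHYS_DIRECT='12:00:01.100000 IP 192.168.56.102.51820 > 192.168.56.101.1194: UDP, length 108
12:00:05.300000 IP 192.168.56.102.40122 > 192.168.56.101.1234: Flags [P.], seq 1:52, ack 1, win 502, length 51
12:00:05.300100 IP 192.168.56.101.1234 > 192.168.56.102.40122: Flags [.], ack 52, win 509, length 0
12:00:06.000000 ARP, Request who-has 192.168.56.101 tell 192.168.56.102, length 28'

PHYS_TUNNEL='12:01:05.300000 IP 192.168.56.102.51820 > 192.168.56.101.1194: UDP, length 124
12:01:05.300400 IP 192.168.56.101.1194 > 192.168.56.102.51820: UDP, length 92'

TUN0='12:01:05.300200 IP 10.8.0.2.40124 > 10.8.0.1.1234: Flags [P.], seq 1:52, ack 1, win 502, length 51'

# classify CAPTURE VPN_PORT
# One line per data-carrying IP packet: "tunnel" when it is OpenVPN's UDP
# transport, otherwise "clear <dst-port>" (readable by anyone on that link).
classify() {
    printf '%s\n' "$1" | awk -v vpn="$2" '
        $2 != "IP" { next }            # ARP and other non-IP lines
        $NF == 0   { next }            # zero-length segments such as bare ACKs
        {
            dst = $5; sub(/:$/, "", dst)
            ns = split($3, s, "."); nd = split(dst, d, ".")
            if ($6 == "UDP," && (s[ns] == vpn || d[nd] == vpn)) print "tunnel"
            else print "clear " d[nd]
        }'
}

# Count packets whose payload is visible on the capturing interface.
clear_count() {
    classify "$1" "$2" | awk '/^clear/ { c++ } END { print c + 0 }'
}

echo "enp4s1, nc to physical IP: $(clear_count "$PHYS_DIRECT" 1194) clear packet(s)"
echo "enp4s1, nc to 10.8.0.1:    $(clear_count "$PHYS_TUNNEL" 1194) clear packet(s)"
echo "tun0,   nc to 10.8.0.1:    $(classify "$TUN0" 1194)"
```

A non-zero clear count on the physical NIC means traffic between the two hosts is travelling outside the tunnel.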

Advanced Lab
Reproduce this lab in your own network but create 3 VMs with two different
subnets. For example, have Xubuntu 1 on a 192.168.0.0/24 subnet and Xubuntu
2 on a 10.10.10.0/24 subnet. The third computer, Xubuntu 3, should be dual-
homed and have a physical NIC in each subnet. This is reproducing the
environment from CSA NET200-2-Lab-Forwarding. Using that lab, forward
traffic from Xubuntu 1 to Xubuntu 2 and vice versa.

Now repeat this lab and set up a VPN from Xubuntu 1 to Xubuntu 2. Verify that
the lab performs as expected and that Wireshark monitoring on Xubuntu 3
cannot read any of the encrypted traffic. In fact, Xubuntu 3 should not even
have a virtual NIC at all!

Lab “Tear-down”
N/A

Questions/Responses
Student: Please record anything that was unclear about this lab.

Appendix
Lab Assistance
N/A

Terminology
N/A

Revision History
Date        Updated By        Description
4/22/2021   Josh Gillam       Initial Development.
4/28/2021   Gary Whitsett     Updated and expanded the lab.
5/5/2021    Stephen Barnes    Made local VM option available using advanced lab section.
