
Disclaimer

This was originally posted on the Game of Active Directory repository:

https://github.com/Orange-Cyberdefense/GOAD/issues/233

Descriptions

I've set up a TAP/bridged VPN using this guide to get into my host-only subnet from the internet. Although the VPN connects, I can't seem to access any of the GOAD hosts on the host-only adapter's subnet. I'd appreciate some help figuring out why this is (nothing has been changed regarding the GOAD setup).

Setup

OpenVPN server.conf

port 64015
proto udp6
dev tap0
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server-bridge 192.168.56.4 255.255.255.0 192.168.56.128 192.168.56.254
ifconfig-pool-persist ipp.txt
client-to-client
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.56.0 255.255.255.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_a3WkLFewyDbsTk5b.crt
key server_a3WkLFewyDbsTk5b.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

OpenVPN client.conf

client
proto udp
explicit-exit-notify
remote OMITTED 64015
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_a3WkLFewyDbsTk5b name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
#setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

# Route all traffic through the VPN
redirect-gateway def1 bypass-dhcp

# Route to reach the vboxnet0 subnet
route 192.168.56.0 255.255.255.0

<ca>
OMITTED
</ca>
<cert>
OMITTED
</cert>
<key>
OMITTED
</key>
<tls-crypt>
OMITTED
</tls-crypt>

Relevant interfaces

$ ifconfig
tap0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::f816:eaff:fef3:a0c2  prefixlen 64  scopeid 0x20<link>
        ether fa:16:ea:f3:a0:c2  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 1482 (1.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vboxnet0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::800:27ff:fe00:0  prefixlen 64  scopeid 0x20<link>
        ether 0a:00:27:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 4577  overruns 0  frame 0
        TX packets 42  bytes 6148 (6.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.1  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::6496:fdff:fe73:3444  prefixlen 64  scopeid 0x20<link>
        ether 66:96:fd:73:34:44  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26  bytes 4124 (4.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Relevant firewall rules (some rules are repeated from when I was messing around with things)

$ ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
64015/udp                  ALLOW IN    Anywhere                   # Allow openvpn connections
192.168.56.0/24            ALLOW IN    192.168.56.0/24            # Allow all traffic inside lab
Anywhere on tap0           ALLOW IN    Anywhere                   # Allow traffic into tap interface
Anywhere on br0            ALLOW IN    Anywhere                   # Allow traffic into bridged interface
Anywhere on vboxnet0       ALLOW IN    Anywhere                   # Allow traffic into vboxnet
9090                       ALLOW IN    fd42:42:42::1/64           # Allow VPN clients to internal sites IPv6
64015/udp (v6)             ALLOW IN    Anywhere (v6)              # Allow openvpn connections
Anywhere (v6) on tap0      ALLOW IN    Anywhere (v6)              # Allow traffic into tap interface
Anywhere (v6) on br0       ALLOW IN    Anywhere (v6)              # Allow traffic into bridged interface
Anywhere (v6) on vboxnet0  ALLOW IN    Anywhere (v6)              # Allow traffic into vboxnet
Anywhere on vboxnet0       ALLOW FWD   Anywhere on tap0           # Allow traffic from VPN to GOAD lab
Anywhere on tap0           ALLOW FWD   Anywhere on vboxnet0       # Allow traffic from GOAD lab to VPN
Anywhere (v6) on vboxnet0  ALLOW FWD   Anywhere (v6) on tap0      # Allow traffic from VPN to GOAD lab
Anywhere (v6) on tap0      ALLOW FWD   Anywhere (v6) on vboxnet0  # Allow traffic from GOAD lab to VPN

UFW Defaults

$ cat /etc/default/ufw
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. IPT_MODULES should typically be
# empty for new installations and modules added only as needed. See
# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
# nf_conntrack_sane: sane support
IPT_MODULES=""

UFW sysctl.conf defaults

$ cat /etc/ufw/sysctl.conf
#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
# Documentation/networking/ip-sysctl.txt in the kernel source code for more
# information.
#

# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
# traffic to those sites.
net/ipv4/conf/all/accept_redirects=1
net/ipv4/conf/default/accept_redirects=1
net/ipv6/conf/all/accept_redirects=1
net/ipv6/conf/default/accept_redirects=1

# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0

# Don't log Martian Packets (impossible addresses)
# packets
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0

#net/ipv4/tcp_fin_timeout=30
#net/ipv4/tcp_keepalive_intvl=1800

# Uncomment this to turn off ipv6 autoconfiguration
#net/ipv6/conf/default/autoconf=1
#net/ipv6/conf/all/autoconf=1

# Uncomment this to enable ipv6 privacy addressing
#net/ipv6/conf/default/use_tempaddr=2
#net/ipv6/conf/all/use_tempaddr=2

Method to reproduce

  1. Connect to the VPN with the config file
$ sudo openvpn client.conf
2024-05-09 23:47:06 Note: dev-type not tun, disabling data channel offload.
2024-05-09 23:47:06 OpenVPN 2.6.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-05-09 23:47:06 library versions: OpenSSL 3.1.5 30 Jan 2024, LZO 2.10
2024-05-09 23:47:06 DCO version: N/A
2024-05-09 23:47:06 TCP/UDP: Preserving recently used remote address: [AF_INET]<OMITTED>:64015
2024-05-09 23:47:06 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-05-09 23:47:06 UDPv4 link local: (not bound)
2024-05-09 23:47:06 UDPv4 link remote: [AF_INET]<OMITTED>:64015
2024-05-09 23:47:06 TLS: Initial packet from [AF_INET]<OMITTED>:64015, sid=a8c2e031 15d7fd0b
2024-05-09 23:47:07 VERIFY OK: depth=1, CN=cn_lDRVUWpZEvcHBVf8
2024-05-09 23:47:07 VERIFY KU OK
2024-05-09 23:47:07 Validating certificate extended key usage
2024-05-09 23:47:07 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-05-09 23:47:07 VERIFY EKU OK
2024-05-09 23:47:07 VERIFY X509NAME OK: CN=server_a3WkLFewyDbsTk5b
2024-05-09 23:47:07 VERIFY OK: depth=0, CN=server_a3WkLFewyDbsTk5b
2024-05-09 23:47:07 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ECprime256v1, signature: ecdsa-with-SHA256, peer temporary key: 256 bits ECprime256v1
2024-05-09 23:47:07 [server_a3WkLFewyDbsTk5b] Peer Connection Initiated with [AF_INET]<OMITTED>:64015
2024-05-09 23:47:07 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-05-09 23:47:07 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-05-09 23:47:07 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 192.168.56.0 255.255.255.0,route-gateway 192.168.56.4,ping 10,ping-restart 120,ifconfig 192.168.56.128 255.255.255.0,peer-id 0,cipher AES-128-GCM'
2024-05-09 23:47:07 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2024-05-09 23:47:07 OPTIONS IMPORT: --ifconfig/up options modified
2024-05-09 23:47:07 OPTIONS IMPORT: route options modified
2024-05-09 23:47:07 OPTIONS IMPORT: route-related options modified
2024-05-09 23:47:07 net_route_v4_best_gw query: dst 0.0.0.0
2024-05-09 23:47:07 net_route_v4_best_gw result: via 192.168.1.1 dev eth1
2024-05-09 23:47:07 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth1 HWADDR=08:00:27:44:da:4b
2024-05-09 23:47:07 TUN/TAP device tap0 opened
2024-05-09 23:47:07 net_iface_mtu_set: mtu 1500 for tap0
2024-05-09 23:47:07 net_iface_up: set tap0 up
2024-05-09 23:47:07 net_addr_v4_add: 192.168.56.128/24 dev tap0
2024-05-09 23:47:07 net_route_v4_add: <OMITTED>/32 via 192.168.1.1 dev [NULL] table 0 metric -1
2024-05-09 23:47:07 net_route_v4_add: 0.0.0.0/1 via 192.168.56.4 dev [NULL] table 0 metric -1
2024-05-09 23:47:07 net_route_v4_add: 128.0.0.0/1 via 192.168.56.4 dev [NULL] table 0 metric -1
2024-05-09 23:47:07 net_route_v4_add: 192.168.56.0/24 via 192.168.56.4 dev [NULL] table 0 metric -1
2024-05-09 23:47:07 net_route_v4_add: 192.168.56.0/24 via 192.168.56.4 dev [NULL] table 0 metric -1
2024-05-09 23:47:07 sitnl_send: rtnl: generic error (-17): File exists
2024-05-09 23:47:07 NOTE: Linux route add command failed because route exists
2024-05-09 23:47:07 Initialization Sequence Completed
2024-05-09 23:47:07 Data Channel: cipher 'AES-128-GCM', peer-id: 0
2024-05-09 23:47:07 Timers: ping 10, ping-restart 120
2024-05-09 23:47:07 Protocol options: explicit-exit-notify 1
  2. Scan the local network with nmap. Nothing has been returned:
$ nmap -Pn -v -sTCV --top-ports 10 192.168.56.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-09 23:49 BST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:49
Completed NSE at 23:49, 0.00s elapsed
Initiating NSE at 23:49
Completed NSE at 23:49, 0.00s elapsed
Initiating NSE at 23:49
Completed NSE at 23:49, 0.00s elapsed
Initiating Parallel DNS resolution of 256 hosts. at 23:49
Completed Parallel DNS resolution of 256 hosts. at 23:49, 11.44s elapsed
Initiating Connect Scan at 23:49
Scanning 102 hosts [10 ports/host]
Completed Connect Scan at 23:50, 8.23s elapsed (1020 total ports)
Initiating Service scan at 23:50
NSE: Script scanning 102 hosts.
Initiating NSE at 23:50
Completed NSE at 23:50, 25.29s elapsed
Initiating NSE at 23:50
Completed NSE at 23:50, 0.00s elapsed
Initiating NSE at 23:50
Completed NSE at 23:50, 0.00s elapsed
Nmap scan report for 192.168.56.0
Host is up.

PORT     STATE    SERVICE       VERSION
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   filtered http
110/tcp  filtered pop3
139/tcp  filtered netbios-ssn
443/tcp  filtered https
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server

Nmap scan report for 192.168.56.1
Host is up.

PORT     STATE    SERVICE       VERSION
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   filtered http
110/tcp  filtered pop3
139/tcp  filtered netbios-ssn
443/tcp  filtered https
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server

...

Nmap scan report for 192.168.56.10
Host is up.

PORT     STATE    SERVICE       VERSION
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   filtered http
110/tcp  filtered pop3
139/tcp  filtered netbios-ssn
443/tcp  filtered https
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server

Nmap scan report for 192.168.56.11
Host is up.

PORT     STATE    SERVICE       VERSION
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   filtered http
110/tcp  filtered pop3
139/tcp  filtered netbios-ssn
443/tcp  filtered https
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server

Nmap scan report for 192.168.56.12
Host is up.

PORT     STATE    SERVICE       VERSION
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   filtered http
110/tcp  filtered pop3
139/tcp  filtered netbios-ssn
443/tcp  filtered https
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server

Nmap scan report for 192.168.56.13
Host is up.

PORT     STATE    SERVICE       VERSION
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   filtered http
110/tcp  filtered pop3
139/tcp  filtered netbios-ssn
443/tcp  filtered https
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server

...

Nmap scan report for 192.168.56.22
Host is up.

PORT     STATE    SERVICE       VERSION
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   filtered http
110/tcp  filtered pop3
139/tcp  filtered netbios-ssn
443/tcp  filtered https
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server

Nmap scan report for 192.168.56.23
Host is up.

PORT     STATE    SERVICE       VERSION
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   filtered http
110/tcp  filtered pop3
139/tcp  filtered netbios-ssn
443/tcp  filtered https
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server

What I expect

Services running on the GOAD machines should be exposed to the VPN client

What I've tried

My suspicion is that there is something wonky with the internal networking on my host, but I can't prove it.

Environment

  • OS = Linux <HOSTNAME-OMITTED> 5.15.0-105-generic #115-Ubuntu SMP Mon Apr 15 09:52:04 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  • Hosting = Hosted in the cloud
  • OpenVPN Version:
OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2022 OpenVPN Inc
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=yes with_sysroot=no
  • VirtualBox Version = 6.1.50_Ubuntur161033
  • Vagrant Version = 2.4.1
  • UFW Version = 0.36.1

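A preflight check for this kind of setup, added here as an example; it is not code from the post, from GOAD or from OpenVPN. It takes the server-bridge directive, the interface addresses and the ufw forward rules shown above as inline inputs and reports the two things a practitioner would look at first: whether the server-bridge gateway is actually an address of the bridge (the ifconfig output above shows br0 at 192.168.56.1, while the directive and the pushed route-gateway say 192.168.56.4), and whether the ufw FWD rules are written against bridge ports, which iptables does not see as the in/out interface of a bridged frame. The membership of tap0 and vboxnet0 in br0 is an assumption (it is what a bridged-TAP guide normally sets up), the `ip -br addr` text is constructed after the post's ifconfig output, and all function names are hypothetical.

```python
"""Preflight checks for an OpenVPN TAP bridge into a VirtualBox host-only network.
Illustrative code written for this page, not part of OpenVPN, ufw or GOAD; the
sample inputs are copied from, or constructed after, the post above."""
import ipaddress
import re
import shlex

# Copied from the post's server.conf (only the directives the checks read).
SERVER_CONF = """
dev tap0
server-bridge 192.168.56.4 255.255.255.0 192.168.56.128 192.168.56.254
push "route 192.168.56.0 255.255.255.0"
"""
# Constructed 'ip -br addr' output mirroring the post's ifconfig: only br0 has IPv4.
IP_BR_ADDR = """\
tap0             UP             fe80::f816:eaff:fef3:a0c2/64
vboxnet0         UP             fe80::800:27ff:fe00:0/64
br0              UP             192.168.56.1/24 fe80::6496:fdff:fe73:3444/64
"""
# Assumption: tap0 and vboxnet0 are ports of br0; on a real host read 'bridge link'.
BRIDGE_PORTS = {"br0": {"tap0", "vboxnet0"}}
# FWD lines copied from the post's 'ufw status verbose'.
UFW_STATUS = """\
Anywhere on vboxnet0       ALLOW FWD   Anywhere on tap0           # Allow traffic from VPN to GOAD lab
Anywhere on tap0           ALLOW FWD   Anywhere on vboxnet0       # Allow traffic from GOAD lab to VPN
"""
# ufw prints the To (out) interface before the From (in) interface.
FWD_RULE = re.compile(r"^Anywhere(?: \(v6\))? on (\S+)\s+ALLOW FWD\s+Anywhere(?: \(v6\))? on (\S+)")


def parse_server_bridge(conf):
    """Return (gateway, network, pool_start, pool_end) from the server-bridge directive."""
    for line in conf.splitlines():
        parts = shlex.split(line.split("#", 1)[0])
        if parts and parts[0] == "server-bridge" and len(parts) == 5:
            net = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
            return (ipaddress.IPv4Address(parts[1]), net,
                    ipaddress.IPv4Address(parts[3]), ipaddress.IPv4Address(parts[4]))
    raise ValueError("no usable server-bridge directive")


def parse_ip_br_addr(text):
    """Map interface name -> list of ip_interface objects from 'ip -br addr' output."""
    addrs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            addrs[fields[0]] = [ipaddress.ip_interface(c) for c in fields[2:]]
    return addrs


def parse_ufw_forward_rules(status):
    """Return [(in_iface, out_iface), ...] for every ALLOW FWD line."""
    return [(m.group(2), m.group(1)) for m in map(FWD_RULE.match, status.splitlines()) if m]


def check_bridge_gateway(conf, addrs, bridge="br0"):
    """Clients get the server-bridge gateway as route-gateway, so it must be an
    address the bridge itself answers ARP for, and the pool must sit inside the subnet."""
    findings = []
    gw, net, start, end = parse_server_bridge(conf)
    v4 = [i for i in addrs.get(bridge, []) if i.version == 4]
    if not any(i.ip == gw for i in v4):
        have = ", ".join(map(str, v4)) or "no IPv4 address"
        findings.append(f"server-bridge gateway {gw} is not an address of {bridge} ({bridge} has "
                        f"{have}); routes pushed via {gw} are black-holed unless a bridge host answers ARP for it")
    if not (start in net and end in net and start <= end):
        findings.append(f"client pool {start}-{end} is not inside {net}")
    elif start <= gw <= end:
        findings.append(f"gateway {gw} lies inside the client pool {start}-{end}")
    return findings


def check_forward_rules(rules, ports, bridge_nf_call_iptables):
    """With br_netfilter and bridge-nf-call-iptables=1, bridged IPv4 frames traverse iptables
    FORWARD with in/out set to the bridge device, so '-i tap0 -o vboxnet0' never matches and
    ufw's 'deny (routed)' default drops them; with it off they bypass FORWARD entirely."""
    findings = []
    for in_if, out_if in rules:
        for bridge, members in ports.items():
            if {in_if, out_if} <= members:
                if bridge_nf_call_iptables:
                    findings.append(f"FWD in={in_if} out={out_if}: both are ports of {bridge}, which iptables "
                                    f"sees as in={bridge} out={bridge}; rule never matches. Match -i {bridge} "
                                    f"-o {bridge} (or -m physdev), or set net.bridge.bridge-nf-call-iptables=0")
                else:
                    findings.append(f"FWD in={in_if} out={out_if}: frames between ports of {bridge} are "
                                    f"switched in-kernel and never reach FORWARD; rule is inert")
    return findings


def run_preflight(bridge_nf_call_iptables=True):
    """Run every check against the inline sample inputs and return the findings."""
    addrs = parse_ip_br_addr(IP_BR_ADDR)
    rules = parse_ufw_forward_rules(UFW_STATUS)
    return (check_bridge_gateway(SERVER_CONF, addrs)
            + check_forward_rules(rules, BRIDGE_PORTS, bridge_nf_call_iptables))


if __name__ == "__main__":
    for flag in (True, False):
        print(f"bridge-nf-call-iptables={int(flag)}")
        for finding in run_preflight(flag):
            print("  -", finding)
```

To use it on the VPN server, substitute the real `ip -br addr`, `ufw status verbose` and `bridge link` output and read the flag from `/proc/sys/net/bridge/bridge-nf-call-iptables` (absent when br_netfilter is not loaded). Either finding leaves the client's packets without any reply, which is what nmap reports as `filtered` for every port above, so neither can be ruled out from the scan alone.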