Tunneling your way out of corporate networks PART2: OpenVPN

The next way to tunnel out of corporate networks (that have an auth proxy, blahblablah,…) is using a SSL VPN. Openvpn (http://openvpn.net/index.php/open-source.html) is a piece of software which is not too hard to configure and it also supports proxies out of the box. Ofcourse, it also has a client and a server side component and – because it uses SSL – you need certificates. So first of all, let's set up the certificates. We'll assume we are using our Backtrack box, somewhere on the Internet with a public IP. Luckily for us, we have OpenVPN installed by default on BT5. First, we generate the certificates of the CA (Certificate Authority) and then the ones of the server, the client and a diffie-hellman key to exchange a secret. Instead of just copy pasting how-to do this, I refer to http://openvpn.net/index.php/open-source/documentation/howto.html#pki After you generated all this stuff (let's assume we only generated 1 client and 1 server), we need the following on our server (let's put everything in the same directory): server.crt, server.key, dh1024.pem and ca.crt. Next, we create a server.conf like this:

 tls-server
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
 

A bunch of stuff is not required, but I found that these are the best options for me. In order to run the server and make sure that clients get internet access, we have to make sure that – in addition to the 'push' directive – we enable ip forwarding and create a NAT rule on our box (so our box acts as a gateway). In order to do so and to start the server as well, you can create a little bash script:

 #!/bin/bash
#setup forwarding and natting
#start openvpn server

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
openvpn --config /etc/openvpn/server.conf –daemon

If we run our script (making sure that our server.conf and all cert files are in /etc/openvpn), we should see our VPN listening on port 443:

root@bt:~# netstat -tpan | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1481/openvpn

Now to our client. There are several clients available for openvpn. Most of them let you import a config file which looks like this:

 client
dev tun
proto tcp
remote  443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
http-proxy  8080 stdin basic

Replace the SERVERIP and the PROXYIP with the IP of your server and your proxy. Make sure that the client certs and the ca cert are in the same dir (or that the path in the config file is correct). We assume here that we have a basic auth proxy and we will provide the credentials interactively when we start up the client. Basically, that's all. The nice thing is that now on our client all traffic will be routed through our tunnel, without needing any other configuration and it will work in usermode (not requiring admin access after the client is installed). Openvpn also supports NTLM proxy, although some people reported problems

LATEST BLOGPOST

The easy way to clone a website is by using wget and dumping the results in your apache vhost folder. However, it's sometimes useful to add your own scripts etc... in order to do the nasty stuff.... read more