Sec560A OpenVPN Instructions for Class VM

Conventions used


Installing OpenVPN on the Sec560A Class VM


The OpenVPN software is pre-installed on the Sec560A course VM.

Configuration for OpenVPN on the Sec560A Class VM


To configure OpenVPN, do the following:
  1. Log in to the Linux host by double-clicking on the student username and entering the password:

    !linuxpw!

  2. Double click on the Terminal icon on the desktop

  3. First, we are going to change the student user's password. To do so, type:

    [student@linux ~]$ passwd

    When prompted, enter the current password for student, !linuxpw! (it will not display as you type),
    then enter the new password twice (it also will not display as you type). If successful, you will see:

    [student@linux ~]$ passwd
    Changing password for user student.
    Changing password for student.
    (current) UNIX password:
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.


    Remember this password; you will need it going forward.

  4. In the Terminal window, type:

    [student@linux ~]$ su -

  5. When prompted, enter the root user's password, !templinpw!. If successful, you'll see the prompt change to

    [root@linux ~]#

  6. Now, we are going to change the root user's password. To do so, type:

    [root@linux ~]# passwd

    When prompted, enter the new password twice (it will not display as you type). If successful, you will see:

    [root@linux ~]# passwd
    Changing password for user root.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.


    Remember this password; you will need it going forward.

  7. Type the following command:

    [root@linux ~]# openvpn --version

    If the command works, you should see output similar to:

    [root@linux ~]# openvpn --version
    OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] [PKCS11] built on Mar 9 2009
    Developed by James Yonan
    Copyright (C) 2002-2008 Telethra, Inc.

  8. Type the following command:

    [root@linux ~]# ifconfig eth0

    If the command works, you should see output similar to:

    [root@linux ~]# ifconfig eth0
    eth0 Link encap:Ethernet HWaddr 00:0C:29:63:9C:DE
    inet addr:10.10.75.1 Bcast:10.10.255.255 Mask:255.255.0.0
    inet6 addr: fe80::20c:29ff:fe63:9cde/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:11 errors:0 dropped:0 overruns:0 frame:0
    TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1253 (12.0 KiB) TX bytes:816 (9.0 KiB)
    Interrupt:19 Base address:0x2000


  9. Type the following command:

    [root@linux ~]# dhclient eth0 && ifconfig eth0

    If the command works, you should see output similar to:

    [root@linux ~]# dhclient eth0 && ifconfig eth0
    eth0 Link encap:Ethernet HWaddr 00:0C:29:63:9C:DE
    inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::20c:29ff:fe63:9cde/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:231 errors:0 dropped:0 overruns:0 frame:0
    TX packets:131 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:24080 (23.5 KiB) TX bytes:16956 (16.5 KiB)
    Interrupt:19 Base address:0x2000


    Verify that the "inet addr:" line lists an IP address, Broadcast and Netmask that match the network (home, work, or internet cafe) to which your class system is connected.

    The rest of these instructions use the following values as an example:

    IP: 192.168.1.100
    Broadcast: 192.168.1.255
    Netmask: 255.255.255.0

  10. Now, type the following command:

    [root@linux ~]# gedit /etc/nsswitch.conf

    If the command works, a gedit window opens showing the file.


    Scroll down to the lines that say:

    #Add dns to the end of the following line to enable DNS -Ed
    hosts: files


    Change the line to read:

    hosts: files dns

    Click on Save, and then exit the program.

  11. Next, type the following:

    [root@linux ~]# ping -c 3 www.google.com

    If the command works, you should see output similar to:

    [root@linux ~]# ping -c 3 www.google.com
    PING www.l.google.com (74.125.19.99) 56(84) bytes of data.
    64 bytes from nuq04s01-in-f99.1e100.net (74.125.19.99): icmp_seq=1 ttl=54 time=100 ms
    64 bytes from nuq04s01-in-f99.1e100.net (74.125.19.99): icmp_seq=2 ttl=54 time=67.1 ms
    64 bytes from nuq04s01-in-f99.1e100.net (74.125.19.99): icmp_seq=3 ttl=54 time=67.4 ms

    --- www.l.google.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2069ms
    rtt min/avg/max/mdev = 67.157/78.498/100.899/15.841 ms


  12. From within the Linux VM, launch Firefox and download your user-specific OpenVPN configuration file. The URL is provided in the email you received with the subject "SEC560A Virtual Lab Access", in the "User Authentication" section of the message. Make sure to right-click on the link and select "Save Link As ...". By default, Firefox will prompt you to save the files in /home/student/Download.

  13. Switch back to your Terminal window, and type the following command:

    [root@linux ~]# cd /home/student/Downloads

  14. Type the following command:

    [root@linux Download]# ls -l

    You should see output similar to:

    [root@linux Download]# cd /home/student/Downloads
    [root@linux Download]# ls -l
    total 12
    -rw-rw-r-- 1 student student 3564 2010-12-09 20:43 sec560a-XXXXX-YYYYYY.ovpn

    where XXXXX is your event ID and YYYYYY is your SD number for your SANS portal account.

  15. Next, type the following command:

    [root@linux Download]# mv sec560a-XXXXX-YYYYYY.ovpn /etc/openvpn

    You should see output similar to:

    [root@linux Download]# mv sec560a-XXXXX-YYYYYY.ovpn /etc/openvpn

  16. In the Terminal window, run the command:

    [root@linux Download]# openvpn --config /etc/openvpn/sec560a-XXXXX-YYYYYY.ovpn

    When prompted, enter the password

    VpnPassword

    The password will not display when typed.

    If the password is entered correctly, you should see output similar to:

    [root@linux Download]# openvpn --config /etc/openvpn/sec560a-XXXXX-YYYYYY.ovpn
    Thu Dec 9 22:26:12 2010 OpenVPN 2.1_rc15 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 30 2008
    Thu Dec 9 22:26:12 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Thu Dec 9 22:26:12 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Enter Private Key Password:
    Thu Dec 9 22:26:17 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Thu Dec 9 22:26:17 2010 WARNING: file 'sec560a-XXXXX-YYYYYY.key' is group or others accessible
    Thu Dec 9 22:26:18 2010 LZO compression initialized
    Thu Dec 9 22:26:18 2010 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Thu Dec 9 22:26:18 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Thu Dec 9 22:26:18 2010 Local Options hash (VER=V4): 'd79ca330'
    Thu Dec 9 22:26:18 2010 Expected Remote Options hash (VER=V4): 'f7df56b8'
    Thu Dec 9 22:26:18 2010 Socket Buffers: R=[112640->131072] S=[112640->131072]
    Thu Dec 9 22:26:18 2010 UDPv4 link local: [undef]
    Thu Dec 9 22:26:18 2010 UDPv4 link remote: 66.35.59.34:1194
    Thu Dec 9 22:26:18 2010 TLS: Initial packet from 66.35.59.34:1194, sid=174d8e58 7b9b5177
    Thu Dec 9 22:26:18 2010 VERIFY OK: depth=1, /C=US/ST=Maryland/L=Bethesda/O=SANS/OU=SEC560A_LAB/CN=lab-sec560a/emailAddress=noc@sans.org
    Thu Dec 9 22:26:18 2010 VERIFY OK: depth=0, /C=US/ST=Maryland/O=SANS/OU=SEC560A_LAB/CN=lab-sec560a/emailAddress=noc@sans.org
    Thu Dec 9 22:26:19 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Dec 9 22:26:19 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Dec 9 22:26:19 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Dec 9 22:26:19 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Dec 9 22:26:19 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Thu Dec 9 22:26:19 2010 [lab-sec560a] Peer Connection Initiated with 66.35.59.34:1194
    Thu Dec 9 22:26:20 2010 SENT CONTROL [lab-sec560a]: 'PUSH_REQUEST' (status=1)
    Thu Dec 9 22:26:20 2010 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.10.60,dhcp-option DOMAIN target.tgt,route-gateway 10.10.0.1,ping 10,ping-restart 120,ifconfig 10.10.75.1 255.255.0.0'
    Thu Dec 9 22:26:20 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Dec 9 22:26:20 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Dec 9 22:26:20 2010 OPTIONS IMPORT: route-related options modified
    Thu Dec 9 22:26:20 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Thu Dec 9 22:26:20 2010 TUN/TAP device tap0 opened
    Thu Dec 9 22:26:20 2010 TUN/TAP TX queue length set to 100
    Thu Dec 9 22:26:20 2010 /sbin/ip link set dev tap0 up mtu 1500
    Thu Dec 9 22:26:21 2010 /sbin/ip addr add dev tap0 10.10.75.1/16 broadcast 10.10.255.255
    Thu Dec 9 22:26:21 2010 Initialization Sequence Completed

  17. Open another Terminal window, and type the command

    [root@linux ~]# ping -c 3 10.10.10.60

    If you see output similar to:

    [root@linux ~]# ping -c 3 10.10.10.60
    PING 10.10.10.60 (10.10.10.60) 56(84) bytes of data.
    64 bytes from 10.10.10.60: icmp_seq=1 ttl=64 time=177 ms
    64 bytes from 10.10.10.60: icmp_seq=2 ttl=64 time=178 ms
    64 bytes from 10.10.10.60: icmp_seq=3 ttl=64 time=180 ms

    --- 10.10.10.60 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2183ms
    rtt min/avg/max/mdev = 177.641/178.822/180.520/1.323 ms


    Congratulations, you have successfully configured the VPN and connected to the lab network, and can now do the exercises.

    NOTE: Leave this Terminal window alone while working on the exercises.

Reconnecting to OpenVPN on the Sec560A Class VM


Follow these steps only after completing the steps in "Configuration for OpenVPN on the Sec560A Class VM" above.

  1. Log in to the Linux host as student.
  2. Double click on the Terminal icon on the desktop

  3. In the Terminal window, type:

    [student@linux ~]$ su -

  4. When prompted, enter the root user's password. If successful, you'll see the prompt change to

    [root@linux ~]#

  5. Type the following command:

    [root@linux ~]# ifconfig eth0

    If the command works, you should see output similar to:

    [root@linux ~]# ifconfig eth0
    eth0 Link encap:Ethernet HWaddr 00:0C:29:63:9C:DE
    inet addr:10.10.75.1 Bcast:10.10.255.255 Mask:255.255.0.0
    inet6 addr: fe80::20c:29ff:fe63:9cde/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:11 errors:0 dropped:0 overruns:0 frame:0
    TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1253 (12.0 KiB) TX bytes:816 (9.0 KiB)
    Interrupt:19 Base address:0x2000


  6. Type the following command:

    [root@linux ~]# dhclient eth0 && ifconfig eth0

    If the command works, you should see output similar to:

    [root@linux ~]# dhclient eth0 && ifconfig eth0
    eth0 Link encap:Ethernet HWaddr 00:0C:29:63:9C:DE
    inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::20c:29ff:fe63:9cde/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:231 errors:0 dropped:0 overruns:0 frame:0
    TX packets:131 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:24080 (23.5 KiB) TX bytes:16956 (16.5 KiB)
    Interrupt:19 Base address:0x2000


    Verify that the "inet addr:" line lists an IP address, Broadcast and Netmask that match the network (home, work, or internet cafe) to which your class system is connected.

    The rest of these instructions use the following values as an example:

    IP: 192.168.1.100
    Broadcast: 192.168.1.255
    Netmask: 255.255.255.0

  7. In the Terminal window, run the command:

    [root@linux Download]# openvpn --config /etc/openvpn/sec560a-XXXXX-YYYYYY.ovpn

    When prompted, enter the password

    VpnPassword

    The password will not display when typed.

    If the password is entered correctly, you should see output similar to:

    [root@linux Download]# openvpn --config /etc/openvpn/sec560a-XXXXX-YYYYYY.ovpn
    Thu Dec 9 22:26:12 2010 OpenVPN 2.1_rc15 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 30 2008
    Thu Dec 9 22:26:12 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Thu Dec 9 22:26:12 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Enter Private Key Password:
    Thu Dec 9 22:26:17 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Thu Dec 9 22:26:17 2010 WARNING: file 'sec560a-XXXXX-YYYYYY.key' is group or others accessible
    Thu Dec 9 22:26:18 2010 LZO compression initialized
    Thu Dec 9 22:26:18 2010 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Thu Dec 9 22:26:18 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Thu Dec 9 22:26:18 2010 Local Options hash (VER=V4): 'd79ca330'
    Thu Dec 9 22:26:18 2010 Expected Remote Options hash (VER=V4): 'f7df56b8'
    Thu Dec 9 22:26:18 2010 Socket Buffers: R=[112640->131072] S=[112640->131072]
    Thu Dec 9 22:26:18 2010 UDPv4 link local: [undef]
    Thu Dec 9 22:26:18 2010 UDPv4 link remote: 66.35.59.34:1194
    Thu Dec 9 22:26:18 2010 TLS: Initial packet from 66.35.59.34:1194, sid=174d8e58 7b9b5177
    Thu Dec 9 22:26:18 2010 VERIFY OK: depth=1, /C=US/ST=Maryland/L=Bethesda/O=SANS/OU=SEC560A_LAB/CN=lab-sec560a/emailAddress=noc@sans.org
    Thu Dec 9 22:26:18 2010 VERIFY OK: depth=0, /C=US/ST=Maryland/O=SANS/OU=SEC560A_LAB/CN=lab-sec560a/emailAddress=noc@sans.org
    Thu Dec 9 22:26:19 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Dec 9 22:26:19 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Dec 9 22:26:19 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Dec 9 22:26:19 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Dec 9 22:26:19 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Thu Dec 9 22:26:19 2010 [lab-sec560a] Peer Connection Initiated with 66.35.59.34:1194
    Thu Dec 9 22:26:20 2010 SENT CONTROL [lab-sec560a]: 'PUSH_REQUEST' (status=1)
    Thu Dec 9 22:26:20 2010 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.10.60,dhcp-option DOMAIN target.tgt,route-gateway 10.10.0.1,ping 10,ping-restart 120,ifconfig 10.10.75.1 255.255.0.0'
    Thu Dec 9 22:26:20 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Dec 9 22:26:20 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Dec 9 22:26:20 2010 OPTIONS IMPORT: route-related options modified
    Thu Dec 9 22:26:20 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Thu Dec 9 22:26:20 2010 TUN/TAP device tap0 opened
    Thu Dec 9 22:26:20 2010 TUN/TAP TX queue length set to 100
    Thu Dec 9 22:26:20 2010 /sbin/ip link set dev tap0 up mtu 1500
    Thu Dec 9 22:26:21 2010 /sbin/ip addr add dev tap0 10.10.75.1/16 broadcast 10.10.255.255
    Thu Dec 9 22:26:21 2010 Initialization Sequence Completed

  8. Open another Terminal window, and type the command

    [root@linux ~]# ping -c 3 10.10.10.60

    If you see output similar to:

    [root@linux ~]# ping -c 3 10.10.10.60
    PING 10.10.10.60 (10.10.10.60) 56(84) bytes of data.
    64 bytes from 10.10.10.60: icmp_seq=1 ttl=64 time=177 ms
    64 bytes from 10.10.10.60: icmp_seq=2 ttl=64 time=178 ms
    64 bytes from 10.10.10.60: icmp_seq=3 ttl=64 time=180 ms

    --- 10.10.10.60 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2183ms
    rtt min/avg/max/mdev = 177.641/178.822/180.520/1.323 ms


    Congratulations, you have successfully configured the VPN and connected to the lab network, and can now do the exercises.

    NOTE: Leave this Terminal window alone while working on the exercises.
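
The connection output in step 16 of the configuration section and step 7 of this section contains several WARNING and crypto-parameter lines that are easy to scroll past. The script below is an added example, not part of the course material: the function names, finding IDs and suggested fixes are this example's own assumptions, and the sample log is constructed from lines shown on this page.

```shell
#!/bin/sh
# Added example, not part of the course material: flag the security-relevant
# lines in an OpenVPN client log and print a suggested fix for each.

# Constructed sample: lines copied from the connection output shown above.
sample_log() {
    cat <<'EOF'
Thu Dec 9 22:26:12 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Dec 9 22:26:17 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 9 22:26:17 2010 WARNING: file 'sec560a-XXXXX-YYYYYY.key' is group or others accessible
Thu Dec 9 22:26:19 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec 9 22:26:19 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec 9 22:26:19 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Dec 9 22:26:21 2010 Initialization Sequence Completed
EOF
}

# audit_openvpn_log: reads a log on stdin, writes "ID|evidence|fix" lines.
# A finding is reported once even if the log repeats it (e.g. on reconnect).
audit_openvpn_log() {
    seen=""
    while IFS= read -r line; do
        id=""
        case "$line" in
        *"No server certificate verification method"*)
            id=NO_SERVER_CERT_CHECK
            fix="add 'remote-cert-tls server' to the client profile" ;;
        *"may cache passwords in memory"*)
            id=PASSWORD_CACHED
            fix="add 'auth-nocache' to the client profile" ;;
        *"is group or others accessible"*)
            id=KEY_FILE_PERMS
            fix="chmod 600 the named file so only its owner can read it" ;;
        *"Cipher 'BF-CBC'"*)
            id=WEAK_DATA_CIPHER
            fix="Blowfish has a 64-bit block; set an AES cipher on server and client" ;;
        *"Control Channel:"*"1024 bit RSA"*)
            id=SHORT_RSA_KEY
            fix="reissue the server certificate with a key of 2048 bits or more" ;;
        esac
        [ -n "$id" ] || continue
        case " $seen " in *" $id "*) continue ;; esac
        seen="$seen $id"
        # Strip the leading "Thu Dec 9 22:26:12 2010 " timestamp.
        evidence=$(printf '%s\n' "$line" |
            sed 's/^.*[0-9][0-9]:[0-9][0-9]:[0-9][0-9] [0-9][0-9][0-9][0-9] //')
        printf '%s|%s|%s\n' "$id" "$evidence" "$fix"
    done
    return 0
}

sample_log | audit_openvpn_log
```

The first three findings can be fixed on the client; the cipher and RSA key size are set by the lab's VPN server, so they can only be changed by whoever operates it.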

Disconnecting OpenVPN on the Sec560A Class VM


  1. Bring the original Terminal window where you started OpenVPN back up.

  2. Within that window, hit Ctrl-C (press and hold Ctrl and then hit the c key). You should see output similar to:

    Wed Nov 10 22:52:29 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Nov 10 22:52:29 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Nov 10 22:52:29 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    ^CWed Nov 10 23:21:16 2010 event_wait : Interrupted system call (code=4)
    Wed Nov 10 23:21:16 2010 TCP/UDP: Closing socket
    Wed Nov 10 23:21:16 2010 Closing TUN/TAP interface
    Wed Nov 10 23:21:16 2010 /sbin/ifconfig tap0 0.0.0.0
    Wed Nov 10 23:21:16 2010 SIGINT[hard,] received, process exiting
    [root@linux Download]#

    If so, then the VPN is disconnected.