SANS SEC573A Virtual Lab Access Information

Installing OpenVPN on the Xubuntu Course VM


To install and configure OpenVPN, do the following:
  1. Log in to the Xubuntu Linux host:
    username: student 
    password: student
    
  2. Click on the Terminal icon on the desktop

  3. In the Terminal window, type:
    student@sec573:~/Documents/pythonclass$ sudo su -
  4. When prompted, enter the student user's password (hint: student). If successful, you'll see the prompt change to
    root@573:~#
  5. Type the following command:
    root@573:~# echo "deb http://archive.ubuntu.com/ubuntu xenial main universe" >> /etc/apt/sources.list
  6. Type the following command:
    root@573:~# apt-get update
    You should see output similar to:
    root@573:~# apt-get update
    Get:1 http://archive.ubuntu.com/ubuntu xenial InRelease [247 kB]
    Get:2 http://archive.ubuntu.com/ubuntu xenial/main i386 Packages [1,196 kB]
    Get:3 http://archive.ubuntu.com/ubuntu xenial/main Translation-en [568 kB]
    Get:4 http://archive.ubuntu.com/ubuntu xenial/main i386 DEP-11 Metadata [733 kB]
    Get:5 http://archive.ubuntu.com/ubuntu xenial/main DEP-11 64x64 Icons [409 kB]
    Get:6 http://archive.ubuntu.com/ubuntu xenial/universe i386 Packages [7,512 kB]
    Get:7 http://archive.ubuntu.com/ubuntu xenial/universe Translation-en [4,354 kB]
    Get:8 http://archive.ubuntu.com/ubuntu xenial/universe i386 DEP-11 Metadata [3,407 kB]
    Get:9 http://archive.ubuntu.com/ubuntu xenial/universe DEP-11 64x64 Icons [7,448 kB]
    Fetched 25.9 MB in 9s (2,704 kB/s)                                            
    Reading package lists... Done
    root@573:~# 
    
  7. To install the OpenVPN software, type:
    root@573:~# apt-get -y install openvpn
    You will see output similar to:
    root@573:~# apt-get install -y openvpn
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      dkms libdumbnet1 libgtkmm-2.4-1v5 open-vm-tools-dkms zerofree
    Use 'apt autoremove' to remove them.
    The following additional packages will be installed:
      libpkcs11-helper1
    Suggested packages:
      easy-rsa
    The following NEW packages will be installed:
      libpkcs11-helper1 openvpn
    0 upgraded, 2 newly installed, 0 to remove and 3 not upgraded.
    Need to get 494 kB of archives.
    After this operation, 1,317 kB of additional disk space will be used.
    Get:1 http://archive.ubuntu.com/ubuntu xenial/main i386 libpkcs11-helper1 i386 1.11-5 [47.2 kB]
    Get:2 http://archive.ubuntu.com/ubuntu xenial/main i386 openvpn i386 2.3.10-1ubuntu2 [447 kB]
    Fetched 494 kB in 1s (306 kB/s)  
    Preconfiguring packages ...
    Selecting previously unselected package libpkcs11-helper1:i386.
    (Reading database ... 217702 files and directories currently installed.)
    Preparing to unpack .../libpkcs11-helper1_1.11-5_i386.deb ...
    Unpacking libpkcs11-helper1:i386 (1.11-5) ...
    Selecting previously unselected package openvpn.
    Preparing to unpack .../openvpn_2.3.10-1ubuntu2_i386.deb ...
    Unpacking openvpn (2.3.10-1ubuntu2) ...
    Processing triggers for libc-bin (2.23-0ubuntu3) ...
    Processing triggers for man-db (2.7.5-1) ...
    Processing triggers for systemd (229-4ubuntu7) ...
    Processing triggers for ureadahead (0.100.0-19) ...
    Setting up libpkcs11-helper1:i386 (1.11-5) ...
    Setting up openvpn (2.3.10-1ubuntu2) ...
     * Restarting virtual private network daemon(s)...                              *   No VPN is running.
    Processing triggers for libc-bin (2.23-0ubuntu3) ...
    Processing triggers for systemd (229-4ubuntu7) ...
    Processing triggers for ureadahead (0.100.0-19) ...
    root@573:~# 
    

  8. Type the following command:
    root@573:~# openvpn --version
    If the command works, you should see output similar to:
    root@573:~# openvpn --version
    OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
    library versions: OpenSSL 1.0.2g-fips  1 Mar 2016, LZO 2.08
    Originally developed by James Yonan
    Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 
    Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no
    root@573:~# 
    
  9. From within the Xubuntu VM, launch Firefox and download your user specific OpenVPN configuration file (unique link provided via email). Go to the URL provided in the email you received that had the subject "SEC573A Virtual Lab Access". The URL is in the "User Authentication" section of the message. Save the file in /home/student/Downloads.

  10. Switch back to your Terminal window, and type the following command:
    root@573:~# cd /home/student/Downloads
  11. Type the following command:
    root@573:/home/student/Downloads# ls -l *.ovpn
    You should see output similar to:
    root@573:/home/student/Downloads# ls -l *.ovpn
    -rw-r--r-- 1 student student 6100 Aug 17 15:30 sec573a-XXXXX-YYYYYY.ovpn
    
    where XXXXX is your event-id and YYYYYY is your SD number for your SANS portal account.

  12. Type the following command:
    root@573:/home/student/Downloads# mv sec573a<tab> /etc/openvpn/.
    You should see output similar to:
    root@573:/home/student/Downloads# mv sec573a-XXXXX-YYYYYY.ovpn /etc/openvpn/.
    root@573:/home/student/Downloads#
    

Starting OpenVPN on the Xubuntu Course VM


  1. If you do not currently have a root-level Terminal window open, bring up a new Terminal window and in the Terminal window, type:
    student@573:~/Documents/pythonclass$ sudo su -
  2. In the root-level Terminal window, run the command:
    root@573:~# openvpn --config /etc/openvpn/sec573a<tab>
    When prompted, enter the password
    VpnPassword
    If the password is entered correctly, you should see output similar to:
    root@573:~# openvpn --config /etc/openvpn/sec573a-XXXXX-YYYYYY.ovpn 
    Thu Aug 17 10:35:44 2017 OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
    Thu Aug 17 10:35:44 2017 library versions: OpenSSL 1.0.2g-fips  1 Mar 2016, LZO 2.08
    Thu Aug 17 10:35:44 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Enter Private Key Password: ***********
    Thu Aug 17 10:35:48 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Thu Aug 17 10:35:48 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
    Thu Aug 17 10:35:48 2017 UDPv4 link local: [undef]
    Thu Aug 17 10:35:48 2017 UDPv4 link remote: [AF_INET]10.2.14.56:1194
    Thu Aug 17 10:35:48 2017 TLS: Initial packet from [AF_INET]10.2.14.56:1194, sid=4090fef3 6dc4a8a9
    Thu Aug 17 10:35:48 2017 VERIFY OK: depth=1, C=US, ST=Maryland, L=Bethesda, O=SANS, OU=SEC573A LAB, CN=vpn-sec573a, emailAddress=noc@sans.org
    Thu Aug 17 10:35:48 2017 VERIFY OK: depth=0, C=US, ST=Maryland, O=SANS, OU=SEC573A LAB, CN=vpn-sec573a, emailAddress=noc@sans.org
    Thu Aug 17 10:35:48 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Aug 17 10:35:48 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Aug 17 10:35:48 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Aug 17 10:35:48 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Aug 17 10:35:48 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
    Thu Aug 17 10:35:48 2017 [vpn-sec573a] Peer Connection Initiated with [AF_INET]10.2.14.56:1194
    Thu Aug 17 10:35:50 2017 SENT CONTROL [vpn-sec573a]: 'PUSH_REQUEST' (status=1)
    Thu Aug 17 10:35:50 2017 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.0.1,ping 10,ping-restart 120,ifconfig 10.10.76.1 255.255.0.0,peer-id 0'
    Thu Aug 17 10:35:50 2017 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Aug 17 10:35:50 2017 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Aug 17 10:35:50 2017 OPTIONS IMPORT: route-related options modified
    Thu Aug 17 10:35:50 2017 OPTIONS IMPORT: peer-id set
    Thu Aug 17 10:35:50 2017 OPTIONS IMPORT: adjusting link_mtu to 1577
    Thu Aug 17 10:35:50 2017 TUN/TAP device tap0 opened
    Thu Aug 17 10:35:50 2017 TUN/TAP TX queue length set to 100
    Thu Aug 17 10:35:50 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Thu Aug 17 10:35:50 2017 /sbin/ip link set dev tap0 up mtu 1500
    Thu Aug 17 10:35:50 2017 /sbin/ip addr add dev tap0 10.10.76.1/16 broadcast 10.10.255.255
    Thu Aug 17 10:35:52 2017 Initialization Sequence Completed
    
  3. Open another Terminal window, and type the command
    student@573:~/Documents/pythonclass$ ping -c 3 10.10.10.10
    If you see output similar to:
    student@573:~/Documents/pythonclass$ ping -c 3 10.10.10.10
    PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
    64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=192 ms
    64 bytes from 10.10.10.10: icmp_seq=3 ttl=64 time=100 ms
    
    --- 10.10.10.10 ping statistics ---
    3 packets transmitted, 2 received, 33% packet loss, time 2012ms
    rtt min/avg/max/mdev = 100.147/146.405/192.663/46.258 ms
    student@573:~/Documents/pythonclass$ 
    
    then congratulations, you have successfully configured the VPN and connected to the lab network, and can now do the Day 1-5 exercises.

  4. Leave OpenVPN running in the Terminal window until you no longer need the active OpenVPN connection.
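
The connection log in step 2 prints two WARNING lines (no server certificate verification method, passwords possibly cached in memory). The script below is an added example, not part of the course material: it checks a client profile for the OpenVPN directives that address those warnings, and for a world-readable file mode like the one in the ls -l output above. The function names, finding labels and sample profile are constructed for illustration, and the script assumes the private key is stored inline in the profile.

```bash
#!/bin/bash
# Added example, not course material. Audits an OpenVPN client profile for
# the two WARNING lines in the connection log. Directive names are real
# OpenVPN options; the sample profile at the bottom is constructed.

# True if the directive starts a non-comment line of the profile.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Prints one finding per line; returns non-zero if anything was found.
audit_ovpn() {
    local cfg="$1" d verified=no findings=0
    # Any of these enables a server certificate check and silences
    # "No server certificate verification method has been enabled".
    for d in remote-cert-tls remote-cert-eku verify-x509-name \
             ns-cert-type tls-verify; do
        if has_directive "$cfg" "$d"; then verified=yes; fi
    done
    if [ "$verified" = no ]; then
        echo "no-server-cert-verification"
        findings=$((findings + 1))
    fi
    # Answers "this configuration may cache passwords in memory".
    if ! has_directive "$cfg" auth-nocache; then
        echo "missing-auth-nocache"
        findings=$((findings + 1))
    fi
    # Assumption: the private key is inline (<key> block). Such a profile
    # should not stay world-readable after the mv into /etc/openvpn.
    if has_directive "$cfg" '<key>' && [ -n "$(find "$cfg" -perm -o=r)" ]; then
        echo "world-readable-inline-key"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: endpoint and tap device taken from the log above.
sample=$(mktemp)
printf '%s\n' 'client' 'dev tap' 'proto udp' 'remote 10.2.14.56 1194' \
    '# remote-cert-tls server' '<key>' '</key>' > "$sample"
chmod 644 "$sample"
audit_ovpn "$sample" || echo "findings listed above"
rm -f "$sample"
```

To audit your own profile, call audit_ovpn with the path of the .ovpn file you moved into /etc/openvpn.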

Stopping OpenVPN on the Xubuntu Course VM

  1. Bring the original Terminal window where you started OpenVPN back up.
  2. Within that window, hit Ctrl-C (press and hold Ctrl and then hit the c key). You should see output similar to:
     
    Thu Aug 17 10:35:52 2017 Initialization Sequence Completed
    ^CThu Aug 17 10:40:10 2017 event_wait : Interrupted system call (code=4)
    Thu Aug 17 10:40:10 2017 Closing TUN/TAP interface
    Thu Aug 17 10:40:10 2017 /sbin/ip addr del dev tap0 10.10.76.1/16
    Thu Aug 17 10:40:10 2017 SIGINT[hard,] received, process exiting
    root@573:~# 
    
    If so, then the VPN is disconnected.

Common Configuration Issues

For a list of common configuration issues that we have seen, please refer to Common Configuration Issues