Sec580 OpenVPN Instructions for Class VM

Conventions used


Installing OpenVPN on the Sec580 Class VM


Configuration for OpenVPN on the Sec580 Class VM


To configure OpenVPN, do the following:
  1. Log in to the Linux host by double-clicking on the sec580 username and entering the password:

    sec580

  2. Double-click on the Terminal icon on the desktop.

  3. First, we are going to change the sec580 user's password. To do so, type:

    sec580@slingshot:~$ passwd

    When prompted, enter the current password for the sec580 account, sec580 (it will not display as you type),
    then enter the new password twice (it also will not display as you type). If successful, you will see:

    sec580@slingshot:~$ passwd
    Changing password for user sec580.
    Changing password for sec580.
    (current) UNIX password:
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.


    Please remember this password going forward.

  4. In the Terminal window, type:

    sec580@slingshot:~$ su -

  5. When prompted, enter the root user's password, root. If successful, you'll see the prompt change to

    root@slingshot:~#

  6. Now, we are going to change the root user's password. To do so, type:

    root@slingshot:~# passwd

    When prompted, enter the new password twice (it will not display as you type). If successful, you will see:

    root@slingshot:~# passwd
    Changing password for user root.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.


    Please remember this password going forward.

  7. Type the following command:

    root@slingshot:~# openvpn --version

    If the command works, you should see output similar to:

    root@slingshot:~# openvpn --version
    OpenVPN 2.3.4 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 1 2014

    library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08

    Originally developed by James Yonan

    Copyright (C) 2002-2010 OpenVPN Technologies, Inc.

    Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no

  8. Type the following command:

    root@slingshot:~# ifconfig eth0

    If the command works, you should see output similar to:

    root@slingshot:~# ifconfig eth0
    eth0 Link encap:Ethernet HWaddr 00:0C:29:63:9C:DE
    inet addr:10.10.75.1 Bcast:10.10.255.255 Mask:255.255.0.0
    inet6 addr: fe80::20c:29ff:fe63:9cde/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:11 errors:0 dropped:0 overruns:0 frame:0
    TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1253 (12.0 KiB) TX bytes:816 (9.0 KiB)
    Interrupt:19 Base address:0x2000


  9. Next, type the following:

    root@slingshot:~# ping -c 3 www.google.com

    If the command works, you should see output similar to:

    root@slingshot:~# ping -c 3 www.google.com
    PING www.google.com (74.125.19.99) 56(84) bytes of data.
    64 bytes from www.google.com (74.125.19.99): icmp_seq=1 ttl=54 time=100 ms
    64 bytes from www.google.com (74.125.19.99): icmp_seq=2 ttl=54 time=67.1 ms
    64 bytes from www.google.com (74.125.19.99): icmp_seq=3 ttl=54 time=67.4 ms

    --- www.google.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2069ms
    rtt min/avg/max/mdev = 67.157/78.498/100.899/15.841 ms


  10. From within the Linux VM, launch Firefox and download your user specific OpenVPN configuration file. The URL is provided in the email you received that had the subject "SEC580 Virtual Lab Access". The URL is in the "User Authentication" section of the message. Make sure to right click on the link and select "Save Link As ...". By default, Firefox will prompt you to save the files in /home/sec580/Downloads.

  11. Switch back to your Terminal window, and type the following command:

    root@slingshot:~# cd /home/sec580/Downloads

  12. Type the following command:

    root@slingshot:/home/sec580/Downloads# ls -l

    You should see output similar to:

    root@slingshot:~# cd /home/sec580/Downloads
    root@slingshot:/home/sec580/Downloads# ls -l
    total 12
    -rw-rw-r-- 1 sec580 sec580 3564 2015-12-09 20:43 sec580-XXXXX-YYYYYY.ovpn

    where XXXXX is your event ID and YYYYYY is your SD number for your SANS portal account.

  13. Next, type the following command:

    root@slingshot:/home/sec580/Downloads# mv sec580-XXXXX-YYYYYY.ovpn /etc/openvpn


  14. In the Terminal window, run the command:

    root@slingshot:/home/sec580/Downloads# openvpn --config /etc/openvpn/sec580-XXXXX-YYYYYY.ovpn

    When prompted, enter the password

    VpnPassword

    The password will not display when typed.

    If the password is entered correctly, you should see output similar to:

    root@slingshot:/home/sec580/Downloads# openvpn --config /etc/openvpn/sec580-XXXXX-YYYYYY.ovpn
    Wed Dec 9 22:26:12 2015 OpenVPN 2.1_rc15 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 30 2008
    Wed Dec 9 22:26:12 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Wed Dec 9 22:26:12 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Enter Private Key Password:
    Wed Dec 9 22:26:17 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Dec 9 22:26:17 2015 WARNING: file 'sec580-XXXXX-YYYYYY.key' is group or others accessible
    Wed Dec 9 22:26:18 2015 LZO compression initialized
    Wed Dec 9 22:26:18 2015 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Dec 9 22:26:18 2015 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Wed Dec 9 22:26:18 2015 Local Options hash (VER=V4): 'd79ca330'
    Wed Dec 9 22:26:18 2015 Expected Remote Options hash (VER=V4): 'f7df56b8'
    Wed Dec 9 22:26:18 2015 Socket Buffers: R=[112640->131072] S=[112640->131072]
    Wed Dec 9 22:26:18 2015 UDPv4 link local: [undef]
    Wed Dec 9 22:26:18 2015 UDPv4 link remote: 66.35.59.122:1194
    Wed Dec 9 22:26:18 2015 TLS: Initial packet from 66.35.59.122:1194, sid=174d8e58 7b9b5177
    Wed Dec 9 22:26:18 2015 VERIFY OK: depth=1, /C=US/ST=Maryland/L=Bethesda/O=SANS/OU=SEC580_LAB/CN=lab-sec580/emailAddress=noc@sans.org
    Wed Dec 9 22:26:18 2015 VERIFY OK: depth=0, /C=US/ST=Maryland/O=SANS/OU=SEC580_LAB/CN=lab-sec580/emailAddress=noc@sans.org
    Wed Dec 9 22:26:19 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Dec 9 22:26:19 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Dec 9 22:26:19 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Dec 9 22:26:19 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Dec 9 22:26:19 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Wed Dec 9 22:26:19 2015 [lab-sec580] Peer Connection Initiated with 66.35.59.122:1194
    Wed Dec 9 22:26:20 2015 SENT CONTROL [lab-sec580]: 'PUSH_REQUEST' (status=1)
    Wed Dec 9 22:26:20 2015 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.10.45,dhcp-option DOMAIN target.tgt,route-gateway 10.10.0.1,ping 10,ping-restart 120,ifconfig 10.10.75.1 255.255.0.0'
    Wed Dec 9 22:26:20 2015 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Dec 9 22:26:20 2015 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Dec 9 22:26:20 2015 OPTIONS IMPORT: route-related options modified
    Wed Dec 9 22:26:20 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Dec 9 22:26:20 2015 TUN/TAP device tap0 opened
    Wed Dec 9 22:26:20 2015 TUN/TAP TX queue length set to 100
    Wed Dec 9 22:26:20 2015 /sbin/ip link set dev tap0 up mtu 1500
    Wed Dec 9 22:26:21 2015 /sbin/ip addr add dev tap0 10.10.75.1/16 broadcast 10.10.255.255
    Wed Dec 9 22:26:21 2015 Initialization Sequence Completed

  15. Open another Terminal window, and type the command

    root@slingshot:~# ping -c 3 10.10.10.45

    If you see output similar to:

    root@slingshot:~# ping -c 3 10.10.10.45
    PING 10.10.10.45 (10.10.10.45) 56(84) bytes of data.
    64 bytes from 10.10.10.45: icmp_seq=1 ttl=64 time=177 ms
    64 bytes from 10.10.10.45: icmp_seq=2 ttl=64 time=178 ms
    64 bytes from 10.10.10.45: icmp_seq=3 ttl=64 time=180 ms

    --- 10.10.10.45 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2183ms
    rtt min/avg/max/mdev = 177.641/178.822/180.520/1.323 ms


    Congratulations, you have successfully configured the VPN and connected to the lab network, and can now do the exercises.

    NOTE: Leave the Terminal window where OpenVPN is running alone while working on the exercises.
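
The step 14 log above prints three OpenVPN WARNING lines: no server certificate verification, passwords cached in memory, and a key file that is group or others accessible. The script below is an added example, not part of the course material, that checks a client profile for those three conditions before you connect. The directive names are standard OpenVPN options; the sample profile and its hostname are constructed placeholders, and the permission check assumes the file you pass holds or is the private key.

```shell
#!/bin/sh
# Added example (not part of the course material): audit an OpenVPN client
# profile for the conditions behind the three WARNING lines in the step 14 log.

# has_directive FILE ERE: true if an uncommented line starts with a directive matching ERE.
has_directive() {
    grep -Eq "^[[:space:]]*($2)([[:space:]]|\$)" "$1"
}

# audit_profile FILE: print one finding per line; return 0 only if there are none.
audit_profile() {
    f=$1
    findings=0
    [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 2; }

    # "file ... is group or others accessible": characters 5-10 of the ls mode
    # string are the group and other permission bits and should all be '-'.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $f is group/other accessible (chmod 600 it)"
        findings=$((findings + 1))
    fi

    # "No server certificate verification method has been enabled"
    if ! has_directive "$f" 'remote-cert-tls[[:space:]]+server|verify-x509-name|remote-cert-eku|tls-verify'; then
        echo "MITM: no server certificate verification directive (e.g. remote-cert-tls server)"
        findings=$((findings + 1))
    fi

    # "this configuration may cache passwords in memory"
    if ! has_directive "$f" 'auth-nocache'; then
        echo "CACHE: auth-nocache is not set"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Demo on a constructed profile (hostname and contents are placeholders).
demo=$(mktemp)
printf '%s\n' 'client' 'dev tap' 'remote vpn.example.invalid 1194' \
    '# remote-cert-tls server' > "$demo"
chmod 664 "$demo"
audit_profile "$demo" || echo "profile needs attention before use"
rm -f "$demo"
```

Run audit_profile against /etc/openvpn/sec580-XXXXX-YYYYYY.ovpn and against any separate .key file the profile references.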

Disconnecting OpenVPN on the Sec580 Class VM


  1. Bring the original Terminal window where you started OpenVPN back up.

  2. Within that window, hit Ctrl-C (press and hold Ctrl and then hit the c key). You should see output similar to:

    Wed Dec 9 22:52:29 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Dec 9 22:52:29 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Dec 9 22:52:29 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    ^CWed Dec 9 23:21:16 2010 event_wait : Interrupted system call (code=4)
    Wed Dec 9 23:21:16 2015 TCP/UDP: Closing socket
    Wed Dec 9 23:21:16 2015 Closing TUN/TAP interface
    Wed Dec 9 23:21:16 2015 /sbin/ifconfig tap0 0.0.0.0
    Wed Dec 9 23:21:16 2015 SIGINT[hard,] received, process exiting
    root@slingshot:/home/sec580/Downloads#

    If so, then the VPN is disconnected.

Reconnecting to OpenVPN on the Sec580 Class VM


Follow these steps only after completing the "Configuration for OpenVPN on the Sec580 Class VM" steps above.

  1. Log in to the Linux host as sec580.
  2. Double-click on the Terminal icon on the desktop.

  3. In the Terminal window, type:

    sec580@slingshot:~$ su -

  4. When prompted, enter the root user's password. If successful, you'll see the prompt change to

    root@slingshot:~#


  5. In the Terminal window, run the command:

    root@slingshot:~# openvpn --config /etc/openvpn/sec580-XXXXX-YYYYYY.ovpn

    When prompted, enter the password

    VpnPassword

    The password will not display when typed.

    If the password is entered correctly, you should see output similar to:

    root@slingshot:~# openvpn --config /etc/openvpn/sec580-XXXXX-YYYYYY.ovpn
    Wed Dec 9 22:26:12 2015 OpenVPN 2.1_rc15 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 30 2008
    Wed Dec 9 22:26:12 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Wed Dec 9 22:26:12 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Enter Private Key Password:
    Wed Dec 9 22:26:17 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Dec 9 22:26:17 2015 WARNING: file 'sec580-XXXXX-YYYYYY.key' is group or others accessible
    Wed Dec 9 22:26:18 2015 LZO compression initialized
    Wed Dec 9 22:26:18 2015 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Dec 9 22:26:18 2015 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Wed Dec 9 22:26:18 2015 Local Options hash (VER=V4): 'd79ca330'
    Wed Dec 9 22:26:18 2015 Expected Remote Options hash (VER=V4): 'f7df56b8'
    Wed Dec 9 22:26:18 2015 Socket Buffers: R=[112640->131072] S=[112640->131072]
    Wed Dec 9 22:26:18 2015 UDPv4 link local: [undef]
    Wed Dec 9 22:26:18 2015 UDPv4 link remote: 66.35.59.122:1194
    Wed Dec 9 22:26:18 2015 TLS: Initial packet from 66.35.59.122:1194, sid=174d8e58 7b9b5177
    Wed Dec 9 22:26:18 2015 VERIFY OK: depth=1, /C=US/ST=Maryland/L=Bethesda/O=SANS/OU=SEC580_LAB/CN=lab-sec580/emailAddress=noc@sans.org
    Wed Dec 9 22:26:18 2015 VERIFY OK: depth=0, /C=US/ST=Maryland/O=SANS/OU=SEC580_LAB/CN=lab-sec580/emailAddress=noc@sans.org
    Wed Dec 9 22:26:19 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Dec 9 22:26:19 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Dec 9 22:26:19 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Dec 9 22:26:19 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Dec 9 22:26:19 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Wed Dec 9 22:26:19 2015 [lab-sec580] Peer Connection Initiated with 66.35.59.122:1194
    Wed Dec 9 22:26:20 2015 SENT CONTROL [lab-sec580]: 'PUSH_REQUEST' (status=1)
    Wed Dec 9 22:26:20 2015 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.10.45,dhcp-option DOMAIN target.tgt,route-gateway 10.10.0.1,ping 10,ping-restart 120,ifconfig 10.10.75.1 255.255.0.0'
    Wed Dec 9 22:26:20 2015 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Dec 9 22:26:20 2015 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Dec 9 22:26:20 2015 OPTIONS IMPORT: route-related options modified
    Wed Dec 9 22:26:20 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Dec 9 22:26:20 2015 TUN/TAP device tap0 opened
    Wed Dec 9 22:26:20 2015 TUN/TAP TX queue length set to 100
    Wed Dec 9 22:26:20 2015 /sbin/ip link set dev tap0 up mtu 1500
    Wed Dec 9 22:26:21 2015 /sbin/ip addr add dev tap0 10.10.75.1/16 broadcast 10.10.255.255
    Wed Dec 9 22:26:21 2015 Initialization Sequence Completed

  6. Open another Terminal window, and type the command

    root@slingshot:~# ping -c 3 10.10.10.45

    If you see output similar to:

    root@slingshot:~# ping -c 3 10.10.10.45
    PING 10.10.10.45 (10.10.10.45) 56(84) bytes of data.
    64 bytes from 10.10.10.45: icmp_seq=1 ttl=64 time=177 ms
    64 bytes from 10.10.10.45: icmp_seq=2 ttl=64 time=178 ms
    64 bytes from 10.10.10.45: icmp_seq=3 ttl=64 time=180 ms

    --- 10.10.10.45 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2183ms
    rtt min/avg/max/mdev = 177.641/178.822/180.520/1.323 ms


    Congratulations, you have successfully configured the VPN and connected to the lab network, and can now do the exercises.

    NOTE: Leave the Terminal window where OpenVPN is running alone while working on the exercises.