Sec350‐Project2 - ConnorEast/Tech-Journal GitHub Wiki
We've hired Tanisha, a remote systems administrator. This administrator will have access to our most sensitive systems via MGMT02 on the MGMT Segment. We need to ensure that the access method is secure, encrypted and features multiple authentication steps.
Your job is to allow Tanisha the ability to administer the network via an RDP session into MGMT02. You will research and deploy a VPN solution to make this happen. The VPN server should be deployed to either edge01 or jump. You have wide discretion in picking the solution to use. Some of these include OpenVPN, WireGuard, ZeroTier, RADIUS and Teleport, as well as many others. You will also need to employ new firewall rules and possibly zones to enable the DMZ-based VPN server to connect to MGMT02. (Note: Chrome Remote Desktop is not what we are after.)
- WireGuard default port: 51820 (UDP)
Edge01 NAT Rules

| Command | Purpose |
|---|---|
| set nat destination rule 30 inbound-interface eth0 | Match packets arriving on the WAN interface of edge01 |
| set nat destination rule 30 destination port 51820 | Match the WireGuard listen port |
| set nat destination rule 30 protocol udp | WireGuard only speaks UDP, so nothing else is forwarded |
| set nat destination rule 30 translation address 172.16.50.4 | Rewrite the destination to jump (172.16.50.4) in the DMZ |
| set nat destination rule 30 translation port 51820 | Keep the same port on jump |
| set nat destination rule 30 description "WG client to Jump forwarding" | Label the rule so it is recognisable later |

Destination NAT only rewrites where the packet is headed; the forwarded UDP 51820 traffic still has to be permitted by whatever firewall ruleset edge01 applies on the WAN-to-DMZ path.

Temporary network access

| Command | Purpose |
|---|---|
| set firewall name DMZ-to-WAN rule 999 action accept | Temporary rule giving jump outbound access (needed for the apt steps below) |
| set firewall name DMZ-to-WAN rule 999 source address 172.16.50.4 | Only jump gets this outbound access; remove rule 999 once WireGuard is installed |
For Assignment 9.2 I completed the firewall rules necessary for the LAN-to-MGMT connection. Below are my firewall rules for RDP access to Management 02.
MGMT02 Firewall Rules

| Command | Purpose |
|---|---|
| set firewall name LAN-to-MGMT rule 10 action accept | Allow the traffic matched by the rest of rule 10 |
| set firewall name LAN-to-MGMT rule 10 destination address 172.16.200.11 | Only MGMT02 is reachable, not the whole MGMT segment |
| set firewall name LAN-to-MGMT rule 10 destination port 3389,3390 | The RDP ports used in this lab |
| set firewall name LAN-to-MGMT rule 10 protocol tcp_udp | RDP uses TCP and, when available, a UDP transport on the same port |
| set firewall name LAN-to-MGMT rule 10 source address 172.16.50.4 | Only jump, the VPN endpoint, may open an RDP session to MGMT02 |
- sudo apt update
  - May take some time as it will update Wazuh
- sudo apt install wireguard
  - Installs the WireGuard service on jump, which allows for remote access
- wg genkey | sudo tee /etc/wireguard/private.key
  - Creates a private WireGuard key, encoded in base64 (tee also echoes it to the terminal, so clear the screen afterwards rather than copying it anywhere)
- sudo chmod go= /etc/wireguard/private.key
  - Removes all group and other permissions from the private key so only root can read it
- sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
  - Reads the private key and derives the matching public key from it, saving the result as public.key
- Create the file wg0.conf under /etc/wireguard
- Create the file client.conf
- Run the command "wg-quick up wg0"

| Key | Code |
|---|---|
| Private | GKbMB22k/arVR/4h1AJdjC1Gwe2E9VCzCbBRFpd6YFU= |
| Public | 1hUgnfMdQTykx1ALZLFuU3S8cshaCKkreP1ut1P+1o |

Note: the private key is the secret that authenticates jump to every peer, so once it has been pasted into a journal it should be treated as exposed and regenerated with `wg genkey`; only the public key is meant to be shared. A WireGuard key is 44 base64 characters ending in `=`, while the public value above is 42 characters as pasted, so it appears to have been truncated when copied.
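To show what the `wg genkey` and `wg pubkey` steps above actually compute, and to check the two values in the key table, here is an added Python example (my addition, not code from this journal or from the WireGuard project). It implements X25519 from RFC 7748 in pure Python so it runs without the wireguard tools installed; `wg_genkey`, `wg_pubkey`, `is_valid_wg_key` and `self_test` are names I chose, and the RFC 7748 section 6.1 Diffie-Hellman vectors are used to confirm the ladder is correct. The arithmetic is not constant-time, so it is for learning and for checking pasted keys, never for a production tunnel.

```python
# Added example: what `wg genkey` / `wg pubkey` do, plus a validity check for
# base64 WireGuard keys. Pure-Python X25519 (RFC 7748); not constant-time.
import base64
import os

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 test vectors (hex), used to check the implementation
RFC7748_ALICE_PRIV = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
RFC7748_ALICE_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
RFC7748_BOB_PRIV = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
RFC7748_BOB_PUB = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
RFC7748_SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def _clamp(k: bytes) -> int:
    """Scalar decoding from RFC 7748: clear the low 3 bits, clear bit 255, set bit 254.
    `wg genkey` stores the raw random bytes; `wg pubkey` clamps them on use."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _cswap(swap: int, a: int, b: int):
    # Conditional swap; a real implementation does this without branching.
    return (b, a) if swap else (a, b)


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns k * u as 32 little-endian bytes."""
    if len(k) != 32 or len(u) != 32:
        raise ValueError("X25519 inputs must be 32 bytes")
    scalar = _clamp(k)
    ub = bytearray(u)
    ub[31] &= 127                    # the top bit of the u-coordinate is ignored
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_genkey() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, base64 encoded (44 characters)."""
    return base64.b64encode(os.urandom(32)).decode()


def is_valid_wg_key(key_b64: str) -> bool:
    """A WireGuard key is exactly 44 base64 characters that decode to 32 bytes."""
    if len(key_b64) != 44:
        return False
    try:
        return len(base64.b64decode(key_b64, validate=True)) == 32
    except ValueError:               # binascii.Error is a subclass of ValueError
        return False


def wg_pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: scalar-multiply the base point by the private key."""
    if not is_valid_wg_key(private_b64):
        raise ValueError("not a 32-byte base64 WireGuard key")
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASEPOINT)).decode()


def self_test() -> bool:
    """Check the ladder against the RFC 7748 section 6.1 Diffie-Hellman vectors."""
    a_priv, b_priv = bytes.fromhex(RFC7748_ALICE_PRIV), bytes.fromhex(RFC7748_BOB_PRIV)
    a_pub, b_pub = x25519(a_priv, BASEPOINT), x25519(b_priv, BASEPOINT)
    shared_ok = x25519(a_priv, b_pub) == x25519(b_priv, a_pub) == bytes.fromhex(RFC7748_SHARED)
    return a_pub.hex() == RFC7748_ALICE_PUB and b_pub.hex() == RFC7748_BOB_PUB and shared_ok


if __name__ == "__main__":
    print("RFC 7748 vectors:", "pass" if self_test() else "FAIL")
    for label, key in [("private", "GKbMB22k/arVR/4h1AJdjC1Gwe2E9VCzCbBRFpd6YFU="),
                       ("public", "1hUgnfMdQTykx1ALZLFuU3S8cshaCKkreP1ut1P+1o")]:
        print(f"table {label} key: {len(key)} chars, valid={is_valid_wg_key(key)}")
```

Run against the table above, the private key passes the length and decode check while the pasted public key fails it, which is what you would expect from a value that lost its last two characters in copying. `wg_pubkey` on any valid private key gives the same 44-character string that `wg pubkey` prints, so it can be used to confirm that a public key in a peer block really belongs to the private key on the other side.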
- On Traveler download the WireGuard client
- Go through the install process and transfer the client config file from jump to Traveler
- Activate your WireGuard network
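The journal says to create wg0.conf on jump and client.conf for Traveler but does not show their contents. As an added example (my addition, not files from this journal or from the WireGuard project), here is a Python script that renders both files and checks that the client only gets a route to MGMT02. The addresses 172.16.50.4 (jump), 172.16.200.11 (MGMT02) and UDP port 51820 come from the page; the 10.0.0.0/24 tunnel subnet, the interface name eth0 on jump, the edge01 public IP and the key strings are placeholders and assumptions, and `render_server_conf`, `render_client_conf`, `parse_wg_conf` and `check_client_conf` are names I chose.

```python
# Added example: render wg0.conf (jump) and client.conf (Traveler) for the
# lab above and check the client config for least privilege. Real keys come
# from `wg genkey` / `wg pubkey`; the strings used here are placeholders.
import ipaddress
import textwrap

WG_PORT = 51820                   # DNAT rule 30 on edge01 forwards this UDP port to jump
MGMT02_IP = "172.16.200.11"       # the only host Tanisha needs to reach over RDP
EDGE01_PUBLIC_IP = "EDGE01_PUBLIC_IP_PLACEHOLDER"  # assumption: not given on the page
TUNNEL_SERVER = "10.0.0.1/24"     # assumed tunnel address for jump
TUNNEL_CLIENT = "10.0.0.2/32"     # assumed tunnel address for Traveler
JUMP_DMZ_IFACE = "eth0"           # assumed name of jump's DMZ-facing interface (172.16.50.4)


def render_server_conf(server_priv: str, client_pub: str) -> str:
    """wg0.conf for /etc/wireguard on jump. Tunnel traffic is masqueraded out of the
    DMZ interface, so MGMT02 sees it from 172.16.50.4, which is exactly the source
    address the LAN-to-MGMT rule 10 accepts."""
    return textwrap.dedent(f"""\
        [Interface]
        Address = {TUNNEL_SERVER}
        ListenPort = {WG_PORT}
        PrivateKey = {server_priv}
        PostUp = sysctl -w net.ipv4.ip_forward=1
        PostUp = iptables -t nat -A POSTROUTING -o {JUMP_DMZ_IFACE} -j MASQUERADE
        PostDown = iptables -t nat -D POSTROUTING -o {JUMP_DMZ_IFACE} -j MASQUERADE

        [Peer]
        # Traveler: only packets from its own tunnel address are accepted from this peer
        PublicKey = {client_pub}
        AllowedIPs = {TUNNEL_CLIENT}
        """)


def render_client_conf(client_priv: str, server_pub: str) -> str:
    """client.conf for Traveler. AllowedIPs is a split tunnel limited to MGMT02,
    so only RDP to that host is routed through jump; everything else stays local."""
    return textwrap.dedent(f"""\
        [Interface]
        Address = {TUNNEL_CLIENT}
        PrivateKey = {client_priv}

        [Peer]
        PublicKey = {server_pub}
        Endpoint = {EDGE01_PUBLIC_IP}:{WG_PORT}
        AllowedIPs = {MGMT02_IP}/32
        PersistentKeepalive = 25
        """)


def parse_wg_conf(text: str) -> list:
    """Minimal INI parser: list of (section, {key: value}) in file order.
    Repeated keys such as PostUp are joined with newlines; '#' comments are dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            body = sections[-1][1]
            body[key] = f"{body[key]}\n{value}" if key in body else value
    return sections


def check_client_conf(text: str) -> list:
    """Least-privilege checks for client.conf; returns a list of problems (empty = OK)."""
    problems = []
    peers = [body for name, body in parse_wg_conf(text) if name == "Peer"]
    if len(peers) != 1:
        return [f"expected exactly one [Peer], found {len(peers)}"]
    peer = peers[0]
    allowed = [ipaddress.ip_network(n.strip())
               for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    target = ipaddress.ip_network(f"{MGMT02_IP}/32")
    if allowed != [target]:
        problems.append(f"AllowedIPs should be only {target}, got {allowed}")
    if any(net.prefixlen == 0 for net in allowed):
        problems.append("AllowedIPs 0.0.0.0/0 sends all of Traveler's traffic through jump, not just RDP")
    if not peer.get("Endpoint", "").endswith(f":{WG_PORT}"):
        problems.append(f"Endpoint port must match the edge01 DNAT port {WG_PORT}")
    return problems


if __name__ == "__main__":
    print(render_server_conf("SERVER_PRIVATE_KEY_PLACEHOLDER", "CLIENT_PUBLIC_KEY_PLACEHOLDER"))
    client = render_client_conf("CLIENT_PRIVATE_KEY_PLACEHOLDER", "SERVER_PUBLIC_KEY_PLACEHOLDER")
    print(client)
    print("client.conf problems:", check_client_conf(client) or "none")
```

The server-side AllowedIPs is the client's single tunnel address, so jump drops anything else a peer tries to send; the client-side AllowedIPs is just MGMT02, which keeps the tunnel a path to one host rather than a full default route. Both choices line up with the firewall rule 10 on the MGMT side, which already only accepts RDP from jump to 172.16.200.11.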