Project 2 Applied Research Project Remote Access - Cyber-JL/SEC-350-01 GitHub Wiki

Project Description

  • We've hired Tanisha, a remote systems administrator. This administrator will have access to our most sensitive systems via MGMT02 on the MGMT Segment. We need to ensure that the access method is secure, encrypted and features multiple authentication steps.

  • Your job is to allow Tanisha the ability to administer the network via RDP session into MGMT02. You will research and deploy a VPN solution to make this happen. The VPN server should be deployed to either edge01 or jump. You have wide discretion in picking the solution to use. Some of these include OpenVPN, Wireguard, Zerotier, Radius, Teleport as well as many others. You will also need to employ new firewall rules and possibly zones to enable the DMZ based VPN server to connect to MGMT02. (note, Chrome Remote Desktop is not what we are after).

MGMT02 Setup

  • The first thing that needs to take place is making sure RDP is enabled on MGMT02. Run the following commands in an administrative PowerShell session (the first clears the "deny TS connections" flag, the second opens the Remote Desktop firewall rule group):

     Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
     Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
    

Firewall Setup

  • Next, the firewalls need rules that allow the RDP session from Jump to MGMT02, allow WireGuard traffic from the WAN to Jump, and (temporarily) let Jump reach the internet to download WireGuard.

edge01

  1. DMZ-to-LAN rule 20 allows Jump to RDP (TCP/3389) to MGMT02

  2. WAN-to-DMZ rule 30 allows WireGuard (UDP/51820) from the WAN to Jump

  3. DMZ-to-WAN rule 999 allows Jump to download WireGuard (this temporary rule gets deleted at the end)

  4. NAT destination rule 30 forwards inbound UDP/51820 arriving on eth0 to Jump

    configure
    
    set firewall name DMZ-to-LAN rule 20 action 'accept'
    set firewall name DMZ-to-LAN rule 20 description 'Jump RDP to mgmt02'
    set firewall name DMZ-to-LAN rule 20 destination address '172.16.200.11'
    set firewall name DMZ-to-LAN rule 20 destination port '3389'
    set firewall name DMZ-to-LAN rule 20 protocol 'tcp'
    set firewall name DMZ-to-LAN rule 20 source address '172.16.50.4'
    
    set firewall name WAN-to-DMZ rule 30 action 'accept'
    set firewall name WAN-to-DMZ rule 30 description 'Allow Wireguard from WAN to JUMP'
    set firewall name WAN-to-DMZ rule 30 destination address '172.16.50.4'
    set firewall name WAN-to-DMZ rule 30 destination port '51820'
    set firewall name WAN-to-DMZ rule 30 protocol 'udp'
    
    set nat destination rule 30 destination port 51820
    set nat destination rule 30 inbound-interface eth0
    set nat destination rule 30 protocol udp
    set nat destination rule 30 translation address 172.16.50.4
    set nat destination rule 30 translation port 51820
    set nat destination rule 30 description VPN->Jump
    
    set firewall name DMZ-to-WAN rule 999 action accept
    set firewall name DMZ-to-WAN rule 999 source address 172.16.50.4
    
    commit
    save
    

fw-mgmt

  1. LAN-to-MGMT rule 40 allows LAN RDP to MGMT02

    configure
    set firewall name LAN-to-MGMT rule 40 action 'accept'
    set firewall name LAN-to-MGMT rule 40 description 'LAN RDP to mgmt02'
    set firewall name LAN-to-MGMT rule 40 destination address '172.16.200.11'
    set firewall name LAN-to-MGMT rule 40 destination port '3389'
    set firewall name LAN-to-MGMT rule 40 protocol 'tcp'
    set firewall name LAN-to-MGMT rule 40 source address '172.16.50.4'
    commit
    save
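The edge01 and fw-mgmt rule sets above are small enough to eyeball, but the temporary DMZ-to-WAN rule 999 is exactly the kind of rule that gets forgotten. The script below is an added example (not part of the lab write-up or of VyOS): it parses the same `set firewall name <ruleset> rule <N> <key> <value>` syntax, flags accept rules that have no destination address, destination port or protocol, and confirms the Jump-to-MGMT02 RDP rule is present. The sample input is a constructed copy of the edge01 lines with rule 999 still in place; against a real router you would feed it the output of `show configuration commands`.

```python
"""Audit VyOS-style firewall 'set' lines for accept rules that are not scoped.

Added example, not part of the lab write-up: it parses the
`set firewall name <ruleset> rule <N> <key> <value>` syntax used on edge01
and fw-mgmt and reports accept rules with no destination address,
destination port or protocol. The temporary DMZ-to-WAN rule 999 is
exactly such a rule, so this is a quick way to confirm it was deleted.
"""
import shlex
from collections import defaultdict

# Constructed sample: the edge01 rules from the write-up, rule 999 still present.
SAMPLE_CONFIG = """
set firewall name DMZ-to-LAN rule 20 action 'accept'
set firewall name DMZ-to-LAN rule 20 description 'Jump RDP to mgmt02'
set firewall name DMZ-to-LAN rule 20 destination address '172.16.200.11'
set firewall name DMZ-to-LAN rule 20 destination port '3389'
set firewall name DMZ-to-LAN rule 20 protocol 'tcp'
set firewall name DMZ-to-LAN rule 20 source address '172.16.50.4'
set firewall name WAN-to-DMZ rule 30 action 'accept'
set firewall name WAN-to-DMZ rule 30 description 'Allow Wireguard from WAN to JUMP'
set firewall name WAN-to-DMZ rule 30 destination address '172.16.50.4'
set firewall name WAN-to-DMZ rule 30 destination port '51820'
set firewall name WAN-to-DMZ rule 30 protocol 'udp'
set nat destination rule 30 destination port 51820
set firewall name DMZ-to-WAN rule 999 action accept
set firewall name DMZ-to-WAN rule 999 source address 172.16.50.4
"""

# An accept rule without all three of these is treated as "broad".
REQUIRED_SCOPING = ("destination address", "destination port", "protocol")


def parse_rules(text):
    """Map (ruleset, rule number) -> {attribute: value} from 'set firewall name' lines."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        tokens = shlex.split(line)  # shlex drops VyOS's optional single quotes
        # Anything that is not 'set firewall name X rule N <attr...> <value>' (e.g. nat lines) is skipped.
        if len(tokens) < 8 or tokens[:3] != ["set", "firewall", "name"] or tokens[4] != "rule":
            continue
        ruleset, rule_no = tokens[3], int(tokens[5])
        attribute, value = " ".join(tokens[6:-1]), tokens[-1]
        rules[(ruleset, rule_no)][attribute] = value
    return dict(rules)


def find_broad_accepts(rules):
    """Accept rules missing any scoping attribute, as (ruleset, number, missing) tuples."""
    findings = []
    for (ruleset, rule_no), attrs in sorted(rules.items()):
        if attrs.get("action") != "accept":
            continue
        missing = [key for key in REQUIRED_SCOPING if key not in attrs]
        if missing:
            findings.append((ruleset, rule_no, missing))
    return findings


def has_rdp_path(rules, ruleset, src, dst):
    """True if an accept rule in `ruleset` permits TCP/3389 from src to dst."""
    return any(
        attrs.get("action") == "accept"
        and attrs.get("protocol") == "tcp"
        and attrs.get("destination port") == "3389"
        and attrs.get("source address") == src
        and attrs.get("destination address") == dst
        for (name, _), attrs in rules.items()
        if name == ruleset
    )


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    for ruleset, rule_no, missing in find_broad_accepts(rules):
        print(f"{ruleset} rule {rule_no}: accept with no {', '.join(missing)}")
    print("Jump -> mgmt02 RDP allowed on DMZ-to-LAN:",
          has_rdp_path(rules, "DMZ-to-LAN", "172.16.50.4", "172.16.200.11"))
```

Run as-is it reports `DMZ-to-WAN rule 999: accept with no destination address, destination port, protocol` and `True` for the RDP path; once rule 999 is removed from the input the first line disappears.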
    

Jump Setup

  • First, update the package index and install WireGuard:

     sudo apt update
     sudo apt install wireguard -y
    
  • At this point the temporary DMZ-to-WAN rule 999 can be deleted from edge01.

  • As root (sudo -i), run the following commands to generate the server and client key pairs (each line writes the private key to one file and the matching public key to another):

     wg genkey | tee /etc/wireguard/server_private_key | wg pubkey > /etc/wireguard/server_public_key
     wg genkey | tee /etc/wireguard/client_private_key | wg pubkey > /etc/wireguard/client_public_key
    
  • Then, within the /etc/wireguard directory, create a file called wg0.conf. This is the WireGuard server configuration file; add the following to it:

     [Interface]
     PrivateKey = {CONTENTS OF '/etc/wireguard/server_private_key'}
     Address = 192.168.0.1/24
     ListenPort = 51820
     SaveConfig = true
     PreUp = sysctl -w net.ipv4.ip_forward=1
     PreUp = iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 3389 -j DNAT --to-destination 172.16.200.11:3389
     PostDown = iptables -t nat -D PREROUTING -p tcp -d 192.168.0.1 --dport 3389 -j DNAT --to-destination 172.16.200.11:3389
     PreUp = iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
     PostDown = iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE
    
     [Peer]
     PublicKey = {CONTENTS OF '/etc/wireguard/client_public_key'}
     AllowedIPs = 192.168.0.2/32
    
  • It is important to note that ens160 is the Jump interface with the address 172.16.50.4/29; it is the interface whose address is used for masquerading when forwarded traffic goes to mgmt02.

  • Then, within the same directory /etc/wireguard, create another file called client.conf. This is the WireGuard client configuration file:

     [Interface]
     PrivateKey = {CONTENTS OF '/etc/wireguard/client_private_key'}
     Address = 192.168.0.2/24
     ListenPort = 51820
    
     [Peer]
     PublicKey = {CONTENTS OF '/etc/wireguard/server_public_key'}
     AllowedIPs = 192.168.0.1/32
     Endpoint = 10.0.17.119:51820
     PersistentKeepalive = 25
    
  • Once both files have been created, exit root and bring the tunnel up with the following command:

     sudo wg-quick up wg0
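Most tunnel failures in this setup come from the two config files disagreeing with each other: a `{CONTENTS OF ...}` placeholder left in place, a peer's AllowedIPs that does not cover the other side's tunnel address, an Endpoint port that differs from ListenPort, or a PreUp iptables rule with no matching PostDown (which leaves the DNAT/MASQUERADE rules behind after `wg-quick down`). The script below is an added example, not part of the write-up and not WireGuard's own tooling: it parses wg-quick style config files and cross-checks a server/client pair. The sample files are constructed copies of wg0.conf and client.conf above; the keys in them are dummy values (base64 of 32 fixed bytes), not real keys.

```python
"""Consistency checks for a wg-quick server/client config pair.

Added example, not from the lab write-up: it implements just enough of
the wg-quick config grammar to cross-check wg0.conf and client.conf
before `wg-quick up wg0` is run. Dummy keys are constructed below.
"""
import base64
import binascii
import ipaddress


def dummy_key(n):
    """Constructed 32-byte value in WireGuard's base64 form; sample data only."""
    return base64.b64encode(bytes([n]) * 32).decode()


# Constructed sample mirroring the write-up's wg0.conf, with keys filled in.
SERVER_CONF = f"""
[Interface]
PrivateKey = {dummy_key(1)}
Address = 192.168.0.1/24
ListenPort = 51820
SaveConfig = true
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 3389 -j DNAT --to-destination 172.16.200.11:3389
PostDown = iptables -t nat -D PREROUTING -p tcp -d 192.168.0.1 --dport 3389 -j DNAT --to-destination 172.16.200.11:3389
PreUp = iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE

[Peer]
PublicKey = {dummy_key(2)}
AllowedIPs = 192.168.0.2/32
"""

# Constructed sample mirroring the write-up's client.conf.
CLIENT_CONF = f"""
[Interface]
PrivateKey = {dummy_key(3)}
Address = 192.168.0.2/24

[Peer]
PublicKey = {dummy_key(4)}
AllowedIPs = 192.168.0.1/32
Endpoint = 10.0.17.119:51820
PersistentKeepalive = 25
"""

# Same server file with the placeholder left in and one PostDown forgotten.
BROKEN_SERVER_CONF = SERVER_CONF.replace(
    dummy_key(1), "{CONTENTS OF '/etc/wireguard/server_private_key'}"
).replace("PostDown = iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE\n", "")


def parse_wg(text):
    """Parse wg-quick config into {"Interface": {key: [values]}, "Peer": [{key: [values]}]}.

    Values are lists because PreUp/PostDown may repeat; runs of spaces are collapsed.
    """
    conf = {"Interface": {}, "Peer": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick treats '#' as a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1] == "Peer":
                conf["Peer"].append({})
                section = conf["Peer"][-1]
            else:
                section = conf["Interface"]
            continue
        if section is None:
            continue
        key, _, value = line.partition("=")  # first '=' only: 'ip_forward=1' stays intact
        section.setdefault(key.strip(), []).append(" ".join(value.split()))
    return conf


def is_wg_key(value):
    """True for base64 that decodes to exactly 32 bytes, the size of a Curve25519 key."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def unmatched_iptables_hooks(interface):
    """iptables -A rules added in PreUp/PostUp with no identical -D rule in PreDown/PostDown."""
    ups = [h for k in ("PreUp", "PostUp") for h in interface.get(k, [])
           if h.startswith("iptables") and " -A " in h]
    downs = {h for k in ("PreDown", "PostDown") for h in interface.get(k, [])}
    return [h for h in ups if h.replace(" -A ", " -D ", 1) not in downs]


def check_pair(server_text, client_text):
    """Return a list of human-readable problems; an empty list means the pair is consistent."""
    sides = {"server": parse_wg(server_text), "client": parse_wg(client_text)}
    problems = []
    for label, conf in sides.items():
        if not is_wg_key(conf["Interface"].get("PrivateKey", [""])[0]):
            problems.append(f"{label}: Interface PrivateKey is not a valid key")
        for peer in conf["Peer"]:
            if not is_wg_key(peer.get("PublicKey", [""])[0]):
                problems.append(f"{label}: Peer PublicKey is not a valid key")
    # Each side's tunnel address must fall inside the other side's AllowedIPs.
    for label, other in (("server", "client"), ("client", "server")):
        my_ip = ipaddress.ip_interface(sides[label]["Interface"]["Address"][0]).ip
        allowed = [ipaddress.ip_network(a.strip(), strict=False)
                   for p in sides[other]["Peer"]
                   for a in ",".join(p.get("AllowedIPs", [])).split(",") if a.strip()]
        if not any(my_ip in net for net in allowed):
            problems.append(f"{other}: AllowedIPs does not cover {label} address {my_ip}")
    listen = sides["server"]["Interface"].get("ListenPort", [""])[0]
    for peer in sides["client"]["Peer"]:
        endpoint = peer.get("Endpoint", [""])[0]
        if endpoint and endpoint.rsplit(":", 1)[-1] != listen:
            problems.append(f"client: Endpoint {endpoint} does not use server ListenPort {listen}")
    for hook in unmatched_iptables_hooks(sides["server"]["Interface"]):
        problems.append(f"server: no PreDown/PostDown undoes: {hook}")
    return problems


if __name__ == "__main__":
    for name, server in (("good pair", SERVER_CONF), ("broken pair", BROKEN_SERVER_CONF)):
        print(name, check_pair(server, CLIENT_CONF) or ["OK"])
```

The good pair reports `OK`; the broken pair reports the placeholder PrivateKey and the MASQUERADE PreUp that nothing undoes. To use it on the real files, read /etc/wireguard/wg0.conf and client.conf as root and pass their contents to check_pair.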
    

Traveler Setup

  • The first thing to do is to get the client.conf file from Jump on to Traveler. There are multiple ways this can be done. I chose to upload the file to a private GitHub page and download it from there.

  • With the client.conf file on Traveler, it's time to install WireGuard using PowerShell:

     # DownloadFile returns nothing, so the installer is started as a separate step rather than piped into Start-Process
     $installer = "$env:temp\wireguard-installer.exe"
     (New-Object Net.WebClient).DownloadFile("https://download.wireguard.com/windows-client/wireguard-installer.exe", $installer)
     Start-Process $installer -Wait
    
  • Once installed, the WireGuard GUI is accessible and can be found by searching for "WireGuard" in the Windows search bar.

  • With the GUI open, click the "Add Tunnel" option, select the client.conf file, press Open, and activate the tunnel.

  • With the tunnel activated, open Remote Desktop, use 192.168.0.1 (the server's tunnel address) as the computer to connect to, and start the RDP session. The DNAT rule on Jump forwards it to 172.16.200.11 (mgmt02).


Sources: