Project 2 Remote Access Research and Integration - FlameSpyro/Tech-Journal GitHub Wiki

Project 2 - Remote Access Research and Integration

Objective

  • A new person is coming in who needs admin access to the mgmt02 system. To provide that, a VPN and RDP will be used.

Wireguard

  • I used WireGuard for this project and installed it onto the traveler system.
  • Once it was installed, I created an empty tunnel and activated it, which generated a key pair; the public key from that pair is what we bring to edge.

Edge01's wireguard interface

  • Reference
  • Now we create the tunnel on edge by assigning the addresses for both ends: edge's own wg0 address and the traveler's address as the peer's allowed IP.
  • We NEED to get the traveler's public key from WireGuard onto edge. There is probably a better way to do it, but I just copied it by hand since the key is tiny. Port 51820 is WireGuard's default listen port.
set interfaces wireguard wg0 address 10.0.21.1/24
set interfaces wireguard wg0 description 'VPN interface'
set interfaces wireguard wg0 peer traveler-eric allowed-ips 10.0.21.100/32
set interfaces wireguard wg0 peer traveler-eric public-key <key>
set interfaces wireguard wg0 port 51820
  • Now we need edge's own key pair; its public key is what goes back into the WireGuard client.
run generate pki wireguard key-pair install interface wg0
  • Nearly there: now take edge's public key and the new IPs and put them into the empty tunnel we made earlier. The PrivateKey line the client generated stays as it is. (Thx David)
[Interface]
PrivateKey = <private key generated by the client, leave as is>
Address = 10.0.21.100/32

[Peer]
PublicKey = <key>
# AllowedIPs is what gets routed into the tunnel: edge's wg0 address and the mgmt subnet
AllowedIPs = 10.0.21.1/32, 172.16.200.0/28
Endpoint = 10.0.17.116:51820
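
The two halves of the tunnel above have to agree with each other, and the page's own troubleshooting shows how easy it is to get AllowedIPs wrong. The following script is an added example, not code from the wiki: it parses the edge01 `set interfaces wireguard wg0` lines and the traveler's wg0.conf and checks that each side's allowed IPs cover the traffic the RDP session needs (edge must allow the traveler's 10.0.21.100, the traveler must route 10.0.21.1 and 172.16.200.11 into the tunnel, and the endpoint port must match edge's listen port). Addresses and port are the page's; the key strings are placeholders and the check functions are this example's own.

```python
"""Cross-check both ends of the WireGuard tunnel described on this page.

Added example, not part of the wiki. It parses the edge01 side (VyOS-style
`set interfaces wireguard wg0 ...` lines) and the traveler side (wg-quick
style wg0.conf), then verifies the allowed-IP lists ("cryptokey routing")
actually cover the RDP traffic. Keys are placeholders.
"""
import ipaddress

# Constructed input: edge01 side, as entered on the page (placeholder key).
EDGE_LINES = """
set interfaces wireguard wg0 address 10.0.21.1/24
set interfaces wireguard wg0 description 'VPN interface'
set interfaces wireguard wg0 peer traveler-eric allowed-ips 10.0.21.100/32
set interfaces wireguard wg0 peer traveler-eric public-key <traveler-public-key>
set interfaces wireguard wg0 port 51820
"""

# Constructed input: traveler side; PrivateKey is the one the empty tunnel generated.
TRAVELER_CONF = """
[Interface]
PrivateKey = <traveler-private-key>
Address = 10.0.21.100/32

[Peer]
PublicKey = <edge-public-key>
AllowedIPs = 10.0.21.1/32, 172.16.200.0/28
Endpoint = 10.0.17.116:51820
"""

RDP_TARGET = "172.16.200.11"  # mgmt02, taken from the firewall rules on the page


def parse_edge(text):
    """Return {'address': ip_interface, 'port': int, 'peers': {name: {...}}}."""
    cfg = {"peers": {}}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:4] != ["set", "interfaces", "wireguard", "wg0"]:
            raise ValueError(f"unexpected line: {line}")
        body = tok[4:]
        if body[0] == "peer":
            peer = cfg["peers"].setdefault(body[1], {"allowed-ips": []})
            if body[2] == "allowed-ips":
                peer["allowed-ips"].append(ipaddress.ip_network(body[3]))
            else:
                peer[body[2]] = body[3]          # public-key and the like
        elif body[0] == "address":
            cfg["address"] = ipaddress.ip_interface(body[1])
        elif body[0] == "port":
            cfg["port"] = int(body[1])
        # description and anything else is informational only
    return cfg


def parse_wg_conf(text):
    """Parse the INI-style wg-quick file into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def covered(ip, networks):
    return any(ip in net for net in networks)


def check_cryptokey_routing(edge_text=EDGE_LINES, traveler_text=TRAVELER_CONF,
                            rdp_target=RDP_TARGET):
    """Return a list of findings; an empty list means both ends agree."""
    edge = parse_edge(edge_text)
    trav = parse_wg_conf(traveler_text)
    findings = []
    trav_addr = ipaddress.ip_interface(trav["Interface"]["Address"])
    trav_allowed = [ipaddress.ip_network(n.strip())
                    for n in trav["Peer"]["AllowedIPs"].split(",")]
    # 1. edge must list the traveler's tunnel address or it discards the peer's packets
    if not any(covered(trav_addr.ip, p["allowed-ips"]) for p in edge["peers"].values()):
        findings.append(f"edge: no peer allows source {trav_addr.ip}")
    # 2. least privilege on the edge side: pin the peer to its single /32
    for name, peer in edge["peers"].items():
        for net in peer["allowed-ips"]:
            if net.prefixlen < 32:
                findings.append(f"edge: peer {name} allowed-ips {net} is wider than one host")
    # 3. the traveler must route edge's wg0 address and the RDP target into the tunnel
    for label, ip in (("edge wg0", edge["address"].ip),
                      ("rdp target", ipaddress.ip_address(rdp_target))):
        if not covered(ip, trav_allowed):
            findings.append(f"traveler: AllowedIPs does not cover {label} {ip}")
    # 4. the Endpoint port must be the port edge listens on
    ep_port = int(trav["Peer"]["Endpoint"].rsplit(":", 1)[1])
    if ep_port != edge["port"]:
        findings.append(f"traveler: Endpoint port {ep_port} != edge port {edge['port']}")
    return findings


if __name__ == "__main__":
    for finding in check_cryptokey_routing() or ["tunnel definitions are consistent"]:
        print(finding)
```

Run it as-is and it reports the page's two configs as consistent; drop `172.16.200.0/28` from the traveler's AllowedIPs and it names the RDP target that would no longer be routed through the tunnel, which is exactly the failure that shows up as "the VPN is up but RDP never connects".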

Firewall Configuration

  • Activating the VPN now brings the tunnel up. That is not the whole story, though: edge still has to be configured to let RDP through this connection, and nothing else.
set firewall name VPN-to-LAN default-action drop
set firewall name VPN-to-LAN enable-default-log
set firewall name VPN-to-LAN rule 10 action accept
set firewall name VPN-to-LAN rule 10 destination address 172.16.200.11
set firewall name VPN-to-LAN rule 10 destination port 3389
set firewall name VPN-to-LAN rule 10 protocol tcp
set firewall name VPN-to-LAN rule 10 source address 10.0.21.100
  • DON'T FORGET: I also needed a rule 1 for the traffic coming back (LAN-to-VPN, established connections only). I forgot this and spent a little too much time troubleshooting a simple problem.
set firewall name LAN-to-VPN default-action drop
set firewall name LAN-to-VPN enable-default-log
set firewall name LAN-to-VPN rule 1 action accept
set firewall name LAN-to-VPN rule 1 state established enable
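
The two rulesets above are small enough to check by hand, but the "rule 1" mistake the journal describes is the kind of thing that is easier to catch with a test. The script below is an added example, not code from the wiki: it parses the `set firewall name ...` lines exactly as entered on edge01, walks each ruleset the way the firewall does (rules in numeric order, then the default action), and evaluates a handful of constructed flows, including an RDP reply packet with and without LAN-to-VPN rule 1. Addresses and ports are the page's own; `Flow`, `check_rdp_policy` and `reply_without_rule_1` are this example's names.

```python
"""Evaluate the VyOS-style firewall rulesets on this page against sample flows.

Added example, not part of the wiki. Only the match types the page uses are
supported (protocol, source/destination address, destination port, state).
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed input: the two rulesets from the page, one `set` line each.
RULESET_TEXT = """
set firewall name VPN-to-LAN default-action drop
set firewall name VPN-to-LAN enable-default-log
set firewall name VPN-to-LAN rule 10 action accept
set firewall name VPN-to-LAN rule 10 destination address 172.16.200.11
set firewall name VPN-to-LAN rule 10 destination port 3389
set firewall name VPN-to-LAN rule 10 protocol tcp
set firewall name VPN-to-LAN rule 10 source address 10.0.21.100
set firewall name LAN-to-VPN default-action drop
set firewall name LAN-to-VPN enable-default-log
set firewall name LAN-to-VPN rule 1 action accept
set firewall name LAN-to-VPN rule 1 state established enable
"""


@dataclass
class Rule:
    action: str = "accept"
    match: dict = field(default_factory=dict)


@dataclass
class Ruleset:
    default_action: str = "drop"
    log_default: bool = False
    rules: dict = field(default_factory=dict)   # rule number -> Rule


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    dport: int
    state: str = "new"   # conntrack state of this packet: new / established / related


def parse_rulesets(text):
    """Turn `set firewall name NAME ...` lines into {NAME: Ruleset}."""
    sets = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:3] != ["set", "firewall", "name"]:
            raise ValueError(f"unexpected line: {line}")
        rs = sets.setdefault(tok[3], Ruleset())
        body = tok[4:]
        if body[0] == "default-action":
            rs.default_action = body[1]
        elif body[0] == "enable-default-log":
            rs.log_default = True
        elif body[0] == "rule":
            rule = rs.rules.setdefault(int(body[1]), Rule())
            key = body[2:]
            if key[0] == "action":
                rule.action = key[1]
            elif key[0] in ("source", "destination") and key[1] == "address":
                rule.match[f"{key[0]}_address"] = ipaddress.ip_network(key[2], strict=False)
            elif key[0] == "destination" and key[1] == "port":
                rule.match["destination_port"] = int(key[2])
            elif key[0] == "protocol":
                rule.match["protocol"] = key[1]
            elif key[0] == "state" and key[2] == "enable":
                rule.match.setdefault("state", set()).add(key[1])
            else:
                raise ValueError(f"unsupported match: {line}")
        else:
            raise ValueError(f"unsupported option: {line}")
    return sets


def rule_matches(rule, flow):
    """A rule matches only if every criterion it specifies matches the flow."""
    m = rule.match
    checks = (
        ("protocol", lambda v: v == flow.protocol),
        ("source_address", lambda v: ipaddress.ip_address(flow.src) in v),
        ("destination_address", lambda v: ipaddress.ip_address(flow.dst) in v),
        ("destination_port", lambda v: v == flow.dport),
        ("state", lambda v: flow.state in v),
    )
    return all(test(m[key]) for key, test in checks if key in m)


def evaluate(ruleset, flow):
    """First matching rule in numeric order wins; otherwise the default action."""
    for number in sorted(ruleset.rules):
        if rule_matches(ruleset.rules[number], flow):
            return ruleset.rules[number].action
    return ruleset.default_action


def check_rdp_policy(text=RULESET_TEXT):
    """Return the verdict for a set of constructed flows through both rulesets."""
    sets = parse_rulesets(text)
    vpn_to_lan, lan_to_vpn = sets["VPN-to-LAN"], sets["LAN-to-VPN"]
    return {
        "rdp_from_traveler": evaluate(vpn_to_lan, Flow("10.0.21.100", "172.16.200.11", "tcp", 3389)),
        "ssh_from_traveler": evaluate(vpn_to_lan, Flow("10.0.21.100", "172.16.200.11", "tcp", 22)),
        "rdp_from_other_vpn_host": evaluate(vpn_to_lan, Flow("10.0.21.101", "172.16.200.11", "tcp", 3389)),
        "rdp_reply_to_traveler": evaluate(lan_to_vpn, Flow("172.16.200.11", "10.0.21.100", "tcp", 51234, "established")),
        "new_from_lan_to_vpn": evaluate(lan_to_vpn, Flow("172.16.200.11", "10.0.21.100", "tcp", 445)),
    }


def reply_without_rule_1(text=RULESET_TEXT):
    """The journal's lesson: without LAN-to-VPN rule 1 the RDP replies are dropped."""
    trimmed = "\n".join(line for line in text.splitlines() if "LAN-to-VPN rule 1 " not in line)
    sets = parse_rulesets(trimmed)
    return evaluate(sets["LAN-to-VPN"], Flow("172.16.200.11", "10.0.21.100", "tcp", 51234, "established"))


if __name__ == "__main__":
    for name, verdict in check_rdp_policy().items():
        print(f"{name}: {verdict}")
    print(f"rdp reply with rule 1 removed: {reply_without_rule_1()}")
```

With the page's rules, only the traveler's TCP 3389 to 172.16.200.11 is accepted inbound and only established traffic is accepted back; the same reply packet evaluates to `drop` once rule 1 is removed, which is why the RDP handshake stalled during the author's troubleshooting. Because `enable-default-log` is set on both rulesets, those dropped packets would also show up in edge's firewall log, which is the first place to look when this happens.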

Zone Policy

  • A new firewall ruleset also has to be linked to the zone policy, and our new wg0 interface has to be placed in the VPN zone.
set zone-policy zone LAN from VPN firewall name VPN-to-LAN
set zone-policy zone VPN from LAN firewall name LAN-to-VPN
set zone-policy zone VPN interface wg0

Fw-MGMT

  • We don't have to create a new firewall ruleset for mgmt, but the existing LAN-to-MGMT ruleset still needs a rule matching VPN-to-LAN so the connection is extended all the way through.
set firewall name LAN-to-MGMT rule 30 action accept
set firewall name LAN-to-MGMT rule 30 destination address 172.16.200.11
set firewall name LAN-to-MGMT rule 30 destination port 3389
set firewall name LAN-to-MGMT rule 30 protocol tcp
set firewall name LAN-to-MGMT rule 30 source address 10.0.21.100

Conclusion

  • Since we already tackled tunnels and RDP in the last short lab, it's already all set up and ready to go! All you need to do is open RDP, enter mgmt02's address and login info, and we are in! It took me a long time to fully understand this concept, and thanks to everyone for explaining it to me. I made a chart to help me understand it.

[image: chart of the VPN and RDP path]
