NETSEC VPN Client Setup and Remote Access - jhu-information-security-institute/infrastructure GitHub Wiki

Prerequisites

  • Transfer your instructor provided *.pub public and *.key private key files into the host that will connect as a Wireguard client
  • Instructor will provide your peer ip address, username, temporary password, and server public key for remote host access

Kali

  1. Install wireguard package using: $ sudo apt-get install wireguard
  2. Once you have your credentials, setup VPN client in Kali
    • Create the environment variables that the script below will use by replacing <PATH_TO_USERNAME_KEY_FILE> and <PATH_TO_USERNAME_PUBLIC_KEY_FILE> with the paths to server's *.pub public and client's *.key private key files, and use the IP address the instructor provided for XYZ
    CLIENTKEY=$(cat <PATH_TO_USERNAME_KEY_FILE>)
SERVERPUBKEY=$(cat <PATH_TO_SHIKRA_PUBLIC_KEY_FILE>)
export IPADDR="172.16.1.XYZ/32"
    • Run the script below as root as it will create the /etc/wireguard/wg0.conf file
    # umask u=rwx,go= && cat > /etc/wireguard/wg0.conf << EOF
[Interface]
Address = $IPADDR
PrivateKey = $CLIENTKEY

[Peer]
PublicKey = $SERVERPUBKEY
Endpoint = 128.220.249.5:51820
AllowedIPs = 172.16.0.0/16
PersistentKeepalive = 25
EOF
  3. Bring the VPN up and down using the corresponding commands below: 
    $ sudo wg-quick up wg0
$ sudo wg-quick down wg0
  4. If DNS is not passing through to 172.16.0.10, you can
    • Use /etc/hosts to manually create FQDN entries for *.netsec.isi.jhu.edu hosts that you will use frequently
    • Specify the nameserver in the interface configuration and install systemd-resolved 
      $ sudo apt-get install systemd-resolved
    • Make entries for individual hosts on netsec.isi.jhu.edu in /etc/hosts from your local VM or setup a localhost resolver (see here).

Remote Access

  • Connect to the NETSEC VPN
  • Remotely log in to one of the NETSEC hosts (e.g., attack1 or attack2) via ssh with your username and temporary password. When prompted to change it, provide a new password that will be used for all subsequent logins. On the first login, please make sure to use: 
    $ ssh <HOSTNAME>.netsec.isi.jhu.edu -l <USERNAME>@NETSEC.ISI.JHU.EDU

Otherwise, it tries to login with a local account that will not exist.

  • If you are lazy, from your VM, run $ xhost +localhost (see https://wiki.archlinux.org/title/Xhost), otherwise, you can likely do the xauth details in the next session
  • SSH into the desired system
    • Optionally, SSH using -X and setup xauth with remote host using the instructions here

Links

⚠️ **GitHub.com Fallback** ⚠️