OpenVPN Build Documentation - savannahc502/SavC-TechJournal-SEC350 GitHub Wiki

Introduction

The goal of this lab is to implement a VPN solution so that traveler can connect to jump securely. Once the VPN session is connected, traveler needs to be able to start an RDP session into MGMT02.

For this assignment, we decided to implement OpenVPN on Savannah's (my) virtual enterprise. The network diagram for her enterprise can be seen below:

[!CAUTION] Prerequisite Requirement: This build documentation covers the implementation of a VPN solution between traveler and jump. In the previous lab, RDP was configured between jump and mgmt02. This is a prerequisite, as the goal is to go from traveler (vpn client) > jump (vpn server) > mgmt02 (RDP).

Server Implementation (CentOS 7)

The jump box in the DMZ zone is running CentOS 7. Because CentOS 7 is end of life and many of its repositories are no longer maintained, finding an open source VPN package that installs cleanly was difficult. Thankfully, a GitHub user named angristan maintains a script that installs OpenVPN on several Linux distributions, including CentOS 7.

The repository for this script can be found here. The installation script that we used can be found here. The script detects which distribution it is running on, installs dependencies, installs OpenVPN, enables the OpenVPN service, and walks the user through creating a client configuration file. Since the script runs as root and is fetched straight from the internet, read through it (or at least pin it to a specific commit) before executing it.

To download and run the script, the following commands were used:

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh

[!NOTE] When running the installation script, a few questions will be asked of the user. For our installation, we chose the following specifications:

  • IPv4 Address: Jump server IP at 172.16.50.4
    • Public IPv4 Address of VPN Server: edge01-savannah WAN interface at 10.0.17.113
    • Reason: Jump is behind NAT. Traveler connects to 10.0.17.113, and the firewall forwards that traffic to 172.16.50.4. This is the address written into the client's remote line.
  • Default Options:
    • Port: 1194
    • Protocol: UDP
    • DNS Resolver: Default
    • Compression: No compression
    • Encryption: Default
  • Client Configuration:
    • Client Name: traveler01-savannah
    • Passwordless client (the client's private key is stored unencrypted inside the .ovpn file, so the file itself is the credential and must be handled as one)

After the client file, named traveler01-savannah.ovpn, is created on the OpenVPN server, it needs to be transferred to the VPN client (the traveler workstation in our case).

To make the transfer easy, we used termbin to publish the file to a temporary web page that traveler could reach. Keep in mind that the .ovpn file embeds the CA certificate, the client certificate, the client's private key, and the server's tls-crypt key, so anyone who obtains the termbin URL can connect as traveler01-savannah until that certificate is revoked (the script offers a revoke option when re-run). For anything beyond a lab, copy the file over an authenticated channel such as scp instead. On the OpenVPN server (aka jump), we ran:

sudo yum install nc
cat traveler01-savannah.ovpn | nc termbin.com 9999
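To make the point about the profile concrete, the following added script (not part of this page or of angristan's project) parses a client .ovpn, reports the remote endpoint, and lists which inline blocks it embeds. SAMPLE_OVPN is a constructed profile that only imitates the layout of a passwordless client produced by the installer; its certificate and key bodies are placeholders, not real key material. The finding strings and the assess() logic are this example's own.

```python
"""Inspect an OpenVPN client profile (.ovpn) and report what it would give
away if it leaked in transit, for example through a public paste site.

Added example, not the page's or angristan's code. SAMPLE_OVPN is a
constructed profile whose PEM bodies are placeholders.
"""
import re

SAMPLE_OVPN = """client
proto udp
explicit-exit-notify
remote 10.0.17.113 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderCAcertificateBody==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBplaceholderClientCertificateBody==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIGHplaceholderClientPrivateKeyBody==
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# Inline blocks a client profile may carry. The last three are secrets.
INLINE_TAGS = ("ca", "cert", "key", "tls-crypt", "tls-auth")

# Findings returned by assess(); constants so callers can match on them.
F_KEY_PLAINTEXT = "client private key embedded with no passphrase"
F_KEY_ENCRYPTED = "client private key embedded but passphrase-protected"
F_TLS_KEY = "server tls-crypt/tls-auth key embedded"
F_FULL_CREDENTIAL = "profile alone is sufficient to connect as this client"


def parse_profile(text):
    """Return the remote endpoint settings and the inline blocks the profile embeds."""
    profile = {"remote": None, "port": None, "proto": None,
               "inline": {}, "key_encrypted": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        parts = line.split()
        if parts[0] == "remote" and len(parts) >= 2:   # remote HOST [PORT [PROTO]]
            profile["remote"] = parts[1]
            if len(parts) >= 3:
                profile["port"] = int(parts[2])
            if len(parts) >= 4:
                profile["proto"] = parts[3]
        elif parts[0] == "proto" and len(parts) >= 2:
            profile["proto"] = parts[1]
        elif parts[0] == "port" and len(parts) >= 2:
            profile["port"] = int(parts[1])
    for tag in INLINE_TAGS:                       # capture each <tag>...</tag> body
        match = re.search(rf"<{tag}>\n(.*?)\n</{tag}>", text, re.S)
        if match:
            profile["inline"][tag] = match.group(1)
    key_pem = profile["inline"].get("key")
    if key_pem is not None:
        # A passphrase-protected PKCS#8 key uses the "ENCRYPTED PRIVATE KEY" header.
        profile["key_encrypted"] = "ENCRYPTED PRIVATE KEY" in key_pem
    return profile


def assess(profile):
    """Translate what the profile embeds into findings about its sensitivity."""
    findings = []
    if "key" in profile["inline"]:
        findings.append(F_KEY_ENCRYPTED if profile["key_encrypted"] else F_KEY_PLAINTEXT)
    has_tls_key = any(tag in profile["inline"] for tag in ("tls-crypt", "tls-auth"))
    if has_tls_key:
        findings.append(F_TLS_KEY)
    # Certificate, unencrypted key and the control-channel key all inline means
    # nothing else (no passphrase, no second factor) stands between a holder of
    # the file and the VPN.
    if ("cert" in profile["inline"] and "key" in profile["inline"]
            and not profile["key_encrypted"] and has_tls_key):
        findings.append(F_FULL_CREDENTIAL)
    return findings


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_OVPN)
    print(f"remote {prof['remote']}:{prof['port']}/{prof['proto']}")
    print("embedded blocks:", ", ".join(sorted(prof["inline"])))
    for finding in assess(prof):
        print("-", finding)
```

Run it against a real traveler01-savannah.ovpn by reading the file into parse_profile(); a passwordless client reports the full-credential finding, while a client created with a passphrase reports only the passphrase-protected key (the file is still sensitive, but no longer usable on its own).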

Client Implementation (Windows)

The traveler box needs to be configured as an OpenVPN client. First, we opened the termbin URL containing the client configuration. The text was copied and saved to a file named traveler01-savannah.ovpn.

Using installation instructions from the YouTube video found here, the next step was to download the OpenVPN client software.

Navigating to the website openvpn.net/community-downloads/, the Windows 64-bit community OpenVPN client was installed.

The installation file was run as administrator. All default settings were selected during the installation. Once installed, the OpenVPN GUI was visible on the traveler Desktop, along with a pop-up:

Firewall Commands

We need to create some firewall rules on edge02 (VyOS) to allow OpenVPN traffic from the WAN (where traveler is) into the DMZ (where jump is). The destination NAT rule forwards UDP 1194 arriving on the WAN interface to jump, which is essential since jump is behind NAT (configured in a previous lab). Two things to keep in mind: the WAN-to-DMZ rule matches on 172.16.50.4 rather than the public address because the destination NAT is applied before the forward filter sees the packet; and the DMZ-to-WAN rule only matches traffic sent to UDP 1194 on 10.0.17.13, while the server's replies go back to the client's ephemeral source port, so those replies are handled by the established/related rule that normally heads each ruleset, not by this rule. Run commit and save after entering the commands.

set firewall name WAN-to-DMZ rule 30 action 'accept'
set firewall name WAN-to-DMZ rule 30 description 'Port Forward OpenVPN from jump'
set firewall name WAN-to-DMZ rule 30 destination address '172.16.50.4'
set firewall name WAN-to-DMZ rule 30 destination port '1194'
set firewall name WAN-to-DMZ rule 30 protocol 'udp'

set firewall name DMZ-to-WAN rule 30 action 'accept'
set firewall name DMZ-to-WAN rule 30 description 'Port Forward OpenVPN from jump'
set firewall name DMZ-to-WAN rule 30 destination address '10.0.17.13'
set firewall name DMZ-to-WAN rule 30 destination port '1194'
set firewall name DMZ-to-WAN rule 30 protocol 'udp'

set nat destination rule 30 destination port 1194
set nat destination rule 30 inbound-interface eth0
set nat destination rule 30 protocol udp
set nat destination rule 30 translation address 172.16.50.4
set nat destination rule 30 translation port 1194
set nat destination rule 30 description 'Port Forward OpenVPN from jump'

Test Case: OpenVPN Connection

Now that the OpenVPN server is installed on jump, the client configuration file is saved on traveler, the OpenVPN client software is installed on traveler, and the firewall rules are in place, we can test the VPN connection. Note that with the default tls-crypt setting the server silently drops packets that are not authenticated with the tls-crypt key, so a UDP probe of 10.0.17.113:1194 from the outside will not tell you whether the port forward works; use the client's connection log instead.

Right-click the OpenVPN GUI icon under the hidden-icons caret (^) in the taskbar. There will be an option to select Import > Import File:

When the file selection dialog appears, select the client configuration file traveler01-savannah.ovpn. Click OK until the file is fully imported:

Now, when you right-click the OpenVPN GUI icon under the hidden-icons caret in the taskbar, the option to connect will be available:

The connection window will pop up. The window will disappear on its own if the connection is successful. The OpenVPN GUI icon will be green and active:

Test Case: RDP Session with OpenVPN Connection

The goal of the lab is to conduct an RDP session from traveler01-savannah to mgmt02-savannah while the OpenVPN session between traveler01-savannah and jump (aka log01-savannah) is connected.

From traveler, we establish an SSH connection from traveler (WAN) to jump (DMZ) and use it as a local port forward to RDP on MGMT02 (MGMT). The SSH tunnel is authenticated by jump's host key and the user's credentials, so the RDP session never crosses the network unencrypted.

# -N: run no remote command, just hold the tunnel open
# -L 8888:172.16.200.11:3389: listen on traveler's 127.0.0.1:8888 and forward
#   each connection through jump to MGMT02's RDP port
ssh -N -L 8888:172.16.200.11:3389 [email protected]
# Enter the password for the user when prompted

The command prints nothing and appears to hang while the tunnel is up; that is the expected behaviour. With it running, open the Remote Desktop Connection application on the same traveler box.

If it is the first time connecting, go to "Show Options" and manually enter the computer address 127.0.0.1:8888 and the username. In this screenshot, I had done the full connection previously and saved the credentials.

Click Connect. A certificate warning will likely appear because MGMT02 presents a self-signed RDP certificate; in this lab it is acceptable to continue, since the connection is protected by the SSH tunnel between traveler and jump, but in a production environment the warning should be resolved by issuing MGMT02 a trusted certificate rather than bypassed. Once connected, the screen should appear similar to this: