Project 2: Remote Access - squatchulator/Tech-Journal GitHub Wiki
Project 2 - Remote Access Research and Integration
Demo video:
The aim of this project is to apply research strategies in order to build a VPN configuration that will allow us to RDP across networks from a WAN machine to an MGMT machine, meaning we will have to traverse multiple firewalls to allow this traffic through. In this project, I initially used OpenVPN as my service of choice. I had some experience with OpenVPN in the past, which is why I decided this may be the right course for me, but as I continued with the project I grew frustrated with the lack of transparency OpenVPN gives you once you try to make a connection client-side. It also makes it very hard to edit the configurations in the client itself, and you will need to do a lot of extra steps to get the configs I made for OpenVPN (which can be found here) working properly. I also found the config files for OpenVPN to be unnecessarily complicated for the functionality I needed, so after exploring alternate solutions I found that WireGuard had lots of online documentation available as well as significantly simplified config files, and a more feature-rich client-side experience. In the future, or if given another week to try to get this project working properly, I would explore SoftEther, as this is one that I have used plenty for work and have a lot of experience troubleshooting.
First, allow traffic from the jumpbox out to the WAN so we can download what we need. The rule number can be whatever you want, but 999 is easy to spot if you forget to delete it, and we've used that number for temporary WAN access in previous labs. Because the rule has no destination or port restriction, it is a temporary full-outbound allow for Jump and should be removed once the installs are done (the firewall section below does this). This is done on edge01:

```
set firewall name DMZ-to-WAN rule 999 action accept
set firewall name DMZ-to-WAN rule 999 source address 172.16.50.4
commit
save
```
Installing the Script (can be found here)
For this project, I spent most of my time compiling all of the steps I took to successfully get a connection into a run-and-done script that only requires that you have a copy of it pushed to your SEC-350 git repository. The script updates the repos, installs WireGuard, configures Git credentials, generates keys for the VPN connection, creates and populates the config files (both client and server), and pushes them to the Git repository. Note that both generated config files contain a `PrivateKey` line, so the repository they are pushed to must be private; if it ever was public, treat those keys as compromised and regenerate them. A few caveats exist with this script, namely adjusting the access token, which is discussed in the section below.
- Now, since the script has already been made, we can simply download it onto Jump using the following command:

```
wget -O wg-install.sh https://raw.githubusercontent.com/squatchulator/SEC-350/master/wg-install.sh
```

- The file should now be in your working directory with the name `wg-install.sh`. Don't run it yet! There are a couple of things we need to do first, mainly adjusting the GitHub access token (and, as with any script fetched over the network, read through it before you execute it).
Editing the Access Token
- Since GitHub no longer allows password authentication for push/pull actions over HTTPS, I had to find a workaround. There is the option of using SSH, but to be honest I hate setting this up and I was already rolling with my script, so I looked for other options. Thankfully, GitHub supports personal access tokens, which you can generate on your GitHub profile. To do this, go to your GitHub homepage -> Settings -> Developer Settings -> Personal Access Tokens -> Tokens (classic) -> Generate New Token. Of course, this will only work if you have a script with similar functionality in your own repository, as this script is set up to access resources from mine. Generate the token with only the permissions the script needs (the `repo` scope is sufficient for push and pull), and copy it somewhere safe: the token is equivalent to a password for your repositories, so it should not be committed alongside the script.
- NOTE: I don't believe these tokens are supposed to expire as quickly as they do for me, so for now I am just manually throwing them in every time I want to run the script. There's 100% an easier way to do this, but it's working for me and it's all hands-free aside from entering the token into the script.
- Once this is set up, the script should let you push and pull to the repo with no trouble.
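The following is an added example, not the wiki's wg-install.sh (which is linked rather than shown on this page): a way to hand the token to git at run time instead of pasting it into the script, so the script itself never contains a secret and can be committed safely. It assumes the remote is used over HTTPS, that the token lives in the GITHUB_TOKEN environment variable, and reuses the owner/repo from the wget URL above; the `--push` argument and the function names are conventions of this example. The `ghp_` and `github_pat_` prefixes are the real prefixes GitHub uses for classic and fine-grained tokens.

```shell
#!/usr/bin/env bash
# Added example (not the wiki's wg-install.sh): supply the GitHub personal
# access token at run time instead of editing it into the script.
# Assumptions: the remote is HTTPS and GITHUB_TOKEN holds a PAT.
set -eu

# Build the HTTPS remote URL *without* the token embedded in it, so the
# token never lands in .git/config or in shell history.
github_https_url() {
    local owner="$1" repo="$2"
    printf 'https://github.com/%s/%s.git\n' "$owner" "$repo"
}

# Refuse to run if the token is missing or is still the placeholder.
require_token() {
    local token="${1:-}"
    if [ -z "$token" ] || [ "$token" = "PASTE_TOKEN_HERE" ]; then
        return 1
    fi
    return 0
}

# Detect a token left hard-coded in script text before it gets pushed.
# Classic PATs start with "ghp_", fine-grained ones with "github_pat_".
text_has_hardcoded_pat() {
    printf '%s\n' "$1" | grep -Eq '(ghp_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})'
}

# Run a git command with a one-shot credential helper that answers with the
# token from the environment. GitHub authenticates on the token itself, so
# the username field is only a placeholder.
git_with_token() {
    git -c credential.helper='!f() { echo "username=x-access-token"; echo "password=${GITHUB_TOKEN}"; }; f' "$@"
}

# Usage: prompt for the token without echoing it, make sure the script we are
# about to push does not contain one, then push over HTTPS.
main() {
    if [ -z "${GITHUB_TOKEN:-}" ]; then
        read -r -s -p "GitHub token: " GITHUB_TOKEN; echo
        export GITHUB_TOKEN
    fi
    require_token "$GITHUB_TOKEN" || { echo "no token supplied" >&2; exit 1; }
    if text_has_hardcoded_pat "$(cat wg-install.sh)"; then
        echo "wg-install.sh still contains a token; remove it first" >&2; exit 1
    fi
    git remote set-url origin "$(github_https_url squatchulator SEC-350)"
    git_with_token push origin HEAD
}

# Only act when explicitly asked, so the file can be sourced for its functions.
case "${1:-}" in --push) main ;; esac
```

GitHub also offers fine-grained tokens that can be limited to a single repository with Contents read/write, which is tighter than the classic `repo` scope if the only job is pushing config files to one repo.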
Executing the script
- Now, we need to execute the script to install and configure WireGuard. The script is heavily commented, and can be found here.
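Because the script itself is linked rather than shown here, the following is an added example, not the wiki's script, of the part that matters for the troubleshooting later on this page: rendering the two WireGuard config files. All of the addressing is an assumption made for the example: 10.8.0.1 for the server and 10.8.0.2 for the client (the page later mentions 10.8.0.2/32 and 10.8.0.0/24), eth0 as Jump's LAN-facing interface, 172.16.200.0/24 as the MGMT network, and 203.0.113.10 as a documentation address standing in for the edge router's WAN address. The PostUp rules are what the server needs in order to forward and masquerade tunnel traffic out to MGMT02, provided the host firewall permits forwarding; the `--render` argument is this example's own convention so that sourcing the file for the checks has no side effects.

```shell
#!/usr/bin/env bash
# Added example (not the wiki's wg-install.sh): render WireGuard server and
# client configs from a few parameters. Keys come from `wg genkey` when the
# tool is present; the rendering itself needs no privileges.
# Assumptions (not from the wiki): tunnel 10.8.0.0/24, server 10.8.0.1,
# client 10.8.0.2, LAN interface eth0, MGMT net 172.16.200.0/24,
# endpoint 203.0.113.10 (stand-in for the edge WAN address), UDP 51820.
set -eu

WG_PORT=51820
WG_SERVER_ADDR=10.8.0.1/24
WG_CLIENT_ADDR=10.8.0.2/24
WG_CLIENT_PEER=10.8.0.2/32     # /32: the server routes exactly this client
LAN_IF=eth0
MGMT_NET=172.16.200.0/24

# Print "<private> <public>". Falls back to obviously unusable placeholders
# when wg is not installed, so the rendering can be checked anywhere.
gen_keypair() {
    if command -v wg >/dev/null 2>&1; then
        local priv pub
        priv=$(wg genkey); pub=$(printf '%s' "$priv" | wg pubkey)
        printf '%s %s\n' "$priv" "$pub"
    else
        printf 'PLACEHOLDER_PRIVATE_KEY= PLACEHOLDER_PUBLIC_KEY=\n'
    fi
}

# Server side: enable forwarding, allow wg0<->eth0 in the FORWARD chain, and
# masquerade so MGMT02 replies to Jump's LAN address rather than to a
# 10.8.0.x it has no route for. %i is expanded by wg-quick to the interface.
render_server_conf() {
    local server_priv="$1" client_pub="$2"
    cat <<EOF
[Interface]
Address = ${WG_SERVER_ADDR}
ListenPort = ${WG_PORT}
PrivateKey = ${server_priv}
PostUp = sysctl -q -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -o ${LAN_IF} -j ACCEPT; iptables -A FORWARD -i ${LAN_IF} -o %i -m state --state ESTABLISHED,RELATED -j ACCEPT; iptables -t nat -A POSTROUTING -s ${WG_CLIENT_PEER} -o ${LAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o ${LAN_IF} -j ACCEPT; iptables -D FORWARD -i ${LAN_IF} -o %i -m state --state ESTABLISHED,RELATED -j ACCEPT; iptables -t nat -D POSTROUTING -s ${WG_CLIENT_PEER} -o ${LAN_IF} -j MASQUERADE

[Peer]
PublicKey = ${client_pub}
AllowedIPs = ${WG_CLIENT_PEER}
EOF
}

# Client side: split tunnel. Only the tunnel subnet and the MGMT network are
# routed over wg0, so RDP to 172.16.200.11 goes through the VPN and nothing
# else does.
render_client_conf() {
    local client_priv="$1" server_pub="$2" endpoint="$3"
    cat <<EOF
[Interface]
Address = ${WG_CLIENT_ADDR}
PrivateKey = ${client_priv}

[Peer]
PublicKey = ${server_pub}
Endpoint = ${endpoint}:${WG_PORT}
AllowedIPs = 10.8.0.0/24, ${MGMT_NET}
PersistentKeepalive = 25
EOF
}

# Check that a rendered config carries a given key exactly once.
conf_has_key() {   # usage: conf_has_key "<conf text>" "<Key>"
    [ "$(printf '%s\n' "$1" | grep -c "^$2 = ")" -eq 1 ]
}

main() {
    set -- $(gen_keypair); server_priv=$1; server_pub=$2
    set -- $(gen_keypair); client_priv=$1; client_pub=$2
    render_server_conf "$server_priv" "$client_pub" > wg0.conf
    render_client_conf "$client_priv" "$server_pub" "203.0.113.10" > wg0-client.conf
    chmod 600 wg0.conf wg0-client.conf     # both files hold private keys
}

case "${1:-}" in --render) main ;; esac
```

Both rendered files contain a `PrivateKey` line, which is why they get mode 600 and why a repository that receives them, as the script's push step does, has to be private.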
Firewall Configurations
- Now that we've installed and run our script, it's time to configure the firewalls to allow RDP through the network, and to set up destination NAT so the VPN port on the edge router's WAN address is translated to Jump.
- Edge01:

```
set firewall name DMZ-to-LAN rule 20 action accept
set firewall name DMZ-to-LAN rule 20 description "RDP Tunnel from Jump to MGMT"
set firewall name DMZ-to-LAN rule 20 destination address 172.16.200.11
set firewall name DMZ-to-LAN rule 20 destination port 3389
set firewall name DMZ-to-LAN rule 20 protocol tcp
set firewall name WAN-to-DMZ rule 30 action accept
set firewall name WAN-to-DMZ rule 30 description "VPN Tunnel from WAN to Jump"
set firewall name WAN-to-DMZ rule 30 destination address 172.16.50.4
set firewall name WAN-to-DMZ rule 30 destination port 51820
set firewall name WAN-to-DMZ rule 30 protocol udp
set nat destination rule 30 destination port 51820
set nat destination rule 30 inbound-interface eth0
set nat destination rule 30 description "NAT from VPN to Jump"
set nat destination rule 30 protocol udp
set nat destination rule 30 translation address 172.16.50.4
set nat destination rule 30 translation port 51820
delete firewall name DMZ-to-WAN rule 999
commit
save
```

- The WAN-to-DMZ rule matches Jump's address rather than the WAN address because VyOS applies destination NAT before the forward firewall, so by the time the rule is evaluated the packet is already addressed to 172.16.50.4. The final `delete` removes the temporary rule 999 from the start of the project so Jump no longer has unrestricted outbound access; commit and save so the removal sticks.
- Fw-Mgmt:

```
set firewall name LAN-to-MGMT rule 50 action accept
set firewall name LAN-to-MGMT rule 50 description "VPN Connection from Jump to MGMT"
set firewall name LAN-to-MGMT rule 50 destination port 3389
set firewall name LAN-to-MGMT rule 50 destination address 172.16.200.11
set firewall name LAN-to-MGMT rule 50 protocol tcp
commit
save
```

- Neither RDP rule restricts the source. Once the path works, consider adding a `source address` of Jump (172.16.50.4), or of the tunnel subnet if Jump does not masquerade tunnel traffic, so that only traffic arriving through the VPN can reach RDP on MGMT02.
Client-side Configuration
- We can now set up the client. Navigate to the GitHub page that hosts the script and the generated configs (in this case it's this one) and download the .zip of the repo's contents.
- Extract the folder, and find the file called `wg0-client.conf`.
- Copy this file to the desktop and rename it `wg0.conf`. This avoids an error that appears otherwise: WireGuard derives the tunnel (interface) name from the config file's name, so the client file is named for the interface it will create, independently of what the server's config file is called.
- Download WireGuard from here, and once it is set up click the "Add Tunnel" button and select the `wg0.conf` file we renamed on the desktop.
- Click the "Activate" button once it imports successfully, and you should start to see packets being sent and received!
- Now RDP to MGMT02 at 172.16.200.11 over the tunnel; the connection should succeed.
Issues/Troubleshooting
OpenVPN
- This project might have given me the most trouble out of any lab in this class so far. I started out with OpenVPN, and after I configured it I wasn't even able to get a connection working between the client and the server; my configs just were not working. I changed addresses and ports, and I played with my firewall rules over and over, but something was not allowing the client and server to communicate. I also found it really hard to automate processes with OpenVPN. From the start I wanted to have a script that would do everything for me if I configured it right, and the size of the config files as well as the syntax really tripped me up, and the official documentation was not up to date either, which made troubleshooting twice as hard.
Firewall Rules
- I think most of my time troubleshooting was in the firewall configs. Before I gave up on OpenVPN, I was certain that my configs were the issue and that I had older rules that conflicted with my new ones, so I feel like at this point I have a great grasp on the firewall configs we have up to this point in the class as well as general VyOS troubleshooting. I reached out to Erik to help me troubleshoot some potential problems with my firewall, and he was very helpful in helping me map out in my head where the traffic was going and at what points things were getting translated. After I switched to WireGuard and still wasn't having any luck, I re-entered all my firewall commands and finally was able to run a tcpdump on RDP traffic and got some replies, which was a great feeling, so I feel like there was definitely some sort of syntax error or, more likely, an improperly entered port/IP number. I still think that there is something going on in the firewall that isn't allowing RDP communication between Traveler and MGMT02, but I'm really stumped at this point as to where that problem might be or how to go about diagnosing it.
WireGuard
- WireGuard was such a breath of fresh air after working with OpenVPN. I didn't have to go into the configs on the client every time I wanted to test something; I could just click Edit and change them right there. I loved how easy it is to see logs of what's going on on the client as well, so I think WireGuard will be a VPN solution I absolutely use in the future for homelab-related things or for future VPN usage in classes. It was really easy to script, and it didn't require the use of a (now 3rd party as of OpenVPN 2.3) tool like Easy-RSA to perform keygen.
- I don't think the wall I hit in regards to RDP was on WireGuard's end, as it was really easy to set up and test and the tunnel was working (sending and receiving packets between client and server), but there was just a disconnect somewhere not letting the RDP communication through. I think that since it was coming through via Jump, the Edge firewall would not be the problem, but I am going to talk with Adam and see what he thinks.
After talking with Adam
- After running `nc -zv 172.16.200.11 3389`, communication with that port and IP is successful, and `sudo tcpdump -i wg0 port 3389` is returning SYN packets, so it seems like the packets are getting to MGMT02 OK, just not able to get back. `iptables -S` shows all the iptables configurations. We tried commenting out the `PreUp = ufw route allow in on wg0 out on eth0` lines, changing the AllowedIPs to 10.8.0.2/32 instead of 10.8.0.0/24, and bringing the server back up. Adam disabled the UFW firewall, and it started working!
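An alternative to disabling UFW outright, as an added example that is not part of the original write-up: with UFW enabled, the stock `DEFAULT_FORWARD_POLICY="DROP"` in /etc/default/ufw discards packets forwarded from wg0 to eth0 unless a `ufw route allow in on wg0 out on eth0` rule is present, and nothing is forwarded at all unless net.ipv4.ip_forward is 1. SYNs visible on wg0 with no answer coming back is consistent with a forwarding drop on Jump rather than a problem on MGMT02. The functions below take the text of a file or command output as an argument (constructed samples are used in the checks), so they run without root on any host; `--live` is this example's own flag for running them against the real server.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki): check the three things that let tunnel
# traffic leave Jump towards MGMT02 with UFW still enabled, instead of
# turning the host firewall off. Each check takes the text of the file or
# command output as an argument, so it can be exercised offline.
set -eu

# 1. Kernel forwarding. Accepts either the bare value from `sysctl -n`
#    or the "net.ipv4.ip_forward = 1" form.
ip_forward_enabled() {
    printf '%s\n' "$1" | grep -Eq '^(net\.ipv4\.ip_forward *= *)?1$'
}

# 2. UFW's default forward policy from /etc/default/ufw. DROP is the stock
#    setting, and it is what silently eats wg0 -> eth0 packets.
ufw_forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Z]*\)"/\1/p'
}

# 3. A route rule for the tunnel, as created by
#    `ufw route allow in on wg0 out on eth0` and shown by
#    `iptables -S ufw-user-forward`.
ufw_route_allows() {      # args: <iptables -S output> <in_if> <out_if>
    printf '%s\n' "$1" | grep -Eq -- "^-A ufw-user-forward -i $2 -o $3 .*-j ACCEPT"
}

# Combine the checks: prints "ok", or the first missing piece, and returns
# non-zero when forwarding cannot work.
diagnose() {      # args: <sysctl text> </etc/default/ufw text> <iptables -S text>
    if ! ip_forward_enabled "$1"; then
        echo "ip_forward is off"; return 1
    fi
    if [ "$(ufw_forward_policy "$2")" != "ACCEPT" ] && ! ufw_route_allows "$3" wg0 eth0; then
        echo "forwarding wg0->eth0 is denied by UFW"; return 1
    fi
    echo ok
}

# Live run on the server (needs root for iptables). The same functions work
# on output pasted from another host.
main() {
    diagnose "$(sysctl -n net.ipv4.ip_forward)" \
             "$(cat /etc/default/ufw)" \
             "$(iptables -S ufw-user-forward)"
}

case "${1:-}" in --live) main ;; esac
```

If the diagnosis reports the UFW denial, the targeted fix is `ufw route allow in on wg0 out on eth0` (the rule the wg0.conf PreUp line was adding) followed by `ufw reload`, which leaves the rest of the host firewall in place.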