fanbase Posted April 1, 2014 Share Posted April 1, 2014 (edited) I'm trying to set up a VPN tunnel for all traffic connected to the Pineapple in client mode, with the tunnel endpoint being my Ubuntu VPS out in the cloud. The goal here is to provide internet access to all clients connected to the Pineapple, while enabling more powerful MitM attacks like Metasploit using my VPS. I've installed OpenVPN on both my server and Pineapple and set up their respective keys, but I am at a loss now as to the proper configuration. Tun? Tap? Br0? lo? Should I be using tap0 or tun0 for each side of the tunnel? (And how does it hook into the pineapple's traffic?) Could someone kindly sketch out the ideal configs for this kind of setup? In an earlier post, Sebkinne referred a user to this "howto", which specifies the client [=pineapple] as tap0. Forgive my ignorance, but don't you want to make the OpenVPN client side [=pineapple] "tun0" and the OpenVPN tunnel's endpoint on the ubuntu server "tap0"? (Which in turn redirects internet traffic to its internet-facing eth0 interface?) I'm lost. In advance, thank very much for any help you can offer. Edited April 2, 2014 by fanbase Quote Link to comment Share on other sites More sharing options...
GuardMoony Posted April 2, 2014 Share Posted April 2, 2014 In short the difference between tap and tun. Tun: This will create a seperate network(subnet) and you need to configure your device as a router to use it. What this means is that all broadcast traffic and special traffic like dhcp request will end at this point. Tap: This will create a extended network(same subnet) and you need to configure your device as a bridge to use it. What this means is that you can allow all traffic to pass over this device to the other side of the network. Now you can use this mixed. Say you put a tap tunnel on your pineapple and a tun device on your VPS. This way you can get all the traffic of the pineapple clients towards your VPS. While your vps can play as a router and do dhcp,dns, firewalling, redirects, ... and all the other stuff. If you want more info about this. Check the openvpn website. Quote Link to comment Share on other sites More sharing options...
fanbase Posted April 2, 2014 Author Share Posted April 2, 2014 (edited) Thanks for your reply, GuardMoony, but your answer seems at odds with the OpenVPN website: Now you can use this mixed. Say you put a tap tunnel on your pineapple and a tun device on your VPS. This way you can get all the traffic of the pineapple clients towards your VPS. While your vps can play as a router and do dhcp,dns, firewalling, redirects, ... and all the other stuff. If you want more info about this. Check the openvpn website. Really? The OpenVPN website seems pretty emphatic that you can't mix tap and tun, as do the comments in the config files: Absolute NO - TUN & TAP Cannot be mixed. https://forums.openvpn.net/topic14913.html You cannot mix --dev tun and --dev tap on different ends of the connection. Use one or the other consistently. http://openvpn.net/index.php/open-source/faq/community-software-general/305-what-is-the-difference-between-a-tun-device-and-a-tap-device.html Is there something I'm not getting? Edited April 2, 2014 by fanbase Quote Link to comment Share on other sites More sharing options...
GuardMoony Posted April 2, 2014 Share Posted April 2, 2014 No srry was wrong. i thought i used a mixed somewhere but its a dual tap setup. Quote Link to comment Share on other sites More sharing options...
fanbase Posted April 2, 2014 Author Share Posted April 2, 2014 (edited) 0.08 BTC reward for whomever can set this up for me and explain how they did it. I'll gladly turn over my keys temporarily. Edited April 2, 2014 by fanbase Quote Link to comment Share on other sites More sharing options...
wifi-stuff Posted April 3, 2014 Share Posted April 3, 2014 (edited) TAP is for layer 2, TUN is for layer 3. It sounds like you want tap, since that will give you layer2 visibility all the way through the tunnel. Then you may be able to play arp games and such, assuming the tap driver doesn't stop you. That will be a little more flexible. This needs to be the same on both sides (the openvpn client and server). Your gateway IP will end up on the TAP interface on your server (or on some interface that your TAP is bridged to). Once you have your connection up, it sounds like you want to bridge the wlan interface to the tap interface on your pineapple. This should be reasonably easily done since it looks like the bridge tools are included (brctl). Check out this page for more details on the openvpn side. It does not address the bridge.: http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html http://www.dd-wrt.com/wiki/index.php/Brctl_command Edited April 3, 2014 by wifi-stuff Quote Link to comment Share on other sites More sharing options...
GuardMoony Posted April 3, 2014 Share Posted April 3, 2014 Like Wifi-stuff said. To have all the need stuff use tap ( layer 2 ). It's also better if do the setup yourself. That way at least you learn how it works, and it something goes wrong later you know what the problem could be. All the info you need, you can find in the 3 guides posted on this thread: http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html http://www.dd-wrt.com/wiki/index.php/Brctl_command http://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tap Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.