Posts posted by myb121

  1. On 7/2/2014 at 9:18 PM, Darren Kitchen said:

    Setting up an SSL VPN for use with the WiFi Pineapple Mark V is pretty simple. I have one going with a remotely deployed one of my own which is handy for remote access and routing traffic through my Kali VM. I'm working on an infusion to pretty this up, but essentially:

    On your server in the cloud (vps, etc) configure OpenVPN. Pretty easy on anything Debian based, like Kali - which might be a good choice since all client traffic will route through this box:

    
    apt-get install openvpn
    mkdir -p /etc/openvpn #should be there automatically
    cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
    cd /etc/openvpn/easy-rsa
    nano /etc/openvpn/easy-rsa/vars
    #edit the "export KEY_xxxx" values replacing changeme with your favorite color or home address
    source vars
    ./clean-all
    ./build-ca
    ./build-key-server server_name
    # challenge password: no
    # sign the cert: yes
    # commit: yes
    ./build-key Pineapple #default hostname will be Pineapple, change accordingly
    ./build-dh
    #copy /etc/openvpn/easy-rsa/keys/ca.crt and Pineapple.* to wifi pineapple's /etc/openvpn dir via scp, microSD card, carrier pigeon
    
    # Make a startup script
    nano start-openvpn-server.sh #or use vi or write your own text editor in emacs
    # Enter the following:
    	echo "1" > /proc/sys/net/ipv4/ip_forward #the spice must flow
    	iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    	openvpn --config /etc/openvpn/server.conf --daemon
    chmod +x start-openvpn-server.sh # make it executable
    
    # setup your server config
    nano /etc/openvpn/server.conf
    	# ca/cert/key/dh are relative paths, resolved against the directory openvpn is started from
    	tls-server
    	port 443
    	proto tcp
    	dev tun
    	ca ca.crt
    	cert server_name.crt
    	key server_name.key
    	dh dh1024.pem
    	server 10.8.0.0 255.255.255.0
    	push "redirect-gateway def1 bypass-dhcp"
    	keepalive 1 180
    	comp-lzo
    	user nobody
    	group nogroup
    	persist-key
    	persist-tun
    	status openvpn-status.log
    	verb 3
    

    Finally start your server using the above created start-openvpn-server.sh script

    Next on the WiFi Pineapple

     
    
    opkg update
    opkg install openvpn
    nano /etc/config/openvpn
    	client
    	dev tun
    	proto tcp
    	remote <ip of server> 443
    	resolv-retry infinite
    	nobind
    	persist-key
    	persist-tun
    	ca /etc/openvpn/ca.crt
    	cert /etc/openvpn/Pineapple.crt
    	key /etc/openvpn/Pineapple.key
    	ns-cert-type server
    	comp-lzo
    	verb 3
    	keepalive 1 180
    openvpn --config /etc/config/openvpn --daemon
    
    # alternatively: /etc/init.d/openvpn start
    # enable vpn on boot: /etc/init.d/openvpn enable

    Once the connection is established you'll notice a new tun0 interface, for example with an IP address 10.8.0.6.

    Now any other host connected to this VPN, say your phone or laptop, can manage the WiFi Pineapple from http://10.8.0.6:1471 or ssh in as usual.

    Additionally you'll likely want to route all of your WiFi Pineapple's clients through this VPN, so perform the following iptables lovin':

    
    iptables -t nat -A POSTROUTING -s 172.16.42.0/24 -o tun0 -j MASQUERADE
    iptables -A FORWARD -s 172.16.42.0/24 -o tun0 -j ACCEPT 
    iptables -A FORWARD -d 172.16.42.0/24 -m state --state ESTABLISHED,RELATED -i tun0 -j ACCEPT

    Trying to set up my nano as a travel router that connects to the VPN on my router. Followed the steps for the client but a few things have changed since this was first posted. Instead, the opkg openvpn now has options for openvpn:

    collectd-mod-openvpn - 5.4.2-1 - OpenVPN traffic/compression input plugin
    openvpn-easy-rsa - 2013-01-30-2 - Simple shell scripts to manage a Certificate Authority
    openvpn-nossl - 2.3.6-5 - Open source VPN solution using plaintext (no SSL)
    openvpn-openssl - 2.3.6-5 - Open source VPN solution using OpenSSL
    openvpn-polarssl - 2.3.6-5 - Open source VPN solution using PolarSSL

    I installed openvpn-openssl and edited the config file but when I went to:

    openvpn --config /etc/config/openvpn --daemon 

    I got a:

    Options error: Unrecognized option or missing parameter(s) in /etc/config/openvpn:1: package (2.3.6)
    Use --help for more information.

     

    Sadly, with openvpn --help I get: "Usage message not available"

    Did something change since this post or am I missing something?
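
Added example, not part of either post above: a POSIX shell check that flags the directives in the quoted configs which current OpenVPN releases deprecate or which weaken the tunnel (1024-bit DH, `ns-cert-type`, `comp-lzo`, no `tls-auth`/`tls-crypt` key). It also flags OpenWrt UCI keywords, on the assumption that an error at `package` on line 1 of `/etc/config/openvpn` means the file is in UCI format; the function name `audit_ovpn_conf`, the finding labels and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example: flag weak or deprecated directives in an OpenVPN config.
# audit_ovpn_conf FILE prints one "line: label: detail" finding per problem
# and prints nothing for a clean file.
audit_ovpn_conf() {
    awk '
        NF == 0 || $1 ~ /^[#;]/ { next }        # blank lines and comments
        $1 == "package" || $1 == "option" {      # UCI keywords, not OpenVPN ones
            printf "%d: uci-syntax: \"%s\" is OpenWrt UCI, not an OpenVPN directive\n", NR, $1
            uci = 1
            next
        }
        # Heuristic: key size is inferred from the easy-rsa file name only.
        $1 == "dh" && $2 ~ /dh(512|768|1024)\.pem$/ {
            printf "%d: weak-dh: %s (generate at least 2048 bits)\n", NR, $2
        }
        $1 == "ns-cert-type" {
            printf "%d: deprecated: ns-cert-type (use remote-cert-tls %s)\n", NR, $2
        }
        $1 == "comp-lzo" {
            printf "%d: compression: comp-lzo is deprecated; compression can leak plaintext\n", NR
        }
        $1 == "tls-auth" || $1 == "tls-crypt" { hmac = 1 }
        END {
            if (!hmac && !uci)
                print "-: no-tls-auth: control channel has no tls-auth/tls-crypt key"
        }
    ' "$1"
}

# Constructed sample: a subset of the server.conf directives shown above.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
tls-server
port 443
proto tcp
dev tun
dh dh1024.pem
comp-lzo
EOF
audit_ovpn_conf "$demo_conf"
rm -f "$demo_conf"
```

Run it against both the server and client files before deploying; an empty result means none of these specific checks fired, not that the configuration is otherwise sound.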
     

  2. I watched Hak5 1818 and 1819 a few weeks ago thinking it was the current Hak5 and I became obsessed. Being a noob, I immediately proceeded to build a home lab on a NUC6i7KYK, maxed RAM and a 250GB drive. It took me about a week to brute force my education on XenServer and Xen Orchestra. I've got them both up and am running a few VMs. This is when I realized I have this awesome piece of hardware running a headless server. This is where I need some advice:

    Is it possible to build a front end on the nuc so I can utilize it as a daily desktop while keeping XenServer running under the hood or do I need to install a distro first then run XenServer on top?

    Don't get me wrong, running a VM through console is pretty cool, it's just that I feel a little stupid buying a 4k monitor to look at XenServer's customize System menu.

     

     
