Using OpenVPN Inside Virtual Machine with Public IP

My team has been working on a solution to a question most customers have: why can't they use a VPN inside their VPS while still being able to connect to their VPS using the public IP address that we have assigned them? Using OpenVPN inside a Virtual Machine has been something that I have been meaning to implement, and it seems my team has beaten me to the punch.

I have been away overseas for a few months, and after a meeting with my team they ran through the list of things that they are working on, one of which is being able to provide our Pentesting customers a way to protect our public IP addresses while still having the ability to connect to their Cloud Pentesting Virtual Machines. I was astounded to think they had been spending the past few days finding and trying various solutions to this. They were thinking of reverse SSH tunnels, port forwarding and all that complex networking stuff. After ending the meeting and taking my morning ritual of a mango smoothie and ice, I came back to them with a solution that not only works but is very simple to set up. Now don't get me wrong, my team is highly skilled at hacking and network architecture, but they needed to think logically and not try to reinvent the wheel.

Network Protection

After sharing my thoughts I allowed them to go away and execute it. 10 minutes passed and there was a knock at my door with a sheepish look from my senior engineer. "Yes, it works", he said. "I know it works, that is why I am the master and you are the grasshopper", I said jokingly.

As customers will also be aware, our network relies on NAT for security, and having this VPN connection will benefit customers greatly as it will protect our RIPE IP addresses from receiving complaints: all pentesting will be done via the VPN and not on our public IPs.

Anyway, I need to fully test this after they have finished, as we never roll out anything without testing. Once it is complete I shall share the configuration and also provide the OpenVPN configuration file to our Pentesting customers who wish to use our VPN in their Virtual Machines. I will update this later today with all the config!!!

So as promised, here are the steps and configuration you need to connect a VPN inside a Virtual Machine:

For those wishing to connect a VPN inside their Virtual Machine, you will notice that once you connect, your session gets disconnected. This is due to the VPN making changes to the routing table, and more specifically to the default gateway.

There is a simple solution which can be used for any Virtual Machine.

Firstly we need to create a script and add it to our network configuration under /etc/network/if-up.d, so that the routes we add are re-added after a reboot: routes added with iproute2 do not persist across reboots, so we use a script to overcome this.

So follow these commands to create the script.

sudo nano /etc/network/if-up.d/vpn-up

Enter the information below into the editor:

#! /bin/sh
# Policy routing: traffic sent from the VM's internal (NAT) address is looked up in
# table 128, which keeps the original gateway as its default route. This means replies
# to your SSH session still leave via the public IP after OpenVPN replaces the main
# default route, while everything else follows the VPN.
ip rule add table 128 from 192.168.1.55
ip route add table 128 to 192.168.1.0/24 dev eth0
ip route add table 128 default via 192.168.1.254
exit 0

Please note that you will need to replace the IP addresses with your own internal IP and NOT your public IP: because OneHost Cloud uses NAT, our customers need to use the internal IP. You can find your IP details and gateway with:

ifconfig -a
route -n

Once you add the script you will need to make it executable:

sudo chmod +x /etc/network/if-up.d/vpn-up

This will make it executable and because it is in the if-up.d directory it will get executed after every reboot.

Now reboot and the script will execute and add the routes to the routing table. This will make all traffic exiting your VM go via the VPN while still enabling you to connect using your public IP address.

If you are using the OpenVPN configuration that we provide, you will need to browse to the directory where your onehost-openvpn.ovpn file is located. Once in that directory, enter the following:

sudo openvpn --config onehost-openvpn.ovpn

This will connect your VPN while still providing access to your VPS via the public IP.
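As an added example, not the vpn-up script above nor anything OneHost Cloud ships, the following hook builds the same three policy-routing commands but discovers the internal address, network and gateway from the running VM instead of hard-coding them, and checks the existing ip rules first so that the hook firing more than once does not stack duplicate rules. The table number 128 and the interface name eth0 are taken over from the script above; the IFACE check assumes ifupdown exports that variable to if-up.d hooks, which it does. The ip output used to exercise the parsing functions is constructed.

```shell
#!/bin/sh
# Added example (not OneHost Cloud's own vpn-up script): the same policy-routing
# idea, but the addresses are discovered from the running system instead of being
# hard-coded, and the rule is only added once even if the hook fires repeatedly.
# Table number 128 and the hook interface name "eth0" are assumptions.

TABLE=128

# Read "ip -4 route show" on stdin and print "<gateway> <device>" of the default route.
parse_default_route() {
    awk '$1 == "default" {
            for (i = 1; i <= NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            print gw, dev; exit
         }'
}

# Read "ip -4 addr show dev <dev>" on stdin and print the first address with prefix (a.b.c.d/nn).
parse_primary_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Turn a.b.c.d/nn into the network it belongs to, e.g. 192.168.1.55/24 -> 192.168.1.0/24.
cidr_network() {
    addr=${1%/*}
    prefix=${1#*/}
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    n=$(( (($1 << 24) | ($2 << 16) | ($3 << 8) | $4) & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) $(( (n >> 8) & 255 )) $(( n & 255 )) "$prefix"
}

# Print the three commands the page's script runs, built from the discovered values.
# Usage: routing_commands <internal-ip> <network/prefix> <gateway> <device>
routing_commands() {
    printf 'ip rule add table %s from %s\n' "$TABLE" "$1"
    printf 'ip route add table %s to %s dev %s\n' "$TABLE" "$2" "$4"
    printf 'ip route add table %s default via %s\n' "$TABLE" "$3"
}

# Discover the addresses for <device> and install the rules, skipping if already present.
apply_policy_routes() {
    dev=$1
    set -- $(ip -4 route show | parse_default_route)
    gw=$1
    cidr=$(ip -4 addr show dev "$dev" | parse_primary_addr)
    addr=${cidr%/*}
    net=$(cidr_network "$cidr")
    # "ip rule show" lists an existing entry as "from 192.168.1.55 lookup 128";
    # adding it again would create a duplicate rule.
    if ip rule show | grep -q "from $addr lookup $TABLE"; then
        return 0
    fi
    ip route flush table "$TABLE" 2>/dev/null || true
    routing_commands "$addr" "$net" "$gw" "$dev" | sh -e
}

# ifupdown exports IFACE to if-up.d hooks; only act when the VM's primary interface comes up.
if [ "${IFACE:-}" = "eth0" ]; then
    apply_policy_routes "$IFACE"
fi
```

Dropped into /etc/network/if-up.d and made executable it behaves like the script above; run by hand as root with IFACE=eth0 set in the environment it can also reapply the rules after a VPN session has been torn down. The parsing and address arithmetic sit in their own functions so they can be checked against saved ip output before the hook is trusted on a live VM.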

As you are now using a VPN inside your VM you will take a performance hit, but this can be overcome by using SSH, as most Kali Linux commands and tools can be executed from the command line. All you need to do is open 2 terminal sessions: leave one connected to the VPN and use the other to do your work. Alternatively you can log in using NoMachine, connect the VPN, then exit and use SSH. It's up to you how you wish to do it.

For those wanting to download the script, you can do so here.

Easy!!


• We have simplified this by adding route-nopull to the ovpn config file. This ensures that route changes are not made and SSH access to the VM is retained.
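The route-nopull change, as an added example that is not the .ovpn file OneHost Cloud distributes: with the server's pushed routes rejected, nothing is sent through the tunnel unless the client config names it, so this helper strips any existing route-nopull, route and redirect-gateway lines from a config read on stdin (a redirect-gateway line in the local file would still replace the default route even with route-nopull) and appends route-nopull plus explicit route lines for the networks given as arguments, which then use the tunnel as their gateway. The config text and networks in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the OneHost Cloud client config: keep SSH reachable by rejecting
# the server's pushed routes, and send only the listed networks through the tunnel.
# Usage: confine_ovpn_routes <net> <mask> [<net> <mask> ...] < client.ovpn > client-nopull.ovpn

confine_ovpn_routes() {
    # Remove the lines this function manages so it can be re-run on its own output.
    # redirect-gateway is dropped too: route-nopull only rejects routes pushed by the
    # server; a redirect-gateway line in the local file would still replace the
    # default route and cut the SSH session.
    awk '$1 != "route-nopull" && $1 != "route" && $1 != "redirect-gateway"'
    echo route-nopull
    # A route line without a gateway argument uses the tunnel endpoint, so only
    # these networks take the VPN path; everything else keeps the NAT gateway.
    while [ "$#" -ge 2 ]; do
        printf 'route %s %s\n' "$1" "$2"
        shift 2
    done
}

# Constructed sample input (not a real config); the target is a documentation range.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' 'client' 'dev tun' 'remote vpn.example.test 1194' 'redirect-gateway def1' \
        | confine_ovpn_routes 203.0.113.0 255.255.255.0
fi
```

Run with --demo to see the rewritten config on stdout; in practice, pipe the distributed .ovpn through the function with the in-scope networks for the engagement and connect with the resulting file, keeping the original untouched.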