Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

VPN Testing Barebone Notes/Howto:
#on client/FT
# 5.4.16.104 is the IP of the proxy / VPN server
# 10.129.66.0/24 is an arbitrary virtual IP for the server, but chosen to hopefully not conflict with any other private network
insmod tun.o
openvpn --proto tcp-client --remote 5.4.16.104 8080 --dev tun0 --ifconfig 10.129.129.1 10.129.66.1 --verb 5 --ping 30
#set up client to use tunnel as default gw
route add -net 5.4.16.0 netmask 255.255.255.0 gw 10.1.1.1
route add default gw 10.129.66.1
#note: iptables v1.2.7a doesn't support SNAT and MASQ only works for tcp or udp
# udp entry will forward DNS requests
#this doesn't work since MASQ only takes the --to-ports arg and not a dest IP
iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to 10.129.129.1
#or for a single target on a FT
iptables -t nat -I POSTROUTING 1 -s 192.168.1.128 -o tun0 -j MASQUERADE
#TBD does this work? Yes... but if not applied before a client creates an existing ct_contrack entry then it won't work!
#therefore, this rule must be applied before ipt_ROUTE_gfint module loads and starts forwarding connections
iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
# 1-2-08 testing: (simplified)
# iptables -t nat -A POSTROUTING -s 10.129.66.1 -o br0 -j MASQUERADE
# iptables -t nat -I POSTROUTING 1 -s 192.168.1.128 -o tun0 -j MASQUERADE
#Troubleshooting: make sure that your firewall allows the traffic (this is typically not a problem on FTs since they are set up to route anyway)
# e.g. where 128 is your client/target
#note: do not confuse this example of a desktop that normally doesn't forward with a FT that does not
# normally need such a rule (should already be allowed)
#iptables -t filter -I FORWARD 1 -s 192.168.1.128 -j ACCEPT
#on proxy server (5.4.16.104)
#note --remote required since we aren't in multi-client mode... --mode=server requires TLS
sudo /usr/sbin/openvpn --remote 5.4.16.62 --proto tcp-server --port 8080 --dev tun --ifconfig 10.129.66.1 10.129.129.1 --ping 30 --user cbuser --group cbgroup --persist-key --verb 4
#enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
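
For someone auditing a router, the POSTROUTING rules in these notes leave a recognisable trace in the nat table. The following is an added example, not part of the original notes: it reads `iptables-save` output on stdin and reports MASQUERADE or SNAT rules whose output interface is a tun device. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag source-NAT rules that rewrite traffic leaving a tun
# interface, reading an iptables-save dump on stdin.
# audit_nat_rules and sample_ruleset are hypothetical names.

audit_nat_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # table header, e.g. "*nat"
        table != "nat" { next }                    # only the nat table matters
        $1 != "-A" || $2 != "POSTROUTING" { next } # only appended POSTROUTING rules
        {
            out = ""; target = ""; src = "any"
            for (i = 3; i < NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (out ~ /^tun/ && (target == "MASQUERADE" || target == "SNAT"))
                printf "%s src=%s out=%s\n", target, src, out
        }
    '
}

# Constructed sample ruleset (not captured from a real device).
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.128/32 -o tun0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j SNAT --to-source 10.129.129.1
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.1.128/32 -j ACCEPT
COMMIT
EOF
}

sample_ruleset | audit_nat_rules
```

On a live system the input would be `iptables-save | audit_nat_rules`; any hit on a device that is not supposed to run a VPN client warrants a look at the routing table and running processes.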
