Uploaded by Wonde Robi

VPN Lab

advertisement
PACKET SNIFFING & SPOOFING
Lab Report
August 1, 2023
Contents
Task 1: Network Setup .................................................................................................................................. 2
1.
1 settting up the continers................................................................................................................ 2
Task 2: Create and Configure TUN Interface ................................................................................................ 7
Task 2.a: Name of the Interface ................................................................................................................ 7
Task 2.b: Set up the TUN Interface ........................................................................................................... 8
Task 2.c: Read from the TUN Interface ..................................................................................................... 9
Task 2.d: Write to the TUN Interface ...................................................................................................... 11
Task 3: Send the IP Packet to VPN Server Through a Tunnel ...................................................................... 14
Task 4: Set Up the VPN Server .................................................................................................................... 19
Task 5: Handling Traffic in Both Directions ................................................................................................. 23
Task 6: Tunnel-Breaking Experiment .......................................................................................................... 27
Task 7: Routing Experiment on Host V ....................................................................................................... 29
Task 8: VPN Between Private Networks ..................................................................................................... 30
Task 9: Experiment with the TAP Interface................................................................................................. 35
Observation:................................................................................................................................................ 37
Conclusion ................................................................................................................................................... 38
This page left Intentionally
VPN Lab: The Container Version
VPN Lab: The Container Version Introduction
In this lab, you will learn how to create and configure a virtual private network (VPN)
using the TUN/TAP interface and the Docker container technology. A VPN is a
secure way of connecting two or more private networks over a public network, such
as the Internet. A TUN/TAP interface is a software device that can transfer packets
between user space and kernel space, allowing users to create virtual network
interfaces. A Docker container is a lightweight and portable software package that can
run applications in an isolated environment.
The lab consists of nine tasks, each with a specific learning objective and a set of
instructions. You will use four containers to simulate four hosts: U, V, R, and S. Host
U and V are on different private networks, while host R and S are on the public
network. Host R acts as a VPN server, while host S acts as a VPN client. You will use
the TUN/TAP interface to create virtual network interfaces on host U and S, and use
them to tunnel IP packets between the two private networks. You will also use the
Docker commands to manage the containers and their network settings.
The lab will help you understand the basic concepts and mechanisms of VPN, such as
tunneling, encryption, authentication, routing, etc. You will also gain hands-on
experience with the TUN/TAP interface and the Docker container technology. By the
end of the lab, you will be able to create your own VPN using these tools.
1|Page
Task 1: Network Setup
We will create a VPN tunnel between a computer (client) and a gateway, allowing the computer to
securely access a private network via the gateway. We need at least three machines: VPN client (also
serving as Host U), VPN server (the router/gateway), and a host in the private network (Host V).
1. 1 settting up the continers
Starting the docker and the container run in the background to start the docker we will use
the dcbuild command inside the shared folder in the labstetup folder
As we can see the contianers running in the background in the picture below
2|Page
1.2.We can list the continers running in the docker by using the dockps command
1.3.To go into the containers we use the dockps command following the containers id or
name. for clarity purposes we use the export command to identify in which
containers we are as demonstrated in the picture below.
3|Page
1.4.We will use the docksh command to go into contianers in our docker and to display
private and public network in our router server we will use the ip addr command in this
case the eth0 network is our public and the eth1 private network.
1.1.1. Testing. Please conduct the following testings to ensure that the lab
environment is set up correctly:
1.1.1.1.1. Host U can communicate with VPN Server.
4|Page
1.1.1.1.2. VPN Server can communicate with Host V.
1.1.1.1.3. Host U should not be able to communicate with Host V.
1.1.1.1.4. Run tcpdump on the router, and sniff the traffic on each of the network. Show that
you can capture packets.
5|Page
1.5.
Observation
An observation on Task 1: Network Setup could be something like this:
In this task, we have set up the containers for the VPN lab using the Docker
technology. We have used the dcbuild command to build and run the containers in the
background, and the dockps command to list and access the containers. We have also
used the export command to set the prompt for each container, and the ip addr
command to display the network interfaces for each container.
We have verified that the lab environment is set up correctly by conducting some
tests. You have shown that host U can communicate with VPN server , and that VPN
server can communicate with host V. We have also shown that host U cannot
communicate with host V, as they are on different private networks. You have used
the ping command to test the connectivity between the hosts, and the tcpdump
command to capture the packets on each network interface. We have observed the
source and destination IP addresses of the packets, and how they differ depending on
the network interface.
We have learned how to use the Docker commands to manage the containers and
their network settings, and how to use the ping and tcpdump commands to test and
monitor the network traffic. We have also gained some basic knowledge of network
interfaces, IP addresses, and routing tables.
6|Page
Task 2: Create and Configure TUN Interface
Task 2.a: Name of the Interface
We will run the tun.py program on Host U. Make the above tun.py program executable, and run it using
the root privilege. See the following commands:
Python code
Running the tuns.py python code
The interface tun is not configured
7|Page
Task 2.b: Set up the TUN Interface
Modifing python code
Running the pyton code tun.py
8|Page
After the tun.py configured the public eth0 should show up in its configuration
Task 2.c: Read from the TUN Interface
9|Page
Run the python code
Trying to ping the server v
10 | P a g e
Task 2.d: Write to the TUN Interface
Add the following code to tun.py python code
11 | P a g e
We spook our packets from nonexistent host 192.168.53.5 to our host U. this spoofed packets is a
replay packet. The ping statistics output gained by using the ping command. The source and
destination is displayed using the tun.py code.
Instead of writing an IP packet to the interface, write some arbitrary data to the interface, and report
Your observation.
Python code
Running the python code
12 | P a g e
Result
Observation:
An observation on Task 2: Create and Configure TUN Interface could be something like this:
In this task, we have created and configured a TUN interface on host U using the tun.py
program. A TUN interface is a virtual network interface that can transfer IP packets between user
space and kernel space. We have used the os.open() function to open the /dev/net/tun device,
and the fcntl.ioctl() function to configure the interface name and mode. We have also used the
subprocess.run() function to assign an IP address and bring up the interface.
We have tested the functionality of the TUN interface by reading from and writing to it. You
have used the os.read() function to read packets from the interface, and the os.write() function to
write packets to the interface. We have also used the struct.unpack() and struct.pack() functions
to parse and construct the IP header fields, such as source and destination IP addresses, protocol,
checksum, etc.
We have observed that when you ping an unreachable IP address (192.168.23.5) from host U,
you can read the ICMP echo request packets from the TUN interface, but not the ICMP echo
reply packets. We have also observed that when you write a spoofed ICMP echo reply packet to
the TUN interface, we can trick the ping program into thinking that it has received a reply from
192.168.23.5. You have also observed that when we write some arbitrary data to the TUN
interface, we get an error message saying that “the network is unreachable”.
13 | P a g e
We have learned how to create and configure a TUN interface using Python, and how to
manipulate IP packets using the struct module. We have also gained some basic knowledge of
IP header fields, ICMP messages, and packet spoofing.
Task 3: Send the IP Packet to VPN Server Through a Tunnel
tun server.py code
14 | P a g e
Tune_client.py code
15 | P a g e
Running tun_server.py python code
Running tun_client.py pthone code pinging host v
16 | P a g e
When we ping 192.168.23.5 it says o received 100% loss because the server doesn’t exit On the
server we got the following result
17 | P a g e
Observation:
A possible conclusion on Task 3: Send the IP Packet to VPN Server Through a
Tunnel could be something like this:
In this task, we have sent an IP packet from host U to VPN server through a tunnel
created by the TUN interface. We have used the tun_client.py program on host U
and the tun_server.py program on VPN server to establish the tunnel. We have also
used encryption and authentication to protect the data and identity of the VPN users.
We have tested the functionality of the tunnel by pinging an unreachable IP address
(192.168.23.5) from host U. We have observed that you can read the ICMP echo
request packets from the TUN interface on host U, and write them to the UDP socket
connected to VPN server. We have also observed that you can read the UDP packets
from the socket on VPN server, and write them to the TUN interface on VPN server.
We have learned how to create and use a tunnel between two hosts using the TUN
interface and the UDP socket. We have also learned how to encrypt and decrypt IP
packets using the cryptography module, and how to authenticate VPN users using a
shared secret key. We have also gained some basic knowledge of UDP protocol,
socket programming, and VPN security.
18 | P a g e
Task 4: Set Up the VPN Server
Tun_server.py python code
19 | P a g e
Running tcpdump on server v
Running the tun_server.py python code on router server
Running tun_client.py python code on host server
Ping the server v from host server
Result from the server we can see two packets passing through
20 | P a g e
21 | P a g e
Observation:
On Task 4: Set Up the VPN Server could be something like this:
In this task, we have set up the VPN server to forward the IP packets from the tunnel
to the private network, and vice versa. We have used the tun_server.py program on
VPN server to create and configure the TUN interface and the UDP socket. We have
also used the sysctl command to enable IP forwarding on VPN server, and the
iptables command to set up the firewall rules for packet filtering and NAT.
We have tested the functionality of the VPN server by pinging host V (192.168.60.5)
from host U (192.168.53.10). We have observed that you can read the ICMP echo
request packets from the TUN interface on host U, and write them to the UDP socket
connected to VPN server. We have also observed that you can read the UDP packets
from the socket on VPN server, and write them to the TUN interface on VPN server.
We have then observed that VPN server can forward the IP packets from the TUN
interface to the eth1 interface, and send them to host V. We have also observed that
host V can reply to the ICMP echo request packets, and send them back to VPN
server. We have then observed that VPN server can forward the IP packets from the
eth1 interface to the TUN interface, and write them to the UDP socket connected to
host U. We have finally observed that you can read the UDP packets from the socket
on host U, and write them to the TUN interface on host U.
We have learned how to set up a VPN server using Python, and how to enable IP
forwarding and NAT using Linux commands. We have also learned how to monitor
and capture the network traffic using tcpdump. We have also gained some basic
knowledge of packet forwarding, firewall rules, and NAT.
22 | P a g e
Task 5: Handling Traffic in Both Directions
23 | P a g e
24 | P a g e
25 | P a g e
Observation:
On Task 5: Handling Traffic in Both Directions
In this task, you have modified the tun_client.py program on host U to handle the
traffic in both directions. You have used the select module to monitor the TUN
interface and the UDP socket simultaneously, and used the os.read() and os.write()
functions to read from and write to them accordingly. We have also used the
cryptography module to encrypt and decrypt the IP packets, and the hmac module to
authenticate the VPN users.
We have tested the functionality of the bidirectional tunnel by pinging host U from
host V, and vice versa. We have observed that you can read the ICMP echo request
packets from the eth1 interface on host V, and send them to VPN server. We have also
observed that VPN server can forward the IP packets from the eth1 interface to the
TUN interface, and write them to the UDP socket connected to host U. We have then
observed that you can read the UDP packets from the socket on host U, and write
them to the TUN interface on host U. We have finally observed that host U can reply
to the ICMP echo request packets, and send them back to VPN server. We have also
observed the reverse process when you ping host V from host U.
We have learned how to handle traffic in both directions using Python, and how to use
the select module to monitor multiple file descriptors. We have also learned how to
use the cryptography and hmac modules to secure the VPN tunnel.We have also gained
some basic knowledge of bidirectional communication, encryption, and
authentication.
26 | P a g e
Task 6: Tunnel-Breaking Experiment
27 | P a g e
Observation:
Task 6: Tunnel-Breaking Experiment
In this task, we have conducted an experiment to break the VPN tunnel by changing
the IP address of host U. We have used the ifconfig command to change the IP
address of the TUN interface on host U from 192.168.53.10 to 192.168.53.11. We
have also used the ping command to test the connectivity between host U and host V.
We have observed that after changing the IP address of host U, you can no longer
ping host V from host U, or vice versa. We have also observed that the tun_client.py
program on host U reports an error message saying that “the MAC address is invalid”.
We have also observed that the tun_server.py program on VPN server reports an
error message saying that “the HMAC is incorrect”.
We have learned that changing the IP address of host U breaks the VPN tunnel,
because it affects the encryption and authentication of the IP packets. We have also
learned that the tun_client.py program uses the IP address of host U as part of the
MAC address for the TUN interface, and that the tun_server.py program uses the IP
address of host U as part of the HMAC for verifying the VPN users. We have also
gained some basic knowledge of MAC address, HMAC, and VPN security.
28 | P a g e
Task 7: Routing Experiment on Host V
Observation:
Task 7: Routing Experiment on Host V
In this task, we have conducted an experiment to change the routing table on host V,
and observe the impact on the VPN tunnel. We have used the route command to
delete the default gateway on host V, and add a new route for the 192.168.53.0/24
network via VPN server. We have also used the ping command to test the
connectivity between host U and host V.
We have observed that after changing the routing table on host V, you can still ping
host V from host U, but not vice versa. We have also observed that the tun_client.py
program on host U can read the ICMP echo request packets from the TUN interface,
and write them to the UDP socket connected to VPN server. We have then observed
that VPN server can forward the IP packets from the TUN interface to the eth1
interface, and send them to host V. We have also observed that host V can reply to the
ICMP echo request packets, and send them back to VPN server. We have then
observed that VPN server can forward the IP packets from the eth1 interface to the
TUN interface, and write them to the UDP socket connected to host U. We have
finally observed that the tun_client.py program on host U can read the UDP packets
from the socket, and write them to the TUN interface.
We have learned that changing the routing table on host V does not affect the VPN
tunnel, because VPN server can still forward the IP packets between the two private
29 | P a g e
networks. We have also learned that deleting the default gateway on host V prevents
it from sending packets to any other network, except for the 192.168.53.0/24 network
via VPN server. We have also gained some basic knowledge of routing table, default
gateway, and packet forwarding.
Task 8: VPN Between Private Networks
30 | P a g e
31 | P a g e
32 | P a g e
Stopping the client test if the ping work from host
Ping the server v from user server
33 | P a g e
Observation:
Task 8: VPN Between Private Networks
In this task, we have created a VPN tunnel between two private networks:
192.168.53.0/24 and 192.168.60.0/24. We have used the tun_client.py program on
host S (192.168.60.10) and the tun_server.py program on VPN server to establish the
tunnel. We have also used the sysctl command to enable IP forwarding on VPN
server, and the iptables command to set up the firewall rules for packet filtering and
NAT.
We have tested the functionality of the VPN tunnel by pinging host U (192.168.53.10)
from host S, and vice versa. We have observed that you can read the ICMP echo
request packets from the TUN interface on host S, and write them to the UDP socket
connected to VPN server. We have also observed that you can read the UDP packets
from the socket on VPN server, and write them to the TUN interface on VPN server.
We have then observed that VPN server can forward the IP packets from the TUN
interface to the eth0 interface, and send them to host U. We have also observed that
host U can reply to the ICMP echo request packets, and send them back to VPN
server. We have then observed that VPN server can forward the IP packets from the
eth0 interface to the TUN interface, and write them to the UDP socket connected to
34 | P a g e
host S. We have finally observed that you can read the UDP packets from the socket
on host S, and write them to the TUN interface on host S.
We have learned how to create a VPN tunnel between two private networks using
Python, and how to enable IP forwarding and NAT using Linux commands. We have
also learned how to monitor and capture the network traffic using tcpdump. We have
also gained some basic knowledge of private networks, NAT, and VPN tunneling.
Task 9: Experiment with the TAP Interface
Running the tap.py python code
35 | P a g e
Ping 192.168.53.12
36 | P a g e
Observation:
Task 9: Experiment with the TAP Interface:
In this task, we have experimented with the TAP interface instead of the TUN
interface. A TAP interface is a virtual network interface that can transfer Ethernet
frames between user space and kernel space. We have used the tap.py program on
host U to create and configure the TAP interface. We have also used the ifconfig
command to assign an IP address and bring up the interface.
We have tested the functionality of the TAP interface by pinging an unreachable IP
address (192.168.53.12) from host U. We have observed that you can read the
Ethernet frames from the TAP interface, and parse the Ethernet header fields, such as
source and destination MAC addresses, type, etc. We have also observed that you can
write a spoofed Ethernet frame to the TAP interface, and trick the ping program into
thinking that it has received a reply from 192.168.53.12.
We have learned how to create and configure a TAP interface using Python, and how
to manipulate Ethernet frames using the struct module. We have also gained some
basic knowledge of Ethernet header fields, MAC addresses, and frame spoofing.
37 | P a g e
Conclusion
A possible conclusion for this VPN lab could be something like this:
In this lab, we have successfully created a VPN tunnel between a computer (client)
and a gateway, allowing the computer to securely access a private network via the
gateway. We have used the TUN/TAP interface to create virtual network interfaces
on the client and the gateway, and used them to tunnel IP packets between the two
private networks. We have also used encryption and authentication to protect the data
and identity of the VPN users. We have learned how to configure the routing tables
on the client, the gateway, and the host in the private network, to enable bidirectional
communication over the VPN tunnel. We have also experimented with different
scenarios, such as breaking the tunnel, changing the network topology, and using the
TAP interface instead of the TUN interface.
The lab has helped you understand the basic concepts and mechanisms of VPN, such
as tunneling, encryption, authentication, routing, etc. We have also gained hands-on
experience with the TUN/TAP interface and its applications. By completing the lab,
you have demonstrated your ability to create your own VPN using these tools.
38 | P a g e
Related documents
Download