The objective of this post is to describe the OpenVpn configuration I used to connect to the box through the corporate proxy.
I am not going into details on howto setup a OpenVpn server as there are plenty of tutorials. Mine is using PKI and TLS.
Additionally the drop box I used is a Kali linux.
First and foremost the customer did not provide me with any details on the environment and deemed no VPN acces was possible. Well he was wrong....
The only possible access to the internet was through the corporate proxy and a proxy pac file.
First action was to download the pac file and understand which was the right proxy to use. You can normally look for a directive like:
return "PROXY 18.104.22.168:8080"
You should then consider that most of the proxies won't accept connection to port and protocol different from 443 and TCP.
So here you go with the OpenVpn client configuration.
remote <OpenVpn Server public address> 443
http-proxy <hostname/IP address of Proxy found in proxy pac file> <Proxy Port(ex. 8080)>
http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1
tls-auth tlsauth.key 1
And here it is the server's configuration.
local <OpenVpn Server public address>
key 2.0/keys/server.key # This file should be kept secret
tls-auth 2.0/keys/tlsauth.key 0
server 10.66.77.0 255.255.255.0
client-config-dir /etc/openvpn/ccd #we will assign the dropbox a static IP address see below
keepalive 10 120
cipher BF-CBC # Blowfish (default)
client-to-client #Very important setting so you can ssh to the dropbox from your pentesting laptop which will be connected to the same OpenVpn server
Finally to assign the drop box a static IP, in /etc/openvpn/ccd create a file called client (should have the same name used for the certificate pub and private keys ex: john.crt and john.key)
ifconfig-push 10.66.77.9 10.66.77.10
Connect both clients (your pentesting box and the remote vmware) to the OpenVpn server using:
openvpn --config /etc/openvpn/client.conf openvpn-client --verb 4If all goes well you should be able to ping each other's clients.
Final step is to move all your files to /etc/openvpn/ and, to make OpenVpn start at boot on your drop box, issue:
sudo update-rc.d openvpn enable