Pen Testing Drop Box using OpenVpn in a restricted environment

Recently I had to perform a penetration test using a vmware box located at the customer's premises in US and accessing it remotely from Europe making use of OpenVpn and my standard pentesting laptop.
The objective of this post is to describe the OpenVpn configuration I used to connect to the box through the corporate proxy.
I am not going into details on howto setup a OpenVpn server as there are plenty of tutorials. Mine is using PKI and TLS.
Additionally the drop box I used is a Kali linux.
First and foremost the customer did not provide me with any details on the environment and deemed no VPN acces was possible. Well he was wrong....
The only possible access to the internet was through the corporate proxy and a proxy pac file.
First action was to download the pac file and understand which was the right proxy to use. You can normally look for a directive like:

return "PROXY 1.2.3.4:8080"

You should then consider that most of the proxies won't accept connection to port and protocol different from 443 and TCP.
So here you go with the OpenVpn client configuration.

client.conf

client

dev tun

proto tcp

remote <OpenVpn Server public address> 443

http-proxy <hostname/IP address of Proxy found in proxy pac file> <Proxy Port(ex. 8080)>

http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1

resolv-retry infinite

nobind



user nobody

group nogroup

persist-key

persist-tun



mute-replay-warnings



ca ca.crt

cert client.crt

key client.key



ns-cert-type server

tls-auth tlsauth.key 1



cipher BF-CBC

comp-lzo



verb 3

mute 20 

And here it is the server's configuration.

server.conf

local <OpenVpn Server public address>

port 443

proto tcp

dev tun



ca 2.0/keys/ca.crt

cert 2.0/keys/server.crt

key 2.0/keys/server.key  # This file should be kept secret



dh 2.0/keys/dh1024.pem



tls-auth 2.0/keys/tlsauth.key 0



server 10.66.77.0 255.255.255.0

ifconfig-pool-persist ipp.txt

client-config-dir /etc/openvpn/ccd #we will assign the dropbox a static IP address see below



keepalive 10 120



cipher BF-CBC        # Blowfish (default)



comp-lzo

max-clients 3

client-to-client #Very important setting so you can ssh to the dropbox from your pentesting laptop which  will be connected to the same OpenVpn server

user nobody

group nogroup

persist-key

persist-tun



status openvpn-status.log



verb 3

mute 20

Finally to assign the drop box a static IP, in /etc/openvpn/ccd create a file called client (should have the same name used for the certificate pub and private keys ex: john.crt and john.key)

$cat client

ifconfig-push 10.66.77.9 10.66.77.10

Connect both clients (your pentesting box and the remote vmware) to the OpenVpn server using:

openvpn --config /etc/openvpn/client.conf openvpn-client --verb 4

If all goes well you should be able to ping each other's clients.
Final step is to move all your files to /etc/openvpn/ and, to make OpenVpn start at boot on your drop box, issue:

sudo update-rc.d openvpn enable