Published June 6, 2023, 5:20 a.m. by Violet Harris
hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
Deploying an openvpn server in minutes with one simple script, plus clients configuring android and automating connections on the WiFi Pineapple.
New dates available for Pentest With hak5! See info at http://pentestwithhak5.com/
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en
hak5 1817 - https://www.hak5.org/episodes/hak5-1817
Founded in 2005, hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community – where all hackers belong.
You may also like to read about:
deploying an open VPN server in minutes
with one simple script + configuring
Android clients and automating
connections on the Wi-Fi pineapple all
that and more this time on hack 5 hello
and welcome to hack 5 my name is darren
kitchen hello welcome to our show my
name is Shannon Morris it's your weekly
dose of Technol s that's right it is oh
I'm very excited about this week's
episode why is that because we're we're
taking the best of both worlds free and
easy way time we like putting them
together VPN style what right you can do
that we can do that we have the
technology ok the technology let's jump
right in because because we need to make
it to the end of the show quick I can't
wait to hear who caught an Eevee
oh wait really ah hate you so much
what are you get a squirtle said that's
Jaron ok so in recent episodes we have
been showing off open VPN server setup
in two different ways there's the
freeway and then of course there's the
easy way so the first was what I would
call the easy way it's using Open VPN
access server which has a really pretty
web interface that I personally like
very much for management but it's only
free for up to two concurrent use users
so keep that in mind I will say though
totally worth the money because it is
super simple and if that's that's your
gig you know yeah nothing wrong the pain
just make you CEO pay for it so after
which you would need to buy a license
for every single connection so the
second way was installing and
configuring the open source open VPN I
was command-line yeah that was very fun
and surprisingly it was a lot easier
than what I thought it was going to be I
thought it was going to be crazy
complicated there's a few complications
in there but for the general consensus I
would say it was quite decent we got
going about video tutorial and this
required manually setting up encryption
keys and firewall rules but doesn't have
any fees associated with it so much it's
free a little bit harder to do so today
we are going to show you the lazy way
where you can have your key cake and you
can eat it too or in my preference you
can have your Starbucks and you can eat
it too both are free and easy and it
steps up and
minutes is that a Battlestar Gallactica
reference toy bareback nuggets hmm
alright we're talking about we're
talking about an epic script here and I
gotta give Matt shout out over to NY are
over on github this here is OpenVPN -
install you might imagine by the file
name what that does and it is dubbed the
OpenVPN road warrior installer for
Debian Ubuntu and CentOS ok cent OS or
whatever you'd like so finally over at
this github address it is awesome and
what it does is well it installs with
just one command check this out and here
I'm going to go ahead and copy this
command yeah it's really simple so let
me just grab this I have a brand new
virtual private server that I have set
up right here I'm actually using this
really cool Chrome extension for SSH by
the way it's yeah here I'll show you
where it's under well it's called secure
shell beta but just want to point this
out secure shell beta yeah you can find
out more about that in the extension
repository for Chrome if you're a chrome
Puffs like myself but it has Requa
cleara placed my my go-to putty because
i have a love-hate relationship with
buddy regardless a mess has aged into
this server I'm going to go ahead and
paste this command on I did the thing I
didn't want to do okay so this is in
fact this right here is the inherent
problem with a command like this and
pasting where there's a carriage return
at the end of the command hmm so what
happened was if you just do this keep in
mind arm what here let's just dissect
this command what's really interesting
is it it's two commands separated by
ampersand ampersand oh right well so if
we take a look here what's going on is
this ampersand ampersand is kind of like
a semicolon where we can basically
string two commands together yeah rather
than just a normal semicolon which would
you know first it would run this and
then it would hit the semi cool and then
it would run that the ampersand
ampersand says if the first command is
successful then run the second command
which is really cool because if it goes
to do this and it runs this W get
command and it fails it's not going to
then try to you know run the next
and what isn't going to work because it
depends on the first one completing
successfully exactly so what this is
going to do is that first command the W
get man it's going to go ahead and grab
a file off of well in this case get dot
io / VPN which by the way awesome
address right there that tack o is going
to say will save the file and give it
this file name OpenVPN - install sh and
if that's successful what we're going to
do is run bash so our our interpreter
here the bourne-again shell space Open
VPN - installed Sh okay and what's
really cool about that is it is not
going to then require us to do a chmod
plus x which is typically what we do to
change out of operation do that like
every week right and and so save my plus
X all does is make it executable uh if
we say bash space the file name were
already we're invoking bash which is
already executable yeah and then we're
telling bash hey here's a file I want
you to run so that's the quick and dirty
way for really anything over the
Internet I don't want to just like W get
this file and then you know amp amp bash
run it uh which is cool you know it it
means that you can get this up and
running very quickly it's kind of not
cool if this is a production server and
you don't know exactly what it's going
to be downloading I mean I will say it's
a pretty trusting command we can say
it'll execute whatever you'd like I'm in
his route that could be a problem you
are in route yeah shouldn't you like
check summon or something you know the
checksum would help in that if I were
concerned about the integrity of the
file like getting corrupted in transit
so typically we do for instance the
Wi-Fi pineapple we when we download the
firmware we always recommend a five well
actually we use better than md5 we use
sha-256 means better hashing algorithm
it's the same idea ya know if the
checksum doesn't match then what we
posted and what you downloaded were
corrupt and you should download again so
are you not worried about the integrity
of this file not as much as I am and as
I'm concerned about the fact that I'm
running this on my server so if for
instance this were man in the middle
and somebody injected some malicious
commands into this bastard ripped would
be screwed thankfully it is HTTP so you
can see that it's a you know I can be
reasonably assured that it's not going
to be messed up in transit so this is
probably not something that you want to
go ahead and do on a production server
but if you just spun up a cheap virtual
private server like I did you should be
good to go and I want to just download
the file and inspect it first yeah
wow that was a very verbose way of
saying you're running something from the
Internet is route right but let's go
ahead yeah let's actually check out the
script because as soon as I ran it it
started running the script and you can
see what it does is it says welcome to
the the quick openvpn road warrior
installer and it's just going to ask us
a few questions it is a interactive you
know a little wizard thing and so it
automatically figures out the IP for
address of this server and then it's
going to say hey what port do you want
it on and it's going to default to the
the very default 1194 so I'm just going
to hit enter and it's like cool what DNS
do you want and I could sit use the
current which is the default or hey look
at this they've got Verisign Hurricane
electric Open DNS I like Google's I'm
going to choose to whatever or I could
just hit enter and then finally give us
the name you know by default it says
client I could say snubs right here
NURBS so I'm going to leave it as client
and just hit enter and it's like okay
cool that's all we need it we're good to
go you hit enter and it's doing an
apt-get update its going to installing
an open VPN server right now it's
installing the open VPN server right
then it's going to configure the
certificates for us whoo it's going to
configure the firewall doors is going to
generate the keys for us and that client
over VPN is going to put all that
together so in fact here check that out
create in our keys oh that's cool so all
of that work that we did and that show
in the previous week one script we are
building on top of each of these
episodes about Open VPN yeah that's what
I like about this is that you learn the
theory you learn all the hard ways to do
it and then you fully understand you
know the really easy ones right yeah
you're right we could have started with
this one and be like so do the thing and
then you're done but you wouldn't have
known what
and we know that in the background
what's doing is John because you want to
know what's happening
exactly haha man it is taken some time
to generate those keys too but check out
the pretty ASCII art we're getting for
it so you know it reminds me of doom to
unpacking a wad file we you know give us
a like on YouTube but that made me sense
to you oh my god sorry
and there we go as you can see
everything is done for us we've already
started the VPN service we've set up our
keys and it'll even say your client
configuration is available in tilde on
our home directory as client a VPN and
if we want we can just go ahead and run
this one more time and we'll get another
key so of ILs here you can see now I
have that client a VPN file so that's it
that's your ready to guilty you can pick
up from last week where all we have to
do now is copy this client ovp and file
to over to our device of choosing and
I'll in with it that's awesome so I
highly recommend everybody go and check
it out it's a github.com github Duncan
I'm /n y or n yr n yr yes near I also
wanted to point out that similarly if
you're not looking to do this on a
virtual private server with this script
there is another and I know that we've
been asked many times about this what
that Raspberry Pi you got sitting in
your desk drawer yes I have like four of
those sitting around with nothing set up
on them at the moment well it's time to
get one set up snubs because turns out
Raspberry Pi is a fantastic Open VPN
server and because you know it pretty
good uptime right I mean it's a pretty
stable portable very low power
requirements right and so there is a
nice little script there if you set up
newbs or raspbian or any of those that
will allow you to very much like this go
ahead and turn your Raspberry Pi into an
open VPN server as well that's awesome
yes so in fact I could it's not made for
this because I'm on x86 virtual private
server here called dance Raven props to
NSA meme generator or whatever it is NSA
well maybe we should do in generator
actually installing this honor
berry pie well we could I could also
just come over here to github.com slash
starship engineer who has the open VPN
setup and this is specifically for
Raspberry Pi but I wanted to show you
very similarly the server side all you
have to do I've already done apt-get
updates I probably already have get on
this server let's see get nope okay this
is where I would run this if I had it
installed but I don't um actually hang
on nope can't find it okay well what
that command would have done is is see
fix this up so you previously previous
episodes about that command that fixes
things okay so now that I have git
I can come back over here and basically
all you have to do is clone this guy's
repository which is awesome so let's do
that and then CD over to it and you'll
see that I need to make this mm-hmm
cueball yep executable but now if I run
Open VPN setup that Sh I'm great check
that out it's a pretty little venue like
the land turtle yes and I can go ahead
and choose like okay let's set up our
server and it's like yeah and of course
it's going to be referencing the
Raspberry Pi I'm not on one bill let's
just do some imagination here we'll
continue and let's keep our version of
grub because that could be bad on this
VPS and then we give it our local IP and
you know what I don't even know what
that is but we're going to go ahead and
just give it the public IP we'll give it
the public IP again and then we're going
to use 2048-bit encryption and then it's
going to be like okay we're ready to go
press enter and that's it and as you
might imagine it's doing very similar to
that previous script and it's generating
those keys and it's going to set
everything up for you and when you're
ready to create your clients you just
run this script again choose create a
client and it walks you through the
whole thing so I just wanted to point
that out I don't have a Raspberry Pi
right here on the desk but do some
imagination that it's exactly the same
process that's so very yeah so that's
just another props to another awesome
github project and you can find that
over at github comm slash star
ship engineer nice so yes so what's next
okay well when we get back we're going
to be talking about getting open VPN
client setup on Android and configuring
your Wi-Fi pineapple to dial in on boot
first a quick word from our sponsors
might not building your own open VPN
server is an awesome idea and you know
what else is an awesome the idea given
it a suite domain name like the best
open VPN server on the internet calm you
can probably get that over at domain.com
that's where Shannon and I shop because
they have an awesome domain discovery
system that makes it super easy to find
the right domain for you and their
checkout process is super simple meaning
your website's going to be up and
running and online in no time and get
this the guys over at domain comm huge
fans of hack 5 so they've got the hook
up just for you 20% off that's right all
you have to do is use the coupon code
hak5 that spells hack 5 do that at
checkout and save yourself a bundle over
at domain.com and you know what you
should tweet them at domain.com and say
hey thanks for supporting hack 5 all
these years when you think domain names
think domain.com we're back and we have
a few of your OpenVPN questions first up
in no attribution of this one since it
comes from like everybody but
essentially how do you set up an open
VPN client on Android awesome question
I'm glad you asked and this is something
they should absolutely be doing yeah and
that we will be doing as we do think
okay it's because she wants to
play pokemon go well she's at DEFCON I
do all your time opponent I really want
to play Pokemon go at DEFCON to see what
kind of like desert Pokemon are
available is one of the reasons why we
use something like I don't know signal
for messaging at a hostile environment
that is DEFCON but yes there's there you
should always be in whether you're using
Wi-Fi or LTE you should be protecting
traffic regardless and so we love open
VPN and if you're following along this
long you probably do as well and you
probably wondering how do I make my
Android do that the same way mawatha
high on Apple does I don't know why we
can play pokemon go yes so let's just
check it out - I am I am so this is my
phone's screen mirrored over here and so
you can see in the Play Store you will
find the there's two there's open VP
and connect by actual openvpn it's got
like 10 million downloads this one's
pretty robust so I actually have that
over here let me go ahead and open that
guy up and you'll see that what you need
to do is you need to transfer your
openvpn config file that client to OU
VPN over to here to the open VPN client
go to more and then import and then
import the profile from sd card then
scroll all the way down to wherever you
have saved it and find your client 2 or
VPN that's the same one that we just
created in the previous block or segment
and then hit select ok ok and then we
can go ahead and hit connect and there
we go we're connected and we can see
duration of our connection how many
packets received and sent and now all of
our traffic is going through that VPN
that's so cool I want to point out some
preference stuff here that there is a
battery saver mode where you can
actually pause the VPN when the screen
is blank I don't really recommend that I
also recommend you know setting it up so
that it will reconnect every time you
boot you want to make it seamless so
that you know it'll block any internet
traffic that isn't going through the VPN
and the very first time you do this you
will get a pop-up from Android saying
like hey there's a new service that
wants to register as a VPN provider oh
ok yeah so this is actually hooking into
some very low level stuff with an
Android allowing it to do this so you
don't need a rooted phone you don't need
iptables engine kernel or anything weird
like that it has gotten so much better
over these years so I didn't just want
to point that out it's that simple
as far as actually transferring your
Open VPN connection you know that the OU
VPN files securely from say your server
in the cloud or be it your raspberry pi
yeah the best way to do that you could
do it like thumb drive you know and
sneakernet the thing over but I just
wanted to point out that there's a
pretty good app here that I like called
and FTP so and FTP I have it set up
right here and I already have a SCP
connection but as you might imagine you
hit new you type in the details of your
server and then it has a couple of
protocols that it supports including SCP
and as you guys know SCP is
just copying over SSH so as long as we
can SSH into our server and that's what
I have over here so I'll go ahead and
click through to SCP over to this server
and then I go ahead and authenticate
alright and as you can see here I'm
currently looking at slash root and
there is not only my Ovi Open VPN
install SH but you'll notice that client
VPN file so all I have to do is select
that and hit download and it's going to
go ahead and download that over SSH to
my phone so there you go that's a secure
way to transfer that client a VPN file
to your phone that's so cool I'm very
excited about it yeah I am too and we
also got a question from Alberto who
writes hi Darren love the show I have a
question can you show us or me how to
make the Wi-Fi pineapple Nano connect to
an open VPN on boot making a boot script
great question this follows up with one
of our first segments on setting up Open
VPN as specifically when we used a Wi-Fi
pineapple in this case a nano or you
could use a tetra really any open wrt
based device and the idea here was that
and you should go back and watch this
episode if you haven't it's pretty cool
of creating a VPN access point so that
anything connected to in this case Wi-Fi
pineapple uh anything connected to this
other Wi-Fi
exactly so you don't have to worry about
having a client on your Android and a
client on your Kindle you're not going
to find a Kindle client and a client on
all of the esoteric different devices
everything going through the Wi-Fi and
on in this case the Wi-Fi pineapple is
going to go through that VPN the
question about setting this on startup
very important because it was manual
process that we showed yeah and you if
you want to redo it every single time
right exactly in fact this is what I do
I can't emphasize this enough t-mobile
is awesome at least here in the San
Francisco Bay Area with their LTE
getting like 40 megabits a second which
is fantastic way better than any DSL
that I could get
however they throttle certain packets if
they know what the packet is which is
why I've gone ahead and done this
because I use an old cell phone tethered
to a Wi-Fi pineapple at my house as a
way to connect to the internet because
I'm
I don't want to spend way too much money
with 80 on a DSL service that's crap
so that notwithstanding anyway I just
got tired of t-mobile throttling my
stuff might as well run it through a VPN
but I do want to make sure that if I
unplug and replug my Wi-Fi pineapple my
home access point that that VPN
reestablishes so let me show you what I
did and it's just as simple as opening
up an SSH connection here just as you
normally would to your Wi-Fi pineapple
all right and so I'm connected I can LS
and I see I've got my client a VPN file
right there in slash root and let's go
ahead and edit this file in slash Etsy
/r c local i'll go ahead and talk a
little bit about this basically when a
modern machine boots up right there's a
number of processes that it goes through
to everything in the working order that
you know and love yeah you've got you
know your BIOS and then there's a
bootloader and it'll initialize a kernel
which will set up a file system which
will spin up all of the background
processes so usually when we talk about
starting up a user land program and that
is to say a program that runs outside of
the operating system you know not like a
driver or something as part of the
kernel but rather like running Skype or
something yeah Skype Photoshop steam all
of those are user land applications and
so is this open VPN
well then you know we want it to run
after all of those other services have
started so in Windows you may be
familiar with there's a startup folder
and anything that you put in there is
going to go ahead and start up whether
it's a program or a shortcut to a
program and it's going to start up after
Windows completes loading everything
right and you get the hourglass of hell
and we've all been there on Linux it's a
little different it really depends on
the version you have so I'm on Ubuntu
1604 and I have system D right and
system D is one of the many rewrites
over the history of Linux finding the
perfect initialization routine the Wi-Fi
pineapple in particular it runs not a
boon to but rather open wrt which is a
flavor of embedded linux and it has a
boot process very similar to any other
modern PC cool bootloader execute the
kernel about the file system kicks off
punch scripts okay so in the case
Wi-Fi pineapple we're not using systemd
but rather if we take a look at /x c /r
c d will notice that we have a bunch of
these different scripts okay so
basically what we're going to have here
are scripts that begin with an S and
scripts that begin with a k okay all
right and so well the s scripts are your
startup scripts in case for kill okay is
for kill yes that makes complete sense
right and so on boot it's going to go
ahead and actually just execute all of
those s or startup scripts in numerical
order so let me go ahead and LS those
again and you can see I'll do an LS tack
la that's it USSR CD so you can see them
in the nice little list these are
actually symlinks and there are some
links to different indie scripts right
so you can see that it begins with for
existence you know is setting up booed
and setting up systems firewall setting
up the network and then USB setting up
the FS tab for the file system setting a
PHP and SS A to D and all of those other
things and you can see that when it gets
to you know when it's almost done when
it's pretty much done I don't 95 done s
95 done right so so done will actually
reference another file and that is
called our C dot local so that's that
one that I was talking about that's kind
of like you know if you're an old dos
guy it's sort of like an autoexec.bat
from back in the day I don't know what
that is okay well you would just you
know make autoexec.bat do a ten prints
NURBS is the derp derp and 20 go to 10
ah you basic so basically what you want
to do is put anything you would like in
the RC dot local file ok so check this
out if I go over to or I don't have to
go anywhere if I just nano that slash
Etsy sauce arcielo Cal file you'll
notice it says put your command above
this line as long as it ends with that X
is 0 we're all good yeah so as you might
remember I have this client over VPN
file in slash route so if I now say Open
VPN and then slash I think I just say
open VPN service actually you just say
you just pass it / whether the the file
so in this case less routes a client to
VPN and then so that the first thing
it's going to do on boot after it
finishes all of those other things these
gets s95 done it's going to run the
script which is going to run open VPN
and that's going to start the service
yep run that in the background and then
the next thing I'm going to do is those
IP tables and I cheat sheet and just
keep them right here so that I can just
paste them in and boom there we go we
just really cool save that file close it
out and now every time you boot it's
going to execute those scripts it's so
cool it's gonna you know do all of that
for you like we had done in that
previous episode so that is kind of the
hacky way to do this that makes it just
start up automatically every time you're
working on the Wi-Fi pineapple exactly
and that's the same way that you can do
anything that you want to happen on boot
on any machine that uses this
initialization scheme so check your
slash Etsy for an RC local file and I
would say that the proper way just so I
don't get bunch emails is to actually
add the firewall rules to your /ot
config firewall configuration script our
file and then go ahead and you know use
the the proper D script for Open VPN to
start it as a service and enable it so
that it starts up on boot but listen if
you just take the commands that we did
from the previous week and pop them into
this file it's gonna get the job done
it's so cool yes that was so well I feel
like we know how to do this in every way
possible I think the only thing we're
missing is I devices iOS are we gonna
bring one of those on hack 5 good yeah
sure I mean let us guys know do you want
do you wanna do some iOS stuff we could
um he's just like uh
I mean if you actually can I really I
can't I can't be hater I'm right I'm
rocking a Windows box right yeah that's
you know like what if I everybody gives
you a wrap for that I know I'll switch
to a Chromebook run yeah all right so we
have some put you over to come back over
here oh no I'll get a netbook I know I
know get over here we're not done yet we
have some dates popular that's my thing
uh we have some dates to announce first
off we have a pen test with hack five
coming up in September it's September
16th through the 18th it's three days
hands-on training with the guys and
ladies at hack five we're going to go
over everything special yeah pineapple
duck turtle Metasploit and putting them
all together in a story-driven
environment that is very much theatrical
and immersive and fun
so it's unlike any InfoSec training
you've ever heard of I don't want to
spoil it by giving too much away other
than saying it's a real delight so check
that out pen test with hack five comm we
love doing it and also we're going to
Def Con stuff con 24 this year and we
will be there with a booth selling the
things and we're going to be there with
some of our friends we have a special
guest this year oh very exciting yes we
tell them yeah Brian brushwood from you
know scam stuff and BB live and
everything
knocking the system all scam school all
of us shampoo all the good stuff going
to be there in force at our booth so
that's cool too super exciting I don't
know what to expect I have no idea what
he's bringing but I'm sure it'll be an
awesome bag of tricks so check that out
it's going to be joining us as well so
it's going to be good fun we hope to see
you at Def Con yes and if you can make
it check out hack 5 org for details on a
possible meetup to go to the movies
because there's a special movie we would
like to see with you yeah I believe this
episode is releasing a few days before
the new born 5 movies so hashtag fake
Def Con on that that's all I'm gonna say
that's all I'm going to say about yeah I
once had pink hair oh man
so good I can't wait to talk about that
so anyway yes good stuff
feedback at hak5 org is how you can
contact us directly otherwise
us a comment below find all of our other
shows as well as our products and the
events that we're doing over at our
homepage hak5 org I love your guys's
support of this show for over a decade
especially if you want to get some of
the tools that we develop and use here
like the Wi-Fi pineapple the land turtle
the USB rubber ducky you can find all of
those over our very own store hack shop
that's H a K shop comm thank you so much
for your support on that and with that
i'm darren kitchen i'm shanley trust
your technology
go to catch up oh good mom
i want me to see that the very best like
no one ever was dude dude don't to catch
them is my real test to train them is my
cause I will travel across the land
searching far and wide each Pokemon add
some Sun the power that's inside Pokemon
gotta catch them all ok we're down here
alright ok
2CUTURL
Created in 2013, 2CUTURL has been on the forefront of entertainment and breaking news. Our editorial staff delivers high quality articles, video, documentary and live along with multi-platform content.
© 2CUTURL. All Rights Reserved.