ITIS 6167/8167 Network Security

Project 2: VPN and its usage

Handout Date: Nov 12th, 2021
Due Date: Nov 29th, 2021 before 11:59 pm
Objective:
The objective of the project is to help students to learn about VPN and its usage in
network security. Specifically, the VPN network can allow end users to remotely access
corporation networks or penetrate firewalls. We will use two virtual machines in this experiment.
Restricted by time, we will play with only host-to-host tunnel.
Acknowledgement:
The project is using materials developed by Dr. Wenliang Du and his team at Syracuse
University. With his permission, we are using the virtual machines captured by the team. We
would like to thank him and his team, as well as the funding agencies that support the
development of the series of experiments.
Tasks of the Project
Task 1:
Before you start on the project, please watch/read the following materials so that you
know how VPN works and what techniques are essential for the adoption of VPN.
Microsoft’s view of VPN
https://technet.microsoft.com/en-us/library/cc779919(v=ws.10).aspx
How VPN works
https://www.youtube.com/watch?v=zpUHD-PQuZg
What is VPN
https://www.youtube.com/watch?v=4BfL0UHrzDY
The lab description PDF at the link below. You need to follow the lab description
closely for the project. There are a few things you need to pay close attention, which we
emphasize in this document.
https://seedsecuritylabs.org/Labs_16.04/Networking/Firewall_VPN/

1
Task 2:
Now you roughly understand how VPN works. Let us do some experiment. We will need
a virtualization environment and two virtual machines. The following setup is based on Oracle’s
VirtualBox. VMWare should also work for the experiment. We choose VirtualBox since it works
for more types of platforms.
(1) Go to the following page to understand how to set up your VM:
https://seedsecuritylabs.org/Labs_16.04/Documents/SEEDVM_VirtualBoxManual.pdf

(2) Now download VirtualBox from the following link. Please note that there are many
versions for many different host systems. I am using Windows 10 PC and I use the
VirtualBox 6.0.18.
https://www.virtualbox.org/wiki/Download_Old_Builds_6_0

(3) Now install VirtualBox.

(4) Download the SEEDUbuntu16.04 virtual machine. Be careful that the VM is a ZIP file
with the size of 3.4GB. It will take some time for you to download it.
https://seedsecuritylabs.org/lab_env.html

(5) Unzip the virtual machine.

(6) Launch VirtualBox. Since we need to use two VMs in this experiment, make sure that
you clone the VM to create two VMs. You need to clone it when the VM is fully
powered off. Read the documents again in Step (1) and follow the instructions strictly.

(7) Read the part “Network Configuration in VirtualBox for SEED Projects” of the document
in Step 1 to configure your VirtualBox and VMs so that they are connected with each
other and they can access the Internet. Be careful about this step since you want to make
sure that the two VMs can communicate.

(8) In VirtualBox, launch the two VMs. Within each VM, ping itself to make sure it is
working. Then you ping from VM1 to VM2, and vice versa, to make sure the link is
working.

Some TIPs during your experiment setup phase: (a) make sure you clone the VM when it is
powered off; (b) follow the set up instructions for networks in the manual. Be very careful since
we need two VMs that can talk to each other directly as well as to access the Internet;
I personally experienced some interesting things. I configure the two VMs and after the
launch, they have the same IP address (which will lead to subsequent operations cannot be done.)
If you see this, you can do two things. (1) It is possible that the two VMs are launched very close
to each other and the DHCP server gets confused. So try again. (2) When you configure the

2
networks of the VMs, give it a new MAC address by clicking on the “troubleshoot” button
illustrated in the manual.

Fig 1. In this figure, we show the VirtualBox running three VMs. I am using the Ubuntu1604 as VM1,
and Frirewall_Eva_VM2 as VM2.

3
4
Fig 2: The top figures are the screenshot of my VM1 and VM2. You can see the following information in
the figure. (a) you can run the command “ifconfig -a” to see the address of the VM. In my environment,
VM1 contains two network interfaces: enp0s3 which is the network card to outside world, and lo which
is the local interface. Enp0s3’s IP is 10.0.2.4, and VM2’s IP is 10.0.2.6. They can ping each other. (b) on
the left side of the screen, you can see three tools that you may need to run the project: terminal,
firefox, and wireshark. Write down the IP address of your VMs since you will need them.

Task 3:

If your host machine can access Internet, so are your VMs. Now launch Firefox (already in the
left side bar of the VMs) on both of your VMs and go to the SEED project page
(https://seedsecuritylabs.org/index.html).

From both of your VMs, go to https://seedsecuritylabs.org/Labs_16.04/Networking/Firewall_VPN/, and

download the “Sample VPN client and server programs (without encryption)”. In the following figure, we
show that VM1 downloads the vpn.zip file. Please note that you download the file from the VM, not
your host PC.

5
Now double click the vpn.zip, and you can extract the source files. See the figure below. Make sure that
you know where the extracted files are (some students forget where they store the folder and has to do
it again)

6
Make sure that you download and unzip the vpn files on both VM1 and VM2.

Now on your VM2 (which is the VPN server), start a terminal and go to the folder of the vpn unzipped
files. And run the command “make”. See the screenshot below.

On VM1 (which is the vpn client), you will do the same step with one minor change. Note that a vpn
client must know the IP address of the vpn server. So you need to edit the file to make sure that your
VM1 vpn client can find the vpn server.

On VM1, right click the file “vpnclient.c”, and open it with “gedit”. See below.

7
Now edit the file and put your server’s IP address (VM2’s IP address) in the server place. For my case,
the server IP is 10.0.2.6. And save the change.

Now on VM1, run the command “make” as well.

8
At this time, you are ready to run the project. You have set up the VMs properly. You have download
and compiled the vpnserver program on VM2 and vpnclient program on VM1.

Go to https://seedsecuritylabs.org/Labs_16.04/PDF/Firewall_VPN.pdf. Start from Section 2.2 on page 2

of the document and follow the steps.

Below are some of the tips that I find out.

Tip 1. For Section 2.2 of the lab description, you need to set up the firewall and block a specific
webpage. As an example, I used the UNCC faculty/staff webpage. For example, I block the IP address
range 152.15.0.0/16 so that VM1 cannot access my webpage at UNCC. The following figure shows that
VM1 block the access to webpage: https://webpages.uncc.edu/wwang22/index.html

If your firewall is set up correctly, you will see the following page when you try to access my page.

In your experiment, you cannot use my webpage as the block target. Choose another page and figure
out the IP address range of that page.

9
Tip 2:

For Section 2.3 of the project des cription, make sure that you start the vpn server first and then the vpn
client. Also, remember to assign ip addresses to the run0 interface at both the vpn server and vpn client.
If the server and client are successfully started and actually connected with each other, you should see
something like follows on the server side.

10
Tip 3:

For “Step 3: Set up routing on client and server VMs” on page 5 of the lab instruction, you need to make
sure:

On vpn server side, add the routing information for the vpn network to the tunnel interface. For my
case, I need to run the following command. In this way, the vpn server knows that to reach 192.168.53.x
address, it needs to send to the vpn interface instead of the enp0s3 interface. (note that your vpn
network address could be different)
$ sudo route add –net 192.168.53.0/24 tun0

On the vpn client side, I need to add two pieces of route information. One for the vpn network address,
and one for the address range that the firewall blocks. (note that your vpn network address could be
different)
$ sudo route add –net 192.168.53.0/24 tun0
$ sudo route add –net 152.15.0.0/16 tun0

If you successfully finish this step, VM1 can ping VM2’s vpn address (and vise versa), as the figure below.

11
Tip 4:

For “Step 4: Set up NAT on Server VM” on page 5 of the lab instruction, You need to make sure that
when you run the following command, you need to replace “eth8” with the real network interface on
the VM2. For example, in my case it is “enp0s3”.

$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE -o eth8

Task 4:

If your VPN works properly, now you can access the blocked page through vpn. Launch the
firefox on VM1 and see whether or not you can access the page.

Now on both sides, launch the “Wireshark” application. You can select the interface that you
will eavesdrop on. You need to try different combinations of the eavesdropped interfaces (real network
interface and the tunnel) on two VMs: eth—eth, eth--tun0, tun0—eth, and tun0--tun0 (the first
interface is of VM1 while the second interface is of VM2). After you set up the eavesdropping function,
ping different interfaces (eth and tun0) of the other VM from your current VM.

What do you see? What are the IP addresses of the packets that you capture on the eth
interfaces? What about the packets that you capture on the tun0 interfaces? Do you always see packets
on the tun0 interfaces when the interfaces ping each other?

Now on VM1, visit the blocked page with firefox. Capture the packets with wireshark on the
interfaces of eth and tun0. Examine the contents of the captured packets and explain how the vpn
works.

Report of the Project:

You need to turn in your project report. You need to describe:

(1) Describe and draw a figure to show your network environment including both the eth and
tun0 interfaces/addresses on both VMs;
(2) Screen captures to show that the two VMs can communicate with each other (ping packets
between the eth interfaces and the tun0 interfaces);
(3) Screen captures of the packets that are captured by Wireshark on both VMs. Here you need
to capture multiple packets from multiple interfaces (both eth and tun0) on the VMs since
you need them in step (4);
(4) Explain how VPN uses the “tunneling” technique to hide one IP packet into another IP
packet. Use your screen captures to illustrate how the technique is implemented in our
experiment environment. Explain what are the IP addresses you see at the eth interfaces
even when the two tun0 interfaces are communicating with each other. Explain how can
VM1 access the blocked webpage through vpn?

12