VPN routing does not create default route

[MarkusTeufelberger]

init_rttable() in https://github.com/cuckoosandbox/cuckoo/blob/master/utils/rooter.py#L82 does not create a "default" routing table entry and thus packets were not routed to the tun0 interface on my machine.

My fix: Comment out lines 82-86 in rooter.py and insert the following line afterwards

run(settings.ip, "route", "add", "default", "dev", interface, "table", rt_table)

I am not sure if one really wants to add/copy existing routes on the tun interface anyways, in that case the code might still be left uncommented.

I am not sure how routing works apparently on some people's machines if cuckoo never sets any default table for the "rt_table" entry. Maybe a custom config in OpenVPN creates these when the interface comes up? Anyways, hopefully this helps someone and maybe this should also be added to cuckoo.

[doomedraven]

do you have configurated /etc/iproute2/rt_tables?

[MarkusTeufelberger]

Yes.

[lowson]

@MarkusTeufelberger you are awesome!

I have been trying for hours to get a VPN setup to work, every time I booted rooter.py it would clear any routes the VPN script created and no VM would connect, your fix worked perfectly :)

[jbremer]

@MarkusTeufelberger @lowson Could either of you test this feature in our latest release (2.0.0)? VPN support should've been improved there.

[lowson]

Just upgraded to the official 2.0.0 and nothing VPN related appears to work.

When selecting a VPN, the traffic is routed down the internet option or nothing.

Log from cuckoo: [cuckoo.core.scheduler] INFO: Starting analysis of URL "http://whatismyipaddress.com" (task #11, options "procmemdump=yes,route=internet")

rooter debug also shows this in the logs: forward_enable eth1 eth0 192.168.x.x

I reviewed the task submit request and I see the following set showing the vpn selection: vpn: "vpn0" and network-routing: "internet"

[doomedraven]

it works for me since rc2

[lowson]

@doomedraven any ideas on how to debug the issue?

[doomedraven]

not really if you see router verbose you will see command executed, can be some problem in .ovpn configuration as in my case ovpn eds with .ovpn --script-security 2 --route-noexec check in one of the isues i already specified my .ovpn conf

[lowson]

So after some testing it looks like something is wrong in the code. I haven't located the specific issue yet but I am still investigating.

If I set the default route to "internet" and then select a VPN the during submission I see the following with the wrong route to internet and the VPN doesn't work. [cuckoo.core.scheduler] INFO: Starting analysis of URL "http://google.ca" (task #17, options "human=0,procmemdump=yes,route=internet")

If I change default route to "vpn0", forcing a VPN option i see the vpn0 in the logs and everything works as expected : [cuckoo.core.scheduler] INFO: Starting analysis of URL "http://google.ca" (task #17, options "human=0,procmemdump=yes,route=vpn0")

Now a side not is I still had to change the original rooter code as per @MarkusTeufelberger

If anyone has any idea on what should happen when you select a VPN vs internet and where the logic might be fore this it would be great

[doomedraven]

yes if you set default route it kinda set to that route all the time, so just unset it,

when you connect to ovpn it output some values which yo uneed to set

print 'ip rule add from {} table {}'.format(local_ip, ip_table)
print 'ip route add default via {} dev {} table {}'.format(vpn_gateway, dev, ip_table)

and execute as this but instead of print, that should be executed in terminal, but with that comamnd after .ovpn

[lowson]

My issue is here:

https://github.com/cuckoosandbox/cuckoo/blob/master/cuckoo/core/scheduler.py#L236

at this point in the code the VPN is not set, I can select it but by this part it is set to internet.

I can override the setting here to the vpn0 and everything works fine.

where is the code logic to set route = vpn options?

[doomedraven]

route=vpn0 as post data

[lowson]

Ah just as I thought, so even when I select a vpn the post data route is not chaining to the selected vpn

Tested in Chrome and Firefox

[jbremer]

Thanks for the report @lowson! What about the initial issue here, has that been resolved @MarkusTeufelberger?

[lowson]

hey @jbremer I still had to do the original changes above to have the VPN operate correctly.

[MarkusTeufelberger]

init_rttable() still doesn't create a default table entry, so I doubt that it'll suddenly start working now. I'll investigate tomorrow.

[MarkusTeufelberger]

Confirmed broken without my patch to automatically add the default route. Even doomedraven seems to (manually) add the default route according to his comment above...

[jbremer]

Ok, sure. I believe my OpenVPN settings automatically configure it though, could that be possible? And if so, what would be the preferred way to figure out if we have to set it in the rooter or not? Thanks!

[doomedraven]

@jbremer post your .ovpn to see if you have some specify args there, yup i have script which receives options directly from server on setup and sets it

[doomedraven]

mine

client
dev tun1
proto udp
remote X 1194
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
auth-user-pass login.conf
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
<striped>
-----END CERTIFICATE-----
</ca>