cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

VPN Routing Ubuntu 16.04 #1656

Open kevthehermit opened 7 years ago

kevthehermit commented 7 years ago

In the apps/rooter.py

It looks like you can't use service openvpn start client.conf on Ubuntu 16.04

You have to use systemctl start openvpn@client

This also affects the vpn_status function

jbremer commented 7 years ago

What about /etc/init.d/openvpn start ..., would that be more portable?

kevthehermit commented 7 years ago

I am still testing but at the moment this change seems to be working.

def vpn_enable(name):
    """Start a VPN."""
    #run(s.service, "openvpn", "start", name)
    run("/bin/systemctl", "start", "openvpn@{0}".format(name))

def vpn_disable(name):
    """Stop a running VPN."""
    #run(s.service, "openvpn", "stop", name)
    run("/bin/systemctl", "stop", "openvpn@{0}".format(name))

There is an option in cuckoomain to change the service binary with --service. So we may be able to use this option to detect systemctl and change the run command accordingly.

jbremer commented 7 years ago

I'd rather use a method that works on Ubuntu 14.04 and Ubuntu 16.04 without additional configuration (i.e., --service systemctl). Do you mind testing for me if /etc/init.d/openvpn works as well? Thanks!

vladbrinzea commented 6 years ago

Hi, has this been solved? Having trouble using Cuckoo 2.0.5 (unmodified) VPN routing on Ubuntu 16.04, been through all the docs and guides, still not working so suspecting it may be an Ubuntu issue? Any workarounds currently available to the general public?

Let me know if there are any config files you want to have a look at.

Thank you, Vlad

ericudaykumar commented 6 years ago

Hi @kevthehermit, I ran into the same issue and followed your fix with the command change, inserting those lines to start and stop openvpn in "/apps/rooter.py", and compiled a new "/apps/rooter.pyc" file. But I don't see the new change getting picked up. I restarted cuckoo by rebooting the system. Is there anything else I need to recompile in order for the new code change to be picked up by cuckoo rooter? Appreciate your help or anyone else who can advise. Thank you.

ericudaykumar commented 6 years ago

Ok, so my code changes are getting picked up after I updated the openvpn command to launch in "/apps/rooter.py" and also added some debug statements (log.debug), and I started cuckoo rooter this way and here is the output:

$ sudo /home/cuckoo/venv/bin/cuckoo --debug rooter
[cuckoo.apps.rooter] DEBUG: Processing command: nic_available tun0
[cuckoo.apps.rooter] DEBUG: Processing command: forward_enable vboxnet0 tun0 192.168.56.101
[cuckoo.apps.rooter] DEBUG: Processing command: srcroute_enable 400 192.168.56.101
[cuckoo.apps.rooter] DEBUG: Processing command: forward_disable vboxnet0 tun0 192.168.56.101
[cuckoo.apps.rooter] DEBUG: Processing command: srcroute_disable 400 192.168.56.101
[cuckoo.apps.rooter] DEBUG: Processing command: drop_disable 192.168.56.101 192.168.56.1 2042

"192.168.56.101" is the Windows Virtual Machine (using VirtualBox). My host is Ubuntu 16.0.4LTS. "400" is the tun0 interface for my VPN assigned in iproute2. I already have the tun0 interface created and set to up using "ip link set tun0 up".

Why aren't the "vpn_enable()" and "vpn_disable()" functions being called?

ericudaykumar commented 6 years ago

Ok, solved this issue. Basically there was no code to call "vpn_enable()" nor "vpn_disable()" from within "/venv/lib/python2.7/site-packages/cuckoo/core/scheduler.py". So when a user has multiple VPN exit routes configured, and opens the Cuckoo web interface and selects a VPN exit for per-analysis routing, it won't work and there will be no internet connection, although routing tables are correctly being populated by Cuckoo, because the VPN connection was never established.

To resolve this, the following python code needs to be edited in "/venv/lib/python2.7/site-packages/cuckoo/core/scheduler.py"

Within "route_network()" function, after the "if" "self.route == "tor":" add this "if" condition:

if self.route in config("routing:vpn:vpns"):
    rooter("vpn_enable", self.route)

Within the "unroute_network()" function, after the "if" "self.route == "tor":" add this "if" condition:

if self.route in config("routing:vpn:vpns"):
    rooter("vpn_disable", self.route)

Then recompile scheduler.py like this (which will create the new scheduler.pyc file):

$ python -m py_compile /venv/lib/python2.7/site-packages/cuckoo/core/scheduler.py

Now VPN routing per-submitted-analysis works just fine.

doomedraven commented 6 years ago

@ericudaykumar here is the problem: what if 2 VMs want to use the same VPN as exit node but the first analysis has finished already? It will disable the VPN for the second VM.

ericudaykumar commented 6 years ago

@doomedraven -- right, so then what would be the correct implementation? Should the "vpn_enable()" and "vpn_disable()" go somewhere else in the cuckoo code? Where would be the best place to invoke these functions to avoid resource contention? Or maybe I have to implement checking the "vpn_status()" first and then, if already in use, wait until a certain time limit and try again and give up if the time limit is reached. Appreciate any thoughts and advice. Thank you.
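
The contention raised in this thread (one analysis finishing and stopping a VPN that a second VM still routes through), as an added example that is not part of the thread or of Cuckoo's code: keep a set of users per VPN and stop the tunnel only when the last one releases it. VpnRefCounter, acquire, release and the start/stop callables are hypothetical names; the callables are assumed to wrap the vpn_enable()/vpn_disable() rooter commands.

```python
import threading

class VpnRefCounter(object):
    """Start a VPN for its first user and stop it after its last one."""
    def __init__(self, start, stop):
        # start/stop: callables taking a VPN name (assumed wrappers around
        # the vpn_enable()/vpn_disable() rooter commands from this thread).
        self._start, self._stop = start, stop
        self._users = {}            # VPN name -> set of task ids using it
        self._lock = threading.Lock()

    def acquire(self, name, task_id):
        """Register task_id as a user of VPN `name`; start it if first."""
        with self._lock:
            users = self._users.setdefault(name, set())
            if not users:
                try:
                    self._start(name)
                except Exception:
                    del self._users[name]   # failed start: no phantom entry
                    raise
            users.add(task_id)
            return len(users)

    def release(self, name, task_id):
        """Drop task_id; stop the VPN only when nobody else uses it."""
        with self._lock:
            users = self._users.get(name)
            if not users or task_id not in users:
                return None         # unknown or repeated release: no-op
            users.discard(task_id)
            if users:
                return len(users)   # another analysis still routes here
            del self._users[name]
            self._stop(name)
            return 0


def demo():
    # Constructed scenario: analyses 1 and 2 share the VPN named "vpn0".
    calls = []
    vpns = VpnRefCounter(lambda n: calls.append(("start", n)),
                         lambda n: calls.append(("stop", n)))
    vpns.acquire("vpn0", 1)
    vpns.acquire("vpn0", 2)
    vpns.release("vpn0", 1)         # first analysis ends, tunnel stays up
    still_up = ("stop", "vpn0") not in calls
    vpns.release("vpn0", 2)         # last user gone, tunnel is stopped
    return still_up, calls
```

The lock matters because analyses start and finish on separate threads; without it two releases could both see a non-empty set and neither would stop the tunnel, or a start and a stop could interleave.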

doomedraven commented 6 years ago

The current implementation is totally fine, it works just fine. You just need to start all VPNs manually and forget about this. I have a .sh which does that for me on OS start.