Getting on path using OpenVPN


mk...@bu.edu

Mar 4, 2015, 8:31:27 PM
to nogot...@googlegroups.com
How to use OpenVPN for setting ngtf "on path" with the device?

Alex Klyubin

Mar 11, 2015, 3:22:14 PM
to mk...@bu.edu, nogot...@googlegroups.com
See https://github.com/google/nogotofail/blob/dev/docs/gce/readme.md for some ideas. The document provides instructions for running nogotofail MiTM daemon and OpenVPN server on a Google Compute Engine (GCE) instance and connecting to it from clients via OpenVPN.


yzn...@gmail.com

Mar 15, 2015, 6:38:21 AM
to nogot...@googlegroups.com, mk...@bu.edu
I set up a GCE instance and installed nogotofail.

I set up an OpenVPN connection from my Android tablet using the "OpenVPN Connect" app (and the nogotofail.ovpn profile exported from the GCE VM instance). I was able to tunnel into the GCE VM and access the Internet from my tablet browser.

I ran the ngtf server (nogotofail.mitm) on my GCE VM and tried experimenting with configuration (.conf) files that worked on my Raspberry Pi proxy device.

I did notice only the "redirect" mode worked for me - it was the only mode that allowed me to still browse the Internet and see log entries in the ngtf server (nogotofail.mitm). The "socks" mode didn't let me browse the Internet but produced ngtf server log entries (connection open/closed), and "tproxy" let me browse the Internet but didn't output any log entries.
Does the "redirect" mode sound like the correct mode to use?

Also, I couldn't get the ngtf client (Android) to connect to the ngtf server on GCE. I pointed the client to the IP address returned by http://ip6.me and port 8443. The client showed the message:
"connecting to <ip6.me>".
I occasionally saw the ngtf server log message:
"Failed to connect to endpoint <ip6.me>:8443 errno 110".

I'm sure I'm close - any suggestions?

Alex Klyubin

Mar 15, 2015, 1:28:27 PM
to yzn...@gmail.com, nogot...@googlegroups.com, mk...@bu.edu

Please follow the instructions in docs/gce. They will create a working setup. In particular, they'll take care of choosing the "mode", DNS, and OpenVPN client settings. You should not need to change settings in the Android app.

Alex



yzn...@gmail.com

Mar 16, 2015, 10:16:11 PM
to nogot...@googlegroups.com, yzn...@gmail.com
Thanks Alex for responding. I read through the GCE setup instructions again to check the steps I used - I don't think I missed any.

I did some digging and saw the setup script (setup.sh) creates a nogotofail MiTM daemon (nogotofail-mitm) on a GCE VM instance (I was able to start the service using /etc/init.d/nogotofail-mitm start).

In my testing I have been running the nogotofail server from the terminal using python as shown in the GitHub instructions i.e. python -m nogotofail.mitm ...

The GCE readme doc suggests you start the nogotofail MiTM daemon (I assume /etc/init.d/nogotofail-mitm) to get on path with the client.
How do you specify the switches and the location of the configuration file when running the daemon? There are some config settings for attacks I'd like to customise.

Apologies if I missed instructions on configuring the daemon on GitHub. I only saw steps for manually running ngtf from the terminal using python.

Alex Klyubin

Mar 17, 2015, 12:10:46 PM
to yzn...@gmail.com, nogot...@googlegroups.com
The way the docs/gce scripts set nogotofail up is that /etc/init.d/nogotofail-mitm passes command-line arguments to the nogotofail daemon. The most important of the parameters is the one that tells nogotofail to read its configuration from /etc/nogotofail/mitm.conf.


yzn...@gmail.com

Mar 18, 2015, 9:18:00 AM
to nogot...@googlegroups.com
Thanks Alex, that makes sense.

I still can't get the Android client to connect to the mitm daemon on GCE. I'll keep persevering - it's probably a step I missed somewhere.

Also, do you mind if I submit a feature request for some updates to the /docs/gce/readme.md file? I have some suggestions that may make it easier for newbies like me.

Alex Klyubin

Mar 18, 2015, 11:43:31 AM
to yzn...@gmail.com, nogot...@googlegroups.com
If you connect your Android device to the VPN, then your Android client should be able to connect to the default mitm.nogotofail.:8443. The GCE instance will have been set up with its own caching DNS server which resolves mitm.nogotofail correctly. All this assumes you set up the GCE instance and the Android client by following instructions in docs/gce/readme.md.

Updates to the documentation/scripts welcome.

Alex
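
A connection triage helper for the situation discussed in this thread, added here as an example (it is not part of any post and not nogotofail code): it separates a DNS failure, a timeout (errno 110, as in the quoted log line) and a refused connection when testing the default mitm.nogotofail:8443 endpoint. The function name `triage` and the hint texts are made up for illustration; the mapping of errno 110 to a timeout assumes Linux.

```python
import errno
import socket

# Default endpoint named in the thread. Per the thread it is resolved by the
# DNS server on the GCE instance, so it only resolves while the VPN is up.
DEFAULT_HOST = "mitm.nogotofail"
DEFAULT_PORT = 8443


def triage(host=DEFAULT_HOST, port=DEFAULT_PORT, timeout=5.0):
    """Try one TCP connection and return (status, hint)."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns_failure",
                "%s did not resolve (%s); check that the VPN is connected "
                "and its DNS server is in use" % (host, exc))

    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except socket.timeout:
        return ("timeout", "no answer from %s:%d within %.1fs; packets are "
                "dropped or the address is not routable from here"
                % (addr[0], port, timeout))
    except OSError as exc:
        if exc.errno == errno.ETIMEDOUT:      # errno 110 on Linux
            return ("timeout", "kernel gave up connecting to %s:%d "
                    "(errno %d)" % (addr[0], port, exc.errno))
        if exc.errno == errno.ECONNREFUSED:
            return ("refused", "%s is reachable but nothing listens on "
                    "port %d; is the daemon running?" % (addr[0], port))
        return ("error", "connect to %s:%d failed: %s" % (addr[0], port, exc))
    finally:
        sock.close()
    return ("ok", "TCP connection to %s:%d succeeded" % (addr[0], port))


if __name__ == "__main__":
    # Run from a machine that is connected to the VPN.
    print(triage())
```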
